From d5e3a6d387f69f3b7e19bc06d2b54bfeba3c986e Mon Sep 17 00:00:00 2001 From: tux Date: Sat, 9 May 2026 04:15:22 +0530 Subject: [PATCH] feat(arcturus): add arcturus host --- .sops.yaml | 6 +++ modules/hosts/arcturus/config.nix | 84 +++++++++++++++++++++++++++++ modules/hosts/arcturus/default.nix | 23 ++++++++ modules/hosts/arcturus/disko.nix | 71 ++++++++++++++++++++++++ modules/hosts/arcturus/hardware.nix | 32 +++++++++++ modules/hosts/arcturus/home.nix | 6 +++ modules/hosts/arcturus/secrets.yaml | 29 ++++++++++ 7 files changed, 251 insertions(+) create mode 100644 modules/hosts/arcturus/config.nix create mode 100644 modules/hosts/arcturus/default.nix create mode 100644 modules/hosts/arcturus/disko.nix create mode 100644 modules/hosts/arcturus/hardware.nix create mode 100644 modules/hosts/arcturus/home.nix create mode 100644 modules/hosts/arcturus/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index ef4ab7e..bc7943e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &hosts - &sirius age18hepvvp3nw9ram6usxc8rvpxed2pye0knqx0zutqgxeu35k745vqyxfphz + - &arcturus age1huqa3hc7wcxk4dpelrzny437nzrx4fnll3d8g9ahznzk268yju5qufapxy creation_rules: - path_regex: hosts/sirius/secrets.yaml$ @@ -11,3 +12,8 @@ creation_rules: - age: - *tux - *sirius + - path_regex: hosts/arcturus/secrets.yaml$ + key_groups: + - age: + - *tux + - *arcturus diff --git a/modules/hosts/arcturus/config.nix b/modules/hosts/arcturus/config.nix new file mode 100644 index 0000000..d3accce --- /dev/null +++ b/modules/hosts/arcturus/config.nix 
@@ -0,0 +1,84 @@
+{ config, ... }:
+{
+ flake.modules.nixos.arcturus =
+ {
+ pkgs,
+ hostName,
+ userName,
+ ...
+ }:
+ {
+ imports = with config.flake.modules.nixos; [
+ boot
+ hardware
+ networking
+ virtualisation
+ ];
+
+ tnix = {
+ boot.secure-boot.enable = true;
+ boot.impermanence.enable = true;
+ networking.openssh.enable = true;
+
+ virtualisation = {
+ docker.enable = true;
+ };
+ };
+
+ sops.secrets = {
+ tux-password = {
+ sopsFile = ./secrets.yaml;
+ neededForUsers = true;
+ };
+
+ discord-token = {
+ sopsFile = ./secrets.yaml;
+ };
+
+ gemini-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ openrouter-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+
+ opencode-go-api-key = {
+ sopsFile = ./secrets.yaml;
+ owner = userName;
+ };
+ };
+
+ # --- Boot ---
+ boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen;
+
+ # --- Networking ---
+ networking = {
+ hostName = hostName;
+ networkmanager = {
+ enable = true;
+ wifi.backend = "iwd";
+ };
+ wireless.iwd = {
+ enable = true;
+ settings = {
+ Network = {
+ EnableIPv6 = true;
+ };
+ Settings = {
+ AutoConnect = true;
+ };
+ };
+ };
+ firewall.enable = false;
+ };
+
+ environment.systemPackages = with pkgs; [
+ nvtopPackages.full
+ ];
+
+ system.stateVersion = "26.05";
+ };
+}
diff --git a/modules/hosts/arcturus/default.nix b/modules/hosts/arcturus/default.nix
new file mode 100644
index 0000000..a3f8793
--- /dev/null
+++ b/modules/hosts/arcturus/default.nix
@@ -0,0 +1,23 @@
+{
+ inputs,
+ config,
+ ...
+}:
+let
+ hostName = "arcturus";
+ userName = "tux";
+ userEmail = "t@tux.rs";
+ system = "x86_64-linux";
+ unstable = true;
+ nixpkgs = if unstable then inputs.nixpkgs else inputs.nixpkgs-stable;
+in
+{
+ flake.nixosConfigurations."${hostName}" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit hostName userName userEmail; };
+ modules = [
+ config.flake.modules.nixos.core
+ config.flake.modules.nixos.${hostName}
+ ];
+ };
+}
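Review bot: `firewall.enable = false;` at the end of the networking block switches off the NixOS firewall on a host that also turns on SSH (`tnix.networking.openssh.enable`) and Docker, so every listening service, including any container port Docker publishes, is reachable from whatever network iwd auto-connects to. Unless something upstream filters traffic for this machine, keep it as `firewall.enable = true;` and open only the ports needed; the stock openssh module opens 22 by itself, though whether the `tnix` wrapper does is not visible in this commit. If disabling it is deliberate, a one-line comment next to the option saying why would stop the next reader from "fixing" it. Minor style point: `hostName = hostName;` can be written `inherit hostName;`, and `discord-token` is the only secret without an `owner`, which presumably means it is read by a root-owned service — worth a short comment if so.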
diff --git a/modules/hosts/arcturus/disko.nix b/modules/hosts/arcturus/disko.nix
new file mode 100644
index 0000000..7ab963f
--- /dev/null
+++ b/modules/hosts/arcturus/disko.nix
@@ -0,0 +1,71 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.arcturus =
+ { config, lib, ... }:
+ {
+ imports = [
+ inputs.disko.nixosModules.disko
+ ];
+
+ disko.devices.disk.primary = {
+ device = "/dev/nvme0n1";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ "umask=0077"
+ ];
+ };
+ };
+ root = {
+ size = "100%";
+ type = "8300";
+ content = {
+ type = "btrfs";
+ # Base subvolumes that always exist
+ subvolumes = {
+ "/root" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ ];
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "noacl"
+ "space_cache=v2"
+ ];
+ mountpoint = "/nix";
+ };
+ }
+ # Conditionally merge /persist only when impermanence is enabled
+ // lib.optionalAttrs config.tnix.boot.impermanence.enable {
+ "/persist" = {
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ ];
+ mountpoint = "/persist";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/hosts/arcturus/hardware.nix b/modules/hosts/arcturus/hardware.nix
new file mode 100644
index 0000000..2857c16
--- /dev/null
+++ b/modules/hosts/arcturus/hardware.nix
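Review bot: The `root` partition is formatted straight as btrfs with no LUKS layer, so nothing on this disk is encrypted at rest, while the same commit enables secure boot and ships five sops-encrypted secrets for this host. The host identity that decrypts `secrets.yaml` has to persist somewhere on this disk (presumably under the `/persist` subvolume when impermanence is on, since `/` is otherwise wiped), and on an unencrypted volume it is readable by anyone with the drive, which undoes what the sops recipient setup is meant to protect. If that trade-off is intentional for this machine, say so next to `root`, e.g. `# No disk encryption: host key on /persist is readable offline — accepted for this host`; otherwise wrapping the btrfs in a disko `luks` content entry (type = "luks" whose `content` is the existing btrfs block) is the usual fix. Separately, `device = "/dev/nvme0n1";` depends on enumeration order; a `/dev/disk/by-id/...` path is more stable if another NVMe is ever added.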
@@ -0,0 +1,32 @@
+{
+ flake.modules.nixos.arcturus =
+ {
+ config,
+ lib,
+ ...
+ }:
+ {
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp10s0f3u2i2.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/modules/hosts/arcturus/home.nix b/modules/hosts/arcturus/home.nix
new file mode 100644
index 0000000..9bb799b
--- /dev/null
+++ b/modules/hosts/arcturus/home.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ flake.modules.homeManager.arcturus = {
+ home.stateVersion = "26.05";
+ };
+}
diff --git a/modules/hosts/arcturus/secrets.yaml b/modules/hosts/arcturus/secrets.yaml
new file mode 100644
index 0000000..2894377
--- /dev/null
+++ b/modules/hosts/arcturus/secrets.yaml
@@ -0,0 +1,29 @@ +tux-password: ENC[AES256_GCM,data:eXg28pYQjIi5iPh4oHBOvIYQReM92T79uty/O461mEoLB8awr8ikq3RM7Mux3jZKM+Fk/Ow3NNG0F/154dZentodr1uvy9gD1g==,iv:nQevOumENveBMuiYMJF0OokORyjZCpR8ahTfOuj2Dzo=,tag:64zz8eVuw1OwTltfAUwWSg==,type:str] +discord-token: ENC[AES256_GCM,data:uzxkrNRRplL/1MfvPZ/EL+I8UACuZQBHZ95BSHuxW0nBjxhr2F89D2BXTcKOBI9qO6uMjK5WBtWzSOw3y9EsngTTm/youIdkrIDLP3r/tkpOkLa/VjM=,iv:OxzFa0nEInV5uxgQFww11ZE1NorH5q130Tgp/6l9uOE=,tag:g4U9wLhPAkz72ktbQ8KrSg==,type:str] +gemini-api-key: ENC[AES256_GCM,data:gLZSoYTdKY+rwIpYiXvN9n9PGkUD6q8Oe7dHnYkjEjwDf5qpjubg,iv:ySoNgQWTu9DjvbashF4ulyYP8fJUl4yrCTeBQ0jrGmw=,tag:FctubsQv50AP78JvTb9bpQ==,type:str] +openrouter-api-key: ENC[AES256_GCM,data:6xONCl9lqOoO7b4CEyCz9607tICDUAkpglRjGS5nYq2ppg2UKqYTrWD1BGCA5Xfs/CWskniVhoNG3vscjKiYCCh9gbM6aqdmTQ==,iv:7Iwc9t00HOOBjA7URXcUO41badqYyJCkFHM/uPkLFxY=,tag:Cl39kitr2e0//HVwAdsdUQ==,type:str] +opencode-go-api-key: ENC[AES256_GCM,data:dmeRKn7TWHnqvpyPQpcEG6yHTb2bRby/rh10ytL0jHj5R+lRmNVdmqUF92GTznY9vEaB6ZYCJecWhpm8g4upNfOWBg==,iv:9UMJpAlD8gpcNiN+liu3nawoAZQKapEg7sCp561N9E8=,tag:OZlASpOa5BQaQwFWjoLCRw==,type:str] +sops: + age: + - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Qkh0cmdHNGJTYmFNUFZW + c244RjlyNjlrSWh1bG1IRFFFeFZZVzhaYVdBCmd1N3JNS0IzWDlUMUJSM0pYdi9L + MzlHRk1pZ1hqaVdIYUQwczh2VDVtZE0KLS0tIEtRYWF6V0I3eDBZSnVmZ2R5S0Z5 + Z3hhRitmdEwxbzcrS0cwNTZVK1lXYlUKSFfKk7JGzxRq9weL4NKJqfmAige2O+1T + 59PvEFKvvkGb6ajkzwTw0lB3UFzly6FuTnbSLY9r+oT9AMbxLoKdcQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1huqa3hc7wcxk4dpelrzny437nzrx4fnll3d8g9ahznzk268yju5qufapxy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOYlZiak1CSW1NSGt5QTRi + RjlUeG5EODVkTVJDY1RrZXJ6OU5NQ0RIOG5jCnJxZ1R6MmlGWXY2SmtaY1pQSWdZ + UWp3L2h6c0k0MVpubE9BRSswUEk3ZkkKLS0tIGN4Zm1tcHBiKzAyYWNHVktVZmpU + V3h4dUZLcktrTUZvUm44eVZOWEl4VmMKMTvajoWcktb4jVIP4HyzQiR41Wg8Gdqi 
+ TLKEYsPQgOJ7s8P9gw2uPUY6HRz86CtiC6EbO27u0+8BbI85x1QScg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-05-08T19:38:01Z" + mac: ENC[AES256_GCM,data:G6Klq53VRWgDZDM4aDi0vbs87nvM90eH4e9XZNDMtSdrlf/60Lo2/0qp8kAsuKjf6OC5ThEMSP6h0nWrCZryVGP32b6BCMSUcecFm1rdCP3s64iPUlx/5UeT1dbPG1MPfV+mjO2/43dM9Nkmov7WiFrQ7NNJluvwu/7z6v6hEsQ=,iv:qbesEfb/9hqdwzSvNI0p6/QuGoQQ14ZPwK2S6op9o3g=,tag:5B2cnkWiEeg+GOrtK4H82A==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.2