-rw-r--r--.gitignore1
-rw-r--r--disk-config.nix58
-rw-r--r--flake.lock161
-rw-r--r--flake.nix34
-rw-r--r--hardware-configuration.nix24
-rw-r--r--hosts/experimental-nixos/default.nix3
-rw-r--r--hosts/experimental-nixos/experimental-nixos.nix1
-rw-r--r--hosts/experimental-nixos/networking.nix7
-rw-r--r--hosts/experimental-nixos/services/acme.nix14
-rw-r--r--hosts/experimental-nixos/services/ldap.nix57
-rw-r--r--hosts/experimental-nixos/services/nginx.nix34
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-content.agebin0 -> 2325 bytes
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-root.age11
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-search-pw.age13
-rw-r--r--hosts/experimental-nixos/services/stalwart.nix150
-rw-r--r--modules/common/agenix.nix21
-rw-r--r--modules/common/nix.nix5
-rw-r--r--modules/common/packages.nix15
-rw-r--r--modules/common/qemu.nix6
-rw-r--r--modules/common/ssh/default.nix9
-rw-r--r--modules/common/users.nix20
-rw-r--r--modules/disks/bcachefs/default.nix57
-rw-r--r--modules/disks/bcachefs/grub.nix7
-rw-r--r--secrets.nix9
24 files changed, 717 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8a51949
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+hosts/experimental-nixos/services/secrets/ldap-content
diff --git a/disk-config.nix b/disk-config.nix
new file mode 100644
index 0000000..f717e6d
--- /dev/null
+++ b/disk-config.nix
@@ -0,0 +1,58 @@
+# # Example to create a bios compatible gpt partition
+{lib, ...}: {
+ disko.devices = {
+ disk = {
+ sda = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ sda2 = {
+ size = "1G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/boot";
+ };
+ };
+
+ sda3 = {
+ size = "100%";
+ content = {
+ type = "bcachefs";
+ filesystem = "mounted_subvolumes_in_multi";
+ label = "group_a.sda2";
+ extraFormatArgs = [];
+ };
+ };
+ };
+ };
+ };
+ };
+ bcachefs_filesystems = {
+ mounted_subvolumes_in_multi = {
+ type = "bcachefs_filesystem";
+ extraFormatArgs = [
+ "--compression=lz4"
+ "--background_compression=lz4"
+ ];
+ subvolumes = {
+ "subvolumes/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "verbose"
+ ];
+ };
+ "subvolumes/nix" = {
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+}
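Review bot: this file is a byte-for-byte copy of modules/disks/bcachefs/default.nix from the same commit, and nothing imports it — flake.nix collects only modules/common, hosts/experimental-nixos and modules/disks/bcachefs — so it is dead configuration that will silently drift from the live copy; delete it. In both copies `label = "group_a.sda2"` sits on the partition named `sda3` while `sda2` is the ext4 `/boot` partition; if the suffix names the device it should be `group_a.sda3`, and a comment saying what the suffix refers to would stop the next reader from correcting the wrong side. The `{lib, ...}:` argument and the partition-level `extraFormatArgs = []` are unused/default in both and can go — make those edits in modules/disks/bcachefs/default.nix, the copy that is actually imported.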
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..58c7b9d
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,161 @@
+{
+ "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1762618334,
+ "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744478979,
+ "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1763651264,
+ "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "e86a89079587497174ccab6d0d142a65811a4fd9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1763622513,
+ "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1763421233,
+ "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1763823428,
+ "narHash": "sha256-KxjT9cvwcNa3JaN610befHH6jCyEZiGyC/YYKiYL1qY=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a22430796e314cedeeab6bb7c9d527945334ddff",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-25.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "agenix": "agenix",
+ "disko": "disko",
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-unstable": "nixpkgs-unstable"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..0a5e315
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,34 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
+ inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ inputs.disko.url = "github:nix-community/disko";
+ inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
+ inputs.agenix.url = "github:ryantm/agenix";
+
+ outputs = {
+ nixpkgs,
+ nixpkgs-unstable,
+ disko,
+ agenix,
+ ...
+ } @ inputs: let
+ lib = nixpkgs.lib;
+ inherit (lib) filter hasSuffix;
+ listModules' = path: lib.filesystem.listFilesRecursive path |> filter (hasSuffix ".nix");
+ unstable = import nixpkgs-unstable {system = "x86_64-linux";};
+ in {
+ nixosConfigurations.experimental-nixos = nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+ specialArgs = {inherit inputs unstable nixpkgs-unstable;};
+ modules =
+ [
+ disko.nixosModules.disko
+ agenix.nixosModules.default
+ ./hardware-configuration.nix
+ ]
+ ++ (listModules' modules/common)
+ ++ (listModules' hosts/experimental-nixos)
+ ++ (listModules' modules/disks/bcachefs);
+ };
+ };
+}
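Review bot: `listModules'` uses the `|>` pipe operator, which (at the time of writing) needs the `pipe-operators` experimental feature on the machine evaluating the flake; `nix.settings` in modules/common/nix.nix only takes effect after the first successful build, so a fresh install or a CI evaluation needs `--extra-experimental-features pipe-operators` or the plain form `listModules' = path: filter (hasSuffix ".nix") (lib.filesystem.listFilesRecursive path);`. The `rec` on the `nixosSystem` argument set is unused — neither `specialArgs` nor `modules` references `system` — and can be dropped. A one-line comment on `listModules'` noting that it recurses into subdirectories (so every `.nix` file under those three trees becomes a NixOS module) would save surprises when a helper file is added there later.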
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..a790285
--- /dev/null
+++ b/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/experimental-nixos/default.nix b/hosts/experimental-nixos/default.nix
new file mode 100644
index 0000000..8033946
--- /dev/null
+++ b/hosts/experimental-nixos/default.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/experimental-nixos/experimental-nixos.nix b/hosts/experimental-nixos/experimental-nixos.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/experimental-nixos/experimental-nixos.nix
@@ -0,0 +1 @@
+{}
diff --git a/hosts/experimental-nixos/networking.nix b/hosts/experimental-nixos/networking.nix
new file mode 100644
index 0000000..1d7e4e0
--- /dev/null
+++ b/hosts/experimental-nixos/networking.nix
@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+ networking.firewall = {
+ enable = true;
+ package = pkgs.iptables;
+ allowedTCPPorts = [80 443 25 465 587 110 995 143 993];
+ };
+}
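Review bot: the explicit `allowedTCPPorts` list duplicates `services.stalwart-mail.openFirewall = true` in stalwart.nix and already disagrees with it: the managesieve listener on 4190 is bound on `[::]` there but is not opened here, while 110 and 143 are opened as cleartext-capable listeners. Keep a single source of truth — either drop this list and rely on `openFirewall`, or set `openFirewall = false;` in stalwart.nix and maintain the list here deliberately, with a comment per port group. `package = pkgs.iptables;` appears to be the module default on a host without `networking.nftables.enable` and can presumably be omitted.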
diff --git a/hosts/experimental-nixos/services/acme.nix b/hosts/experimental-nixos/services/acme.nix
new file mode 100644
index 0000000..3ea342b
--- /dev/null
+++ b/hosts/experimental-nixos/services/acme.nix
@@ -0,0 +1,14 @@
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "sirimaharjan@proton.me";
+ };
+ certs."m4siri.com" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ certs."mail.m4siri.com" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ };
+}
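Review bot: `webroot` is repeated per certificate; it belongs in `defaults` next to `email` (`defaults.webroot = "/var/lib/acme/acme-challenge/";`), or the two certificates can be merged into one with `certs."m4siri.com".extraDomainNames = ["mail.m4siri.com"];`, which also halves issuance and renewal traffic. If they are merged, the `useACMEHost` values in nginx.nix and the certificate paths in stalwart.nix must both point at `m4siri.com`.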
diff --git a/hosts/experimental-nixos/services/ldap.nix b/hosts/experimental-nixos/services/ldap.nix
new file mode 100644
index 0000000..47e67d5
--- /dev/null
+++ b/hosts/experimental-nixos/services/ldap.nix
@@ -0,0 +1,57 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ secrets.ldap-root = {
+ file = ./secrets/ldap-root.age;
+ mode = "444";
+ };
+
+ secrets.ldap-search = {
+ file = ./secrets/ldap-search-pw.age;
+ mode = "444";
+ };
+ services.openldap = {
+ enable = true;
+ urlList = ["ldap:///"];
+ # mutableConfig = true;
+ settings = {
+ attrs = {
+ olcLogLevel = "conns config";
+ };
+
+ children = {
+ "cn=schema".includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/misc.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+ olcSuffix = "dc=m4siri,dc=com";
+ olcRootDN = "cn=admin,dc=m4siri,dc=com";
+ olcRootPW.path = config.secrets.ldap-root.path;
+ olcAccess = [
+ '' {0}to attrs=userPassword
+ by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read
+ by self write
+ by anonymous auth
+ by * none''
+ '' {1}to *
+ by * read''
+ ];
+ };
+ };
+ };
+
+ declarativeContents = {
+ "dc=m4siri,dc=com" = builtins.readFile ./secrets/ldap-content;
+ };
+ };
+}
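Review bot: the `declarativeContents` entry at the end of the hunk does `builtins.readFile ./secrets/ldap-content`, a file that `.gitignore` in this same commit excludes; a flake's source tree contains only git-tracked files, so evaluation will fail with a missing-file error on any checkout where the plaintext was not decrypted by hand, and when it does succeed the LDIF — including every `userPassword` hash — is copied into the world-readable Nix store and any binary cache. Produce the directory contents at activation from the agenix-decrypted `ldap-content.age` (for example an `ldapadd` in a preStart step that reads the decrypted path) rather than at evaluation time. Both secrets are declared `mode = "444"`, which makes the LDAP root password and the search bind password readable by every local user and service account; give each an `owner` matching the process that reads it (presumably `config.services.openldap.user` for ldap-root, and root if only systemd `LoadCredential`/`EnvironmentFile` reads ldap-search) with `mode = "0400"`. The `{0}to attrs=userPassword` rule grants `cn=searchuser` read on password hashes, which Stalwart does not need if it authenticates by binding as the user (`bind.auth.method = "template"` in stalwart.nix); removing the `by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read` line limits what a leaked search credential exposes.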
diff --git a/hosts/experimental-nixos/services/nginx.nix b/hosts/experimental-nixos/services/nginx.nix
new file mode 100644
index 0000000..07a1a7c
--- /dev/null
+++ b/hosts/experimental-nixos/services/nginx.nix
@@ -0,0 +1,34 @@
+{
+ services.nginx.enable = true;
+ services.nginx.enableReload = true;
+
+ users.users.nginx.extraGroups = ["acme"];
+ services.nginx.virtualHosts."m4siri.com" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "m4siri.com";
+ };
+ services.nginx.virtualHosts."mail.m4siri.com" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "mail.m4siri.com";
+
+ locations."/" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true;
+ };
+
+ locations."/.well-known/jmap" = {
+ proxyPass = "https://localhost:1443";
+ };
+
+ locations."/jmap/session" = {
+ proxyPass = "https://localhost:1443";
+ };
+
+ locations."/jmap" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true;
+ };
+ };
+}
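Review bot: `addSSL = true` on `mail.m4siri.com` keeps a plain-HTTP listener that proxies the JMAP endpoints and Stalwart's web UI over port 80, so a client or a misconfigured autodiscovery entry sends credentials in the clear; `forceSSL = true;` redirects to HTTPS while the NixOS module still serves the ACME challenge location on port 80. The proxied locations set no forwarding headers, so Stalwart sees every HTTP client as 127.0.0.1 and its `server.auto-ban.auth.rate` would count all web logins against the proxy address — enable `services.nginx.recommendedProxySettings = true;` and, in stalwart.nix, `server.http.use-x-forwarded = true;` (verify the option name against the deployed Stalwart release). Proxying `/.well-known/jmap` and `/jmap/session` to the TLS listener on 1443 while `/jmap` goes to 8080 looks deliberate — presumably so `http.url` renders an `https://` session URL — and deserves a comment saying so.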
diff --git a/hosts/experimental-nixos/services/secrets/ldap-content.age b/hosts/experimental-nixos/services/secrets/ldap-content.age
new file mode 100644
index 0000000..ec16d56
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/ldap-content.age
Binary files differ
diff --git a/hosts/experimental-nixos/services/secrets/ldap-root.age b/hosts/experimental-nixos/services/secrets/ldap-root.age
new file mode 100644
index 0000000..46ac649
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/ldap-root.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
new file mode 100644
index 0000000..a0cbba9
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
new file mode 100644
index 0000000..665fb6e
--- /dev/null
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -0,0 +1,150 @@
+{
+ pkgs,
+ nixpkgs-unstable,
+ unstable,
+ config,
+ ...
+}: {
+ disabledModules = ["services/mail/stalwart-mail.nix"];
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
+ ];
+
+ environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+
+ systemd.services.stalwart-mail.serviceConfig = {
+ EnvironmentFile = config.age.secrets.ldap-search.path;
+ };
+
+ users.users.stalwart-mail.extraGroups = ["acme"];
+
+ services.stalwart-mail = {
+ enable = true;
+ package = unstable.stalwart-mail;
+ openFirewall = true;
+ credentials = {
+ user_admin_password = config.secrets.ldap-root.path;
+ user_search_password = config.secrets.ldap-search.path;
+ };
+
+ settings = {
+ certificate.default = {
+ cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
+ private-key = "%{file:/var/lib/acme/mail.m4siri.com/key.pem}%";
+ default = true;
+ };
+ http.url = "protocol + '://' + config_get('server.hostname')";
+ tracer.stdout = {
+ level = "trace";
+ };
+ auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
+ server = {
+ hostname = "mail.m4siri.com";
+ tls = {
+ implicit = false;
+ };
+ auto-ban = {
+ auth.rate = "10/1d";
+ };
+ listener = {
+ smtp = {
+ protocol = "smtp";
+ bind = "[::]:25";
+ };
+ submissions = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ pop3 = {
+ bind = "[::]:110";
+ protocol = "pop3";
+ };
+ pop3s = {
+ bind = "[::]:995";
+ protocol = "pop3";
+ tls.implicit = true;
+ };
+ imap = {
+ bind = "[::]:143";
+ protocol = "imap";
+ };
+ imaps = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ http = {
+ bind = ["127.0.0.1:8080"];
+ protocol = "http";
+ };
+ https = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ jmap = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ sieve = {
+ bind = "[::]:4190";
+ protocol = "managesieve";
+ };
+ };
+ };
+
+ storage.blob = "rocksdb";
+ storage.data = "rocksdb";
+ storage.directory = "ldap";
+ storage.fts = "rocksdb";
+ store = {
+ "rocksdb" = {
+ compression = "lz4";
+ path = "/var/lib/stalwart-mail/data";
+ type = "rocksdb";
+ };
+ };
+
+ authentication.fallback-admin = {
+ user = "fallback-admin";
+ secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ };
+
+ directory.ldap = {
+ type = "ldap";
+ url = "ldap://localhost:389";
+ timeout = "30s";
+ base-dn = "dc=m4siri,dc=com";
+ tls.enable = false;
+
+ bind = {
+ dn = "cn=searchuser,ou=users,dc=m4siri,dc=com";
+ secret = "%{env:STALWART_SEARCH_PW}%";
+ auth = {
+ method = "template";
+ template = "uid={local},ou=users,dc=m4siri,dc=com";
+ search = true;
+ };
+ };
+ filter = {
+ name = "(&(objectClass=inetOrgPerson)(|(mail=?)(uid=?)))";
+ email = "(&(objectClass=inetLocalMailRecipient)(|(mail=?)(mailLocalAddress=?)))";
+ };
+
+ attributes = {
+ name = "uid";
+ secret = "userPassword";
+ email = "mail";
+ email-alias = "mailLocalAddress";
+ };
+ };
+ };
+ };
+}
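Review bot: the `https` and `jmap` listeners both bind `127.0.0.1:1443` with the same protocol and TLS settings; two listeners on one socket will fail with an address-in-use error at startup unless Stalwart merges them (not confirmed from the module), so keep one. `tracer.stdout.level = "trace"` ships protocol-level logging — including the content of authentication exchanges — to the journal of an internet-facing mail server; use `"info"` (or `"debug"` during bring-up) and lower it before exposing the listeners. The search password is consumed three different ways — `EnvironmentFile` (which expects `KEY=value` lines), `credentials.user_search_password`, and the `/etc/stalwart-mail/search-pw` symlink via `auth.search` — and one file cannot satisfy both the env-file format and the raw-value readers; settle on the credential path, `secret = "%{file:/run/credentials/stalwart-mail.service/user_search_password}%";`, as already done for `fallback-admin`, and drop the `environment.etc` entry and `EnvironmentFile`. `fallback-admin` reuses the LDAP root DN password (`user_admin_password = config.secrets.ldap-root.path`), so one leaked secret yields both the directory and the mail server's admin role; issue a separate secret for it.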
diff --git a/modules/common/agenix.nix b/modules/common/agenix.nix
new file mode 100644
index 0000000..189f80e
--- /dev/null
+++ b/modules/common/agenix.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkAliasOptionModule mkIf;
+in {
+ imports = [(mkAliasOptionModule ["secrets"] ["age" "secrets"])];
+
+ age.identityPaths = [
+ "/root/.ssh/id"
+ ];
+
+ environment = {
+ shellAliases.ragenix = "ragenix --identity ~/.ssh/id";
+ systemPackages = [
+ pkgs.ragenix
+ ];
+ };
+}
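Review bot: `mkIf` is inherited from `lib` but never used, and `config` is an unused module argument; trim the `inherit` to `mkAliasOptionModule` and drop `config`. `age.identityPaths = ["/root/.ssh/id"]` replaces the default host-key identity, so every secret on this host decrypts with a key that is presumably also an operator login key (the `root@nixos` recipient in secrets.nix); a dedicated host identity — the default `/etc/ssh/ssh_host_ed25519_key`, added as a recipient in secrets.nix — keeps the decryption key from doubling as an SSH credential, and a comment should record which key this path is either way.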
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
new file mode 100644
index 0000000..fbcbbfd
--- /dev/null
+++ b/modules/common/nix.nix
@@ -0,0 +1,5 @@
+{
+ nix.settings = {
+ experimental-features = ["nix-command" "flakes" "pipe-operators"];
+ };
+}
diff --git a/modules/common/packages.nix b/modules/common/packages.nix
new file mode 100644
index 0000000..3e5b043
--- /dev/null
+++ b/modules/common/packages.nix
@@ -0,0 +1,15 @@
+{
+ pkgs,
+ unstable,
+ ...
+}: {
+ environment.systemPackages = with pkgs;
+ [
+ curl
+ gitMinimal
+ helix
+ jujutsu
+ nushell
+ ]
+ ++ [pkgs.stalwart-mail];
+}
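Review bot: `pkgs.stalwart-mail` appended at the end of the list comes from the stable nixpkgs, while stalwart.nix runs `unstable.stalwart-mail` as the service package, so the binary on `$PATH` will be a different release from the one serving mail; use `unstable.stalwart-mail` here (the `unstable` argument is taken but otherwise unused) or drop the entry. With `with pkgs;` already in scope, a stable package could simply be a list element instead of a separate `++ [...]`.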
diff --git a/modules/common/qemu.nix b/modules/common/qemu.nix
new file mode 100644
index 0000000..231d13a
--- /dev/null
+++ b/modules/common/qemu.nix
@@ -0,0 +1,6 @@
+{modulesPath, ...}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+}
diff --git a/modules/common/ssh/default.nix b/modules/common/ssh/default.nix
new file mode 100644
index 0000000..a4c5891
--- /dev/null
+++ b/modules/common/ssh/default.nix
@@ -0,0 +1,9 @@
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "yes";
+ PasswordAuthentication = true;
+ };
+ };
+}
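Review bot: `PermitRootLogin = "yes"` together with `PasswordAuthentication = true` allows password login for root on a host whose firewall is opened to the internet (networking.nix), and users.nix already installs an authorized key for both `root` and `siri`, so password login is not needed; set `PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; KbdInteractiveAuthentication = false;`. If password login is wanted during bring-up, gate it on an option with a comment stating when it is to be turned off.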
diff --git a/modules/common/users.nix b/modules/common/users.nix
new file mode 100644
index 0000000..bb41b02
--- /dev/null
+++ b/modules/common/users.nix
@@ -0,0 +1,20 @@
+{
+ users.groups.siri = {};
+
+ users.users.root = {
+ hashedPassword = "$6$WHOn5nIFRZ/fhc6u$1rMRPwW3anEfWcf.Wd0IxfUoV.ouo5Vm0NxOSyUwtkTP8OKnFfdLL0.OCzS5Dnlp8rIpZNWlUImkqBq7fTZ7i/";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrczZPQlkb9TwtLa5YKs6Npu2vXtG4yJa0AWmwOLtfF siri@m4siri"
+ ];
+ };
+
+ users.users.siri = {
+ group = "siri";
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ hashedPassword = "$6$WHOn5nIFRZ/fhc6u$1rMRPwW3anEfWcf.Wd0IxfUoV.ouo5Vm0NxOSyUwtkTP8OKnFfdLL0.OCzS5Dnlp8rIpZNWlUImkqBq7fTZ7i/";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrczZPQlkb9TwtLa5YKs6Npu2vXtG4yJa0AWmwOLtfF siri@m4siri"
+ ];
+ };
+}
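Review bot: the `hashedPassword` values are committed to the repository and are identical for `root` and `siri` (a `wheel` member), so the two accounts share one secret and anyone with read access to the repo can attempt offline cracking of it; move them to agenix with `hashedPasswordFile = config.secrets.<name>.path;` and use distinct values per account. The two accounts also share one authorized key, which makes the `siri`/`wheel` separation cosmetic rather than a privilege boundary. `extraGroups = [ "wheel" ];` uses spaces inside the brackets while every other list in the commit is written `["wheel"]` — run the formatter.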
diff --git a/modules/disks/bcachefs/default.nix b/modules/disks/bcachefs/default.nix
new file mode 100644
index 0000000..97c37c2
--- /dev/null
+++ b/modules/disks/bcachefs/default.nix
@@ -0,0 +1,57 @@
+{lib, ...}: {
+ disko.devices = {
+ disk = {
+ sda = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ sda2 = {
+ size = "1G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/boot";
+ };
+ };
+
+ sda3 = {
+ size = "100%";
+ content = {
+ type = "bcachefs";
+ filesystem = "mounted_subvolumes_in_multi";
+ label = "group_a.sda2";
+ extraFormatArgs = [];
+ };
+ };
+ };
+ };
+ };
+ };
+ bcachefs_filesystems = {
+ mounted_subvolumes_in_multi = {
+ type = "bcachefs_filesystem";
+ extraFormatArgs = [
+ "--compression=lz4"
+ "--background_compression=lz4"
+ ];
+ subvolumes = {
+ "subvolumes/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "verbose"
+ ];
+ };
+ "subvolumes/nix" = {
+ mountpoint = "/nix";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/disks/bcachefs/grub.nix b/modules/disks/bcachefs/grub.nix
new file mode 100644
index 0000000..ba886d2
--- /dev/null
+++ b/modules/disks/bcachefs/grub.nix
@@ -0,0 +1,7 @@
+{
+ boot.loader.grub = {
+ enable = true;
+ };
+
+ boot.supportedFilesystems = ["bcachefs"];
+}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..20e8868
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,9 @@
+let
+ siri = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrczZPQlkb9TwtLa5YKs6Npu2vXtG4yJa0AWmwOLtfF siri@m4siri"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxO3pNFgUOv7skfWnaTF+jWGFRjrZf9ISj4E1Ycnwe6 root@nixos"
+ ];
+in {
+ "hosts/experimental-nixos/services/secrets/ldap-root.age".publicKeys = siri;
+ "hosts/experimental-nixos/services/secrets/ldap-search-pw.age".publicKeys = siri;
+}
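Review bot: `ldap-content.age` is added in this commit under hosts/experimental-nixos/services/secrets/ but is missing from this recipient map, so the agenix tooling will refuse to edit or rekey it and it cannot be re-encrypted when the `siri` key list changes; add `"hosts/experimental-nixos/services/secrets/ldap-content.age".publicKeys = siri;`. The list mixes a user key and a `root@nixos` key under one name; a comment saying which one is the host decryption identity (agenix.nix points at `/root/.ssh/id`) would help the next rotation.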