Diffstat (limited to 'hosts')
-rw-r--r--hosts/common/global/default.nix174
-rw-r--r--hosts/common/global/sops.nix17
-rw-r--r--hosts/common/optional/wireless.nix35
-rw-r--r--hosts/common/secrets.yaml50
-rw-r--r--hosts/joshua/default.nix18
-rw-r--r--hosts/joshua/hardware-configuration.nix98
-rw-r--r--hosts/norad/default.nix26
-rw-r--r--hosts/norad/hardware-configuration.nix102
-rw-r--r--hosts/wopr/default.nix23
-rw-r--r--hosts/wopr/hardware-configuration.nix103
-rw-r--r--hosts/work/default.nix62
-rw-r--r--hosts/work/hardware-configuration.nix64
12 files changed, 772 insertions, 0 deletions
diff --git a/hosts/common/global/default.nix b/hosts/common/global/default.nix
new file mode 100644
index 0000000..3f33d55
--- /dev/null
+++ b/hosts/common/global/default.nix
@@ -0,0 +1,174 @@
+# This holds configuration common across hosts
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: {
+ # You can import other NixOS modules here
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ inputs.impermanence.nixosModules.impermanence
+ ./sops.nix
+ ];
+
+ #home-manager.useGlobalPkgs = true;
+ home-manager.backupFileExtension = "backup";
+ home-manager.extraSpecialArgs = {
+ inherit inputs outputs;
+ };
+
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ # Add overlays your own flake exports (from overlays and pkgs dir):
+ outputs.overlays.additions
+ # outputs.overlays.modifications
+
+ outputs.overlays.stable-packages
+
+ # You can also add overlays exported from other flakes:
+ # neovim-nightly-overlay.overlays.default
+
+ # Or define it inline, for example:
+ # (final: prev: {
+ # hi = final.hello.overrideAttrs (oldAttrs: {
+ # patches = [ ./change-hello-to-hi.patch ];
+ # });
+ # })
+ ];
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ nix = let
+ flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+ in {
+ settings = {
+ # Enable flakes and new 'nix' command
+ experimental-features = "nix-command flakes ca-derivations";
+ # Opinionated: disable global registry
+ flake-registry = "";
+ # Workaround for https://github.com/NixOS/nix/issues/9574
+ nix-path = config.nix.nixPath;
+ };
+ gc = {
+ automatic = true;
+ dates = "daily";
+ options = "--delete-older-than 7d";
+ };
+ # Opinionated: disable channels
+ channel.enable = false;
+
+ # Opinionated: make flake registry and nix path match flake inputs
+ registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+ nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "emacs2";
+ };
+
+ programs = {
+ sway.enable = true;
+ zsh.enable = true;
+ git.enable = true;
+
+ fuse.userAllowOther = true;
+ };
+
+ users.mutableUsers = false;
+
+ users.users.sadbeast = {
+ hashedPasswordFile = config.sops.secrets.sadbeast-password.path;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGpEusv/bS34Q1JQxZXikdcwnq1vToz2d+HgV+E8NRX"
+ ];
+
+ extraGroups = ["wheel" "audio" "docker"];
+ shell = pkgs.zsh;
+ packages = [pkgs.home-manager];
+ };
+
+ sops.secrets.sadbeast-password = {
+ sopsFile = ../secrets.yaml;
+ neededForUsers = true;
+ };
+
+ home-manager.users.sadbeast = import ../../../home/sadbeast/${config.networking.hostName}.nix;
+
+ # This setups a SSH server. Very important if you're setting up a headless system.
+ # Feel free to remove if you don't need it.
+ services = {
+ avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
+
+ openssh = {
+ enable = true;
+ settings = {
+ # Opinionated: forbid root login through SSH.
+ PermitRootLogin = "no";
+ # Opinionated: use keys only.
+ # Remove if you want to SSH using passwords
+ PasswordAuthentication = false;
+ };
+ };
+
+ pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ printing.enable = true;
+ };
+ security = {
+ polkit.enable = true;
+ # rtkit is optional but recommended
+ rtkit.enable = true;
+ sudo.wheelNeedsPassword = false;
+
+ pam.services = {
+ swaylock = {};
+ };
+ };
+
+ # environment.persistence."/persistent" = {
+ # hideMounts = true;
+ # directories = [
+ # "/var/log"
+ # "/var/lib/nixos"
+ # "/var/lib/systemd"
+ # ];
+ # files = [
+ # "/etc/machine-id"
+ # "/var/lib/sops-nix/keys.txt"
+ # ];
+ # };
+
+ # system.activationScripts.persistent-dirs.text = let
+ # mkHomePersist = user:
+ # lib.optionalString user.createHome ''
+ # mkdir -p /persistent/${user.home}
+ # chown ${user.name}:${user.group} /persistent/${user.home}
+ # chmod ${user.homeMode} /persistent/${user.home}
+ # '';
+ # users = lib.attrValues config.users.users;
+ # in
+ # lib.concatLines (map mkHomePersist users);
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+}
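Review bot: `sudo.wheelNeedsPassword = false;` together with `extraGroups = ["wheel" "audio" "docker"];` gives the sadbeast account two no-prompt routes to root (passwordless sudo, and the docker socket, whose group is root-equivalent), so any process running as that user, including anything reached through the key-only SSH listener configured below it, escalates silently. If the no-prompt sudo is deliberate, say so next to it, e.g. `# Opinionated: no sudo prompt for wheel; any process running as this user is root-equivalent.`; otherwise drop the line so the default (true) applies. The same docker membership is added again in hosts/work/default.nix.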
diff --git a/hosts/common/global/sops.nix b/hosts/common/global/sops.nix
new file mode 100644
index 0000000..9d1d42b
--- /dev/null
+++ b/hosts/common/global/sops.nix
@@ -0,0 +1,17 @@
+{
+ inputs,
+ lib,
+ config,
+ ...
+}: {
+ imports = [inputs.sops-nix.nixosModules.sops];
+
+ sops = {
+ age = {
+ #keyFile = "/persistent/var/lib/sops-nix/keys.txt";
+ keyFile = "/var/lib/sops-nix/keys.txt";
+ sshKeyPaths = [];
+ };
+ gnupg.sshKeyPaths = [];
+ };
+}
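Review bot: `keyFile = "/var/lib/sops-nix/keys.txt";` points into the root filesystem, but hosts/wopr/hardware-configuration.nix restores the root subvolume from /root-blank on every boot, and the `environment.persistence."/persistent"` block that would carry `/var/lib/sops-nix/keys.txt` across that reset is still commented out in hosts/common/global/default.nix. On that host the age key (and /etc/machine-id) presumably disappears at the next boot, after which sadbeast-password cannot be decrypted and the user is left without a password hash. Either re-enable the persistence block, or use the commented `#keyFile = "/persistent/var/lib/sops-nix/keys.txt";` form, since /persistent is mounted with `neededForBoot = true` on the hosts that have it.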
diff --git a/hosts/common/optional/wireless.nix b/hosts/common/optional/wireless.nix
new file mode 100644
index 0000000..ce66419
--- /dev/null
+++ b/hosts/common/optional/wireless.nix
@@ -0,0 +1,35 @@
+{config, ...}: {
+ # Wireless secrets stored through sops
+ sops.secrets.wireless = {
+ sopsFile = ../secrets.yaml;
+ neededForUsers = true;
+ };
+
+ networking.wireless = {
+ enable = true;
+ fallbackToWPA2 = false;
+
+ # Declarative
+ secretsFile = config.sops.secrets.wireless.path;
+ networks = {
+ "Black Vulture" = {
+ pskRaw = "ext:home_psk";
+ };
+ };
+
+ # Imperative
+ allowAuxiliaryImperativeNetworks = true;
+ userControlled = {
+ enable = true;
+ group = "network";
+ };
+ extraConfig = ''
+ update_config=1
+ '';
+ };
+
+ # Ensure group exists
+ users.groups.network = {};
+
+ systemd.services.wpa_supplicant.preStart = "touch /etc/wpa_supplicant.conf";
+}
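Review bot: `neededForUsers = true;` on the wireless secret looks misplaced: that flag is for secrets read while users are created (as with hashedPasswordFile in common/global), whereas wpa_supplicant reads `secretsFile` when the service starts, so the ordinary secret location should be sufficient; confirm before removing it. Separately, `users.groups.network = {};` is created for `userControlled`, but sadbeast is not added to that group in hosts/common/global/default.nix, so the imperative path is presumably usable only by root on norad and work.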
diff --git a/hosts/common/secrets.yaml b/hosts/common/secrets.yaml
new file mode 100644
index 0000000..d0dc065
--- /dev/null
+++ b/hosts/common/secrets.yaml
@@ -0,0 +1,50 @@
+sadbeast-password: ENC[AES256_GCM,data:Oy3x2JbsX/iTHSYd//sScEfpK2AcW9mfAD/jHR1zymkZ/hMgrK/pfzWiCiLSrCoV38lcaBsFHdv80Bf7TRhYkUQZ6F6EPtaVYg==,iv:/cEQPob8z5fzsUIo1unv7zT8h2MsdKMTVBxnSMlCgaM=,tag:afhjGiTXdPjiZVpzAKUvwA==,type:str]
+work-password: ENC[AES256_GCM,data:6gcVp0kW+6sHg/9KxqjtnGa6ycfSitlAAAzgc2teE2mmgh9DBfP+0IiTGk0XrHjLZCrGCa/zyrIDKq3jdXE+E42laH7H68SrpA==,iv:LvRc7Uj5MJ3RMxIbp5s2U5qx50RLKe6o8mZSqwbrktk=,tag:ZpIaOfTWtt/6w93O/B2drw==,type:str]
+wireless: ENC[AES256_GCM,data:aeetnjjKGbt0wudRuIY5ruemnxlhm5Iw808G5D9BO1dTYi0EbA7JrXHz3wXh737WsPMOXL0S9NaeRH4w,iv:NIoIJ6CjXWGesoEraRoSH2hmF2JpRvpV8fCpwNi06/c=,tag:/aS84d4H0jEHCBZd/CCOCg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16qcn9298rk3eav38442zw2ejhqac6uvdj0m86qf4ggnjgug8efgsp9lwcd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndG9RVWpCZXlsanhTbUky
+ N1drL1RlZVpZbElCaDljVWx6ZG9Vc3JsbTBRCk0rclJkUCtzdVF5NDdKTFRsamZR
+ UXpleTFWcU9CWlRyL0JLVVJCNnNzL2MKLS0tIHNISSsvTllQaFZ5dGk2VTJ0Vkxq
+ enh2dmxhcDgyNjlKRDFRZnlWTndYZjgK8aRkrdMx+SaZBnc2HFVdmwGm8K5T19Aa
+ UsoeqXyCPA1rxUFA6eCzy9y9sst/susfkwgRwFucP9W8lE3+kglMNg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hls0h26tcls67ukcpt7e0ztua8mwzheaqkuuwl4anv8zstq8regqd7nqv9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa1RucTA0UnVSQkhtdE9P
+ c2wzS01ucWN5M3A2QjRYZ1h4Y00wSjJvUkJjCktGck9JRFVYcGQyQ0plQ1B6dDNU
+ Zit2MmpDRExTU1NwR0pxc0dyaXdJUjAKLS0tIGE5YXFoRW1MU2VyL2N3ZGFmQSti
+ dFAvNEtTYlgzMUJZQjhZK3VvWGNvTWsKzafclExVkycuEnq5lsloVYSpUd+1SfQS
+ rj5xDJV8E37+q7lsizRhKMtjJNv/raeLXicsBwL2vmnY6RoYsPSfCw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dg0dxg6nf5rm05py3da3yz8tkg7xtgustuehxwn37cm8mdrf93ysn9n622
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArVEZZaXQ0TjU1RFVZMnQr
+ MWQzbXEyV25RZmhVRFZlUzdjamNYR2hWcjBZCkRSSWMrSVpVV3pETkJUY1AyZTRZ
+ SVZkZDhnMkhaUUxWYklTdUszVlM2VHMKLS0tIFNrL0crZExQV3p2ZGxScmo1aXlK
+ Y3BLSkFyVkpUalRjSkxHMFpLVTJabTAKW2ydqX5ZulhSyiFCaNW3rMFncNBGllZU
+ v2HET4US1eUzT8suMWzfhjm7GA6D7KD3pJICglhtumk9sihRL3TrQg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a6k6lwndk7w5ck3w8vydw72af3q8appm6jyxj7amwp6fmqnylywsy7ay0e
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUeFlOb093ekpDanBiZEl0
+ TGo4T2w4aHk4Zjl6eUdrS0diQzBWM1ltUDN3ClpVemlBN1YvVmNuZFlGWEVhSktv
+ SHNOZFBzWm5DTzJyNEhiSVRTampjR0UKLS0tIFFVODY0L1h0bThIclgxRnhVZmtk
+ Njl4U3h2UmZUOVhnQ0lqb3NnbUcwME0KfEhBK4MnSGDwQZYztvWKl5k4zRZD+kDT
+ t2yCzytfW3wcWmnqnbtBqFGFiZhtBaN1GhlJhHJY16JClJ/c8dhQ6g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-17T23:15:06Z"
+ mac: ENC[AES256_GCM,data:ojX6Ec9XP2MMnBQUkxlvmJYL+q9RGgwNZbtu7HObbXKXwozk68r//A2BwMFILcuFaSi1y1TOfgs1xdSr8wZPqLsGxLLSkruhmNnjO2fbYPYc33FW4OYoloTFeGZuL7Z1RGXUwDDZ59nqzH8DwKqfAmorJ2opyWS/igmEf1plWHQ=,iv:0+za47Ga2yfPcOlV4a8WniQ4wQma+k0+xqFqWvDXdGQ=,tag:Yoz3TvK7QtqwgZMVLJweoA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/hosts/joshua/default.nix b/hosts/joshua/default.nix
new file mode 100644
index 0000000..f2cdd3a
--- /dev/null
+++ b/hosts/joshua/default.nix
@@ -0,0 +1,18 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ../common/global
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "joshua";
+
+ sound.enable = true;
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+}
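Review bot: `sound.enable = true;` is set only on this host and not on norad, wopr or work, even though all four share the pipewire setup from ../common/global; with pipewire enabled it is likely redundant, and I believe the `sound.*` options are deprecated in recent nixpkgs, so expect an evaluation warning — confirm against the pinned nixpkgs and drop the line if so.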
diff --git a/hosts/joshua/hardware-configuration.nix b/hosts/joshua/hardware-configuration.nix
new file mode 100644
index 0000000..fd53e13
--- /dev/null
+++ b/hosts/joshua/hardware-configuration.nix
@@ -0,0 +1,98 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/32a45644-86e5-42c0-96e9-343e8078349e";
+ fsType = "btrfs";
+ options = ["subvol=root" "noatime"];
+ };
+
+ # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
+ #boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ # mkdir -p /mnt
+
+ # # We first mount the btrfs root to /mnt
+ # # so we can manipulate btrfs subvolumes.
+ # mount -o subvol=/ /dev/mapper/enc /mnt
+
+ # # While we're tempted to just delete /root and create
+ # # a new snapshot from /root-blank, /root is already
+ # # populated at this point with a number of subvolumes,
+ # # which makes `btrfs subvolume delete` fail.
+ # # So, we remove them first.
+ # #
+ # # /root contains subvolumes:
+ # # - /root/var/lib/portables
+ # # - /root/var/lib/machines
+ # #
+ # # I suspect these are related to systemd-nspawn, but
+ # # since I don't use it I'm not 100% sure.
+ # # Anyhow, deleting these subvolumes hasn't resulted
+ # # in any issues so far, except for fairly
+ # # benign-looking errors from systemd-tmpfiles.
+ # btrfs subvolume list -o /mnt/root |
+ # cut -f9 -d' ' |
+ # while read subvolume; do
+ # echo "deleting /$subvolume subvolume..."
+ # btrfs subvolume delete "/mnt/$subvolume"
+ # done &&
+ # echo "deleting /root subvolume..." &&
+ # btrfs subvolume delete /mnt/root
+
+ # echo "restoring blank /root subvolume..."
+ # btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ # # Once we're done rolling back to a blank snapshot,
+ # # we can unmount /mnt and continue on the boot process.
+ # umount /mnt
+ #'';
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/32a45644-86e5-42c0-96e9-343e8078349e";
+ fsType = "btrfs";
+ options = ["subvol=nix" "noatime"];
+ };
+
+ fileSystems."/persistent" = {
+ device = "/dev/disk/by-uuid/32a45644-86e5-42c0-96e9-343e8078349e";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = ["subvol=persist" "noatime"];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/323A-5741";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/1962cd0f-4063-4996-a33c-8ebaa9ecea1d";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
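Review bot: `options = ["subvol=persist" "noatime"];` for /persistent uses a different subvolume name from the other three hosts, which mount `subvol=persistent`; if the subvolume on joshua really is named `persist`, a short comment saying so would stop the next reader from "fixing" it, and if it is not, the mount fails at boot because the entry has `neededForBoot = true`. The `# Do not modify this file!` header no longer holds either, since the file carries the hand-added rollback block and the /persistent entry; consider dropping it.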
diff --git a/hosts/norad/default.nix b/hosts/norad/default.nix
new file mode 100644
index 0000000..c1126b2
--- /dev/null
+++ b/hosts/norad/default.nix
@@ -0,0 +1,26 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ../common/global
+ ../common/optional/wireless.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "norad";
+
+ # Slows down write operations considerably
+ nix.settings.auto-optimise-store = false;
+
+ services = {
+ logind.extraConfig = ''
+ HandleLidSwitchExternalPower=ignore
+ '';
+ };
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/norad/hardware-configuration.nix b/hosts/norad/hardware-configuration.nix
new file mode 100644
index 0000000..f9b6a44
--- /dev/null
+++ b/hosts/norad/hardware-configuration.nix
@@ -0,0 +1,102 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "firewire_ohci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/088d061d-7a81-4a91-9d97-c5958d5d4b6c";
+
+ # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
+ #boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ # mkdir -p /mnt
+
+ # # We first mount the btrfs root to /mnt
+ # # so we can manipulate btrfs subvolumes.
+ # mount -o subvol=/ /dev/mapper/enc /mnt
+
+ # # While we're tempted to just delete /root and create
+ # # a new snapshot from /root-blank, /root is already
+ # # populated at this point with a number of subvolumes,
+ # # which makes `btrfs subvolume delete` fail.
+ # # So, we remove them first.
+ # #
+ # # /root contains subvolumes:
+ # # - /root/var/lib/portables
+ # # - /root/var/lib/machines
+ # #
+ # # I suspect these are related to systemd-nspawn, but
+ # # since I don't use it I'm not 100% sure.
+ # # Anyhow, deleting these subvolumes hasn't resulted
+ # # in any issues so far, except for fairly
+ # # benign-looking errors from systemd-tmpfiles.
+ # btrfs subvolume list -o /mnt/root |
+ # cut -f9 -d' ' |
+ # while read subvolume; do
+ # echo "deleting /$subvolume subvolume..."
+ # btrfs subvolume delete "/mnt/$subvolume"
+ # done &&
+ # echo "deleting /root subvolume..." &&
+ # btrfs subvolume delete /mnt/root
+
+ # echo "restoring blank /root subvolume..."
+ # btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ # # Once we're done rolling back to a blank snapshot,
+ # # we can unmount /mnt and continue on the boot process.
+ # umount /mnt
+ #'';
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/2990-A0D7";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/8bcaf4f2-c648-420d-8605-72407206244c";
+
+ fsType = "btrfs";
+ options = ["subvol=root" "compress=zstd" "noatime"];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/8bcaf4f2-c648-420d-8605-72407206244c";
+ fsType = "btrfs";
+ options = ["subvol=nix" "compress=zstd" "noatime"];
+ };
+
+ fileSystems."/persistent" = {
+ device = "/dev/disk/by-uuid/8bcaf4f2-c648-420d-8605-72407206244c";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = ["subvol=persistent" "compress=zstd" "noatime"];
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking = {
+ useDHCP = lib.mkDefault true;
+ wireless = {
+ enable = true;
+ userControlled.enable = true;
+ };
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware = {
+ cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ graphics.enable = true;
+ };
+}
diff --git a/hosts/wopr/default.nix b/hosts/wopr/default.nix
new file mode 100644
index 0000000..bfd9de1
--- /dev/null
+++ b/hosts/wopr/default.nix
@@ -0,0 +1,23 @@
+{
+ imports = [
+ # Import your generated (nixos-generate-config) hardware configuration
+ ./hardware-configuration.nix
+
+ ../common/global
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "wopr";
+
+ services = {
+ logind.extraConfig = ''
+ HandleLidSwitchExternalPower=ignore
+ '';
+ };
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/wopr/hardware-configuration.nix b/hosts/wopr/hardware-configuration.nix
new file mode 100644
index 0000000..02a1988
--- /dev/null
+++ b/hosts/wopr/hardware-configuration.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "firewire_ohci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/e9671751-99d2-4a1c-84f1-1f58dc117fc1";
+
+ # Note `lib.mkBefore` is used instead of `lib.mkAfter` here.
+ boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -p /mnt
+
+ # We first mount the btrfs root to /mnt
+ # so we can manipulate btrfs subvolumes.
+ mount -o subvol=/ /dev/mapper/enc /mnt
+
+ # While we're tempted to just delete /root and create
+ # a new snapshot from /root-blank, /root is already
+ # populated at this point with a number of subvolumes,
+ # which makes `btrfs subvolume delete` fail.
+ # So, we remove them first.
+ #
+ # /root contains subvolumes:
+ # - /root/var/lib/portables
+ # - /root/var/lib/machines
+ #
+ # I suspect these are related to systemd-nspawn, but
+ # since I don't use it I'm not 100% sure.
+ # Anyhow, deleting these subvolumes hasn't resulted
+ # in any issues so far, except for fairly
+ # benign-looking errors from systemd-tmpfiles.
+ btrfs subvolume list -o /mnt/root |
+ cut -f9 -d' ' |
+ while read subvolume; do
+ echo "deleting /$subvolume subvolume..."
+ btrfs subvolume delete "/mnt/$subvolume"
+ done &&
+ echo "deleting /root subvolume..." &&
+ btrfs subvolume delete /mnt/root
+
+ echo "restoring blank /root subvolume..."
+ btrfs subvolume snapshot /mnt/root-blank /mnt/root
+
+ # Once we're done rolling back to a blank snapshot,
+ # we can unmount /mnt and continue on the boot process.
+ umount /mnt
+ '';
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ neededForBoot = true;
+ fsType = "btrfs";
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/0ceef315-a8bb-4899-b037-4ad4b6d094a7";
+
+ fsType = "btrfs";
+ options = ["subvol=root" "noatime"];
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/0ceef315-a8bb-4899-b037-4ad4b6d094a7";
+ fsType = "btrfs";
+ options = ["subvol=nix" "noatime"];
+ };
+
+ fileSystems."/persistent" = {
+ device = "/dev/disk/by-uuid/0ceef315-a8bb-4899-b037-4ad4b6d094a7";
+ fsType = "btrfs";
+ neededForBoot = true;
+ options = ["subvol=persistent" "noatime"];
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-label/swap";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking = {
+ useDHCP = lib.mkDefault true;
+ wireless = {
+ enable = true;
+ userControlled.enable = true;
+ };
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
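Review bot: in `boot.initrd.postDeviceCommands`, `mount -o subvol=/ /dev/mapper/enc /mnt` is not checked before the subvolume deletion loop runs, so if the mount fails the `btrfs subvolume list -o /mnt/root | ... btrfs subvolume delete` pipeline operates on an empty /mnt inside the initrd; it should mostly fail harmlessly, but boot then continues with an unreset root and no clear diagnostic. Chaining the mount into the existing `&&` sequence, `mount -o subvol=/ /dev/mapper/enc /mnt &&` ahead of the list, makes the rollback all-or-nothing; whether stage 1 runs this snippet under `set -e` I cannot tell from here. This active rollback is also what makes the `/var/lib/sops-nix/keys.txt` persistence question raised on hosts/common/global/sops.nix bite on this host.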
diff --git a/hosts/work/default.nix b/hosts/work/default.nix
new file mode 100644
index 0000000..c419fd9
--- /dev/null
+++ b/hosts/work/default.nix
@@ -0,0 +1,62 @@
+{config, ...}: {
+ imports = [
+ ./hardware-configuration.nix
+
+ ../common/global
+ ../common/optional/wireless.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "work";
+
+ # Slows down write operations considerably
+ nix.settings.auto-optimise-store = false;
+
+ services = {
+ logind.extraConfig = ''
+ HandleLidSwitchExternalPower=ignore
+ '';
+ };
+
+ virtualisation.docker = {
+ enable = true;
+
+ daemon.settings = {
+ userland-proxy = false;
+ experimental = true;
+ metrics-addr = "0.0.0.0:9323";
+ ipv6 = true;
+ fixed-cidr-v6 = "fd00::/80";
+ };
+ # rootless = {
+ # enable = true;
+ # setSocketVariable = true;
+ # };
+ storageDriver = "btrfs";
+ };
+
+ users.users.sadbeast = {
+ hashedPasswordFile = config.sops.secrets.sadbeast-password.path;
+
+ extraGroups = ["docker"];
+
+ subUidRanges = [
+ {
+ startUid = 100000;
+ count = 65536;
+ }
+ ];
+ subGidRanges = [
+ {
+ startGid = 100000;
+ count = 65536;
+ }
+ ];
+ };
+
+ # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+ system.stateVersion = "24.05";
+}
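Review bot: `metrics-addr = "0.0.0.0:9323";` exposes the Docker daemon's metrics endpoint on every interface of a laptop that also enables wireless; unless something opens TCP 9323 in the NixOS firewall (on by default) it stays unreachable, but the binding that needs no firewall reasoning is `metrics-addr = "127.0.0.1:9323";`, with a comment if a remote scraper is actually intended. Unrelated, hosts/common/secrets.yaml defines a `work-password` entry that nothing declares or references, and `hashedPasswordFile = config.sops.secrets.sadbeast-password.path;` here only repeats the value from common/global; if the work host was meant to use a distinct password it needs a `sops.secrets.work-password` declaration and this line pointed at it.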
diff --git a/hosts/work/hardware-configuration.nix b/hosts/work/hardware-configuration.nix
new file mode 100644
index 0000000..f174382
--- /dev/null
+++ b/hosts/work/hardware-configuration.nix
@@ -0,0 +1,64 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_usb_sdmmc"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/0ac2bd64-7a06-4972-af6e-beffa6567ba7";
+ fsType = "btrfs";
+ options = ["subvol=root"];
+ };
+
+ boot.initrd.luks.devices."work".device = "/dev/disk/by-uuid/7ce450be-7739-476e-9a8d-e25e57d8707f";
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/0ac2bd64-7a06-4972-af6e-beffa6567ba7";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ fileSystems."/persistent" = {
+ device = "/dev/disk/by-uuid/0ac2bd64-7a06-4972-af6e-beffa6567ba7";
+ fsType = "btrfs";
+ options = ["subvol=persistent"];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/A468-9833";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-label/swap";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking = {
+ useDHCP = lib.mkDefault true;
+ wireless = {
+ enable = true;
+ userControlled.enable = true;
+ };
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware = {
+ cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ graphics.enable = true;
+ };
+}
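Review bot: `fileSystems."/persistent"` here lacks the `neededForBoot = true;` that joshua, norad and wopr all set on their /persistent mount, so on work that subvolume is mounted late rather than in stage 1; once the commented-out persistence in hosts/common/global is enabled, anything expected under /persistent during early activation (the sops age key, /etc/machine-id) would be missing on this host only. Adding `neededForBoot = true;` to the block keeps the four hosts consistent. The `options = ["subvol=root"]` entries also omit the `noatime` used on the other hosts; harmless, but worth confirming it is intentional.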