From 1bf1cb10d838323418506d505fc8f0845c13f047 Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Sat, 8 Jun 2024 21:06:59 -0400
Subject: [PATCH] setting up BOB
---
 .sops.yaml | 6 +-
 .vscode/settings.json | 3 +
 systems/bob/configuration.nix | 58 +++++++++++++++++++
 systems/bob/default.nix | 8 +++
 systems/bob/hardware.nix | 66 +++++++++++++++++++++
 users/richie/home/vscode/settings.json | 5 +-
 users/richie/secrets.yaml | 79 ++++++++++++++------------
 7 files changed, 187 insertions(+), 38 deletions(-)
 create mode 100644 systems/bob/configuration.nix
 create mode 100644 systems/bob/default.nix
 create mode 100644 systems/bob/hardware.nix
diff --git a/.sops.yaml b/.sops.yaml
index 1abe5ba..9986e85 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,9 +9,10 @@ keys:
 # cspell:disable
 - &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
 - &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
+ - &bob age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063
 - &jeeves age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w
 - &jeeves-jr age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh
+ - &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
 - &rhapsody-in-green age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy
 # cspell:enable
@@ -73,7 +74,7 @@ creation_rules:
 - *admin_alice
 age:
 - *artemision
-
+
 - path_regex: users/richie/secrets\.yaml$
 key_groups:
 - pgp:
@@ -83,3 +84,4 @@ creation_rules:
 - *jeeves
 - *jeeves-jr
 - *rhapsody-in-green
+ - *bob
diff --git a/.vscode/settings.json b/.vscode/settings.json
index d2dbc97..cbdb712 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -28,6 +28,7 @@
 "dialout",
 "direnv",
 "disren",
+ "dmask",
 "dotfiles",
 "eamodio",
 "errorlens",
@@ -37,6 +38,7 @@
 "filebrowser",
 "fileroller",
 "Filesystems",
+ "fmask",
 "foxundermoon",
 "gamescope",
 "gparted",
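Review bot: Every value in `users/richie/secrets.yaml` becomes decryptable by the new desktop's key once `- *bob` is appended to that rule's age list in the third `.sops.yaml` hunk, and nothing in the patch shows that bob needs all of them. If bob only consumes a subset, a separate creation rule for a per-host file would keep the exposure from that one host key smaller. Which entries bob actually reads is not visible here, so treat that as a question for the author. A short comment above the list, such as `# every key listed here can decrypt all of richie's secrets`, would make the scope explicit when the next host is added. The start of the rule's age list lies outside the hunk.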
@@ -92,6 +94,7 @@
 "radarr",
 "Redistributable",
 "ripgrep",
+ "rpool",
 "rspace",
 "rtkit",
 "Sandro",
diff --git a/systems/bob/configuration.nix b/systems/bob/configuration.nix
new file mode 100644
index 0000000..3fedd1a
--- /dev/null
+++ b/systems/bob/configuration.nix
@@ -0,0 +1,58 @@
+{
+ imports = [
+ ./hardware.nix
+ ../../users/richie/global/syncthing_base.nix
+ ../../users/richie/global/zerotier.nix
+ ];
+
+ boot = {
+ useSystemdBoot = true;
+ default = true;
+ };
+
+ networking = {
+ networkmanager.enable = true;
+ hostId = "9ab3b18e";
+ };
+
+ hardware = {
+ pulseaudio.enable = false;
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ };
+
+ security.rtkit.enable = true;
+ sound.enable = true;
+
+ services = {
+ openssh.settings.PermitRootLogin = "yes";
+
+ autopull.enable = false;
+
+ displayManager.sddm.enable = true;
+
+ xserver = {
+ enable = true;
+ desktopManager.plasma5.enable = true;
+ xkb = {
+ layout = "us";
+ variant = "";
+ };
+ };
+
+ printing.enable = true;
+
+ pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+ };
+
+ system.autoUpgrade.enable = false;
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/bob/default.nix b/systems/bob/default.nix
new file mode 100644
index 0000000..712e2ed
--- /dev/null
+++ b/systems/bob/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ users = [ "richie" ];
+ system = "x86_64-linux";
+ home = true;
+ sops = true;
+ server = false;
+}
diff --git a/systems/bob/hardware.nix b/systems/bob/hardware.nix
new file mode 100644
index 0000000..e868d89
--- /dev/null
+++ b/systems/bob/hardware.nix
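Review bot: `openssh.settings.PermitRootLogin = "yes";` in the `services` block of `systems/bob/configuration.nix` lets root authenticate over SSH by password unless password authentication is disabled in a module this patch does not show. The same patch adds this host's key as a sops recipient and imports a zerotier module, so `openssh.settings.PermitRootLogin = "prohibit-password";` (or `"no"`) would be the safer setting while keeping key-based administration. The file also sets `autopull.enable = false` and `system.autoUpgrade.enable = false`, so patching depends on manual rebuilds. A one-line comment stating why both are off, for example `# updates applied manually during initial setup`, would tell the next reader whether that is temporary.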
@@ -0,0 +1,66 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot = { + initrd = { + availableKernelModules = [ + "nvme" + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + ]; + kernelModules = [ ]; + luks.devices = { + "luks-rpool-nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2".device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_1TB_S6S1NS0T617615W-part2"; + }; + }; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; + + fileSystems = { + "/" = lib.mkDefault { + device = "rpool/root"; + fsType = "zfs"; + }; + + "/home" = { + device = "rpool/home"; + fsType = "zfs"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/8AE6-270D"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/2ece9ba5-e892-400d-8b50-2126a8eb2fa0"; } ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp11s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/users/richie/home/vscode/settings.json b/users/richie/home/vscode/settings.json index 1a91806..737d000 100644 --- a/users/richie/home/vscode/settings.json 
+++ b/users/richie/home/vscode/settings.json
@@ -62,5 +62,8 @@
 "redhat.telemetry.enabled": true,
 "gitlens.plusFeatures.enabled": false,
 "github.copilot.editor.enableAutoCompletions": true,
- "explorer.confirmPasteNative": false
+ "explorer.confirmPasteNative": false,
+ "github.copilot.enable": {
+ "*": false
+ }
 }
diff --git a/users/richie/secrets.yaml b/users/richie/secrets.yaml
index 8d671ff..0870c25 100644
--- a/users/richie/secrets.yaml
+++ b/users/richie/secrets.yaml
@@ -11,60 +11,69 @@ sops: - recipient: age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NjRCZ3RYS3g1amQxRUJt - bGxFdHRuU3d2eHlnRlZPQjg5dUN0cGhWelNzCjhWTXNNcmhFNFgwVmRISUZVa0JM - SHRQN2UxRllhZXBlNGJWZEhteDFYM2cKLS0tIFJ3T0V2RWNkTjJNTTJEYTZZb1pa - a1NNazgzWDQ5QUVHU285dkRIY0s0YVkKxhqUovG8RPsn48RCy6ibbLIFeh9rZC1t - idys8aiy3Tk1sMAb7miHjDkilfqwcUwAS+OSsXXiwCfY1V/+SrrQaQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VGsycE1JQUFXbmZOQ3dP + VlMzVllzemN3WWd2dFc4UEdKSnVmcHhNaFZNCmVLZG54RWIybVl3dXNpQ2NLVnBh + dUdKWlJ1dXZ3MFZ1Y2tQVzNJR3pYcjAKLS0tIFFiRHIzZEpjNml3Mm1GOUhRWjBy + UVMwemZIY1RTWkVmQXE3allUNzdLWlkKPBVTtbgPXXnbclANx4nysXeTWmSoIuAg + NfCnCPPgYqe+zW3XL9czEjxyTyH25lnkAWckUhCch3g2uA/7uV1xlg== -----END AGE ENCRYPTED FILE----- - recipient: age128ehc0ssgwnuv4r8ayfyu7r80e82xrkmv63g7h9y9q4mhk4w9dyqfymc2w enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZnF1RnI2MXZtdVVpZjFo - OUlFMFF5ZDZtYmxRUXVOSTNEVE1hTVlsU1FNCmo5WFYwL2Iyb3RhOXJ4WGlRMk1C - bWR1TGp0V1BNV3o4N3FHekNHM1BYTnMKLS0tIFh0R3N1cklQZ29vdkNIY2ZzUGpR - T2Z6NGRFaDlYUWM2TlVZc1Z5UjJvSjgKwmFszve3db2sAxg76SxoGgQ/x0ZYixev - OHx/DdCUfjQHhI0gNXC9XhySPGhYM4xbCZDEe2gp4QFFtToA+feP7Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2blVUSngvekRPMFRmanhy + c08rZ05TdGtLMVZIdjRrY3Nmclo1eVhqNDFzCnhLQlg5YURCUzR3dStva0llN0Z0 + ZzJxVDdRK3pER0RTTVZRS0dhZkkxTEUKLS0tIExNd0ptYm9PY3FnelZmcmgyc3l4 + SE1hU1hzOFVhTThBTmg3LzlvMUljdEUKCwkZlOduNCrNZ7S/aDJfVkUny6uCIdQu + 3sVk5mtz5hwWtycfMNC8+y67S+VzSZPY3GeBN3f9ShWEFT+sM6k3Dg== -----END AGE ENCRYPTED FILE----- - recipient: age1lffr5f5nz0nrenv3ekgy27e8sztsx4gfp3hfymkz77mqaa5a4gts0ncrrh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpK1hCeVVZQWtMMHZDalo2 - L1FFcVhseFpNMEhOREQ0Tnk1TWlrSzMvRTBBCjh4bkovWlpFNFY5c2dMM2pZV2lT - a200dFVtUWp2ZmxBU01pajRZN1NRMmcKLS0tIHd5K25MTVVKc1Z0aTNoeTlacVhT - 
ZS9MNGxLa0gwdmdmYVovb1NWMFBpMTAKssTiKdnnfWo5B8WAF64FM8hDLi/nU0Ay - 5NY3gTYsKyq/pnVFOp1NKU4I6SuV8jWabwVqpsRXYvC5X7Ec1ZQv5Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RE9lK0xUTXhTQWtJL2V5 + SURFZ0Q4R3FiVkFnbUVEeE0yWUNsRjh6WjFzCjdHVnBNTDVVTk0zOWtuWTdMbXZQ + eVpmNE90RzkyTWN4eWs2SUdubFZ2ek0KLS0tIEZaQis2Z1R6SURhT3g3ZHVTQU1R + M1h3dFZXQStBSGtveENQTi9jeGVSRGcKFoTwIJFF4gMX9854JaGt1M8lcKDWijk0 + LU22l0GOL9h4EFlIFE3keahXO+47Cjr92uMrlAnsX+xdnH0uPdxrNA== -----END AGE ENCRYPTED FILE----- - recipient: age1c7adjulcrma0m7l5ur8efxdjzyskrqcwssfkt77a9rmma7gzss5q02pgmy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dTJiV3VHVEh5SENKbFdw - TjN5ZlZTZlZBQVVHbktHNUNDQmRnVXMvV0dnCjYwRXFnK2pzcmxDSzZQV1FhR2pL - MTdZYzFUYjFUZ0Y4ODBrWTVDaWJxRUkKLS0tIEh5RXE5NktUOTdxamR4S3RCdm0z - ZjFHcmtnd3lPbVdjSDVBenlBR0FOV28KwcBVT9q/OKnMvAkrWe9/+HB2qknSOurA - nKDYMNExyE6K/uOKKbkH0ucaYBN+7+/b50nfUl5i/tfJvIUaWkwQUg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWUhhS0RjcVQvMnRYZDl4 + eFRZbjNDN1ZlRS9neURWdW9tMmV5RiszSGkwCm91b3dWQXVxRlEzMEVnd1lkT3hI + U2oxK1psMHZROTRNd2gremxmS1l1WXcKLS0tIHlsTy9qcUlySlZ4dHo2czBiaVlE + REg4THhDRmdZOHJGVmxZcmIxUThTMUkKeyTq4ibHWukJx+9ApBSt9y3sfy9895Sf + pa2Kkw1VsnQhvEW0+IeRoQnxeQB6rAXlftNhtEodc6d3w+ny/tI3kA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13jg97cvy63fzd2ccthcwvfyyxzw5vmwun8s0afq5l4xm0mhl6pjqhne063 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bU5OTWFBNkRRdEFzblhk + VDE1cUdUTHNVUmkzdDFkWHBXL0gxMHVjMjFjCjVLQXROWWErTFhVckorSHZJWG9D + a1BobEorVXdNTC8xcGpvdUZKem04R2cKLS0tIG1TU2ViWTJ2SUxVMG9jOE41bGVk + QWVIUEJxV1diZG0xaUNNMmJaUUhIRHcKlAweCd38TNHdyIhzXIdjgEBj10bn6KK/ + 0e0qgyWNfkJtBYF2PhaBcr7l58dHSbQXXomgG2npGxPGVYMtoLPTsg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-04-13T17:27:06Z" mac: 
ENC[AES256_GCM,data:xzVCCVSfQz7fH+z3veZI5uJA6eBDRMT5kPT2Qq/KlESKJC4MVn6ErTbdDEFEnfa7vmqnBArPIEWdkSSbPTAvZbCMzuQTUVsjKbHnnvZsVypl0ScVgupGYq/+UhVoW8vKukXMAZ2dZfMWGn3Sso+DpWhR83Pf8FF8Xey4YcJzpIs=,iv:5oDREhX2gxypLurd0lyINklrf2DU/1SyD4sXiO/THUI=,tag:MvlitzHGiRCHJszLn5zoWg==,type:str] pgp: - - created_at: "2024-04-03T21:19:44Z" + - created_at: "2024-06-09T00:29:47Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA29thaGx06tOAQ/+I3rMi9xjj2DtbhPnMAt7QMBdgu+sK/UU6kLlhnhgTu8m - PChhtOagtqjUGKL1PQZTm3bUfauhSVum2RVAef5BKC8+QNTo9FN02cDksRyvEWqZ - BnXS6CCKC3skRoabArPTu1Geivw/7cuMrVXatZF+ol39wzOYUL0fVbBwWJ+BkzZ2 - K/ZGVvLzO5HGxJzAcVDkxXo5QJOBGwVZEtcKnANLbX1CbUGkEUhU3IzBQ8sb7iYk - JCDMnapEehjDIaIDQfCP2YFT3tY9Ab9iPM+2SSwf8JDPC2EAQqWl4Kw50xtqS/l1 - FAZ6B3zcN6II79mMjh1gV+md6D9KZEccR1xgGztFFPYzO6ncfuVa3UHe66mNCL/u - y6ag+1Ct+1BMGLFp3T8EPIWZcG533zTfMxv/TG1BQVx+ZWROloyZzoIoLwduU7cw - 4yV+ta+BaiJf+5M+H0WHaS+v2OdBhtgvxQieI0IQJtIThIi4yBgrRkF6nnsWaMKh - qLB/yyIPUIRjqJhVPAqCuA6sYxmHqVeM07hienxzmaqQaopaHx7C0x3Jhr90hdjR - F2LDUyKfj2T67wYvpI2m/ioYvS7okUANsvgJsRzxiZrj+MxEy7AcXeDK6/sI1Xgu - eN9A3rJxj5ZyslTwDsUvSEDmrS8utQ7qtWJwfpPKe763GGNM6cC/UeDDlrgsw8LS - XgFjqFSBAGiXkp90FDm0sMdvD1twvwG9s7PF2qv15VYwPiVfLTPWvfInRfWVCbIN - 9IqVbtk/NviuyEGz6yGiNKulbRjKeq+oAwgXddaXY4uHruLEr/SYKbfOAJuHBRo= - =pXkD + hQIMA29thaGx06tOAQ//RvcNg6H6CeLvrdLSb7ohPkZGPwgxkIyn8a384ybg5nX3 + TiV1aDlg4RNyvQY371ixYVIO4ddjC2OMyt43ghHIUvH2Lp6dn2anPuqlMXXOTeYL + nEH09fsuZ3Mkg6F30MQH3tBOHvkroKPQCA9Y2JSQhkfO1GsAAm1PhCUgqJDKDK38 + /fwWSPvrOQDhdRDhTVmAHKRpH6XvSN8d5QUWqwaII+34JkQRFNNhqJZCu04QP0Yy + CaceNJg9IoBy2n2nJZ3zQfzOvxujPEnsXnuQ67Oa2GCwwNEsxfjjeFApi97zOeQA + 0LwM6iZGz/d5hdb7HVCVUuU2H9QPNuYWYNEIFJTJjOUY0osaBe+a7xPY4dm5YNsS + Y5VMup6SQINoXQcabkwU2zjbEEEEFWjDrszweLn/YBEdkT1vkJ/Gnrl8j3udYZs4 + /xC/xIbIFjOhXmIi+I4WbeQK8bspS+EbEGT/t+iE2mf3zEjZsjVppGtX1rVoGE1x + 1H3P2IK6CBiT9d8A7ocLFYdGRoXreQyDNJqd4u0XRMjbTgC2rWbOsaBJDzjyQKXV + oAR8o04wwB0wZZaAYYwb6bIqa/UFO2ZKUvQVu8wDVMt0NBwHSMVivu5ArqZwl+pj + 
Fyy+t6+JVdvATsBfWEyejJ3Y4jjGUCJPkbAdkAxACdmfikye0A+Je4QGOBctMOzS + XgE9V6KGRqKrr2aZBCMgg4H2hoqQLGpQAEKadJ8RvU7PM6C0wbF/5XNPce8rUqOw + 87Bn3wdcQcxCtWHSOj1o0SKRrQ9PlxfnvnVcCGW/vyKbWGvs5JNYMs3IfQ6xXnA= + =OVS5 -----END PGP MESSAGE----- fp: 29F5017C95D9E60B1B1E8407072B0E0B8312DFE3 unencrypted_suffix: _unencrypted