add argiletum
+10
@@ -9,6 +9,10 @@ keys:
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &selinunte age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
# argiletum: replace placeholder after first boot with:
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# then run: sops updatekeys systems/argiletum/secrets.yaml
- &argiletum age1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
# cspell:enable
# cspell:enable
# add new users by executing: sops users/<user>/secrets.yaml
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
# then have someone already in the repo run the below
@@ -55,3 +59,9 @@ creation_rules:
- *admin_alice
- *admin_alice
age:
age:
- *palatine-hill
- *palatine-hill
- path_regex: systems/argiletum/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *argiletum
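Review bot: The `&argiletum` entry added at the end of the keys list is a placeholder rather than a real age recipient, and because age recipients are bech32-encoded, an all-`a` payload will almost certainly fail checksum validation, so sops can be expected to refuse to encrypt under the new `systems/argiletum/secrets.*\.yaml$` rule — including the `sops updatekeys` step the comment prescribes — until the real key replaces it. That is fail-closed and acceptable, but the comment block above the entry should state it; suggest adding `# NOTE: placeholder is deliberately invalid; sops will refuse to encrypt for argiletum until it is replaced`. The same comment should also make clear that the real value must be committed and `updatekeys` run before the first sops-nix activation on the host, since the host can only decrypt a file that was re-encrypted for its own key. The key_groups rule in the second hunk is consistent with this (one group, pgp admin plus the host age key), so no change is needed there.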
@@ -0,0 +1,25 @@
{ lib, ... }:
{
time.timeZone = "America/New_York";
networking = {
hostId = "5f8a1c2e";
firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
};
useNetworkd = true;
};
# Raspberry Pi 4 uses U-Boot / extlinux, not systemd-boot
boot.useSystemdBoot = lib.mkForce false;
sops = {
defaultSopsFile = ./secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
services.tang.enable = true;
system.stateVersion = "25.11";
}
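Review bot: `services.tang.enable = true` is combined with a firewall that opens only TCP 80, yet nothing in this hunk sets `services.tang.listenStream`, so whether tang is actually reachable on 80 depends on the NixOS module's default listen port (which, as far as I recall, is not 80); make the intent explicit with `services.tang.listenStream = [ "80" ];` next to the enable line, or change `allowedTCPPorts` to the port the module really binds, and add a comment naming the Clevis clients this port serves. Tang's security model assumes only trusted-network clients can reach the advertisement and recovery endpoint, so the exposure should also be narrowed with `services.tang.ipAddressAllow = [ "<LAN prefix - placeholder>" ];` rather than accepting any client that can reach the interface. The sops block is consistent with the `.sops.yaml` comment (host ed25519 key via `age.sshKeyPaths`), so no change is needed there.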
@@ -0,0 +1,11 @@
{ inputs, ... }:
{
system = "aarch64-linux";
server = true;
home = false;
sops = true;
users = [ "alice" ];
modules = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
];
}
@@ -0,0 +1,21 @@
# TODO: replace with the output of:
# sudo nixos-generate-config --show-hardware-config
# run on the Pi after initial boot into the NixOS installer.
{ ... }:
{
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
fileSystems."/boot/firmware" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [ ];
}