repair flake.lock, update disko

add draft scripts for hetzner install
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
2025-04-01 15:17:41 -04:00 · 2025-04-01 15:15:55 -04:00 · 2025-04-01 15:15:55 -04:00 · 2025-04-01 15:15:55 -04:00 · 2025-04-01 15:15:55 -04:00 · 2025-04-01 15:15:55 -04:00
26 changed files with 303 additions and 84 deletions
--- a/README.md
+++ b/README.md
@ -14,7 +14,9 @@ to onboard a new user or system.

 Although we are not actively looking for new members to join in on this repo,
 we are not strictly opposed. Please reach out to
-[@ahuston-0](https://nayeonie.com/ahuston-0) for further information.
+[@ahuston-0](https://github.com/ahuston-0) or
+[@RichieCahill](https://github.com/RichieCahill)
+for further information.

 ## Repo Structure

--- a/disko/hetzner.nix
+++ b/disko/hetzner.nix
@ -0,0 +1,47 @@
+# USAGE in your configuration.nix.
+# Update devices to match your hardware.
+# {
+#  imports = [ ./disko-config.nix ];
+#  disko.devices.disk.main.device = "/dev/sda";
+# }
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+              priority = 1;
+            };
+            root = {
+              end = "-1G";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+            encryptedSwap = {
+              size = "1G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                priority = 100; # prefer to encrypt as long as we have space for it
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@ -107,7 +107,8 @@ rules.
 We allow secrets to be embedded in the repository using `sops-nix`. As part of
 the process everything is encrypted, however adding a new user is a change
 that every existing SOPS user needs to participate in. Please reach out to
-[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested
+[@ahuston-0](https://github.com/ahuston-0) or
+[@RichieCahill](https://github.com/RichieCahill) if you are interested
 in using secrets on your machines.

 ## CI/CD
--- a/docs/sample-setup.sh
+++ b/docs/sample-setup.sh
@ -121,7 +121,7 @@ fi
 DOTS="/mnt/root/dotfiles"
 GC="git -C $DOTS"
 sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists"
-sudo $GC clone https://nayeonie.com/ahuston-0/nix-dotfiles.git .
+sudo $GC clone https://github.com/RAD-Development/nix-dotfiles.git .
 sudo $GC checkout "$FEATUREBRANCH"

 # Create ssh keys
@ -179,4 +179,4 @@ Host github.com
        IdentityFile /root/.ssh/id_ed25519_ghdeploy
 EOF
 printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config
-sudo "$GC" remote set-url origin 'ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git'
+sudo "$GC" remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'
--- a/flake.lock
+++ b/flake.lock
@ -67,6 +67,27 @@
        "type": "github"
      }
    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
    "firefox-addons": {
      "inputs": {
        "flake-utils": [
@ -78,11 +99,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1743720325,
-        "narHash": "sha256-0kNs86ZUODyUZbo9dnR6Fyw614I8tVeWe2XrT8/1Qes=",
+        "lastModified": 1743483509,
+        "narHash": "sha256-aHnOrBV4UpVQuv9RHmYaRb0jZRBpmeDWsZWBRoSCc5w=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "479bd1b7c20efc5ced112c2c41b76f2df794439c",
+        "rev": "692aba39210127804151c9436e4b87fe1d0e0f2b",
        "type": "gitlab"
      },
      "original": {
@ -127,11 +148,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
@ -312,11 +333,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743717835,
-        "narHash": "sha256-LJm6FoIcUoBw3w25ty12/sBfut4zZuNGdN0phYj/ekU=",
+        "lastModified": 1743482579,
+        "narHash": "sha256-u81nqA4UuRatKDkzUuIfVYdLMw8birEy+99oXpdyXhY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "66a6ec65f84255b3defb67ff45af86c844dd451b",
+        "rev": "c21383b556609ce1ad901aa08b4c6fbd9e0c7af0",
        "type": "github"
      },
      "original": {
@ -332,11 +353,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1743534164,
-        "narHash": "sha256-cdvSIXdHmNy1cHf7JqaG/Sq2do0pJRBtL0f8MFehaLA=",
+        "lastModified": 1743447171,
+        "narHash": "sha256-5+lbBGlOmVa+dNY8L4ElDCkB7+VedZpPTcBOFIF+0TM=",
        "ref": "add-gitea-pulls",
-        "rev": "86d0009448b11c1ba155abedee556bb7fb948b58",
-        "revCount": 4328,
+        "rev": "a20f37b97fa43eea1570bf125ee95f19ba7e2674",
+        "revCount": 4327,
        "type": "git",
        "url": "https://nayeonie.com/ahuston-0/hydra"
      },
@ -500,11 +521,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743688629,
-        "narHash": "sha256-qiaUSW+wVGFM8iFSyXtTm0AJmiKPtLqOkOpGKaGmdns=",
+        "lastModified": 1743178092,
+        "narHash": "sha256-fOMsQpcdIbj+wOexiCSEW2J4Erqd0LRV25aYiOx4QRw=",
        "owner": "SuperSandro2000",
        "repo": "nixos-modules",
-        "rev": "c7021349367270a397b717683004666bdcfd0b8a",
+        "rev": "77ff511df92a9d4a828bdf032b8f48e7c3d99b50",
        "type": "github"
      },
      "original": {
@ -531,11 +552,11 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1743296961,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "lastModified": 1740877520,
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
        "type": "github"
      },
      "original": {
@ -546,11 +567,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1743576891,
-        "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=",
+        "lastModified": 1743367904,
+        "narHash": "sha256-sOos1jZGKmT6xxPvxGQyPTApOunXvScV4lNjBCXd/CI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "44a69ed688786e98a101f02b712c313f1ade37ab",
+        "rev": "7ffe0edc685f14b8c635e3d6591b0bbb97365e6c",
        "type": "github"
      },
      "original": {
@ -562,11 +583,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1743732435,
-        "narHash": "sha256-RrWgOj3F1N6kDG0xatvZzP0p1Zq00yhcTMlaj4bWi5E=",
+        "lastModified": 1743472173,
+        "narHash": "sha256-xwNv3FYTC5pl4QVZ79gUxqCEvqKzcKdXycpH5UbYscw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a462b946265ed006720d02153882780b12a8376d",
+        "rev": "88e992074d86ad50249de12b7fb8dbaadf8dc0c5",
        "type": "github"
      },
      "original": {
@ -625,6 +646,7 @@
    },
    "root": {
      "inputs": {
+        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
@ -653,11 +675,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743682350,
-        "narHash": "sha256-S/MyKOFajCiBm5H5laoE59wB6w0NJ4wJG53iAPfYW3k=",
+        "lastModified": 1743475035,
+        "narHash": "sha256-uLjVsb4Rxnp1zmFdPCDmdODd4RY6ETOeRj0IkC0ij/4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "c4a8327b0f25d1d81edecbb6105f74d7cf9d7382",
+        "rev": "bee11c51c2cda3ac57c9e0149d94b86cc1b00d13",
        "type": "github"
      },
      "original": {
@ -673,11 +695,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743756170,
-        "narHash": "sha256-2b11EYa08oqDmF3zEBLkG1AoNn9rB1k39ew/T/mSvbU=",
+        "lastModified": 1743502316,
+        "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "cff8437c5fe8c68fc3a840a21bf1f4dc801da40d",
+        "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8",
        "type": "github"
      },
      "original": {
@ -714,11 +736,11 @@
        "tinted-zed": "tinted-zed"
      },
      "locked": {
-        "lastModified": 1743733287,
-        "narHash": "sha256-Yg2225KQ3hM6VJSPLRz7/+Ci3A9t4c/L5GZDFD/MGRU=",
+        "lastModified": 1743496321,
+        "narHash": "sha256-xhHg8ixBhZngvGOMb2SJuJEHhHA10n8pA02fEKuKzek=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "ac8dd8b1a6bc2d367f7ec8e39e0032f03ae9a458",
+        "rev": "54721996d6590267d095f63297d9051e9342a33d",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -5,7 +5,7 @@
    substituters = [
      "https://cache.nixos.org/?priority=1&want-mass-query=true"
      "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
-      # "https://attic.nayeonie.com/nix-cache"
+      "https://attic.nayeonie.com/nix-cache"
    ];
    trusted-substituters = [
      "https://cache.nixos.org"
@ -19,7 +19,6 @@
    ];
    trusted-users = [ "root" ];
    allow-import-from-derivation = true;
-    fallback = true;
  };

  inputs = {
@ -41,6 +40,12 @@
    #     flake-parts.follows = "flake-parts";
    #   };
    # };
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+      };
+    };

    firefox-addons = {
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@ -137,7 +142,7 @@
      systems = [
        "x86_64-linux"
        # disable arm for now as hydra isn't set up for it
-        # "aarch64-linuxa
+        # "aarch64-linux"
      ];

      forEachSystem = lib.genAttrs systems;
@ -153,7 +158,7 @@
          lib = self;
        }
      );
-      inherit (lib.adev.systems) genSystems getImages;
+      inherit (lib.rad-dev.systems) genSystems getImages;
      inherit (self) outputs; # for hydra
    in
    rec {
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  # create adev namespace for lib
-  adev = rec {
+  # create rad-dev namespace for lib
+  rad-dev = rec {
    systems = import ./systems.nix { inherit lib; };
    container-utils = import ./container-utils.nix { inherit lib; };

--- a/lib/systems.nix
+++ b/lib/systems.nix
@ -176,7 +176,7 @@ rec {
          (configPath + "/configuration.nix")
        ]
        ++ modules
-        ++ (lib.adev.fileList (src + "/modules"))
+        ++ (lib.rad-dev.fileList (src + "/modules"))
        ++ genWrapper sops genSops args
        ++ genWrapper home genHome args
        ++ genWrapper true genUsers args
@ -222,7 +222,7 @@ rec {
            // import configPath { inherit inputs; }
          );
        }
-      ) (lib.adev.lsdir path)
+      ) (lib.rad-dev.lsdir path)
    );

  # gets all the images of a specified format
--- a/modules/autopull.nix
+++ b/modules/autopull.nix
@ -61,7 +61,7 @@ in
    lib.mkIf cfg.enable {
      environment.systemPackages =
        [ pkgs.git ]
-        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
+        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
          pkgs.openssh
        ];

--- a/modules/kub_net.nix
+++ b/modules/kub_net.nix
@ -1,10 +1,10 @@
 { lib, config, ... }:
 let
-  cfg = config.services.adev.k3s-net;
+  cfg = config.services.rad-dev.k3s-net;
 in
 {
  options = {
-    services.adev.k3s-net = {
+    services.rad-dev.k3s-net = {
      enable = lib.mkOption {
        default = false;
        example = true;
--- a/modules/yubikey.nix
+++ b/modules/yubikey.nix
@ -5,11 +5,11 @@
  ...
 }:
 let
-  cfg = config.services.adev.yubikey;
+  cfg = config.services.rad-dev.yubikey;
 in
 {
  options = {
-    services.adev.yubikey = {
+    services.rad-dev.yubikey = {
      enable = lib.mkEnableOption "enable yubikey defaults";
      enable-desktop-app = lib.mkEnableOption "installs desktop application";
    };
--- a/shell.nix
+++ b/shell.nix
@ -38,7 +38,7 @@ forEachSystem (
    };

    # constructs a custom shell with commonly used utilities
-    adev = pkgs.mkShell {
+    rad-dev = pkgs.mkShell {
      packages = with pkgs; [
        deadnix
        pre-commit
@ -56,7 +56,7 @@ forEachSystem (
    default = pkgs.mkShell {
      inputsFrom = [
        pre-commit
-        adev
+        rad-dev
        sops
      ];
    };
--- a/systems/artemision/configuration.nix
+++ b/systems/artemision/configuration.nix
@ -75,7 +75,7 @@
    fprintd.enable = lib.mkForce false;
    openssh.enable = lib.mkForce false;

-    adev.yubikey = {
+    rad-dev.yubikey = {
      enable = true;
      enable-desktop-app = true;
    };
--- a/systems/hetzner-bridge/configuration.nix
+++ b/systems/hetzner-bridge/configuration.nix
@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../../disko/hetzner.nix
+    ./networking.nix
+  ];
+  disko.devices.disk.main.device = "scsi-0QEMU_QEMU_HARDDISK_55513992";
+
+  boot = {
+    useSystemdBoot = true;
+  };
+
+  virtualisation.docker.enable = false;
+  services = {
+    locate.enable = false;
+    endlessh-go.enable = false;
+  };
+
+  #hardware.enableAllFirmware = true;
+
+  system.stateVersion = "24.05";
+}
--- a/systems/hetzner-bridge/default.nix
+++ b/systems/hetzner-bridge/default.nix
@ -0,0 +1,8 @@
+{ inputs, ... }:
+{
+  users = [ "alice" ];
+  modules = [
+    # inputs.attic.nixosModules.atticd
+    inputs.disko.nixosModules.disko
+  ];
+}
--- a/systems/hetzner-bridge/hardware.nix
+++ b/systems/hetzner-bridge/hardware.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [
+      "ahci"
+      "xhci_pci"
+      "virtio_pci"
+      "virtio_scsi"
+      "sd_mod"
+      "sr_mod"
+    ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/systems/hetzner-bridge/networking.nix
+++ b/systems/hetzner-bridge/networking.nix
@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  networking.useDHCP = false;
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      #matchConfig.Name = "enp1s0"; # either ens3 or enp1s0 depending on system, check 'ip addr'
+      matchConfig.Name = "ether";
+      networkConfig.DHCP = "ipv4";
+    };
+  };
+}
--- a/systems/palatine-hill/docker/archiveteam.nix
+++ b/systems/palatine-hill/docker/archiveteam.nix
@ -122,7 +122,7 @@ let
    cmd = lib.splitString " " "--concurrent 6 AmAnd0";

  };
-  inherit (lib.adev.container-utils) createTemplatedContainers;
+  inherit (lib.rad-dev.container-utils) createTemplatedContainers;

  vars = import ../vars.nix;
  at_path = vars.primary_archiveteam;
--- a/systems/palatine-hill/docker/minecraft.nix
+++ b/systems/palatine-hill/docker/minecraft.nix
@ -46,7 +46,7 @@ in
      cmd = [
        (
          "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
-          + (lib.adev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
+          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
        )
      ];
    };
--- a/systems/palatine-hill/postgresql.nix
+++ b/systems/palatine-hill/postgresql.nix
@ -28,26 +28,12 @@ in
      '';

      # initialScript = config.sops.secrets."postgres/init".path;
-      ensureDatabases = [
-        "atticd"
-        "alice"
-      ];
+      ensureDatabases = [ "atticd" ];
      ensureUsers = [
        {
          name = "atticd";
          ensureDBOwnership = true;
        }
-        {
-          name = "alice";
-          ensureDBOwnership = true;
-          ensureClauses = {
-            superuser = true;
-            login = true;
-            createrole = true;
-            createdb = true;
-            replication = true;
-          };
-        }
      ];

      refreshCollation = true;
@ -62,7 +48,6 @@ in
          "hydra-send-stats"
          "hydra-server"
          "atticd"
-          "gitea"
        ];
      };
    };
--- a/users/alice/home.nix
+++ b/users/alice/home.nix
@ -90,8 +90,6 @@
      nodejs_20
      nodePackages.prettier
      treefmt
-
-      gocryptfs
    ];
  };

--- a/users/alice/home/doom/custom.el
+++ b/users/alice/home/doom/custom.el
@ -22,6 +22,6 @@

 (setq! lsp-nix-nil-max-mem 20000)
 (setq! lsp-nix-nil-formatter ["nixfmt"])
-;; (add-hook 'python-mode-hook (lambda ()
-;;                                 (require 'sphinx-doc)
-;;                                 (sphinx-doc-mode t)))
+(add-hook 'python-mode-hook (lambda ()
+                                (require 'sphinx-doc)
+                                (sphinx-doc-mode t)))
--- a/users/alice/home/doom/packages.el
+++ b/users/alice/home/doom/packages.el
@ -81,9 +81,9 @@
 (package! pacdiff.el
  :recipe (:host github :repo "fbrosda/pacdiff.el" :files ("pacdiff.el" "README.org" "LICENSE")))

-;;(package! python-docstring-mode
-;;  :recipe (:host github :repo "glyph/python-docstring-mode" :files ("python-docstring.el" "docstring_wrap.py")))
+(package! python-docstring-mode
+  :recipe (:host github :repo "glyph/python-docstring-mode" :files ("python-docstring.el" "docstring_wrap.py")))

-;;(package! sphinx-doc)
+(package! sphinx-doc)

 ;; https://github.com/glyph/python-docstring-mode.git
--- a/users/alice/secrets.yaml
+++ b/users/alice/secrets.yaml
@ -9,8 +9,11 @@ alice:
    attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
    attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
    gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
-    gitea-pr-token: ENC[AES256_GCM,data:ybTya4X2wd65pNFSGbQkg73lu66GNtSba4yf8J6tT8XkuOtfvtBS4g==,iv:39mJiAlw4kud4l06jOpxOCRumChE/5q8IBNsPHG1rMc=,tag:MEvHD2b9E3fVHLlz7haNyw==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
    age:
        - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
          enc: |
@ -39,8 +42,8 @@ sops:
            ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
            7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-02T04:59:28Z"
-    mac: ENC[AES256_GCM,data:lzOiHCCAm9rlzD04UbrPi6UZ3TM12jffqHKVaI0jdAEsRgFSdtz9AE4HiDS7FHv8daKVgBMgPgmQiRvEXvnouFjgKBYvoMRSav+Zogo1lR3KEnkPsOg+BRz07GsU4wQDyU4Df7cCCVLeLxUBT/AX7no8u4TOOwKjsyYmJbbJjd0=,iv:8mJ43fMFHltVQ4fQe2lQRK9eSb2/7TzUBaIr1tKOjYM=,tag:hGBkAvZ+Glg8PkNqzB+KCw==,type:str]
+    lastmodified: "2025-03-26T15:28:13Z"
+    mac: ENC[AES256_GCM,data:BfEahKHAcnLc/PSagENBIVwxufJrjpMSC6U4hkkxNwcEJYDNAlrF0w00aiexLeX+UfVGIw19+SrNL5zuecEf+GaYzYNy9RE3c66KUM2B/cpuBuzkiwLaBCTfcWr7k8dW11BGFCmugRSG4w6wXKG5B/LyEKB6Vcvp0JRbCYSqZSY=,iv:97UzvdvQCtTLaLDrg6VEwiofHtSPGtaxuPLHfTAyIFA=,tag:r4r45OaV9ZRDzd56RGLFZw==,type:str]
    pgp:
        - created_at: "2024-09-05T06:10:22Z"
          enc: |-
@ -55,4 +58,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
    unencrypted_suffix: _unencrypted
-    version: 3.10.0
+    version: 3.9.4
--- a/utils/hetzner-install.sh
+++ b/utils/hetzner-install.sh
@ -0,0 +1,27 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#git --command bash
+
+set -o errexit   # abort on nonzero exitstatus
+set -o nounset   # abort on unbound variable
+set -o pipefail  # don't hide errors within pipes
+
+MACHINENAME="hetzner-bridge"
+
+sudo mkdir /root/.ssh
+sudo chmod 700 /root/.ssh
+sudo ssh-keygen -t ed25519 -o -a 100 -f "/root/.ssh/id_ed25519_giteadeploy" -q -N "" -C "$MACHINENAME" || echo "key already exists"
+
+sudo cat /root/.ssh/id_ed25519_giteadeploy.pub
+
+sudo ssh-keygen -A
+
+nix --extra-experimental-features 'flakes nix-command' shell nixpkgs#git
+nix --extra-experimental-features 'flakes nix-command' store gc
+FLAKE="git+ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles?ref=feature/hetzner-bridge#hetzner-bridge"
+DISK_DEVICE=/dev/sda
+sudo nix \
+    --extra-experimental-features 'flakes nix-command' \
+    run github:nix-community/disko#disko-install -- \
+    --flake "$FLAKE" \
+    --write-efi-boot-entries \
+    --disk main "$DISK_DEVICE"
--- a/utils/hetzner-nixos-anywhere.sh
+++ b/utils/hetzner-nixos-anywhere.sh
@ -0,0 +1,35 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#mktemp nixpkgs#openssh nixpkgs#nixos-anywhere nixpkgs#sops --command bash
+
+echoerr() { printf "%s\n" "$*" >&2; }
+
+if (( $# != 1 )); then
+    echoerr "usage: $0 <hostname>"
+fi
+
+HOSTNAME=$1
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh"
+
+# Create host keys
+ssh-keygen -A -f "$temp/etc/ssh/"
+
+# Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
+
+AGEKEY=$(ssh-to-age < "$temp/etc/ssh/ssh_host_ed25519_key.pub")
+
+echo "$AGEKEY" | tee "./$HOSTNAME.age"
+
+# Install NixOS to the host system with our secrets
+nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip
Author	SHA1	Message	Date
ahuston-0	8afa66dabd	repair flake.lock, update disko	2025-04-01 15:17:41 -04:00
ahuston-0	88168b7345	add draft scripts for hetzner install Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:55 -04:00
ahuston-0	e4f061f2f3	pin nixos-unstable, fix locate service Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:55 -04:00
ahuston-0	154707c07f	roll back to nixos-unstable for now Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:55 -04:00
ahuston-0	5b0bd7d5e7	size -> end for disko root Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:55 -04:00
ahuston-0	db9e8e5f2d	fix networking Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:55 -04:00
ahuston-0	85d6d66b85	rename hardware.nix for hetzner-bridge Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:54 -04:00
ahuston-0	49e689481d	add hetzner and disko config Signed-off-by: ahuston-0 <aliceghuston@gmail.com>	2025-04-01 15:15:51 -04:00