hosts/caramel, users/hana: init

flake.lock

@@ -213,6 +213,27 @@
         "type": "github"
       }
     },
+    "home-manager-porcupine": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-porcupine"
+        ]
+      },
+      "locked": {
+        "lastModified": 1643735249,
+        "narHash": "sha256-hwX+qvF9fipwItm3V6M3mL3L0Iis+PY2DfXqnhPi+uQ=",
+        "owner": "LavaDesu",
+        "repo": "home-manager",
+        "rev": "ea795dd7acc9ce6069a786f6088a296f8e64c280",
+        "type": "github"
+      },
+      "original": {
+        "owner": "LavaDesu",
+        "ref": "backport/gpg-agent",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "linux-tkg": {
       "flake": false,
       "locked": {
@@ -310,6 +331,21 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1641965797,
+        "narHash": "sha256-AfxfIzAZbt9aAzpVBn0Bwhd/M4Wix7G91kEjm9H6FPo=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "87a35a0d58f546dc23f37b4f6af575d0e4be6a7a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1637579689,
@@ -325,6 +361,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-porcupine": {
+      "locked": {
+        "lastModified": 1643503720,
+        "narHash": "sha256-tJic20ufuRnG8V+fTCd3YU6xl1ImxNspoEkXHct0AG4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0f316e4d72daed659233817ffe52bf08e081b5de",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-21.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1641392867,
@@ -500,11 +552,14 @@
         "fast-syntax-highlighting": "fast-syntax-highlighting",
         "fix-user-popouts": "fix-user-popouts",
         "home-manager": "home-manager",
+        "home-manager-porcupine": "home-manager-porcupine",
         "linux-tkg": "linux-tkg",
         "multitask": "multitask",
         "neovim-nightly": "neovim-nightly",
         "nix-gaming": "nix-gaming",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
+        "nixpkgs-porcupine": "nixpkgs-porcupine",
         "no-double-back-pc": "no-double-back-pc",
         "nvim-treesitter": "nvim-treesitter",
         "packwiz": "packwiz",

flake.nix

@@ -1,12 +1,16 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs";
+    nixpkgs-porcupine.url = "github:NixOS/nixpkgs/nixos-21.11";
     home-manager.url = "github:nix-community/home-manager";
+    home-manager-porcupine.url = "github:LavaDesu/home-manager/backport/gpg-agent";
     neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
+    nixos-hardware.url = "github:NixOS/nixos-hardware";
     agenix.url = "github:ryantm/agenix";
 
     agenix.inputs.nixpkgs.follows = "nixpkgs";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    home-manager-porcupine.inputs.nixpkgs.follows = "nixpkgs-porcupine";
     neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
 
     nix-gaming.url = "github:fufexan/nix-gaming";
@@ -53,7 +57,7 @@
     zelk = { url = "github:schnensch0/zelk"; flake = false; };
   };
 
-  outputs = { self, agenix, nixpkgs, ... } @ inputs:
+  outputs = { self, agenix, nixpkgs, nixpkgs-porcupine, ... } @ inputs:
     let
       overlays = (import ./overlays)
         ++ [inputs.neovim-nightly.overlay]
@@ -82,6 +86,8 @@
       nixosConfigurations."blossom" = mkSystem nixpkgs "blossom" "x86_64-linux" true;
       nixosConfigurations."fondue" = mkSystem nixpkgs "fondue" "x86_64-linux" false;
 
+      nixosConfigurations."caramel" = mkSystem nixpkgs-porcupine "caramel" "aarch64-linux" false;
+
       # TODO: currently broken
       # devShells.x86_64-linux = pkgs.callPackage ./shells { inherit inputs; };
     };

hosts/caramel/default.nix

@@ -0,0 +1,26 @@
+{ config, inputs, modules, overlays, pkgs, ... }: {
+  networking.hostName = "caramel";
+  system.stateVersion = "21.11";
+  time.timeZone = "Asia/Phnom_Penh";
+
+  age.secrets = {
+    passwd.file = ../../secrets/passwd.age;
+    wpa_conf.file = ../../secrets/wpa_conf.age;
+  };
+  imports = with modules.system; [
+    inputs.home-manager-porcupine.nixosModule
+
+    base
+    home-manager
+    input
+    nix
+    security
+
+    ./filesystem.nix
+    ./kernel.nix
+    ./networking.nix
+    ./packages.nix
+
+    ../../users/hana
+  ];
+}

hosts/caramel/filesystem.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+let
+  bind = src: {
+    depends = [ "/nix" ];
+    device = src;
+    fsType = "none";
+    neededForBoot = true;
+    options = [ "bind" ];
+  };
+in {
+  fileSystems = {
+    "/" = {
+      device = "rootfs";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=2G" "mode=755" ];
+    };
+
+    "/nix" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "defaults" "noatime" ];
+    };
+
+    "/var/persist" = bind "/nix/persist";
+    "/var/log/journal" = bind "/nix/persist/journal";
+    "/boot" = bind "/nix/persist/boot";
+  };
+}

hosts/caramel/kernel.nix

@@ -0,0 +1,11 @@
+{ config, inputs, pkgs, ... }: {
+  imports = [
+    inputs.nixos-hardware.nixosModules.raspberry-pi-4
+  ];
+  hardware.raspberry-pi."4".fkms-3d.enable = true;
+
+  boot.kernel.sysctl = {
+    "kernel.core_pattern" = "|/bin/false";
+    "kernel.sysrq" = 1;
+  };
+}

hosts/caramel/networking.nix

@@ -0,0 +1,28 @@
+{ config, ... }: {
+  environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
+  networking = {
+    wireless = {
+      enable = true;
+      interfaces = [ "wlan0" ];
+    };
+
+    useDHCP = false;
+    interfaces.wlan0.useDHCP = false;
+
+    interfaces.wlan0.ipv4.addresses = [{
+      address = "192.168.100.15";
+      prefixLength = 24;
+    }];
+    defaultGateway = "192.168.100.1";
+    nameservers = [ "8.8.8.8" ];
+
+    extraHosts = ''
+      192.168.100.10 strawberry
+      192.168.100.11 peach
+      192.168.100.12 butterfly
+      192.168.100.13 winter
+      192.168.100.13 blossom
+      192.168.100.14 apricot
+    '';
+  };
+}

hosts/caramel/packages.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    jq
+    neovim
+    rsync
+    sshfs
+    wget
+  ];
+  environment.variables.EDITOR = "nvim";
+}

secrets.nix

@@ -1,14 +1,15 @@
 let
   apricot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGS0M4BOLiVUM/qdUpcg9Y4aTeyDfyQl89uhXwFORjn";
   blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wfPCcpkNR3ubr7cBV0UwVCDo/sMmV0aI/JOJTIxQj";
+  caramel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPFJT1XYyjDZFHYT/8RdxAReKkeU8QfpLrmMjEeW/80";
   fondue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkKZYsYWnI+MgecBjOwf7aL5jtiT0ymCDme3pzucTei";
 
   rin-apricot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzygMMJ/hmPRUeQu/eMmEhAKfFSFIEVstDIerPzxgZ";
   rin-blossom = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPru5eTBvHJ4ZmrrzPRHCGM09wQP/ZHSaKYalDuBVO15";
   rin-fondue = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbPamP5bovUsrBNYnjOk4SN2TaQZAVlJ+4JldK2cL5M";
 in {
-  "secrets/passwd.age".publicKeys = [ apricot fondue blossom rin-apricot rin-fondue rin-blossom ];
-  "secrets/wpa_conf.age".publicKeys = [ apricot blossom rin-apricot rin-blossom ];
+  "secrets/passwd.age".publicKeys = [ apricot caramel fondue blossom rin-apricot rin-fondue rin-blossom ];
+  "secrets/wpa_conf.age".publicKeys = [ apricot caramel blossom rin-apricot rin-blossom ];
 
   "secrets/wg_apricot.age".publicKeys = [ apricot rin-apricot rin-blossom ];
   "secrets/wg_fondue.age".publicKeys = [ fondue rin-fondue rin-blossom ];

secrets/wg_apricot.age

@@ -1,12 +1,12 @@
 age-encryption.org/v1
--> ssh-ed25519 U9FXlg YbiJfSTq1/k1WYQCtN/S5kEQZxXzJD0vK8wY7LzDy30
-bjKK+gKkrs6+wXj3SM21S/t6PJNpOfi8/f2FzoxuSes
--> ssh-ed25519 pumkzw V6sDMLLmFVJfczK9+KqD4yuwoT/uIWYZuYo/8mNBiiA
-Jmf+H4gFJjx5/6FPFR5+2XJNmOf8X1mZ7h5UTojTWS0
--> ssh-ed25519 l9dSQg ubkdn+xI446eViRqmPXj9TSyKfUp1aefb7IIB30ftHc
-XjmIQgGxNTA48Aswen93VK9WjAfqfMAU1EBDTMwr6+M
--> $O-grease o1.b\<F
-CbAaFPbra6i7MpM1ogAF50v7I5UKTsizI6ELMvQsqBf6XDjCt0ukMIpbBxpbLt+f
-nm5bpcE
---- mRqCpp+XPV+MZo+S2EWGqW/x1c8M6rlV7/Mr995OiuI
-«öÔ]~ö¶ØIôÝ€Þ˜Ä.hÓ"°O“Jp=¹~T‰lòç€ü?A«k$šFÀ)'¥k~$¼|¤9s-F^½¿
:‹ãírV<72>ý
+-> ssh-ed25519 U9FXlg H7n5IC6XGcAY9tC8lRFEolb9KD/goej4Dlug5AxkBDU
+3asR+ee3SZ3NOmLOcv2FNHVfX/YmxU9V/wYiyl8dmXM
+-> ssh-ed25519 pumkzw kpBvxdtF3dSm67XAu/hEKYylCP131PueSJCQaSLV+ls
+MoftJyimviq9t74Jb8WnZj9vimzeXzLXSmf2LPG8qaE
+-> ssh-ed25519 l9dSQg 3pbs05PKX0IEDJa4hcLi6JOVxRwfNYn2ZIM+KtbJ2ww
+ab2FQXyW0iEgR2CNNimEye3yeclhaQEJ6bK+1Nxhtzk
+-> T-grease
+B9RPVaCLtAcnepxeFChMUqEgXQ
+--- eB7HKAkFMS1Za08uhuDbHIDThRwLicbadCILSEDebY0
+
°‰%aaÀ<61>w°\ê<>†
+ª‚7”59ödÈ…GŸš~zT2µ¢úz¤<¾#1Þªš	áVgU¨}…ѦÖÞjŠIêRÓêø³À¶Žw

secrets/wg_blossom.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 U9FXlg FMswMl915t4poFFGb2xPz4g/blQtdH9FagTte61d/R8
-AXHuHH4ShWsMgub48/qbsq/NeK/viI/bCSS1++pomGU
--> ssh-ed25519 CUCjXQ XdF7iwyHqvjdM/nzsqwqaSHMyyA5PfKk/v3CrzkcyE4
-tcQI27NojK1cOwWBmcKXIj35ZAXHzVkxrnmUjVlB/Jc
--> +gVY-grease ?w,;$2a 8ID6J] 0-9@5Bwt DRDl)
-PQ
---- Jx/j4/ICbGtU8KY6fwOcC4XcHl9bSR2cUuicod/oV0o
-z¡ä7.òýAO?
Öº’w#›•‚aß”ãËeõ¯ë¤ä4óÝ+L'C<06>1PÞ3¸‹œÐD{[>/GÀ‹ìÀ–¹Ùíï_¬[	ÁWÈøJ
+-> ssh-ed25519 U9FXlg aEmRkLTbk+LlxGIheQpHuW1DOP+dL9fJEKeqMorIeVs
+T0f+AZVjcx9pEmqNESmFug61WHs6qqMjV4exKxHl+Ag
+-> ssh-ed25519 CUCjXQ 4u8pj84nEA2CuUCYg1ISjllbt99uPhD34TbsRj1KdhY
+hu23nGobEw3cBoyJxkcdKUkaY/37D8sD5htyYnCZG0I
+-> L.~Rob(-grease ?5j+u9
+eg1GiLMCsxHS78B/KIUUtA/XHr8BCo1dNh23Y3BZ0Sm6dIsNOWwuZy4sldAK3OgB
+G+bJC4ZTujaqLGZOkX71q989+VVellR8nj9kAuk3weTqVJ6/kIUHMks0Fw
+--- xGTF6ckdRW+rkqfBE/iRFd8A+QBvSm/0sYP0HVN6C+0
+®$WqîPOKř^µŮŔŮůfeŘĺ^ç<>b˘÷Ä™$Žŕ@٤˛ŮŃfšl†Łž˝˘păČë±Ń\‹S(Z§É4ÍŕIhŐ8™|PGn®îč

secrets/wg_fondue.age

@@ -1,12 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 U9FXlg 3/QnM8zAovLFAWtuBhFgR/dkqF1XkXpc/0aC7YM/l3s
-/bRy+x1ARoUO/jLdSwAfTvwkuE6rLoY6ar7S1S8QcE4
--> ssh-ed25519 W08TTA FLhhvGFWIm6JlYpDAHV39Io7hnj86f8Bm6S5OmhTwVs
-f6O+ZTHvvpT+iq7HTw3JfOEk+4CHCc3gaGC7UbHRecU
--> ssh-ed25519 1f0c9Q 5tWjB31aCfV865BgJjrYulhQf4NOXTph3vUoPyovCSY
-3BKpoGQxv2WfwJEzMxhuls+OtttGadlbjDAmrMxWnHQ
--> ^-grease U1#S>aw Q!xFss
-BEHdYGI8rrokXkOAYmBRn3shh1Hp7k3eW+UQ+pgETav4Ew
---- oIeMw9AThaYLfWbJCU+LKHt6yqUZCXGji2gyYRYu2tQ
-¤Lxä=z:Zµ–
-yþi`»k¿œ¬užàg¯XWþʵ$<24> º«cÑa‹¥<E280B9>‡üR	:<3A>ž)Xàô
š}ÕJî^<5E>ŠŒHkýX¿re
+-> ssh-ed25519 U9FXlg M9BW61KBJzo4jYfzq70S1KRgLQExA4KWuWiCzTAjCEc
+Mqwm/8q86aLovIBuIayOzu1rtmgH6viqotHm8rkqEkA
+-> ssh-ed25519 W08TTA WrZ+qMCzm79TWscjDb+gynJBjNwa+VdGnFuSMLO28k0
+Wzkspgej88pCwGsRRNCgOITwUuePWM4WG9GWcmqhxmk
+-> ssh-ed25519 1f0c9Q q2+Z/b8tDrJplAVCo6VBZORyCnnWWzZpZMYjorUQzy4
+6goHWYtA9JG8TsuD4n33D8Yxp/t/Ofm4jTb5Rccfjaw
+-> `zC$>r-grease
+OPO5Jn6gQCoPXbqgtt/9WwvGWjnhUSpnExAEKVrALl7jyOVB5VSUx4bV7SQ0eHhr
+--- uBikPvGu6FHxckPcxDWQDbQmUi03Q0kIgtjFJ5kHzfA
+….?ÜMtɳ&~eV3<56>¬9^°o¦‘ß	‡¢§‘Ô¦•<„Oï5·é•?àX^¢Á”ügÍÇÕ!p^	ÖR냋âÖ?k#C«4

secrets/wpa_conf.age

@@ -1,14 +1,16 @@
 age-encryption.org/v1
--> ssh-ed25519 U9FXlg E0hhgFA/zsRWQJlrPEcoa3EB5+PsCAqCR1zCnezkFjU
-C17s+kvncsFSdYG4MPG/mBuBwyjQihI0psdBG5TZRkU
--> ssh-ed25519 pumkzw 6lB6ssEW3qI/urBGKNiVvwn2mwNlqjAoteHjzWhSdic
-5H9O9ogZSo5MZxvotcVpH2iTsSl82RoA1mEOqfPJhs8
--> ssh-ed25519 CUCjXQ M1pJrjSYKt79yozkZg5QnWoVXm/Ycux2CjK9KZ2c3Gg
-kIZU/NI0lZK7VqP6LXeBCm1I1QvwPUcrrqRhouE1qXY
--> ssh-ed25519 l9dSQg kdr5ycMPLZHm3gnQXlRGePkmnWMAtQCVL/eeqQNZW3M
-so1UTAIF4xYYC8BGseA+cY7yz49xeqROBoCrnyaa5fQ
--> at-grease pZp\ \
-wFowXoNmbvDQFM/9r4Ju5rPlrj4nP8k4NEtKbUOZovebox75dWododrjol14pk7x
-2YgYznE9r6HsyqN/6wXroQ
---- m1BL/gjAKZlbd2fLwT46xse7I9SzL5hgBIxnoIZmMu4
-oLZ80¬Å“"Á

®;㫇gœ(Æ¡"5FšÇ‹aŠ6`GÊSfÍ.·´h
Yâ笪§K9‚›Jó=<3D>³· Ö0܆.€¬]qšØGoÄnpË•«ý—Îû3Žo>†
ÅS°¼•yR¡Ôpͦz.K<>ËÅF¹F<C2B9>ep
+-> ssh-ed25519 U9FXlg Pc64mHi61/6bcZu/G650D/hw92BDAlBj7CFQ5LAU33c
+YoNenOF6pRsP5AitHsrq9H9LyTIQMi1fdOgcG483qIg
+-> ssh-ed25519 pumkzw p20ZTbqnpetyCGd96SngDc4Oso9VEP2ubhAujG69hwg
+TDhON74NDj2tUxc9XKe65poZlR3fdNaG4hEKjken1/4
+-> ssh-ed25519 CUCjXQ 70JZRvnQ3DL1VIT+2mxP8MGQHGSnbEWkZ2sppBNqex0
+O/x7uUlk08P7tRcswx3mBZG+JuLaaJbqtZfmOWOqICI
+-> ssh-ed25519 krYeuQ UnBbedQ+1RFHDktCdT8+xi3tYE5lbgciRT3PhxZAQQE
+8AmqhCFnG7zmlKmH/Hk3LByktISqs4+oDHvAcj87YA0
+-> ssh-ed25519 l9dSQg /zQmLpZJlelyrDx/+/EqsR7DSIYo5wDFgBAWOgfmQh8
+8rtQf29u+7UynIidyDbjGgRt/s/CqTWr8WwLYe/bV4I
+-> $b}ea+-grease 'tm-kc N$y <m!
+WxXyIt0zflAF0Gdc6AUFRIUXFkXr1QCBeFSYzMgrRRJP6LiqI4vMbpYReO4rqPVC
+Q5bVvA
+--- 3YoYGTjSswMJT4p5h/nHveEGpJfxwoZjloNUQwrjv+8
+ñù*ù¬I°tâTŒÞ)ÖNÓjEìô¥]»ø´7øžÒZº±ç!ŒNk”<>m2Þ"m
‚„>÷lMjg±úÎr;÷Àûg–²gv‡oÌn¯¢µpKÅ$:lù<1A>z‡…N	C†ß¾¯&7¹„z1(âêþÀ9%Wü„6ÕÔ<C395>>±5Y

users/hana/default.nix

@@ -0,0 +1,31 @@
+{ config, lib, modules, pkgs, ... }: {
+  users.users.hana = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    shell = pkgs.zsh;
+    uid = 1002;
+    passwordFile = config.age.secrets.passwd.path;
+  };
+
+  home-manager.users.hana = { config, enableGUI, lib, pkgs, ... }: {
+    home = {
+      username = "hana";
+      homeDirectory = "/home/hana";
+      stateVersion = "21.11";
+      keyboard = null; # see https://github.com/nix-community/home-manager/issues/2219
+    };
+
+    imports = with modules.user; [
+      direnv
+      git
+      neovim
+      sessionVariables
+      zsh
+    ];
+
+    programs.git.signing.signByDefault = lib.mkForce false;
+    programs.zsh.history.path = lib.mkForce "/nix/persist/hana/zsh_history";
+
+    home.file.".ssh/authorized_keys".source = config.lib.file.mkOutOfStoreSymlink "/nix/persist/hana/authorized_keys";
+  };
+}