diff --git a/flake.lock b/flake.lock index 094c1e7..419c804 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1751144689, - "narHash": "sha256-cgIntaqhcm62V1KU6GmrAGpHpahT4UExEWW2ryS02ZU=", + "lastModified": 1752287590, + "narHash": "sha256-U1IqFnxlgCRrPaeT5IGCdH0j9CNLPFcI/fRAidi0aDQ=", "owner": "zhaofengli", "repo": "colmena", - "rev": "3ceec72cfb396a8a8de5fe96a9d75a9ce88cc18e", + "rev": "d2beb694d54db653399b8597c0f6e15e20b26405", "type": "github" }, "original": { @@ -49,11 +49,11 @@ }, "crane": { "locked": { - "lastModified": 1750266157, - "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=", + "lastModified": 1751562746, + "narHash": "sha256-smpugNIkmDeicNz301Ll1bD7nFOty97T79m4GUMUczA=", "owner": "ipetkov", "repo": "crane", - "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48", + "rev": "aed2020fd3dc26e1e857d4107a5a67a33ab6c1fd", "type": "github" }, "original": { @@ -194,11 +194,11 @@ ] }, "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { @@ -389,11 +389,11 @@ ] }, "locked": { - "lastModified": 1751810233, - "narHash": "sha256-kllkNbIqQi3VplgTMeGzuh1t8Gk8TauvkTRt93Km+tQ=", + "lastModified": 1752780124, + "narHash": "sha256-5dn97vIYxn6VozKePOQSDxVCsrl38nDdMJXx86KIJH0=", "owner": "nix-community", "repo": "home-manager", - "rev": "9b0873b46c9f9e4b7aa01eb634952c206af53068", + "rev": "c718918222bdb104397762dea67e6b397a7927fe", "type": "github" }, "original": { 
@@ -450,11 +450,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1751381593, - "narHash": "sha256-js1XwtJpYhvQrrTaVzViybpztkHJVZ63aXOlFAcTENM=", + "lastModified": 1752673703, + "narHash": "sha256-9Cc0YqL9ZUpaybJsrRJfXex91QlPmQNqpTLgw/KvJGA=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "f4eb75540307c2b33521322c04b7fea74e48a66f", + "rev": "5a776450d904b7ccd377c2a759703152b2553e98", "type": "github" }, "original": { @@ -486,11 +486,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1751432711, - "narHash": "sha256-136MeWtckSHTN9Z2WRNRdZ8oRP3vyx3L8UxeBYE+J9w=", + "lastModified": 1752666637, + "narHash": "sha256-P8J72psdc/rWliIvp8jUpoQ6qRDlVzgSDDlgkaXQ0Fw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "497ae1357f1ac97f1aea31a4cb74ad0d534ef41f", + "rev": "d1bfa8f6ccfb5c383e1eba609c1eb67ca24ed153", "type": "github" }, "original": { @@ -557,11 +557,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", + "lastModified": 1752687322, + "narHash": "sha256-RKwfXA4OZROjBTQAl9WOZQFm7L8Bo93FQwSJpAiSRvo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", + "rev": "6e987485eb2c77e5dcc5af4e3c70843711ef9251", "type": "github" }, "original": { @@ -589,11 +589,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1751203939, - "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", + "lastModified": 1751791007, + "narHash": "sha256-JBrPWGksmjAw2X71W+kV6moKqPtnxmwsndMQSi+xcu4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "650e71cbf76de8dd16f5648a96981b726c4ef8fe", + "rev": "e8612a671c4f120f93a5c8dbf0cc225e745a4521", "type": "github" }, "original": { 
@@ -605,11 +605,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1751741127, - "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", + "lastModified": 1752620740, + "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "29e290002bfff26af1db6f64d070698019460302", + "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", "type": "github" }, "original": { @@ -680,6 +680,7 @@ "nixpkgs": "nixpkgs_4", "nixpkgs-unstable": "nixpkgs-unstable", "syntax-renderer": "syntax-renderer", + "turny": "turny", "workout-sync": "workout-sync" } }, @@ -691,11 +692,11 @@ ] }, "locked": { - "lastModified": 1751165203, - "narHash": "sha256-3QhlpAk2yn+ExwvRLtaixWsVW1q3OX3KXXe0l8VMLl4=", + "lastModified": 1751769931, + "narHash": "sha256-QR2Rp/41NkA5YxcpvZEKD1S2QE1Pb9U415aK8M/4tJc=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "90f547b90e73d3c6025e66c5b742d6db51c418c3", + "rev": "3ac4f630e375177ea8317e22f5c804156de177e8", "type": "github" }, "original": { @@ -796,6 +797,29 @@ "type": "github" } }, + "turny": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1752874301, + "narHash": "sha256-A6IZz46Lfopm5UhMtFfBDimepEUt9lGwhWoEIEQHsgk=", + "owner": "~repomaa", + "repo": "turny", + "rev": "133c05151e77616c7973c1c1038506b2fdee8eab", + "type": "sourcehut" + }, + "original": { + "owner": "~repomaa", + "repo": "turny", + "type": "sourcehut" + } + }, "workout-sync": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index e28b6ed..33e5948 100644 --- a/flake.nix +++ b/flake.nix @@ -44,6 +44,11 @@ url = "sourcehut:~repomaa/syntax-renderer"; flake = false; }; + turny = { + url = "sourcehut:~repomaa/turny"; + inputs.flake-parts.follows = "flake-parts"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { 
@@ -94,22 +99,30 @@ nixosConfigurations = let mkConfiguration = - name: + { + name, + extraModules ? [ ], + }: nixpkgs.lib.nixosSystem { inherit specialArgs; modules = [ ./modules ./hosts/${name} - ]; + ] ++ extraModules; }; in { - radish = mkConfiguration "radish"; - radish-vm = mkConfiguration "radish-vm"; - freun-dev = mkConfiguration "freun-dev"; - apu = mkConfiguration "apu"; + radish = mkConfiguration { name = "radish"; }; + radish-vm = mkConfiguration { name = "radish-vm"; }; + freun-dev = mkConfiguration { name = "freun-dev"; }; + apu = mkConfiguration { name = "apu"; }; + turny = mkConfiguration { + name = "turny"; + extraModules = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" ]; + }; }; + images.turny = self.nixosConfigurations.turny.config.system.build.sdImage; colmenaHive = colmena.lib.makeHive self.outputs.colmena; colmena = @@ -119,6 +132,9 @@ allowLocalDeployment = true; targetHost = null; }; + turny = { + targetHost = "10.10.1.233"; + }; }; in { diff --git a/hosts/turny/configuration.nix b/hosts/turny/configuration.nix new file mode 100644 index 0000000..1951506 --- /dev/null +++ b/hosts/turny/configuration.nix 
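Review bot: The new colmena node in flake.nix pins `targetHost = "10.10.1.233";`, while hosts/turny/configuration.nix in this same commit sets `networking.useDHCP = true`, so the address is whatever lease the Pi currently holds. If the lease moves, deployments either fail or reach whichever device took that address, and SSH host-key checking is then the only thing preventing a push to the wrong machine. A DHCP reservation or a stable name would be safer, e.g. `targetHost = "<stable-hostname>";` (placeholder; the Tailscale name would fit, since `services.tailscale` is enabled for this host). The enclosing `colmena` attribute set starts and ends outside the hunk.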
@@ -0,0 +1,98 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running `nixos-help`).
+
+{
+ pkgs,
+ ssh,
+ config,
+ inputs,
+ ...
+}:
+let
+ secrets = config.age.secrets;
+in
+{
+ nix = {
+ settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ auto-optimise-store = true;
+ };
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ };
+
+ networking = {
+ hostName = "turny"; # Define your hostname.
+ useDHCP = true;
+ useNetworkd = true;
+ nftables.enable = true;
+ wireless = {
+ enable = true;
+ networks = {
+ KotiWLANi.pskRaw = "ext:psk_kotiwlani";
+ };
+ secretsFile = secrets.wpa_supplicant.path;
+ };
+ };
+
+ services.avahi = {
+ publish.enable = true;
+ };
+
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Helsinki";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.jokke = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ packages = [ pkgs.nh ];
+ openssh.authorizedKeys.keys = [ ssh.publicKeys.yubikey ];
+ initialPassword = "changeme";
+ };
+ users.users.root.openssh.authorizedKeys.keys = [ ssh.publicKeys.yubikey ];
+
+ nix.settings.trusted-users = [ "jokke" ];
+
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ htop
+ git
+ inputs.turny.packages.${stdenv.hostPlatform.system}.default
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ modules.firewall = {
+ enable = true;
+ allInterfaces = [ "ssh" ];
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It's perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/hosts/turny/default.nix b/hosts/turny/default.nix
new file mode 100644
index 0000000..44d08a4
--- /dev/null
+++ b/hosts/turny/default.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./configuration.nix
+ ./secrets.nix
+ inputs.nixos-hardware.nixosModules.raspberry-pi-3
+ ];
+}
diff --git a/hosts/turny/hardware-configuration.nix b/hosts/turny/hardware-configuration.nix
new file mode 100644
index 0000000..263926d
--- /dev/null
+++ b/hosts/turny/hardware-configuration.nix
@@ -0,0 +1,4 @@
+{ lib, ... }:
+{
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
diff --git a/hosts/turny/secrets.nix b/hosts/turny/secrets.nix
new file mode 100644
index 0000000..5b5d5d5
--- /dev/null
+++ b/hosts/turny/secrets.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+{
+ age.secrets = lib.listToAttrs (
+ map
+ (secret: {
+ name = secret;
+ value = {
+ file = ../../secrets/${secret}.age;
+ };
+ })
+ [
+ "wpa_supplicant"
+ ]
+ );
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 30f7836..758cd85 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
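Review bot: In hosts/turny/configuration.nix, `initialPassword = "changeme";` on `users.users.jokke` puts a known password on an account that is in `wheel` and listed in `nix.settings.trusted-users`, and the value ends up in the world-readable Nix store and in the SD image built from this configuration. `settings.PasswordAuthentication = false` keeps it off SSH, but it stays valid for console login and for sudo until someone runs `passwd`. Consider replacing it with `hashedPasswordFile = secrets.<password-secret>.path;` backed by an age secret (placeholder name), or dropping the password entirely if key-only access is intended. Separately, `services.avahi` sets only `publish.enable = true;`; unless `./modules` enables Avahi elsewhere, the daemon is not started and nothing is published, so `enable = true;` is probably missing.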
@@ -9,11 +9,13 @@ let apu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAZkIuXtpP9a9bHkBl+MJI//q3ClMqzx03Rd/Xe4rjc"; freun-dev = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvCSjIjipog1Xf9mPc683r5VSGSjVc8v1UZg5VrbbxM"; radish = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQ0fy4n3yyD64+g55eZazeI5g9FurJnlC6fRiOXbbks"; + turny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODeWhDvzDGyTGkCoxay80NtgU2OVPL37qXjbhJP7oPJ"; hosts = [ apu freun-dev radish + turny ]; in { @@ -41,4 +43,5 @@ in freun-dev ]; "hledger-basic-auth.age".publicKeys = users ++ [ freun-dev ]; + "wpa_supplicant.age".publicKeys = users ++ [ turny ]; } diff --git a/secrets/wpa_supplicant.age b/secrets/wpa_supplicant.age new file mode 100644 index 0000000..d4dcd1a Binary files /dev/null and b/secrets/wpa_supplicant.age differ