add gendry.jakehillion-terminals host

flake.nix

@@ -10,6 +10,18 @@
   description = "Hillion Nix flake";
 
   outputs = { self, nixpkgs, nixpkgs-unstable, agenix }@inputs: {
+    nixosConfigurations."gendry.jakehillion-terminals.ts.hillion.co.uk" = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = inputs;
+      modules = [
+        ./hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+        agenix.nixosModule
+        {
+          system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
+        }
+      ];
+    };
+
     nixosConfigurations."vm.strangervm.ts.hillion.co.uk" = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       specialArgs = inputs;

hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix

@@ -0,0 +1,65 @@
+{ config, pkgs, lib, ... }:
+
+{
+  config.system.stateVersion = "22.05";
+
+  config.networking.hostName = "gendry";
+  config.networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
+
+  imports = [
+    ../../modules/common/default.nix
+    ./hardware-configuration.nix
+  ];
+
+  config.boot.loader.systemd-boot.enable = true;
+  config.boot.loader.efi.canTouchEfiVariables = true;
+
+  ## Tailscale
+  config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
+  config.tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
+
+  ## Password (for interactive logins)
+  config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
+  config.users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
+
+  config.security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+  ## Persist files (due to tmpfs root)
+  ### Set root tmpfs to 0755
+  config.fileSystems."/".options = [ "mode=0755" ];
+
+  ### Require data at boot (to have access to host keys for agenix)
+  config.fileSystems."/data".neededForBoot = true;
+
+  ### OpenSSH Host Keys (SSH + agenix secrets)
+  config.services.openssh = {
+    hostKeys = [
+      {
+        path = "/data/system/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/data/system/etc/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  ### Persistent directory symlinks
+  config.systemd.tmpfiles.rules = [
+    #### Persistent home subdirectories
+    "L /root/local - - - - /data/users/root"
+    "L /home/jake/local - - - - /data/users/jake"
+  ];
+
+  ### Persistent /etc/nixos
+  config.fileSystems."/etc/nixos" = {
+    device = "/data/users/root/repos/nixos";
+    options = [ "bind" ];
+  };
+
+  ### Persistent zsh history
+  config.programs.zsh.histFile = lib.mkForce "$HOME/local/.zsh_history";
+}
+

hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix

@@ -0,0 +1,58 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/nix" =
+    {
+      device = "/dev/disk/by-uuid/b29084d3-635c-4548-a3f2-7e656c894608";
+      fsType = "btrfs";
+      options = [ "subvol=nix" ];
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
+
+  fileSystems."/data" =
+    {
+      device = "/dev/disk/by-uuid/b29084d3-635c-4548-a3f2-7e656c894608";
+      fsType = "btrfs";
+      options = [ "subvol=data" ];
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/768E-4995";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}
+

modules/common/shell.nix

@@ -4,9 +4,17 @@
   config.programs.zsh = {
     enable = true;
     histSize = 100000;
+    histFile = "$HOME/.zsh_history";
+
     syntaxHighlighting = {
       enable = true;
     };
+
+    autosuggestions = {
+      enable = true;
+      highlightStyle = "fg=5";
+      strategy = [ "match_prev_cmd" "completion" "history" ];
+    };
   };
 }
 

modules/common/ssh.nix

@@ -1,7 +1,6 @@
 { pkgs, lib, config, ... }:
 
 {
-  users.mutableUsers = false;
   users.users."jake".openssh.authorizedKeys.keyFiles = [ ./authorized_keys ];
 
   programs.mosh.enable = true;

secrets/secrets.nix

@@ -3,13 +3,18 @@ let
   jake-mbp = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp";
   users = [ jake-gentoo jake-mbp ];
 
+  gendry_terminals = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry";
   vm_strangervm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy root@vm";
   microserver_home = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
   microserver_parents = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver";
-  systems = [ vm_strangervm microserver_home microserver_parents ];
+  systems = [ gendry_terminals vm_strangervm microserver_home microserver_parents ];
 in
 {
+  # User Passwords
+  "passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age".publicKeys = users ++ [ gendry_terminals ];
+
   # Tailscale Pre-Auth Keys
+  "tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = users ++ [ gendry_terminals ];
   "tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = users ++ [ vm_strangervm ];
   "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_home ];
   "tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_parents ];

secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+KjPYZi1OFmBBhU9v7xRqatjJ9uR4G17zCJx0nnzSMdattCIp5Oqyfe2WF7GGwKRD
+kI0+5gHQFBE6h3B0gp2LZIBYL0mOcu17qwMq2IkNSqZJozjdDmr1KbAoIEGUe8jV
+tahRxb5o74pDIICaC1RbfWtGKH3pago6cn+/nrwpwQqEPSZqHdat12UYl3qqZVOt
+js6S4wWmijgPm4W+WgWCUqirJthGmjMIG9gkpV4ylKzjQj5kWRKUatQ6T3/gl4px
+y0caQK+V9zU4CdK0od7bxKLVYN3fyOIAimBqPRmoQxEJrCR4gA0c9RHC85NreWtW
+SDP5bbg5rYjACsMmvxXgBA
+-> ssh-rsa K9mW1w
+ZrUyn3jcFmRaEKE25dsQ3q6T+kEsuo48OyDYcWWFbfbfZHUPA14tlRrr9vXnO0z1
+UmFSGcFiWWFUwJw7tIUbbdDKj2tmNtDSkET4Z7jgxJ1qdHLBdH6I6D+g7BWwiEJt
+Bspn9Y7ngJyBm4HFvUlSV47nhcG3+vDO3jYqNYDE8faMhumVX7JfR2Hg20msE/9G
+Gk1jLgqg8fl7eycSb64MhdTGr4hxFqlltK14RcDnt3L/yO5nWYWf2DTO04xBtyWk
+ypFkMSAiIn68Cw47b8nabqkfKpwhpR5WcT2wqUnkMPzqc/iFm7sC+tXPV33ZAnLP
+jC2JTgNwBbtSIIX8cfSY4g
+-> ssh-ed25519 rjda/A uGrydFlzSMircul6ytkWwfUxONXNzQW1djteOBNqTGQ
+G+gqoNTwxLwK1OFUmbi+jEHYR1igyZ6wlfbr3xcTvPY
+-> O-grease
+m5D7+NoQaIInhzyfV0EylS1d7c+CbV9Zd+cgTeNQJ6j/yYKB5Zy3MjPriUAZ1xkX
+SBDaXekeAJNNT73+F6QsVmoN3TB2NZhpKlspmM8h40BmH4M+lPgC
+--- Ug7/z36ERkXTM5Kh2gtBgxiB3IGy8Sj2+cWJGQTsYTw
+©æÆ]Lüƒ¦eóÄ<>ËÙ8)XȤã˜Zï€?ÖQø‡k"Í΢Իþ<C2BB>öâ}.ÙÙ%Ä$ƒ$ÿi[|=p“ü“*dзnpuu µöÂ