Commit c513bed

HPCesia <me@hpcesia.com>
2025-07-15 09:29:50
chore(host): add new host pardofelis
1 parent eb4bbc5
hosts/chaser-pardofelis/boot.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  boot.kernelParams = [
+    "audit=0"
+    "net.ifnames=0"
+  ];
+
+  boot.initrd = {
+    compressor = "zstd";
+    compressorArgs = ["-19" "-T0"];
+    availableKernelModules = ["virtio_blk" "virtio_pci" "virtio_scsi"];
+    systemd.enable = true;
+  };
+
+  boot.loader.grub = {
+    enable = true;
+    default = "saved";
+    # Force solve mirroredBoots error
+    # See https://github.com/nix-community/disko/issues/1068#issuecomment-2974926079
+    devices = lib.mkForce ["/dev/vda"];
+  };
+}
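Review bot: `"audit=0"` on line 15 switches the kernel audit subsystem off for this host, so auditd (if ever enabled) and the audit records journald would otherwise capture are gone, and nothing on the page says why. If the intent is to quiet audit noise on a box that will never run auditd, make that explicit with `"audit=0" # kernel audit off: no auditd on this VPS; remove to re-enable`; otherwise drop the parameter. `"net.ifnames=0"` pairs with `iface = "eth0"` in default.nix; a one-word comment linking the two would stop someone removing one without the other.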
hosts/chaser-pardofelis/default.nix
@@ -0,0 +1,43 @@
+{
+  mylib,
+  myvars,
+  disko,
+  ...
+}:
+#############################################################
+#
+#  Pardofelis - NixOS running on a 2C4G VPS
+#  My main server hosted by Yecaoyun.
+#
+#############################################################
+let
+  hostName = "pardofelis"; # Define your hostname.
+in {
+  imports =
+    (mylib.scanModules ./.)
+    ++ [
+      disko.nixosModules.default
+    ];
+
+  modules.my-hosts.${hostName} = {
+    network = {
+      enable = "networkd";
+      iface = "eth0";
+      useDHCP = false;
+      nameservers = ["172.16.36.100"] ++ myvars.defaultNameservers;
+      search = ["local"];
+    };
+    hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO56HKTdzGulisPLhpfUmLQNEgwDqwD9SBLRb5aETffV root@pardofelis";
+    sshPorts = [23930];
+  };
+
+  systemd.network.enable = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "25.05"; # Did you read the comment?
+}
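Review bot: `# Define your hostname.` on line 49 and `# Did you read the comment?` on line 77 are the stock configuration.nix template remarks and say nothing about this host; drop them or replace the first with what actually matters, e.g. `# must match the directory under secrets/hosts/ and the mkIf guard there`. The `network` block sets no ipv4, so with the new `!builtins.isNull v.network.ipv4` filter in modules/base/users.nix this host will get no generated `Host pardofelis` stanza; if that is deliberate because the address is delivered through the sops drop-in, say so next to the network block.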
hosts/chaser-pardofelis/disko-fs.nix
@@ -0,0 +1,41 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/vda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # for grub MBR
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                # Btrfs subvolumes for better organization and snapshotting
+                subvolumes = {
+                  "/@" = {
+                    mountpoint = "/";
+                  };
+                  "/@home" = {
+                    mountpoint = "/home";
+                  };
+                  "/@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = ["compress=zstd" "noatime"];
+                  };
+                  "/@log" = {
+                    mountpoint = "/var/log";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
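Review bot: Only the `/@nix` subvolume on line 108 gets `compress=zstd` and `noatime`; `/@`, `/@home` and `/@log` fall back to btrfs defaults, which reads as an oversight given the comment on line 98 presents the four as one scheme. Set `mountOptions = ["compress=zstd" "noatime"];` on each subvolume, and consider `"nosuid" "nodev"` on `/@home` and `"nosuid" "nodev" "noexec"` on `/@log`, since neither tree should hold setuid binaries or device nodes. No swap partition or file is declared; on a 4G guest that deserves a comment either way.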
modules/base/users.nix
@@ -5,7 +5,11 @@
   ...
 }: let
   hosts = config.modules.my-hosts;
-  sshTargetHosts = lib.filterAttrs (n: v: !builtins.isNull v.hostPublicKey) hosts;
+  sshTargetHosts =
+    lib.filterAttrs (
+      n: v: !builtins.isNull v.hostPublicKey && !builtins.isNull v.network.ipv4
+    )
+    hosts;
 in {
   programs.ssh = {
     extraConfig =
@@ -15,7 +19,7 @@ in {
         + ''
           Host ${host}
             HostName ${val.network.ipv4}
-            Port ${val.sshPort}
+            Port ${lib.elemAt val.sshPorts 0}
         '')
       ""
       sshTargetHosts;
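Review bot: `Port ${lib.elemAt val.sshPorts 0}` on line 141 only evaluates if the element is already a string, but hosts/chaser-pardofelis/default.nix declares `sshPorts = [23930];` with an integer, and Nix refuses to interpolate an integer ("cannot coerce an integer to a string"), so unless the option type coerces its elements the whole extraConfig fails to evaluate. Use `Port ${toString (lib.head val.sshPorts)}`; an empty list still throws on either form, so wrap it in `lib.optionalString (val.sshPorts != []) ...` if empty is a legal value. In the first hunk, `n` in `n: v:` is unused, and the new ipv4 filter silently drops any host whose address arrives via a secret instead of network.ipv4, which appears to be pardofelis's case; a one-line comment on the filter would save the next reader the detour. The `let` binding and the fold in the second hunk continue outside the shown lines.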
modules/nixos/base/ssh.nix
@@ -16,6 +16,12 @@
       PasswordAuthentication = false; # disable password login
     };
     openFirewall = true;
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
   };
 
   # Add terminfo database of all known terminals to the system profile.
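Review bot: The same `hostKeys` entry is declared again in secrets/hosts/pardofelis/default.nix (its lines 185–190); NixOS merges list options by concatenation, so pardofelis ends up with two identical `HostKey /etc/ssh/ssh_host_ed25519_key` lines in sshd_config. Keep the declaration in this base module only. Narrowing the set to ed25519 also stops the RSA host key NixOS generates by default, so a client that has only an RSA entry in known_hosts for one of these hosts will be asked to accept a new key type; a comment `# ed25519 only: no RSA host key is generated` makes that intent visible.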
modules/nixos/server/x86_64.nix
@@ -0,0 +1,6 @@
+{lib, ...}: {
+  imports = [
+    ../base
+    ../../base
+  ];
+}
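Review bot: `lib` is bound on line 161 but never used; `{...}: {` is enough. The file name suggests an architecture-specific server profile while the body only imports `../base` and `../../base`, so a one-line header comment stating what a server/x86_64 host gets from this entry point would help the next reader.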
secrets/hosts/pardofelis/default.nix
@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  hostName,
+  ...
+}:
+lib.mkIf (hostName == "pardofelis") {
+  sops.secrets.pardofelis-network = {
+    format = "yaml";
+    key = "content";
+    sopsFile = ./secrets.yaml;
+    owner = "root";
+    group = "systemd-network";
+    mode = "0440";
+    path = "/etc/systemd/network/10-${config.modules.my-hosts.${hostName}.network.iface}.network.d/99-secret-ip.conf";
+  };
+  services.openssh.hostKeys = [
+    {
+      path = "/etc/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+    }
+  ];
+}
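Review bot: The secret is written into the networkd drop-in `99-secret-ip.conf` (line 183) but nothing tells systemd-networkd to pick up a changed value; sops-nix places secrets on activation without restarting consumers unless asked, so a rotated address would only apply on the next reboot. Add `restartUnits = ["systemd-networkd.service"];` to the secret. The drop-in directory must match the `.network` unit name the host module generates for the interface (`10-<iface>.network` here, presumably from modules.my-hosts); if that name ever changes the drop-in is silently ignored, so a comment tying the two together is worth having.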
secrets/hosts/pardofelis/secrets.yaml
@@ -0,0 +1,28 @@
+content: ENC[AES256_GCM,data:GWb0KiK4qOIm4ht+kRyAwSZsIysP5d/4ijvxTUUtMSxOc5Mq0j8C24x1VbFWk5n2w6Bx0PSzZwiTL0fBivZRs9bEi0lQAoLiF6szftw2hGcqwoWmNFDajr4i5MaICG1nY/zFelWd7o+45/1Z003hpx8bZEfiTAY=,iv:FXPH4KlhbVFjVvr27jJlFbehYfNeUVqXXHOY0azAJYQ=,tag:R0JPMsSxxpXDt20wlc3W6Q==,type:str]
+sops:
+    age:
+        - recipient: age1l9acz0cuy455nprryeqyv6ckfqgv3tekuk0kxvvxyunsapwmpvnsmaazhy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dFhaaFpvZUx0cEExRVh1
+            eTBTQ2Z1RTZ6MjBwcEdNRElSdkNFL3FHbEQ4CkdPWGx6dkl6VHEwZ293SUpaTTZp
+            NGxGNnNMT2FjTUZSSGNkZEF6dWhQOXcKLS0tICtEQnRYclkxR21HaEpDZWwvSWIw
+            WUd6SkpZSHpEYXdyZm9uV2V5VDdTNXcKO1nnWK+udwvNl6b+mxyTspgpsGxSQ9YP
+            SpIglDs4+ya3n1UeoSg5JY6s7RjHQj9zFCL2b7FYUJgSrZ/XFVgS5g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-15T09:27:08Z"
+    mac: ENC[AES256_GCM,data:I+y24lmIiH1kYljzLr3rWfx/9e+YNK95v6RBfqrwZifKMJbgApwnPzvAhVeYmL2Cx25TV8TLdwS1gQWvi6vje/lrM9mmRNChbXIARqQ4E58oEDpGTX1OWPNYKTb+nFwYmfO+eX1l/NR9LhM75axhLse8nVBblspXdvrcpMAHFuM=,iv:iqFyXxrAYT79l9tiXGZ57XXXmGOiOjCVEDlr4TA4jo0=,tag:23dSgbtwl2WnOYxtXRZLaw==,type:str]
+    pgp:
+        - created_at: "2025-07-15T09:13:38Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dh4vQ8CmRuq4SAQdAd05YYzvqGt/lNWaFMVA2t5UNkDlUyqiMMGx7DFolKREw
+            p/qvmjf2WsT+mni7GZ+UVFG+nh0FL89iKT+tfJzJGZOrmEeyidzjScjO2gcnJz2v
+            0l4BFUeqnqFTtwNee28igk7nSQM/6+r9Rc60pyHRnRpmZ7g042uadYcpeIoTpD8u
+            8hrvgbuAKBuYz/zmo8d7Ko4GPnBl+Pd4mdFhEWWHOW4KcfjuyIDi3rAFrxgiJyRx
+            =9ewB
+            -----END PGP MESSAGE-----
+          fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
secrets/secrets.yaml
@@ -9,33 +9,33 @@ sops:
         - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNmtzTE1hNnhiZDVpMDd1
-            bHl4VnRmQjBhQnFjbE5wWHVkeFo1bWlMc1h3CmZPNVcxMGpFRENTeUJBMko2UlAw
-            QWFFN1gxU2NmWXRsU1d2Q1hPS2pCdUUKLS0tIElYOW4vOCt5bkFhVng1R0JPZGs5
-            VDZnMGVvYjVxYUFPMHZNU3UwbFpXNncKUiVCNLyEkSpXhke79nqn96FzuJiLII41
-            bYR/L23fhZ9FPCWed8iPGJQgDuWsCWwde7K1j+50g0L1RcNkONP0Wg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0azA1M0V0SURyM1FaSk5P
+            U1p6SkgrZ09qTi9VRmNta1FDdS9jWlYzVjJZCm5qYzdRRkpjZk1FZlhWYkxHcjlN
+            QW41MlN1ZDF0VVZyVWdLVC9XNElXQ1kKLS0tIHhjZDk0TnVBaTdGT2pNZUJtVGhh
+            UVh6UE5QSCttWndKNHZTbStCbWhPbkEKidPlEAGCeNrGynn4Hlds/JOFMyJEMTqz
+            jSAltW/lMjEb9L/N3L1yARwyxcrc58OOZO7bNLgBDSmYzWoKcwhRkA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx
+        - recipient: age1l9acz0cuy455nprryeqyv6ckfqgv3tekuk0kxvvxyunsapwmpvnsmaazhy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ2NqRVhTSE5oOXlTdEhk
-            ZG0rUCt4akdIc25LY0x0T0hlL2tjM1k2M0FBCkJPQWFBNHAxUDhySHFPL0xxRVY3
-            ajRuVGJSUEJMejcxWUxkQWFNS0FrUUUKLS0tIFd6ck80UjRXYzBzODFLQXlNV2tI
-            VlhsclVpbUtQMk45YUx0OXJocHpycUkKQl63KY0SqgDHaG+VlfsnczVZ7PH520EE
-            vUrAq1GKMbouZmIv3Yn952jIzgUudvZXcTP7NAFehE96LQxig9S+Zw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NU51Z2p2SUFtSDJ5L2Ra
+            VkdNcWpzSHpkek95bUNZRVhnYmt6dlR1ckM4CkloVlZ2UUFQQmpWYk92ZmJYdWlH
+            OFJ5MkExeWRXR1JuMUlud0s1T2JqRFUKLS0tIHY3U3JNN21qMjY4amhKRXJuK21h
+            TE44VlBtZjJHbDR0eFlHUDFDN0JjZG8KVgM+r7pLSJAnaHcyVF4TfkRCTk0EkHlu
+            TpZ9r+JFVToXp0QXXMoQeGHo8LhKhrztiK2YvQ2czXY6QO4MpqwfOQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-07-14T08:59:30Z"
     mac: ENC[AES256_GCM,data:9r7iPa/5jOobUGHnLZvBPp1nbUBl+Buc84B+2au/GS37xKnfR0gLas1cKb9P6F1NLmQ+wqZMqp1J4HgkYZOJsPGr9Nq8Xw/7dW8rOdr0LIFzARug4XDml7shYd4xu5+jHoS4pC5Wl0Wpj76c0a11chTFsllUXVjnajoFWCBGGYM=,iv:dh+C4uOHe59WAfJuFv7GCaTeBGhWIad1xv3W5Eq611s=,tag:2r3CZZAEr1gXQ4oTazi7+A==,type:str]
     pgp:
-        - created_at: "2025-07-14T09:17:48Z"
+        - created_at: "2025-07-15T09:13:43Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4Dh4vQ8CmRuq4SAQdAvuP3lTA11ezSlVRzvARkjKWEyXq55memX6VcnF1GaBow
-            YgRdrJxH7FZh1qUbGQ9+T6e3NUMhOHVHunmuZ5U5fohqmyrprZts1cY/qfl8/9zb
-            0l4BPmwpi8sHg+YVEuyXHrTRLMcFABLcD2d5AQiae1LDTxZWzaWJt3VVyNpyCFcG
-            3uVYvhFpeQhDCNPh1l6MtaTnCIYeXaUr7JPn/vFk5yg38HQmbE+lwlvxxF87vgPn
-            =0q2P
+            hF4Dh4vQ8CmRuq4SAQdAK7rA+S3yPZ1LKlkrm4xY7R9v6zXi1gV3Npk6Qf2C1AYw
+            mw6axdrxt89gCAkml9u6wJX0c6ZtExUa+XDUU0BzIq3thnTo7ZnaqFVxdqVyMEaz
+            0l4BdgXy7VoEUBNnSfvcd2pKQ2vlB+om/tsR7bq8Fa/UAtmaxoVn1VIe6sCczpst
+            qFdOEmdiQqOSFsSuZmvYUDdc3OWoncbqa0UiSEGOimNXxquXpJ5K+7vyfsT2ux7d
+            =y3pz
             -----END PGP MESSAGE-----
           fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
     unencrypted_suffix: _unencrypted
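Review bot: The rewrap replaces recipient `age1paj3ugp…` (line 238) with `age1l9acz0…` while `mac` (line 254) and `lastmodified` (line 253) are unchanged, which indicates the file's data key was re-encrypted to the new recipient set but not regenerated. Anyone still holding the removed age key plus an earlier revision of this file from git history can therefore still decrypt the current contents. If the removed key is retired rather than renamed, rotate the data key (`sops rotate` / `sops -r` on this file) and change the underlying values the old key could read.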
.sops.yaml
@@ -1,6 +1,7 @@
 keys:
   - &admin_hpcesia 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
   - &chaser_kevin age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
+  - &chaser_pardofelis age1l9acz0cuy455nprryeqyv6ckfqgv3tekuk0kxvvxyunsapwmpvnsmaazhy
 creation_rules:
   - path_regex: ^secrets/secrets\.yaml$
     key_groups:
@@ -8,3 +9,10 @@ creation_rules:
           - *admin_hpcesia
         age:
           - *chaser_kevin
+          - *chaser_pardofelis
+  - path_regex: ^secrets/hosts/pardofelis/secrets\.yaml$
+    key_groups:
+      - pgp:
+          - *admin_hpcesia
+        age:
+          - *chaser_pardofelis
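Review bot: Adding `*chaser_pardofelis` to the `^secrets/secrets\.yaml$` rule on line 287 gives the new VPS host's age key access to every shared secret, not only its own, although the per-host rule on lines 288–293 already gives it a private file. If some values in secrets/secrets.yaml are only needed by kevin, move them to a per-host file so a compromise of the VPS does not expose them. A comment above the shared rule saying that everything in that file is intentionally readable by all hosts would make the trust boundary explicit.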
flake.lock
@@ -42,6 +42,27 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.11.0",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -337,6 +358,7 @@
       "inputs": {
         "catppuccin": "catppuccin",
         "colmena": "colmena",
+        "disko": "disko",
         "haumea": "haumea",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
flake.nix
@@ -43,6 +43,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    disko = {
+      url = "github:nix-community/disko/v1.11.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     nu-scripts = {
       url = "github:nushell/nu_scripts";
       flake = false;