Commit c513bed
Changed files (12)
hosts/chaser-pardofelis/boot.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ boot.kernelParams = [
+ "audit=0"
+ "net.ifnames=0"
+ ];
+
+ boot.initrd = {
+ compressor = "zstd";
+ compressorArgs = ["-19" "-T0"];
+ availableKernelModules = ["virtio_blk" "virtio_pci" "virtio_scsi"];
+ systemd.enable = true;
+ };
+
+ boot.loader.grub = {
+ enable = true;
+ default = "saved";
+ # Force solve mirroredBoots error
+ # See https://github.com/nix-community/disko/issues/1068#issuecomment-2974926079
+ devices = lib.mkForce ["/dev/vda"];
+ };
+}
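Review bot: `audit=0` in `boot.kernelParams` switches off the kernel audit subsystem for an internet-facing VPS, so neither auditd nor journald can ever record syscall, login or privilege events for this host unless the parameter is removed and the machine rebooted. If it is a deliberate trade-off for a 2C4G box, record that next to it, e.g. `"audit=0" # kernel audit deliberately off: no auditd on this host; drop this before enabling auditing`; otherwise leave it out and decide per-service. The `lib.mkForce ["/dev/vda"]` in the GRUB block must stay in step with the `device = "/dev/vda"` in disko-fs.nix, and nothing ties the two together, so a one-line comment pointing at disko-fs.nix would prevent a silent mismatch when the disk node changes.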
hosts/chaser-pardofelis/default.nix
@@ -0,0 +1,43 @@
+{
+ mylib,
+ myvars,
+ disko,
+ ...
+}:
+#############################################################
+#
+# Pardofelis - NixOS running on a 2C4G VPS
+# My main server hosted by Yecaoyun.
+#
+#############################################################
+let
+ hostName = "pardofelis"; # Define your hostname.
+in {
+ imports =
+ (mylib.scanModules ./.)
+ ++ [
+ disko.nixosModules.default
+ ];
+
+ modules.my-hosts.${hostName} = {
+ network = {
+ enable = "networkd";
+ iface = "eth0";
+ useDHCP = false;
+ nameservers = ["172.16.36.100"] ++ myvars.defaultNameservers;
+ search = ["local"];
+ };
+ hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO56HKTdzGulisPLhpfUmLQNEgwDqwD9SBLRb5aETffV root@pardofelis";
+ sshPorts = [23930];
+ };
+
+ systemd.network.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
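Review bot: `search = ["local"]` in the network block uses the `.local` domain that RFC 6762 reserves for mDNS, so unqualified names may be answered by multicast or LLMNR instead of the configured resolvers if systemd-resolved is in use; whether resolved is enabled is not visible in this hunk. If `local` is really the provider's internal suffix behind `172.16.36.100`, say so, e.g. `search = ["local"]; # provider-internal suffix served by 172.16.36.100, not mDNS`, otherwise drop the search domain. Also note that `useDHCP = false` with no static address here means the host depends entirely on the sops-delivered drop-in from secrets/hosts/pardofelis for its IP; a comment stating that dependency would help the next person recovering the box from the console.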
hosts/chaser-pardofelis/disko-fs.nix
@@ -0,0 +1,41 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ # Btrfs subvolumes for better organization and snapshotting
+ subvolumes = {
+ "/@" = {
+ mountpoint = "/";
+ };
+ "/@home" = {
+ mountpoint = "/home";
+ };
+ "/@nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/@log" = {
+ mountpoint = "/var/log";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
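Review bot: Only the `/@nix` subvolume gets `mountOptions`; `/var/log` and `/home` are mounted with defaults, so files written by unprivileged services or users there are executable and can carry setuid bits or device nodes. Since this is a server with no interactive desktop, I would set `mountOptions = ["nodev" "nosuid" "noexec" "compress=zstd" "noatime"];` on `/@log` and `mountOptions = ["nodev" "nosuid" "compress=zstd" "noatime"];` on `/@home`, keeping `/@` and `/@nix` as they are. There is also no swap and no dm-crypt layer; if unencrypted storage on the hoster's disks is accepted, a short comment above `content = { type = "btrfs"; ...` saying so would stop it being read as an oversight.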
modules/base/users.nix
@@ -5,7 +5,11 @@
...
}: let
hosts = config.modules.my-hosts;
- sshTargetHosts = lib.filterAttrs (n: v: !builtins.isNull v.hostPublicKey) hosts;
+ sshTargetHosts =
+ lib.filterAttrs (
+ n: v: !builtins.isNull v.hostPublicKey && !builtins.isNull v.network.ipv4
+ )
+ hosts;
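Review bot: The predicate uses `builtins.isNull`, which nixpkgs treats as deprecated in favour of a plain comparison; `n: v: v.hostPublicKey != null && v.network.ipv4 != null` reads the same and avoids the warning. The new `ipv4` condition also silently drops any host whose public key is set but whose address is not, which is the right thing for generating `Host` entries but worth a one-line comment such as `# only hosts we can actually reach by IPv4 get an ssh_config entry`.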
in {
programs.ssh = {
extraConfig =
@@ -15,7 +19,7 @@ in {
+ ''
Host ${host}
HostName ${val.network.ipv4}
- Port ${val.sshPort}
+ Port ${lib.elemAt val.sshPorts 0}
'')
""
sshTargetHosts;
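Review bot: `Port ${lib.elemAt val.sshPorts 0}` interpolates the list element directly into a string, and hosts/chaser-pardofelis/default.nix declares `sshPorts = [23930];` as an integer, so evaluation will abort with "cannot coerce an integer to a string" unless the option type already coerces it; `Port ${toString (lib.head val.sshPorts)}` is safe either way. `elemAt`/`head` on an empty list also aborts evaluation, so either extend the filter above with `&& val.sshPorts != []` or fall back to 22 here. The `lib.foldAttrs`/concat expression that wraps this `Host` template starts outside the hunk, so I cannot see whether the result is already `toString`-ed elsewhere.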
modules/nixos/base/ssh.nix
@@ -16,6 +16,12 @@
PasswordAuthentication = false; # disable password login
};
openFirewall = true;
+ hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
};
# Add terminfo database of all known terminals to the system profile.
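Review bot: Restricting `hostKeys` to a single ed25519 key is a good hardening step, but nothing says why, and a future reader may add an RSA entry back "for compatibility"; a comment like `# ed25519 only: no RSA/ECDSA host keys are generated for any host` would pin the intent. If, as the .sops.yaml changes in this commit suggest, the age recipients for hosts are derived from this same key file, add that to the comment too, since regenerating the key then silently breaks secret decryption; I cannot confirm that derivation from the visible lines.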
modules/nixos/server/x86_64.nix
@@ -0,0 +1,6 @@
+{lib, ...}: {
+ imports = [
+ ../base
+ ../../base
+ ];
+}
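Review bot: The `lib` argument on the first line is never used in this module and can be dropped (`{...}: {`), which also keeps the file consistent with disko-fs.nix's argument-free form. The file is named x86_64.nix but contains nothing architecture-specific, only the two base imports; if it is meant as the aggregation point for x86_64 servers, a header comment saying so would make that clearer than the name alone.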
secrets/hosts/pardofelis/default.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ hostName,
+ ...
+}:
+lib.mkIf (hostName == "pardofelis") {
+ sops.secrets.pardofelis-network = {
+ format = "yaml";
+ key = "content";
+ sopsFile = ./secrets.yaml;
+ owner = "root";
+ group = "systemd-network";
+ mode = "0440";
+ path = "/etc/systemd/network/10-${config.modules.my-hosts.${hostName}.network.iface}.network.d/99-secret-ip.conf";
+ };
+ services.openssh.hostKeys = [
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+}
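Review bot: The `services.openssh.hostKeys` block here repeats the identical entry added to modules/nixos/base/ssh.nix in this same commit; NixOS list options merge by concatenation, so sshd_config will presumably get two identical `HostKey` lines, and one of the two definitions should be removed. The `pardofelis-network` secret is also the host's only source of a static address (see `useDHCP = false` in hosts/chaser-pardofelis/default.nix), so a failed decryption at activation leaves the VPS unreachable; that is worth a comment, and I would add `restartUnits = ["systemd-networkd.service"];` to the secret so a changed drop-in is applied on `nixos-rebuild switch` rather than only after a reboot, if the sops-nix version in use provides that option.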
secrets/hosts/pardofelis/secrets.yaml
@@ -0,0 +1,28 @@
+content: ENC[AES256_GCM,data:GWb0KiK4qOIm4ht+kRyAwSZsIysP5d/4ijvxTUUtMSxOc5Mq0j8C24x1VbFWk5n2w6Bx0PSzZwiTL0fBivZRs9bEi0lQAoLiF6szftw2hGcqwoWmNFDajr4i5MaICG1nY/zFelWd7o+45/1Z003hpx8bZEfiTAY=,iv:FXPH4KlhbVFjVvr27jJlFbehYfNeUVqXXHOY0azAJYQ=,tag:R0JPMsSxxpXDt20wlc3W6Q==,type:str]
+sops:
+ age:
+ - recipient: age1l9acz0cuy455nprryeqyv6ckfqgv3tekuk0kxvvxyunsapwmpvnsmaazhy
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dFhaaFpvZUx0cEExRVh1
+ eTBTQ2Z1RTZ6MjBwcEdNRElSdkNFL3FHbEQ4CkdPWGx6dkl6VHEwZ293SUpaTTZp
+ NGxGNnNMT2FjTUZSSGNkZEF6dWhQOXcKLS0tICtEQnRYclkxR21HaEpDZWwvSWIw
+ WUd6SkpZSHpEYXdyZm9uV2V5VDdTNXcKO1nnWK+udwvNl6b+mxyTspgpsGxSQ9YP
+ SpIglDs4+ya3n1UeoSg5JY6s7RjHQj9zFCL2b7FYUJgSrZ/XFVgS5g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-15T09:27:08Z"
+ mac: ENC[AES256_GCM,data:I+y24lmIiH1kYljzLr3rWfx/9e+YNK95v6RBfqrwZifKMJbgApwnPzvAhVeYmL2Cx25TV8TLdwS1gQWvi6vje/lrM9mmRNChbXIARqQ4E58oEDpGTX1OWPNYKTb+nFwYmfO+eX1l/NR9LhM75axhLse8nVBblspXdvrcpMAHFuM=,iv:iqFyXxrAYT79l9tiXGZ57XXXmGOiOjCVEDlr4TA4jo0=,tag:23dSgbtwl2WnOYxtXRZLaw==,type:str]
+ pgp:
+ - created_at: "2025-07-15T09:13:38Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dh4vQ8CmRuq4SAQdAd05YYzvqGt/lNWaFMVA2t5UNkDlUyqiMMGx7DFolKREw
+ p/qvmjf2WsT+mni7GZ+UVFG+nh0FL89iKT+tfJzJGZOrmEeyidzjScjO2gcnJz2v
+ 0l4BFUeqnqFTtwNee28igk7nSQM/6+r9Rc60pyHRnRpmZ7g042uadYcpeIoTpD8u
+ 8hrvgbuAKBuYz/zmo8d7Ko4GPnBl+Pd4mdFhEWWHOW4KcfjuyIDi3rAFrxgiJyRx
+ =9ewB
+ -----END PGP MESSAGE-----
+ fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
secrets/secrets.yaml
@@ -9,33 +9,33 @@ sops:
- recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNmtzTE1hNnhiZDVpMDd1
- bHl4VnRmQjBhQnFjbE5wWHVkeFo1bWlMc1h3CmZPNVcxMGpFRENTeUJBMko2UlAw
- QWFFN1gxU2NmWXRsU1d2Q1hPS2pCdUUKLS0tIElYOW4vOCt5bkFhVng1R0JPZGs5
- VDZnMGVvYjVxYUFPMHZNU3UwbFpXNncKUiVCNLyEkSpXhke79nqn96FzuJiLII41
- bYR/L23fhZ9FPCWed8iPGJQgDuWsCWwde7K1j+50g0L1RcNkONP0Wg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0azA1M0V0SURyM1FaSk5P
+ U1p6SkgrZ09qTi9VRmNta1FDdS9jWlYzVjJZCm5qYzdRRkpjZk1FZlhWYkxHcjlN
+ QW41MlN1ZDF0VVZyVWdLVC9XNElXQ1kKLS0tIHhjZDk0TnVBaTdGT2pNZUJtVGhh
+ UVh6UE5QSCttWndKNHZTbStCbWhPbkEKidPlEAGCeNrGynn4Hlds/JOFMyJEMTqz
+ jSAltW/lMjEb9L/N3L1yARwyxcrc58OOZO7bNLgBDSmYzWoKcwhRkA==
-----END AGE ENCRYPTED FILE-----
- - recipient: age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx
+ - recipient: age1l9acz0cuy455nprryeqyv6ckfqgv3tekuk0kxvvxyunsapwmpvnsmaazhy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ2NqRVhTSE5oOXlTdEhk
- ZG0rUCt4akdIc25LY0x0T0hlL2tjM1k2M0FBCkJPQWFBNHAxUDhySHFPL0xxRVY3
- ajRuVGJSUEJMejcxWUxkQWFNS0FrUUUKLS0tIFd6ck80UjRXYzBzODFLQXlNV2tI
- VlhsclVpbUtQMk45YUx0OXJocHpycUkKQl63KY0SqgDHaG+VlfsnczVZ7PH520EE
- vUrAq1GKMbouZmIv3Yn952jIzgUudvZXcTP7NAFehE96LQxig9S+Zw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NU51Z2p2SUFtSDJ5L2Ra
+ VkdNcWpzSHpkek95bUNZRVhnYmt6dlR1ckM4CkloVlZ2UUFQQmpWYk92ZmJYdWlH
+ OFJ5MkExeWRXR1JuMUlud0s1T2JqRFUKLS0tIHY3U3JNN21qMjY4amhKRXJuK21h
+ TE44VlBtZjJHbDR0eFlHUDFDN0JjZG8KVgM+r7pLSJAnaHcyVF4TfkRCTk0EkHlu
+ TpZ9r+JFVToXp0QXXMoQeGHo8LhKhrztiK2YvQ2czXY6QO4MpqwfOQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-14T08:59:30Z"
mac: ENC[AES256_GCM,data:9r7iPa/5jOobUGHnLZvBPp1nbUBl+Buc84B+2au/GS37xKnfR0gLas1cKb9P6F1NLmQ+wqZMqp1J4HgkYZOJsPGr9Nq8Xw/7dW8rOdr0LIFzARug4XDml7shYd4xu5+jHoS4pC5Wl0Wpj76c0a11chTFsllUXVjnajoFWCBGGYM=,iv:dh+C4uOHe59WAfJuFv7GCaTeBGhWIad1xv3W5Eq611s=,tag:2r3CZZAEr1gXQ4oTazi7+A==,type:str]
pgp:
- - created_at: "2025-07-14T09:17:48Z"
+ - created_at: "2025-07-15T09:13:43Z"
enc: |-
-----BEGIN PGP MESSAGE-----
- hF4Dh4vQ8CmRuq4SAQdAvuP3lTA11ezSlVRzvARkjKWEyXq55memX6VcnF1GaBow
- YgRdrJxH7FZh1qUbGQ9+T6e3NUMhOHVHunmuZ5U5fohqmyrprZts1cY/qfl8/9zb
- 0l4BPmwpi8sHg+YVEuyXHrTRLMcFABLcD2d5AQiae1LDTxZWzaWJt3VVyNpyCFcG
- 3uVYvhFpeQhDCNPh1l6MtaTnCIYeXaUr7JPn/vFk5yg38HQmbE+lwlvxxF87vgPn
- =0q2P
+ hF4Dh4vQ8CmRuq4SAQdAK7rA+S3yPZ1LKlkrm4xY7R9v6zXi1gV3Npk6Qf2C1AYw
+ mw6axdrxt89gCAkml9u6wJX0c6ZtExUa+XDUU0BzIq3thnTo7ZnaqFVxdqVyMEaz
+ 0l4BdgXy7VoEUBNnSfvcd2pKQ2vlB+om/tsR7bq8Fa/UAtmaxoVn1VIe6sCczpst
+ qFdOEmdiQqOSFsSuZmvYUDdc3OWoncbqa0UiSEGOimNXxquXpJ5K+7vyfsT2ux7d
+ =y3pz
-----END PGP MESSAGE-----
fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
unencrypted_suffix: _unencrypted
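Review bot: This change swaps the recipient `age1paj3ugp...` for `age1l9acz0...` but leaves `lastmodified` and `mac` untouched, which is what `sops updatekeys` produces: the existing data key is re-wrapped for the new key set, not rotated. Anyone who still holds the removed age identity can therefore unwrap the old data key from history and keep decrypting future edits of this file until the data key is rotated; if the old key belonged to a retired or reinstalled host, run `sops rotate -i secrets/secrets.yaml` so that the `mac` and every value are re-encrypted under a fresh key. I cannot tell from the diff whether the dropped recipient is still trusted.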
.sops.yaml
@@ -1,6 +1,7 @@
keys:
- &admin_hpcesia 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
- &chaser_kevin age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
+ - &chaser_pardofelis age1l9acz0cuy455nprryeqyv6ckfqgv3tekuk0kxvvxyunsapwmpvnsmaazhy
creation_rules:
- path_regex: ^secrets/secrets\.yaml$
key_groups:
@@ -8,3 +9,10 @@ creation_rules:
- *admin_hpcesia
age:
- *chaser_kevin
+ - *chaser_pardofelis
+ - path_regex: ^secrets/hosts/pardofelis/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_hpcesia
+ age:
+ - *chaser_pardofelis
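Review bot: Adding `*chaser_pardofelis` to the `^secrets/secrets\.yaml$` rule lets a VPS on a third-party hoster decrypt every shared secret in the repository, while the new per-host rule for `^secrets/hosts/pardofelis/secrets\.yaml$` already gives it a private file. Unless pardofelis needs something from the shared file, keep it out of that rule so a compromise of the VPS exposes only its own secrets; if it does need shared material, a comment on the rule naming which secrets justify it would document the decision. The two-entry `key_groups` list also means either the PGP admin key or any listed age key alone can decrypt, which matches the previous behaviour.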
flake.lock
@@ -42,6 +42,27 @@
"type": "github"
}
},
+ "disko": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1736864502,
+ "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+ "owner": "nix-community",
+ "repo": "disko",
+ "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v1.11.0",
+ "repo": "disko",
+ "type": "github"
+ }
+ },
"flake-compat": {
"flake": false,
"locked": {
@@ -337,6 +358,7 @@
"inputs": {
"catppuccin": "catppuccin",
"colmena": "colmena",
+ "disko": "disko",
"haumea": "haumea",
"home-manager": "home-manager",
"nixos-hardware": "nixos-hardware",
flake.nix
@@ -43,6 +43,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
+ disko = {
+ url = "github:nix-community/disko/v1.11.0";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
nu-scripts = {
url = "github:nushell/nu_scripts";
flake = false;