authorCaroline Larimore <caroline@larimo.re>2024-07-25 20:02:01 -0700
committerCaroline Larimore <caroline@larimo.re>2024-07-25 20:02:01 -0700
commita1c7956366e8ba7ec38bb8d959929190f554b11b (patch)
tree7e8db4b5a36938b04ec276e2ef42bdfd3512e0ff /hosts/phoenix
parentbc3b53d11381e1088832dfac22bd26403a58b0f8 (diff)
phoenix: create host
Diffstat (limited to 'hosts/phoenix')
-rw-r--r--hosts/phoenix/configuration.nix79
-rw-r--r--hosts/phoenix/hardware.nix54
2 files changed, 133 insertions, 0 deletions
diff --git a/hosts/phoenix/configuration.nix b/hosts/phoenix/configuration.nix
new file mode 100644
index 0000000..45007dc
--- /dev/null
+++ b/hosts/phoenix/configuration.nix
@@ -0,0 +1,79 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ imports = [
+ ./hardware.nix
+ ../../core
+ ../../roles
+ ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ environment.persistence."/persist/system" = {
+ hideMounts = true;
+
+ directories = [
+ "/etc/nixos"
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ ];
+
+ files = [
+ "/etc/machine-id"
+ ];
+ };
+
+ programs.fuse.userAllowOther = true;
+
+ networking = {
+ hostName = "phoenix";
+ hostId = "d62900ff";
+
+ useDHCP = true;
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ users.users = {
+ root.hashedPasswordFile = "/secrets/passwords/root";
+
+ "c" = {
+ isNormalUser = true;
+ hashedPasswordFile = "/secrets/passwords/c";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDO8JxqS7B2n3YlNtlVMZGARi+GG/z7wLiiyl52qSZc caroline@larimo.re" ];
+ };
+ };
+
+ roles = {
+
+ };
+
+ programs = {
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+
+ services = {
+ pcscd.enable = true;
+ openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ (writeShellScriptBin "rb" "sudo nixos-rebuild switch --flake /etc/nixos")
+ (writeShellScriptBin "rbf" "sudo nixos-rebuild switch --flake path:/etc/nixos")
+
+ ffmpeg
+ ];
+
+ system.stateVersion = "24.05";
+}
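Review bot: The `environment.persistence."/persist/system"` lists do not include the SSH host keys, even though `services.openssh.enable = true` is set and hardware.nix rolls `zpool/root` back to `@blank` on every boot. Unless `../../core` or `../../roles` already handles this (not visible in this diff), sshd will generate fresh host keys after each reboot. Clients would then see a changed-host-key warning every time, and the warning stops being a useful signal. Consider adding `"/etc/ssh/ssh_host_ed25519_key"` and `"/etc/ssh/ssh_host_ed25519_key.pub"` to `files`, or pointing `services.openssh.hostKeys` at a path under `/persist`. It may also be worth setting `KbdInteractiveAuthentication = false;` next to `PasswordAuthentication = false;` so that key-only login is stated explicitly.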
diff --git a/hosts/phoenix/hardware.nix b/hosts/phoenix/hardware.nix
new file mode 100644
index 0000000..3057c0e
--- /dev/null
+++ b/hosts/phoenix/hardware.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ loader.grub = {
+ enable = true;
+
+ zfsSupport = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+
+ mirroredBoots = [
+ { devices = [ "nodev" ]; path = "/boot"; }
+ ];
+ };
+
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ kernelModules = [ ];
+
+ postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r zpool/root@blank && zfs rollback -r zpool/home@blank
+ '';
+
+ postMountCommands = lib.mkAfter ''
+ chmod u=rw,g=,o= /secrets
+ '';
+ };
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ supportedFilesystems = [ "ntfs" ];
+ };
+
+ fileSystems = {
+ "/" = { fsType = "zfs"; device = "zpool/root"; };
+ "/nix" = { fsType = "zfs"; device = "zpool/secure/nix"; };
+ "/home" = { fsType = "zfs"; device = "zpool/home"; };
+ "/persist" = { fsType = "zfs"; device = "zpool/secure/persist"; neededForBoot = true; };
+ "/secrets" = { fsType = "zfs"; device = "zpool/secure/secrets"; neededForBoot = true; };
+
+ "/boot" = { fsType = "vfat"; device = "/dev/disk/by-uuid/C48C-5EE1"; };
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
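Review bot: The `chmod u=rw,g=,o= /secrets` in `boot.initrd.postMountCommands` probably does not reach the `zpool/secure/secrets` dataset. As far as I know, scripted stage 1 mounts the target filesystems under `/mnt-root`, so `/secrets` here resolves inside the initrd and the command likely fails or touches the wrong path. That would leave the directory holding the `hashedPasswordFile` inputs with whatever mode the dataset root already has. The mode also omits the search bit on a directory, so `chmod u=rwx,g=,o= /mnt-root/secrets` would be the conventional form, with a comment such as `# /secrets holds password hashes; root-only`. Separately, `zfs rollback -r zpool/root@blank && zfs rollback -r zpool/home@blank` skips the home rollback if the first command fails, so running the two on separate lines would keep them independent.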