merge: cube host

2026-03-30 01:29:04 +02:00
parent 18105107a6 cba2f63f01
commit 35d0db6bf0
5 changed files with 121 additions and 22 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys:
  - &tower age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
  - &fw16 age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
  - &floo age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
+  - &cube age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g

 creation_rules:
  # per-host secrets
@@ -23,8 +24,13 @@ creation_rules:
      - pgp: [*matej]
        age: [*floo]

+  - path_regex: ^secrets/cube\.yaml$
+    key_groups:
+      - pgp: [*matej]
+        age: [*cube]
+
  # shared secrets (all hosts)
  - path_regex: ^secrets/common\.yaml$
    key_groups:
      - pgp: [*matej]
-        age: [*tower, *fw16, *floo]
+        age: [*tower, *fw16, *floo, *cube]
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -73,6 +73,18 @@ in
      ];
    };

+    cube = mkHost "cube" {
+      system = "x86_64-linux";
+      user = "matej";
+      features = [
+        "openssh"
+        "localisation"
+        "shell"
+        "tailscale"
+        "remote-base"
+      ];
+    };
+
    # nix run github:nix-community/nixos-anywhere -- --flake .#floo root@<ip>
    floo = mkHost "floo" {
      system = "x86_64-linux";
--- a/hosts/cube/configuration.nix
+++ b/hosts/cube/configuration.nix
@@ -0,0 +1,41 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/nvme0n1";
+    content = {
+      type = "gpt";
+      partitions = {
+        esp = {
+          size = "512M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+
+  localisation = {
+    timeZone = "Europe/Ljubljana";
+    defaultLocale = "en_US.UTF-8";
+  };
+
+  system.stateVersion = "25.11";
+}
--- a/hosts/cube/hardware-configuration.nix
+++ b/hosts/cube/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -4,42 +4,51 @@ sops:
        - recipient: age1frwe9fpt9vh969aqnggvq8pfypp6hl98guwfmgttucp7gr55r42sqy2t65
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVzB0YkFIM3Y3KzVQMHZE
-            K3gzd2M3K0tKa2E3YmJKVVlSeG5hUkY0dnlFCkQrbDV6N0pMaWF3NHorTXRLdnAw
-            NEgydG9SMllSdnR4Vm1qSkR1Y2dKNVEKLS0tIE5TbllNTjQrWkFMQmIrODBWWjVF
-            ZmlCSzJvZ1p4eTR3OHNlcktaOE12T3MKUkhzkVqQ5P2+jD4BBHN/dFmoeK9oyAy/
-            9qO7miin10kHTGAOBWXybkt8jXdbY8+gvqjAIYqE/u0ESUW0z+UvKA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOU9BTksxbXdjTkExRDJV
+            aFhVbUFGd1ZSeHFBL0lJRjdSRDRjcjl6ZEQ0Cjg2TFlNZENUWTh5aWNGck52TWFx
+            SC9LS0FrelFCWUI3RUZjdCs3cXF6aDQKLS0tIEwwTWkzOXgxUC9iTFgrQ0szRW8v
+            cGFMa2Rqd1VvWjU3Z2pUdExsdnJUT1EK9iQiW5qZszu65b0wEeq+9JnzzhiAS7fo
+            BmR9OWbDA4GZJBEPBJFD8KxIcO/BYFOjfW2A9PZaTsTpa50Z6+zWxw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age19qj2aaryx869cvcqp77gs9x5hcv4dqjxunkmyre78upsxda6ss7s5vquz4
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaXNCMEh1NUNsS2VacDI1
-            NFVsK1B6cjE0Y2gwbFA3NGN6aGdoSnBNcVM4Cnhzamx5bFY3UlV0VGRqdk1jN3A5
-            K3RFV2dGTi85cTZialB2THBuTEg5a2cKLS0tIFBWWW1waFdCWEFFNUhQa25nSDFE
-            VnhJa1lhakxVQ3RWZi94K0IvUnN3QmsK/3FYCP5Py3G8NYsCAsKuHx2u4w5O/xBE
-            +PJD9Zan7CDurKVkGz/7QoCgD6OPQ7h+Mw1Px2iVKZ9RsfxCU7CF6g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPczdWeTRxalA1M3R0S0Qr
+            eGdtZnJxaHllZ2lKMXJUZTN3VWhhTnU1TFRnCjM5OHoxMnEzKzdQelZEQ3ZZRFpt
+            aWRzaTg4dUc5OXpQUngrVmtSRkk1Q3MKLS0tIEZOd0FyMFRlRElWbjlHOVVkZlZP
+            eEhwRVRrcVgvQUx6bi85YWxDYjJZa28K7Hrk4fAqbjeYJfPJODvsth1p8JYbsfMf
+            a6gTckyeQWTNlE+1Tw6g18lvMP1dzIAYRPHtyzmxeCaETVMmSn7XxQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hksdq2lc89thnpth49sw44f0pmkp950plrhhnttj4petvnfy04tsydz6fl
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QXRBdWNod3RvUmV5SUt2
-            TnVWbjVpODBwaHF5SDlqTFNqdFlKRlFvWEdRCnowbW1DSEViSXNoMlpQQ0tDZjhH
-            QVcwZytEYUhYZkw1R2N6QUk2Y3NkbGMKLS0tIDYwSU9SQzJEcm5abGR3TUtUTEpw
-            eVltZlM1c2d0OVZMWnRRL29ZWGZqRTAKujJHoH+wAB9NtzTF0i4nMIv6dHUXQ4mN
-            HJXXEAGRb7hAYRm2hn8ABtoqs61qvIqiOATcHSnE/NucOrQ68CidQA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbUh0U1ZDc0ZOKzhxZ3Yv
+            ZHRwbzBIdVNsbEJmU0h4ZnpuTlNHSFdwRlQ0Ck1BREhlVFQ3bnVKajVlTGUzRjhN
+            cWpna25Ya1hoZG1ybFZ0REpCNTFTZmcKLS0tIG5ZQzNIWmd4a3J6YWxDQjYyY2px
+            Y085TkhubS9MSjJtMmZDakdZd2RhR3cKlGH906WAhXNDKwaWqHRoYO9bgiZau0ay
+            8ph3OLOVmrENPW3Othf17NDRet/nATFYZghBU/CI5CvZjr9n9SDYMg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15cktenavt5v7zm84se36jtly740syca5nw8em8edx404n5x2ddws8jn29g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRG5zRkxOT0RyeXVpTDJu
+            TSt2SFFtSlFrSTk1YUZBMnAxTEM3dnFnQkFrClA0cnVpMkdsQWxCakNEZm16OEVG
+            dHFIUDA3TDJLdytySEJJMSsrMGZHcTgKLS0tIHhvdWNXaUthbDJqMWVYeWxuOGpL
+            L0lEZ3FVbmlOcndGUXUybXA4RDA2alUKQo5ctVmARPNY0POf2Ft6AxjwIN1N06C7
+            ft4YX+B4D61tUZ+uvFqHzmKsNpvDdoV81zxvGnnCnv0nSXwNghPFxw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-03-29T23:11:10Z"
    mac: ENC[AES256_GCM,data:XY5wElDn+YD4UHSIGd9Ru8ob39gJVE8VE5gqJJkmzF/xERXp7re/d/6RXxoYDgYS0qUnn8c2VFzJxCvakmV/lPLA8YulFk/ZDysEVn+U3CbfTIkjXcJzewJNz0N+hQKeVaCzPfWeB5oaGtB8bjxOg+GYz2TmSvEAT+kO1U/4Klg=,iv:QOlZ4O+eqvOS9/guc+RmWgVDgPzskb4WIlzyT/14MVM=,tag:ziJE9Yytlr680EpSnBGmdQ==,type:str]
    pgp:
-        - created_at: "2026-03-29T23:09:25Z"
+        - created_at: "2026-03-29T23:25:01Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hF4DPaEEpDtHdk8SAQdAeOAy5jmbFTr4UInI64Dwvb8hMTULgVAhqPPLZFOGTl4w
-            h0B0BzvOW52J67eWcvctbM1PFCmKX17JspnW/x1tEORFB9A9mR91DrgiMuLHVv5g
-            0l4BhWxhsMqsKkeCaNYLz7NfIG5FlolLJbZABKdRZs6xX6pAzkWxj3cLWkc4iuRF
-            rE8W2lGN5Yd+luFn7Uxjc8TbQ/dbQ2y5ln0lmxFhFc1+Ka8aQ7S6liNvEvKvK2t8
-            =gtNK
+            hF4DPaEEpDtHdk8SAQdAPlvxgVq9o2boPPXWWwV6X3TjHZEl3lm9OcOj7lbsQxsw
+            5PTrX1rIV73XbRQUdFlnoYpUAwxh3UPULyA4+19fvCooC3L0FxA8e4wTiAdw6SKE
+            0l4BImy4sTiM8hNHXqB6u4rj3LbykCjesQve5C3fut62RV8x4cqUJHAB/aumQINT
+            QRXErylKmqo3h7ReRrCm2oOELauv4JFKNPi/cTE0MNh1+w9JxjoASoBufozDOxe4
+            =vIK+
            -----END PGP MESSAGE-----
          fp: AF349EECC849D87B790E88FF6318FFB7DB374B7D
    unencrypted_suffix: _unencrypted