Add aspi system, use sops

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

flake.lock

@@ -143,6 +143,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1717880976,
+        "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs-unstable": {
       "locked": {
         "lastModified": 1717196966,
@@ -166,7 +182,8 @@
         "nix-matlab": "nix-matlab",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "snowfall-lib": "snowfall-lib"
+        "snowfall-lib": "snowfall-lib",
+        "sops-nix": "sops-nix"
       }
     },
     "snowfall-lib": {
@@ -191,6 +208,27 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1718137936,
+        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -22,9 +22,13 @@
 
     nix-matlab.url = "gitlab:doronbehar/nix-matlab";
     nix-matlab.inputs.nixpkgs.follows = "nixpkgs";
+
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = inputs:
+  outputs =
+    inputs:
     inputs.snowfall-lib.mkFlake {
       inherit inputs;
       # Must always be ./.

homes/x86_64-linux/julian@aspi/default.nix

@@ -23,9 +23,6 @@
   home.username = "julian";
   home.homeDirectory = "/home/julian";
 
-  # DO NOT CHANGE!!!
-  home.stateVersion = "23.11";
-
   modules = {
     non-nixos.is-nixos = false;
     shell = {
@@ -77,4 +74,8 @@
 
   # Let Home Manager install and manage itself.
   programs.home-manager.enable = true;
+
+  # ======================== DO NOT CHANGE THIS ========================
+  home.stateVersion = "23.11";
+  # ======================== DO NOT CHANGE THIS ========================
 }

modules/nixos/sops/default.nix

@@ -0,0 +1,46 @@
+{
+  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
+  # as well as the libraries available from your flake's inputs.
+  lib,
+  # An instance of `pkgs` with your overlays and packages applied is also available.
+  pkgs,
+  # You also have access to your flake's inputs.
+  inputs,
+
+  # Additional metadata is provided by Snowfall Lib.
+  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
+  system, # The system architecture for this host (eg. `x86_64-linux`).
+  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
+  format, # A normalized name for the system target (eg. `iso`).
+  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
+  systems, # An attribute map of your defined hosts.
+
+  # All other arguments come from the module system.
+  config,
+  ...
+}:
+
+let
+  cfg = config.modules.sops;
+in
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  options.modules.sops = { };
+
+  config = {
+    sops.defaultSopsFile = ../../../secrets/secrets.yaml;
+    sops.defaultSopsFormat = "yaml";
+    sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt";
+
+    # List of defined secrets
+    sops.secrets."aspi/password" = {
+      neededForUsers = true;
+    };
+
+    # sops.secrets."aspi/syncthing/key" = {
+    #   neededForUsers = true;
+    # };
+    # sops.secrets."ngrok/terraria" = { };
+  };
+}

secrets/secrets.yaml

@@ -0,0 +1,24 @@
+aspi:
+    syncthing:
+        cert: ENC[AES256_GCM,data:AByFKHdW0/kW5LdMdAlvB8O0OBtTSolnIs1o8V94b5H/Mqyy52HwaxTLu4I5BttlK4dd43dCRploUs7LwBiilmI5SlO1RFU2MupzBlGMiun4UbXC9dFW7iDY+lfX3fwlR6uUfmkm+iW8tSAii+G8KS7eBjyq2EqJ2KzXuEBS74pDJKQ5+hlKWa3dBSCfz3o+on1lfQYqjD9Sgf5x/irEhdCsGFTRM7pnEqdwHhJ87mrv//qrGU9ZWgvOEAQc3mJClGZniF1ePAGnCa9fMu3JKXbsKzLKC2QgIa576k0pgnIK5dEyLUaUemnS2fidbRGz6rAp0tPK8Nm/pbROjkReCfPZ2IjKHX8CAG7VcZokJX8pry+NWCq2/vRnkz6tgAIZu1nykVcRTM0TGDNlXNolK1tCycx3BDRzKFQunp0FdvcN3QTrVsA1sRInZve5x3Y1XVukQjgMk/uyfvQ4ktt3io5PcVmeTWBugJaNC6WlCUwee2o7b2kJGsshk2N+FgfAWZS9bGIxi/ijC87IGZu0bSvqlg4D1bsTCfODte/l+bTW+CZ96eu/8fbcQ+S4ClDeqzzjvIjFiGxSq/KXB3RLGP8aORbdI6y6AkLdwzhb2icFGzVHo/pU3VqHGYhFHbxbpRBs8iJ+EBMoL9AZJi/wh9Hg/gWHtpfWr06nySIEjQkqzEgTzC5O3A1mltkBaHP0XXp1WxyHq2id2dehB+xFpwA8h+Yg25HXMgJowNPpU0Z9a4BNmjdQl9cMWBytGP/20wwQEc9gwweFw5/kFRV0BVtfKUHYerwNoR+yWWURhPl0eUgn3tt77vVhwsuJcKlzbu8XRe0fj/1CFV8mmR8T3zBss4K7sZiDGAWgknRUAdhBV3HincmXdwkT4HWfgT4OSKk156BJof40xJNMpkk+CXFd2M0Trb9UcQQEneldnnvvDe1rML2FFrURRwTCKekCr7Wfsij6cvfz90Qs8NqkfWiAhwsZLwlfHcQrZn1gYHepW6OY/5knB5QWUuexGgRKUQmPQsiaVOgcz8zmSBWtYhLQEXenTg==,iv:n/8CkSiZu666RcOtMXB+Fg5rU2Un77OhxD0wtwfRNYc=,tag:Gy5i2UbBpckO6beyn8gv6Q==,type:str]
+        key: ENC[AES256_GCM,data:81YkG2zWuYIrpC9BMm/+79Ad7gXLHqHqtxnNbUox7E/oii9nNlbR4YqQJfegkDijrV/PK+UjgeiySHfxUzH0MFnVQ4XTDVFiuQ31s1ft/TZlZmOs7JmElc2i8AbdJM31+NCLoH8nDxGOcoqfErFmf4hbRFprnamItYrDqjq/vIbtPbpjm2cTZw3qwKT1HTPpZfvM6b2xDBd9BqjaoOqwhRUVg45Z0gjKXyKqMv0d9JfpoY5lGp6x6SoSlIzM+a5CpKM3v5I1lxN6DtAlh8hO/dCJZCkXCjuIgWWhl3DVol3h6XzDeNsUvgmjhMSjMmEg4utpIMAYzDCTF5GzHyogPdrhqSejnHG1Y6GQnYqniwobabU/6tcY/6nTkLjMpSbM,iv:Nn5LpyxvsvHnxY39Bg205chZ4nhNsHbBstGcJ2Nf2mc=,tag:fslhHkp3gspRnNZNlA7fbg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12x3jgpq5j83rhvxmuu90z99rwnpf8ntu3m87strf856syr6alv2q379k9w
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByL0l4a0ZHcjFEQk5ETXk0
+            dlZJWktVS2pQVjBoZkxyNlo0R3pMM2JkdTNJCk11VEs0U0xleFI3dGkrZEVwWWtz
+            S1dOV1NYcEtOMFFkMWVhM3poNXhTdVkKLS0tIEp2Zk4wanp2M0pIT1Y1eDBYbW1y
+            NUNKTTA1VGhOVFRiV0RDSDJGREgzWFUKvW4A3/CPoTGb6gdrbEQN9NgXSQ+L4wXp
+            NOxR56TemX6fmSZhQU7wyxMmD1rZ64b9cIedauEWr91iYbKjhNpw2A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-12T17:14:51Z"
+    mac: ENC[AES256_GCM,data:XiTeyln5B9lpxUr903mSNBlCw9EsJwQEDVV18NMdHJ3e6Ryq+VkSVYOB60rl2E4C9KiFnh+ibU6KnSmi+bpWBKZ2KjkqxK7jhLnD3FdWFvruJKwf+SZxhd1UAKYjT7yssvQLc971ExVk18zFHRLJwPoPE8ukU9cixlA5PjDUbbY=,iv:w1t+4noBUhirZCcp4FgNQw6Ip+P58OW7HgR39vcOjoY=,tag:bZWznsdm3edevNyZSeQLgQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

systems/x86_64-linux/aspi/default.nix

@@ -0,0 +1,247 @@
+{
+  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
+  # as well as the libraries available from your flake's inputs.
+  lib,
+  # An instance of `pkgs` with your overlays and packages applied is also available.
+  pkgs,
+  # You also have access to your flake's inputs.
+  inputs,
+
+  # Additional metadata is provided by Snowfall Lib.
+  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
+  system, # The system architecture for this host (eg. `x86_64-linux`).
+  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
+  format, # A normalized name for the system target (eg. `iso`).
+  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
+  systems, # An attribute map of your defined hosts.
+
+  # All other arguments come from the system system.
+  config,
+  ...
+}:
+{
+  imports = [ ./hardware-configuration.nix ];
+
+  nix.buildMachines = [
+    {
+      hostName = "192.168.3.118";
+      system = "x86_64-linux";
+      protocol = "ssh";
+      # if the builder supports building for multiple architectures,
+      # replace the previous line by, e.g.
+      # systems = ["x86_64-linux" "aarch64-linux"];
+      maxJobs = 4;
+      speedFactor = 3;
+      supportedFeatures = [
+        "nixos-test"
+        "benchmark"
+        "big-parallel"
+        "kvm"
+      ];
+      mandatoryFeatures = [ ];
+    }
+  ];
+  nix.distributedBuilds = true;
+  # optional, useful when the builder has a faster internet connection than yours
+  nix.extraOptions = "  builders-use-substitutes = true\n";
+
+  # Bootloader
+  # Use this for simple nix boot menu, if no dual boot required
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+  boot.supportedFilesystems = [
+    "btrfs"
+    "ntfs"
+    "nfs"
+    "cifs"
+  ];
+
+  networking.hostName = "aspi";
+  networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Set location used by redshift
+  location.provider = "manual";
+  location.latitude = 47.92;
+  location.longitude = 10.12;
+
+  modules = {
+    locales.enable = true;
+  };
+
+  nix.settings.auto-optimise-store = true;
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+    ];
+    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+  };
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+  hardware.opengl.enable = true;
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  # Enable the XFCE Desktop Environment.
+  services.xserver.displayManager.lightdm.enable = true;
+  services.xserver.desktopManager = {
+    xterm.enable = false;
+    xfce = {
+      enable = true;
+      noDesktop = true;
+      enableXfwm = false;
+    };
+  };
+  services.displayManager.defaultSession = "none+i3";
+  services.xserver.windowManager.i3.enable = true;
+  services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+
+  # Configure keymap in X11
+  services.xserver = {
+    xkb.layout = "de";
+    xkb.variant = "";
+  };
+
+  # Configure console keymap
+  console.keyMap = "de";
+
+  # Enable sound with pipewire.
+  sound.enable = true;
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  services.xserver.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.julian = {
+    isNormalUser = true;
+    description = "Julian";
+    uid = 1000;
+    group = "julian";
+    shell = pkgs.fish;
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+      "docker"
+    ];
+  };
+
+  # home-manager.useGlobalPkgs = true; # make overlays for nixpkgs work for home-manager, not only the system
+  # home-manager.useUserPackages = true;
+
+  programs.fish.enable = true;
+
+  programs.nix-ld.enable = true;
+
+  users.groups.julian = {
+    gid = 1000;
+  };
+
+  # List services that you want to enable:
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = false;
+
+  services.syncthing.enable = true;
+  services.syncthing.user = "julian";
+  services.syncthing.group = "julian";
+  services.syncthing.key = config.sops.secrets."aspi/syncthing/key".path;
+  services.syncthing.cert = config.sops.secrets."aspi/syncthing/cert".path;
+  # overrideDevices = true; # overrides any devices added or deleted through the WebUI
+  # overrideFolders = true; # overrides any folders added or deleted through the WebUI
+  # settings = {
+  #   devices = {
+  #     "device1" = {
+  #       id = "DEVICE-ID-GOES-HERE";
+  #     };
+  #     "device2" = {
+  #       id = "DEVICE-ID-GOES-HERE";
+  #     };
+  #   };
+  #   folders = {
+  #     "Documents" = {
+  #       # Name of folder in Syncthing, also the folder ID
+  #       path = "/home/myusername/Documents"; # Which folder to add to Syncthing
+  #       devices = [
+  #         "device1"
+  #         "device2"
+  #       ]; # Which devices to share the folder with
+  #     };
+  #     "Example" = {
+  #       path = "/home/myusername/Example";
+  #       devices = [ "device1" ];
+  #       ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
+  #     };
+  #   };
+  # };
+
+  services.redshift.enable = true;
+
+  services.flatpak.enable = true;
+
+  xdg.portal.enable = true;
+  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+
+  # services.emacs.enable = true;
+
+  # services.gnome.gnome-keyring.enable = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+
+  # Packages needed as root
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+    mc
+  ];
+
+  virtualisation.docker.enable = true;
+
+  virtualisation.virtualbox.host.enable = true;
+  # virtualisation.virtualbox.host.enableExtensionPack = true;
+  # virtualisation.virtualbox.guest.enable = true;
+  # virtualisation.virtualbox.guest.x11 = true;
+  users.extraGroups.vboxusers.members = [ "julian" ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # ======================== DO NOT CHANGE THIS ========================
+  system.stateVersion = "24.05";
+  # ======================== DO NOT CHANGE THIS ========================
+}

systems/x86_64-linux/kardorf/default.nix

@@ -7,6 +7,7 @@
   inputs,
   config,
   pkgs,
+  systems,
   ...
 }:
 {
@@ -161,7 +162,6 @@
       "wheel"
       "docker"
     ];
-    packages = with pkgs; [ ]; # Using home-manager instead
   };
 
   # home-manager.useGlobalPkgs = true; # make overlays for nixpkgs work for home-manager, not only the system

systems/x86_64-linux/kardorf/home.nix

@@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  # Home Manager needs a bit of information about you and the
-  # paths it should manage.
-  home.username = "julian";
-  home.homeDirectory = "/home/julian";
-
-  # This value determines the Home Manager release that your
-  # configuration is compatible with. This helps avoid breakage
-  # when a new Home Manager release introduces backwards
-  # incompatible changes.
-  #
-  # You can update Home Manager without changing this value. See
-  # the Home Manager release notes for a list of state version
-  # changes in each release.
-  home.stateVersion = "23.05";
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  home.packages = [
-    # pkgs.cowsay
-  ];
-
-  # home.file
-  # home.sessionVariables
-
-  gtk = {
-    enable = true;
-    theme.name = "Adwaita-dark";
-    # theme.package = pkgs.materia-theme;
-    # cursorTheme.name = "Bibata-Modern-Ice";
-    # iconTheme.name = "GruvboxPlus";
-  };
-
-}