feat: add alsafi

allowed_signers

@@ -1,3 +1,4 @@
 nevivurn@taiyi namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUNr1fMh1l/hCfs/hjeT3AhBESCVq3QXgbQh/cTVRS3
 nevivurn@tianyi namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJ1U9//g+W2pRNdBaiADCMhAWlfWt3Ha1zwfR+iwMoZ
 nevivurn@grumium namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv9PT64MvppI1xPEs8CeZEzVrGl1nH+jRIwmBI5JMXS
+nevivurn@alsafi namespac="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMglmE8YhvAD8g74xCisFbRD/caAMQ0c7UV9s4hTldGT

flake.nix

@@ -203,6 +203,14 @@
           };
           modules = [ ./systems/iso ];
         };
+
+        alsafi = lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            inherit inputs;
+          };
+          modules = [ ./systems/alsafi ];
+        };
       };
       darwinConfigurations = {
         grumium = inputs.nix-darwin.lib.darwinSystem {

home/profiles/develop/default.nix

@@ -69,8 +69,9 @@
     enableSshSupport = true;
     pinentryPackage = pkgs.pinentry-gnome3;
     sshKeys = [
-      "9478FDDFE4E99B8BD79B4A0390432CE2B7E9F0B6"
-      "9AF5A517D9F1E5A7A0BE52B910C0773991A8AF6D"
+      "9478FDDFE4E99B8BD79B4A0390432CE2B7E9F0B6" # taiyi
+      "9AF5A517D9F1E5A7A0BE52B910C0773991A8AF6D" # tianyi
+      "2ED471433C747746BD3B710C02E9A3B5FE5122A5" # alsafi
     ];
   };
 

systems/alsafi/default.nix

@@ -0,0 +1,277 @@
+{
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+
+let
+  hostname = "alsafi";
+  machineId = "3c2580b354ca43d5a06646c2df8d9938";
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    inputs.self.nixosModules.default
+    inputs.self.nixosModules.graphical
+
+    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen5
+
+    ./services/monitoring.nix
+    ./services/openssh.nix
+  ];
+
+  ## Filesystems
+
+  fileSystems = {
+    "/" = {
+      device = "rpool/local/root";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+    "/boot" = {
+      device = "/dev/disk/by-id/nvme-KBG6AZNV256G_LA_KIOXIA_5E7PSJXAZ12K-part1";
+      fsType = "vfat";
+      options = [
+        "noatime"
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+
+    "/nix" = {
+      device = "rpool/local/nix";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+    "/persist" = {
+      device = "rpool/persist";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+      neededForBoot = true;
+    };
+    "/persist/cache" = {
+      device = "rpool/persist/cache";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+      neededForBoot = true;
+    };
+  };
+  swapDevices = [
+    {
+      device = "/dev/disk/by-id/nvme-KBG6AZNV256G_LA_KIOXIA_5E7PSJXAZ12K-part2";
+      randomEncryption = {
+        enable = true;
+        allowDiscards = true;
+      };
+    }
+  ];
+
+  boot.supportedFilesystems = [ "nfs" ];
+  systemd.automounts = [
+    {
+      where = "/mnt/athebyne";
+      automountConfig.TimeoutIdleSec = "5min";
+
+      unitConfig.DefaultDependencies = false;
+      before = [
+        "unmount.target"
+        "remote-fs.target"
+      ];
+      after = [
+        "remote-fs-pre.target"
+        #"systemd-network-wait-online@wg\\x2dhome.service"
+      ];
+      #requires = [ "systemd-network-wait-online@wg\\x2dhome.service" ];
+      wantedBy = [ "multi-user.target" ];
+      conflicts = [ "unmount.target" ];
+    }
+  ];
+  systemd.mounts = [
+    {
+      type = "nfs";
+      what = "athebyne.nevi.network:/data";
+      where = "/mnt/athebyne";
+      options = "soft";
+    }
+  ];
+
+  ## Boot
+
+  boot.initrd.systemd = {
+    enable = true;
+    services."zfs-rollback" = {
+      wantedBy = [ "initrd.target" ];
+      requires = [ "zfs-import.target" ];
+      after = [ "zfs-import.target" ];
+      before = [ "sysroot.mount" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.zfs}/bin/zfs rollback rpool/local/root@empty";
+      };
+    };
+  };
+
+  ## Networking
+
+  environment.etc."machine-id".text = ''
+    ${machineId}
+  '';
+  networking.hostId = builtins.substring 0 8 machineId;
+  networking.hostName = hostname;
+  networking.domain = "nevi.network";
+  networking.timeServers = [ ];
+
+  #networking.firewall.checkReversePath = "loose";
+
+  systemd.network = {
+    #netdevs = {
+    #  "30-wg-home" = {
+    #    netdevConfig = {
+    #      Name = "wg-home";
+    #      Kind = "wireguard";
+    #    };
+    #    wireguardConfig = {
+    #      PrivateKeyFile = "/persist/secrets/wg-home-priv";
+    #      FirewallMark = 51820;
+    #      RouteTable = 51820;
+    #    };
+    #    wireguardPeers = [
+    #      {
+    #        Endpoint = "public.nevi.network:6666";
+    #        PublicKey = "/3jJJC13Q4co0mFo/DXFp7pch1a7jk7C+dHKu+DxDUg=";
+    #        PresharedKeyFile = "/persist/secrets/wg-home-athebyne-psk";
+    #        AllowedIPs = [
+    #          "0.0.0.0/0"
+    #          "::/0"
+    #        ];
+    #        PersistentKeepalive = 25;
+    #      }
+    #    ];
+    #  };
+    #};
+
+    networks = {
+      "20-wifi" = {
+        matchConfig.Type = "wlan";
+        networkConfig = {
+          DHCP = "ipv4";
+          IPv6AcceptRA = true;
+          #Domains = [ "~public.nevi.network" ];
+        };
+      };
+
+      #"30-wg-home" = {
+      #  matchConfig.Name = "wg-home";
+      #  linkConfig.RequiredForOnline = false;
+      #  networkConfig = {
+      #    Address = [
+      #      "10.42.42.2/24"
+      #      "fdbc:ba6a:38de:1::2/64"
+      #    ];
+      #    DNS = "192.168.2.1";
+      #    NTP = "funi.nevi.network";
+      #    Domains = [ "~." ];
+      #  };
+      #  routingPolicyRules = [
+      #    {
+
+      #      Family = "both";
+      #      FirewallMark = 51820;
+      #      InvertRule = true;
+      #      Table = 51820;
+      #    }
+      #  ];
+      #};
+    };
+  };
+
+  # rp mangling, copied from wg-quick
+  #boot.kernel.sysctl."net.ipv4.conf.all.src_valid_mark" = 1;
+  #networking.nftables.ruleset = lib.mkAfter ''
+  #  table inet wg-rpmangle {
+  #    chain premangle {
+  #      type filter hook prerouting priority mangle;
+  #      meta l4proto udp meta mark set ct mark
+  #    }
+  #    chain postmangle {
+  #      type filter hook postrouting priority mangle;
+  #      meta l4proto udp mark 51820 ct mark set mark
+  #    }
+  #  }
+  #'';
+
+  networking.wireless.iwd.enable = true;
+  networking.wireless.interfaces = [ "wlan0" ];
+
+  services.resolved.dnssec = "false";
+  # services.resolved.fallbackDns does not support empty lists
+  environment.etc."systemd/resolved.conf".text = lib.mkAfter ''
+    FallbackDNS=
+  '';
+
+  ## Basic config
+
+  time.timeZone = "Asia/Seoul";
+
+  ## Users
+
+  users.users.nevivurn = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "video"
+    ];
+    hashedPasswordFile = "/persist/secrets/passwd-nevivurn";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUNr1fMh1l/hCfs/hjeT3AhBESCVq3QXgbQh/cTVRS3 nevivurn@taiyi"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJ1U9//g+W2pRNdBaiADCMhAWlfWt3Ha1zwfR+iwMoZ nevivurn@tianyi"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMglmE8YhvAD8g74xCisFbRD/caAMQ0c7UV9s4hTldGT nevivurn@alsafi"
+    ];
+  };
+  home-manager.users.nevivurn = import ./home;
+
+  ## Persistence
+
+  environment.persistence = {
+    "/persist".directories = [ "/etc/nixos" ];
+    "/persist/cache".directories = [
+      "/home/nevivurn/.local/share/containers" # cannot be fuse
+      "/root/.cache"
+      "/var/lib/bluetooth"
+      "/var/lib/nixos"
+      "/var/lib/iwd"
+      "/var/lib/systemd/timers"
+      "/var/log"
+    ];
+  };
+
+  ## Other hardware-specific configuration
+
+  services.tlp = {
+    enable = true;
+    settings = {
+      START_CHARGE_THRESH_BAT0 = 40;
+      STOP_CHARGE_THRESH_BAT0 = 80;
+    };
+  };
+
+  # Allow docking
+  services.logind = {
+    lidSwitchDocked = "lock";
+    lidSwitchExternalPower = "lock";
+  };
+
+  # Keyboard setup
+  services.xserver.xkb.options = "ctrl:swapcaps,korean:ralt_hangul";
+  console.useXkbConfig = true;
+
+  # podman requires system-level config
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    dockerSocket.enable = true;
+  };
+}

systems/alsafi/hardware-configuration.nix

@@ -0,0 +1,36 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}