Add comet

common/.sops.yaml

@@ -1,5 +1,6 @@
 keys:
   - &blitzar age1mc72my8whm2fm3wjg2ucvckx27dyp09urdgs9lpzqswl5pa5py8sfwszt9
+  - &comet age18e4ttr7k6r7j662a6pvgrvsptuhsvffq70z4westqs3gfx7804fq0ewfaa
   - &macronova age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
   - &nebula age1vyq4xceveer87xt506yl59lh82dmeuagzlmnk87augfvqry7vqaq5hwy33
   - &singularity age15cp5p76q7vhwg9v8u98dpshrmtengghmm7yn5ckfk0yz694q3g6qajywwu
@@ -13,5 +14,6 @@ creation_rules:
   - path_regex: auths.yaml$
     key_groups:
     - age:
+      - *comet
       - *macronova
       - *singularity

common/auths.yaml

@@ -12,23 +12,32 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
+        - recipient: age18e4ttr7k6r7j662a6pvgrvsptuhsvffq70z4westqs3gfx7804fq0ewfaa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVnJ0T3dQM1g3UllYVTZN
+            bkhON2RRTElDMUtBaTFhRkpTWHorbnVOdkFRCjl5cWM2NmtPRzdlT1pRaXNmOXND
+            RTBlT3ZmYW1sQlkyOXRNek5BS0lySVUKLS0tIERKM201ZzFZZHgrZjVPQTA1SWh2
+            Y2ljQzNBQnhwdzlEZGJLVFZreWJkN3cK90kk2p+kOag2IaY0QWbiUVerfq18TNax
+            4ashMrFV5trh0Uq+/9Nob2MqSTVbmIC3UtP4m7x1j1TzpDuT+nEzPA==
+            -----END AGE ENCRYPTED FILE-----
         - recipient: age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRDcyaExMVktDMjQ1dWZL
-            VHUvYVNUWDV5UEpRVlAwMEdMVHRGMWRmQVUwCjI5VzBhY1RjQm9LeEtXbFpGK29p
-            cm5icTg3OHp1QTZ4NnhSMGtmbHh6eTAKLS0tIDBrN00rSUxiLzFFMWNZSldESmxU
-            b3hEc3lScGl3UTRGNjQvZTFQYzMzQncKr9RA+wl52Ul+BiTq+0UrSBrd0QrWsfNs
-            fMiGMUrp+dxjBoG4S0oYJbXdoPJb+us4a+YZzsmraWbwbqph5vOXQg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cnJybjArb0ZtZkFyUjln
+            cDVGbVdJcFpRdVRUd1lkMkJuME5vS2tBZjFnCldXODdiaFQzb1JHZHJycUNtMUo5
+            L3E5c1VZL3lYOXZDVUxsaEMwcXJJRXMKLS0tIHlQcmVjcVBZcTFwV2dZM1UrWlN0
+            Q0hMWlVWSmtqa083dTBzT252UjRGMWMK0lxWqBpx0zvH6HkGjatBS4rv9/7+0ZLr
+            5m0kWm9bOQXhpy26IljNnx4nbMSuSO/bmLnVIst62pLFkHq+SjoYAQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age15cp5p76q7vhwg9v8u98dpshrmtengghmm7yn5ckfk0yz694q3g6qajywwu
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUdCMmlmL3I1YUJYcDQ2
-            Z0pyUTkzS0RMcGFvODBNUnNscGg3Ykp0WHpnCjQ1NnlWMXhtZnA3NUNiVXRFM05F
-            Yk9Jb0lmRjVINXdBTVlpUVErODZlbFEKLS0tIDhheE9OSXJUcktMRGpaejRKOVNn
-            ZW9EMlgrMnFHaHdQSWgvM25ocmNoVEkKo7H1Y+kZrtmk58Oe6d51wJQLF5T7OZtX
-            0LgNOjevRPfxG4FpNk9yhLyrelpHkiSmBFTGHqbnouFE54L1eot/UQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYWxtTWxad0V6cklxZm8y
+            Wmh0dld6Y0FPRVU4Zk5pN1hsT1hRWmhha3gwCkFISjlEK1QxaVBPcVVPWXZmdk1m
+            Ymw1UHhveTN1R0VDdXJYRHNvczcxQTQKLS0tIFN1UDdqYXNGY29QS0pMYmJac055
+            VHRRUnRpQzE3L0V4OVpGM0krOW9KWVUK3c8IH6tD2f8WKFm+yeVF3hP/UFvr4n1/
+            rqTt3cILSurq62MjtzU/F4+FC9/Le5j1xlDh075EuH+M/ewm65POSw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-11-28T05:25:46Z"
     mac: ENC[AES256_GCM,data:e6p67apo/byZ1dNhvHqcbcUOnTFInoL9t2RGki8Wd114w+1IZxfPAmXzvoea3txXWnrvCuuZBVD+RglcWjbkvE54J8YfACgRN5+93NLWVVHrgbwL7WiI+W+rpzUqiWxByD72ee9rvG1dehAEAT0QEARVehIHpPK8F9/i/a3F+IA=,iv:rjtqpbKe4FyrX4RdVMwyqkCDMSP1rUaZoC9U9CAlzR0=,tag:4KSAB5eooNTdd/2ff9zL5Q==,type:str]

flake.nix

@@ -29,6 +29,7 @@
               ({ pkgs, ... }: {
                 networking.hostName = instance;
                 nix = {
+                  binaryCaches = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
                   gc = {
                     automatic = true;
                     options = "--delete-older-than 30d";

linux/comet/configuration.nix

@@ -0,0 +1,40 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }:
+
+{
+
+  # Configure boot loader
+  boot.loader = {
+    grub = let yorha = pkgs.yorha-grub-theme; in {
+      enable = true;
+      device = "nodev";
+      splashImage = "${yorha}/background.png";
+      theme = yorha;
+    };
+    timeout = 3;
+  };
+
+  # Change secrets file
+  constants.sopsFile = ../../common/auths.yaml;
+
+  # Disable sudo password
+  security.sudo.wheelNeedsPassword = false;
+
+  # Set time zone.
+  time.timeZone = "Asia/Shanghai";
+
+  # Enable zram
+  zramSwap.enable = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+
+}

linux/comet/default.nix

@@ -0,0 +1,14 @@
+{ inputs, ... }:
+
+{
+  imports = with inputs; [
+    disko.nixosModules.disko
+    hardware.nixosModules.common-cpu-intel
+  ] ++ [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ./network.nix
+    ./tailscale.nix
+    ../../common
+  ];
+}

linux/comet/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "uas" "sd_mod" "sdhci_acpi" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/9f65c4b3-1c87-42a0-8c1d-f3c1ff2e71b1";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1C5A-E5B5";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

linux/comet/network.nix

@@ -0,0 +1,27 @@
+{ config, ... }:
+
+let hn = config.networking.hostName; in {
+  networking = {
+    domain = config.constants.domain;
+    firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    hostId = "3ddd2ad2";
+    nftables.enable = true;
+  };
+
+  services = {
+    openssh = {
+      enable = true;
+      hostKeys = [{
+        comment = "host@${hn}";
+        path = "/etc/ssh/host";
+        rounds = 100;
+        type = "ed25519";
+      }];
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+    resolved.enable = true;
+  };
+}

linux/comet/tailscale.nix

@@ -0,0 +1,7 @@
+{ ... }: {
+  services.tailscale = {
+    enable = true;
+    port = 12765;
+    useRoutingFeatures = "both";
+  };
+}