From 869aa0d2859234ce3f50824b1dbd68157e87e2b5 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Wed, 26 Jun 2024 20:37:40 +0200 Subject: [PATCH] Initialize nixos config for `dosei` --- .sops.yaml | 11 ++- README.md | 1 + flake.nix | 21 ++--- hosts/dosei/configuration.nix | 106 +++++++++++++++++++++++++ hosts/dosei/hardware-configuration.nix | 40 ++++++++++ hosts/dosei/services/avahi.nix | 13 +++ hosts/dosei/services/docker.nix | 4 + hosts/dosei/services/jenkins.nix | 23 ++++++ secrets/common.yaml | 61 ++++++++------ 9 files changed, 237 insertions(+), 43 deletions(-) create mode 100644 hosts/dosei/configuration.nix create mode 100644 hosts/dosei/hardware-configuration.nix create mode 100644 hosts/dosei/services/avahi.nix create mode 100644 hosts/dosei/services/docker.nix create mode 100644 hosts/dosei/services/jenkins.nix diff --git a/.sops.yaml b/.sops.yaml index 86908f8..8d32cec 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &gpg_h7x4 F7D37890228A907440E1FD4846B9228E814A2AAC - &host_tsuki age1c92j4w0gqh32hwssl5m2mfrggssxax9pge8qxwytv9lmrnfttcvqdrgsst - &host_kasei age1eu2a6m3adakfzelfa9pqpl74a5dz0wkyr0v7gegm5ajnx7aqmqcqsp2ftc + - &host_dosei age179y7apa80p9unvyjtsphpzyhve90ex986vlxkx43xt9n6m7en3csqnug7c creation_rules: - path_regex: secrets/common.yaml @@ -11,6 +12,7 @@ creation_rules: age: - *host_tsuki - *host_kasei + - *host_dosei - path_regex: secrets/kasei.yaml key_groups: @@ -24,4 +26,11 @@ creation_rules: - pgp: - *gpg_h7x4 age: - - *host_tsuki \ No newline at end of file + - *host_tsuki + + - path_regex: secrets/dosei.yaml + key_groups: + - pgp: + - *gpg_h7x4 + age: + - *host_dosei diff --git a/README.md b/README.md index 9d970d2..d51e6c5 100644 --- a/README.md +++ b/README.md 
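Review bot: Adding `*host_dosei` to the `secrets/common.yaml` creation rule makes every secret in that file decryptable by the dosei host key, and the README hunk in this same commit describes dosei as a work computer; nothing in the diff says whether all of common.yaml is actually needed there. Anything only dosei needs would fit better under the new `secrets/dosei.yaml` rule this hunk introduces, keeping common.yaml to what every host requires. Note also that the diff adds the `secrets/dosei.yaml` rule but no such file, so that rule is unused until one is created and re-keyed.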
@@ -22,6 +22,7 @@ Here are some of the interesting files and dirs: |------|--------------|---------| | `Tsuki` | Dell Poweredge r710 server | Data storage / Build server / Selfhosted services. This server hosts a wide variety of services, including websites, matrix server, git repos, CI/CD and more. **This is probably the most interesting machine to pick config from** | | `Kasei` | AMD Zen 2 CPU / Nvidia GPU - desktop computer | Semi-daily driver. This is my main computer at home. Most of the configuration written in `/home` is made specifically for this computer, since `Eisei` is out of service at the moment. | +| `Dosei` | Dell Optiplex | Work computer, mostly used for development and testing. | | `Eisei` | HP Laptop | At the moment, this laptop is not in use. I've found that I'm not able to use NixOS quickly enough in a university environment where I need to rapidly install software and maintain project configurations (Makefile, Maven, django, npm, etc...) for several subjects. In addition to the configurations, some of the software is not available on NixOS. As a result, I would the be forced to package or FHS a lot of stuff in order to do anything productive. I might return to using NixOS on my laptop in the future. | ## home-manager configuration diff --git a/flake.nix b/flake.nix index 59b64d4..46da3df 100644 --- a/flake.nix +++ b/flake.nix @@ -97,6 +97,10 @@ config = { allowUnfree = true; android_sdk.accept_license = true; + segger-jlink.acceptLicense = true; + permittedInsecurePackages = [ + "segger-jlink-qt4-794l" + ]; }; overlays = let 
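Review bot: `permittedInsecurePackages = [ "segger-jlink-qt4-794l" ];` is placed in the flake-wide nixpkgs `config` next to `allowUnfree`, so if that config is what `nixSys` hands to every host (the call site is outside this hunk, so this is inferred) the insecure-package exemption applies to tsuki and kasei as well, although only dosei references `segger-jlink`. A comment stating the reason and the consuming host would help future readers, e.g. `# dosei only: J-Link udev rules; upstream marks this package insecure`. If the per-host module structure allows it, setting `nixpkgs.config.permittedInsecurePackages` in the dosei configuration instead would keep the exemption scoped to the one machine that needs it.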
@@ -218,22 +222,7 @@
 tsuki = nixSys "tsuki";
 Eisei = nixSys "eisei";
 kasei = nixSys "kasei";
- home-manager-tester = nixpkgs-unstable.lib.nixosSystem {
- inherit system;
- pkgs = unstable-pkgs;
- inherit (unstable-pkgs) lib;
- modules = [
- "${home-manager-local}/nixos"
- ./hosts/special/home-manager-tester/configuration.nix
- {
- config._module.args = {
- pkgs = unstable-pkgs;
- # inherit (self) extendedLib;
- # secrets = secrets.outputs.settings;
- };
- }
- ];
- };
+ dosei = nixSys "dosei";
 };
 };
 }
diff --git a/hosts/dosei/configuration.nix b/hosts/dosei/configuration.nix
new file mode 100644
index 0000000..e189580
--- /dev/null
+++ b/hosts/dosei/configuration.nix
@@ -0,0 +1,106 @@
+{ config, lib, pkgs, inputs, specialArgs, ... }:
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ./services/avahi.nix
+ ./services/docker.nix
+ ./services/jenkins.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.binfmt.emulatedSystems = [
+ "aarch64-linux"
+ "armv7l-linux"
+ ];
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ services.udev.packages = with pkgs; [
+ segger-jlink
+ ];
+
+ system.stateVersion = "24.05";
+
+ machineVars = {
+ headless = false;
+ gaming = false;
+ development = true;
+ creative = true;
+
+ dataDrives = let
+ main = "/data";
+ in {
+ drives = { inherit main; };
+ default = main;
+ };
+
+ screens = {
+ DP-1 = {
+ primary = true;
+ frequency = 60;
+ };
+ DP-2 = {
+ frequency = 60;
+ position = "1920x0";
+ };
+ };
+ };
+
+ systemd.targets = {
+ sleep.enable = false;
+ suspend.enable = false;
+ hibernate.enable = false;
+ hybrid-sleep.enable = false;
+ };
+
+ # security.pam.services.login.unixAuth = true;
+
+ systemd.network = {
+ enable = true;
+ # broken
+ wait-online.enable = false;
+ };
+
+ networking = {
+ hostName = "dosei";
+ # networkmanager.enable = true;
+ # TODO: reenable
+ firewall.enable = false;
+ # hostId = "";
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ settings.X11Forwarding = true;
+ };
+ # xserver = {
+ # # displayManager.gdm.enable = true;
+ # # desktopManager.gnome.enable = true;
+ # # videoDrivers = [ "nvidia" ];
+ # };
+ # tailscale.enable = true;
+ };
+
+ hardware = {
+ bluetooth.enable = true;
+ # cpu.amd.updateMicrocode = true;
+ enableRedistributableFirmware = true;
+ keyboard.zsa.enable = true;
+ opengl = {
+ enable = true;
+ driSupport = true;
+ driSupport32Bit = true;
+ };
+
+ # nvidia = {
+ # modesetting.enable = true;
+ # nvidiaSettings = true;
+ # };
+ };
+
+ programs.usbtop.enable = true;
+}
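Review bot: `firewall.enable = false;` in the `networking` block, guarded only by `# TODO: reenable`, leaves every listener on this host reachable from the network, and the same commit brings up Jenkins, Docker and Avahi publishing on it. A TODO of this kind tends to outlive the reason it was written; keeping the firewall on and opening only what is needed, e.g. `firewall.enable = true;` together with `firewall.allowedTCPPorts = [ <jenkins-port> ];` if LAN access to Jenkins is really wanted, is the safer default for a work machine. `settings.X11Forwarding = true;` under `openssh` also deserves a one-line comment naming what relies on it, since it is off by default in OpenSSH and is only needed for running GUI programs over SSH.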
diff --git a/hosts/dosei/hardware-configuration.nix b/hosts/dosei/hardware-configuration.nix
new file mode 100644
index 0000000..9ff7cf4
--- /dev/null
+++ b/hosts/dosei/hardware-configuration.nix
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/e7f7bd86-0634-48f2-ab7c-f19b72ee47ab";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/ABFF-19E8";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/28225b33-ef40-4ff3-8d1b-7163d8cc3faa"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/dosei/services/avahi.nix b/hosts/dosei/services/avahi.nix
new file mode 100644
index 0000000..9eba86f
--- /dev/null
+++ b/hosts/dosei/services/avahi.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+{
+ services.avahi = {
+ enable = true;
+ publish.enable = true;
+ publish.addresses = true;
+ publish.domain = true;
+ publish.hinfo = true;
+ publish.userServices = true;
+ publish.workstation = true;
+ extraServiceFiles.ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
+ };
+}
diff --git a/hosts/dosei/services/docker.nix b/hosts/dosei/services/docker.nix
new file mode 100644
index 0000000..24bd360
--- /dev/null
+++ b/hosts/dosei/services/docker.nix
@@ -0,0 +1,4 @@
+{ config, pkgs, lib, ... }:
+{
+ virtualisation.docker.enable = true;
+}
diff --git a/hosts/dosei/services/jenkins.nix b/hosts/dosei/services/jenkins.nix
new file mode 100644
index 0000000..79a3793
--- /dev/null
+++ b/hosts/dosei/services/jenkins.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+{
+ services.jenkins = {
+ enable = true;
+ withCLI = true;
+ # extraJavaOptions = [
+ # "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.LAUNCH_DIAGNOSTICS=true"
+ # ];
+ packages = with pkgs; [
+ stdenv
+ jdk17
+ nix
+ docker
+ git
+ bashInteractive # 'sh' step requires this
+ coreutils
+ which
+ procps
+ ];
+ };
+
+ users.groups.docker.members = [ "jenkins" ];
+}
diff --git a/secrets/common.yaml b/secrets/common.yaml
index fe912f0..57e4abd 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
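Review bot: `users.groups.docker.members = [ "jenkins" ];` in the jenkins hunk gives the Jenkins service account the Docker socket, which on this host is equivalent to root, and the `services.jenkins` block sets no `listenAddress`, so the UI is presumably bound to all interfaces; with the firewall disabled in `hosts/dosei/configuration.nix` that puts a root-equivalent CI service directly on the LAN. Adding `listenAddress = "127.0.0.1";` to the `services.jenkins` block (and reaching it through SSH or an authenticating proxy) would limit that, and a comment next to the group grant saying which jobs need Docker would record that the privilege is intentional. The avahi hunk above also turns on `publish.hinfo` and `publish.workstation`, which broadcast host details over mDNS; if they are not needed for discovery they can stay at their defaults.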
@@ -23,42 +23,51 @@ sops: - recipient: age1c92j4w0gqh32hwssl5m2mfrggssxax9pge8qxwytv9lmrnfttcvqdrgsst enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cmVUbVJLNTcrWElnRFV5 - djNBRlg1SUE1UDJHaXRXSkxoZXpZbGpySVhzCnNDVG5iM0VmMmF6NFArNDUweXBq - dFZ1L0RRSVlSa1hlMGNMaXpzdFNTVWsKLS0tIHpFR2dmaTFIaVNaOFZMeVRUejVs - bHJvenMwME1Gd1Z1Qm9kYVNkYkVsVVkKPCph78R5qMrKaofPpW6O5mjEcIPVvlwG - nIv679EhVUgUR3Zln/egICOj20SzzZzmDdBc7VbaZDiz3dyRbe5D8g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTis4dldlaGJmVjN3dUU0 + UHZHaXRHWU9wRWo5OVlVRitnV1NrKzBxb1RzCjhhMWxzbGczdDNmSTUvZis5SWp5 + b2lTNC9MTFRDSnl2UGVoTjRoRFFSaEUKLS0tIFZkNEk2aGIwZm1XR1BJYUNkZE8z + U0RoMVNmUGwrV0J0UlJTK2ppdzNDMlUKaUuklGVibBHi4OAowm5vwZHTVapcCgfN + y7r2/9aDZ5BGsLu2syTnEaRvbvTwABUUbwLlVR0a27xdvn81m0G5sA== -----END AGE ENCRYPTED FILE----- - recipient: age1eu2a6m3adakfzelfa9pqpl74a5dz0wkyr0v7gegm5ajnx7aqmqcqsp2ftc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL0tDUDhibEplaERzQThG - ZElwM0V2MTJROEtucWdFdTR5bHE1cktGYkZzCnVDd0lZdmZNWUtYeHV4dG9GVEsy - dzBnd0szakNjZWpSVWtQY0tZTWZncEEKLS0tIE1aWkE4S3VBblFSVjMranNSYWoz - cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX - rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMFFZbk14YnJvcWNLNGV3 + NUhhMXpRWEhoRXZqaDNEMnF0YjYrMWxQTlV3CjBNUEpUeHpiWEVwMHFSMHlNVXNC + V1JxTDhhSWtIcjc2c2NwTWxLS1gxVk0KLS0tIDZFb2hzdEdNbkNkYmxieVVUdmV4 + WDdGRUtDWmxIRkNDM0FjMWdFdXFDSDAKPbMyMqNDmpA92Gzpafd3Z+H85Gn/OSz+ + GZ1IpfWSdF9RWRmuHxGIqiNXK53Us+YR7GVhqduwY0ueAh3wMCYyGw== + -----END AGE ENCRYPTED FILE----- + - recipient: age179y7apa80p9unvyjtsphpzyhve90ex986vlxkx43xt9n6m7en3csqnug7c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eml4UFJ1dVdmUjROZGxv + akRzWmV2ZWlNak9IV2hVUnI1YW5Nazk5RzJVCm5ab0YwQTdUWlU5OW9nTlI4N2pK + RXBrQWhYN29OSEVCL21MZ25ZRXN4VjAKLS0tIE5WM2xkaVY0bEVwVUNsUXdnU0ta + 
UllPc1JCTXoxUERMM05abjhnR0g0d2sK/wyBVH6Dxris4TF05POtYQbWj4DWOeID + RAdf30dDVtmg4qPwsHiIQ8f10gA1DrgIrcae0JS5VZcRLRw5/4+g9Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-06-25T18:25:28Z" mac: ENC[AES256_GCM,data:GGjXTEHVHAWrr0QHc3O4bMpGi1wFge6AbK7XEwRiOqh4W1Zow2CEcfGZxW5TLLayfB9lXemeKtrZWsqBOCXtHkd670KbxxKInE3FvJbjME8ZODAMpknYX4BXBGt6ksC03Tm4ri1JIy1OxDVXG4qb8skNtna4YkIiUf+ErTihakA=,iv:YGKnVl9QCLLTqdQfpiTbv31vEGEoolzMWtyEFvJekYI=,tag:8j+dnOqHfupKTAl1GQ09Mg==,type:str] pgp: - - created_at: "2023-05-08T00:49:52Z" - enc: | + - created_at: "2024-06-26T07:42:59Z" + enc: |- -----BEGIN PGP MESSAGE----- - hQIMA0av/duuklWYAQ/+Oh1FcH1sA8Rf0R/38u5mFgAW2uRdC2KeUNh2qtBtwmTf - W3r9vmD+9UUlppxk2/o82yIecXsv8Bz4/e/04Xo8b0sfBB+l+odVY72mTBUGYQjQ - +7B9PT5ZGBuWXOTTWmaYX11CFPw7KaPjS7k2Z3VoZXaOMa5vQUUzjCdw9N/y8nnV - Gl3ThHd0CEJ95iemV/CPS72h2Yf4jbk4WVdqDBtYxkv0VWMMOfjeaOPqQJKVDWDv - Bg9TQEoucfi4kYG5pR1NY5S0W73XU4ND+V9laeKdW47TUAtw56ajWAglTUZZ6+I8 - xtm25neL90VIKQrKJTzp9IynjdDpuD9ZVNCQLg4UqbxTAcvLNgXGG5iDpr72asUO - kOg1dCT00o++7SsGp9cA3+0Z1H5QKnJ3ekt2XyyD5pEDCdLwbotaDZEdST3usWR7 - k80Q5GfkBdE5RwvqfPEIDhwwtLnvI/lgyq1l4S/g3dNzV8vQauBQKcDWy+ZT8Kdk - u5DdfL4hxA04/a7VORFzwQMdm97VRIfOXA2pscDX+83drwtvdmTbvReigLHkS2pz - Xq1IDJSlJjJX0Yb2vbIXwLrfXrIbarnft0tb3TTZAK0B7yvLKbvLT0EZWAndssUw - Utymmi2S6NvomebjAanqlWOTvgFaSBiG/tlILFPSBeAl1/mD9ijVgMq+QfdtoyHS - XAHkesaQ2U2HmuObPQioIYYvfMCSuFEClqgumWSSa4nLNmSulW3DYlvnKZJ17iAI - 1p9X1xYS00t3dmbne7Q2DAkPBqB0JbgMBpJ9RNfyJdBAdNrRh3+x1k2mTA0I - =wF/N + hQIMA0av/duuklWYAQ//UQlQMjOkq53Ic8HTVTF+1594HNJKq75t6ewgSNVJy0yd + spwqbnmZooQRvhK0ewnFQMldmsD/7NwnLJmV/ARUaJJRXGTltWnh5oxvPKB7b4Qw + 9oxk8gOPyiBHq/oBMsrS1F5uYRd+/HliHcKR37PdXchEpy1CzuASjJ8fv+pUCy/1 + jiuHiZEK5yLhjAMb7UsXVZXit1jP+VMBZJk3qzTXTRqewF+Rea2P6BXo5RQAyF9M + xv6q+SItFPHglmyzkHvO1gg7lisohTY9fv51M9tcmPtUWnAeGywik8xT2RA5l5w2 + WPf7g0QIqWC6FmybsWdcBAWJCGKvsfCveEtY5J+29BYfCkPlhuKmou8CZwzIB66p + AsQMmu8JwbGSEYe78r/zy379ybQ/H7j/8uGDsJmAJqKvJfG1o6QsAlpj+fSoSU/5 + 
k9E5OyEdRyws4W1CoaAvyTML8gSXBXpA9oIZx5WYYh6mJ+ETNfDlaIAGXY2Sbdr+ + IGkLhvGETQGbCW4EZB0hDEE3QmzNolYR6YybL74HtGQT2XOWg0+UkTZZ1ZRw+jHk + bY6XQbloTQpSI6tFCGq5hQeVQDH17lTb/sEh0qAZkdAguvUgPlO6PHV5cS3SXAS7 + Ga7vllL8VOq/dbJ5ll7xbnxwBxkDrVqu2fCnS9L3P/biteafB/d0gRhjhFEhaUHS + XAGVZdphiKbcydow/ucviT2TlZVmi7yWLcfk+uEPxf0mb5FMFRSasSmAvp4b7Wcz + lNBuJPjOnYrkootAaLSUAdMukfAin1HGWxmINsybPzuPFlTxR3RSgjBQn/2w + =kNmC -----END PGP MESSAGE----- fp: F7D37890228A907440E1FD4846B9228E814A2AAC unencrypted_suffix: _unencrypted