feat: add apollo nixos configuration

2025-03-30 04:17:26 +08:00 · 2025-03-30 04:17:26 +08:00 · 00c219cb05
commit 00c219cb05
parent 7db5d93409
5 changed files with 51 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -33,7 +33,27 @@ wpa_cli
 ip addr
 ```

-On the host machine, run the command `deploy --flake .#<hostname> --target-host <username>@<ip_address>` to build the new system configuration and copy it over SSH along with the sops age key and ssh keys.
+On the host machine, run the following command to build the new system configuration and copy it over SSH along with the sops age key and ssh keys.
+
+```bash
+# WARNING: You must use the IP address of the machine.
+# The hostname will not suffice as it will boot into a NixOS installer through kexec.
+deploy --flake .#<hostname> --target-host <username>@<ip_address>
+```
+
+Complete the setup by running the following on the target system once it is booted into the new install.
+
+```bash
+# On the target machine:
+sudo rm /etc/ssh/ssh_host_*
+sudo ssh-keygen -A
+cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
+
+# On the host machine:
+# Add the host age public key to .sops.yaml
+sops updatekeys secrets.yaml
+
+```

 # Acknowledgements

--- a/configs/default.nix
+++ b/configs/default.nix
@ -40,5 +40,13 @@
      })
      ./hardware/cpu_intel.nix
    ])
+    (lib.optionals (hostname == "apollo") [
+      ./bootloaders/systemd-boot.nix
+      (import ./filesystems/impermanence.nix {
+        inherit inputs lib;
+        device = "/dev/disk/by-id/nvme-eui.002538d221b47b01";
+      })
+      ./hardware/cpu_intel.nix
+    ])
  ];
 }
--- a/configs/secrets/.sops.yaml
+++ b/configs/secrets/.sops.yaml
@ -1,9 +1,11 @@
 keys:
  - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
  - &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
+  - &apollo age1yputfxttcyw9w6e9l3tkdyw73tr6z20r90twmrpktl44alywnu5s934fx9
 creation_rules:
  - path_regex: .(yaml|json|env|ini)$
    key_groups:
      - age:
          - *admin
          - *nemesis
+          - *apollo
--- a/configs/secrets/secrets.yaml
+++ b/configs/secrets/secrets.yaml
@ -11,20 +11,29 @@ sops:
        - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaU5aQjB5aWlsSXBNOElh
-            QTZqRnkxSVFibWRReFExTngrck5ZR2JRSHc0CmlFVUpMcXZUYitncFNqU016eU8r
-            UUhIQVR1OHNNajh1WGpaTG1aUFdzakEKLS0tIEk2MUhBVkUxNXRjbnVrb3pPdjlU
-            K1l0QlZ6RDBQZlY0VUtXZXRpekNTelUKoDd6bqX2RNYUNKYBaferXO/FIRSTVXpn
-            JrTPgC+e/f0XMIMcQCiSDmoiuGzEwChboyFAX0JQ7oBSfcGCDd6BEw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBangwRmZaTTlKblBKTXRx
+            N0lrZWNRa0pHUkF6NjFpVElKY0VwZTZtQWpNCjFUdUppN1N3dUtMSUkvUEZkYzA3
+            SGZPWEhtemYvdDZwVjZodlFadlF4Q0UKLS0tIDZMRUdBaERoYy9tNE1HUmIxYTky
+            SlFXVERmUHhYZnFXWjlHMUwzbnk0dGsKLF6YDj04hdVC8ghgvtYDbHwi4bsDxdxE
+            Xv+7GZYPcoMajldKjlxkSeLC0y/PYG44QtJZqdn7ji9N/+iODpmZow==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGxoM3pPbEU5Ym1mSG1u
-            Wi9laFlnUHNqVnFWOUt1cmUrbHNqQ1ZqMGlJCkNLcXUrTXBKbVlmL1NxbWNiR3Z2
-            ejBGOERrYWZvNi9kUlloTlRkY1dyL3MKLS0tIHVWcmxmN2grMjhkMmZVM3ZQTW9z
-            WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7
-            v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcnFOdkVuemVPRXVGVmpy
+            QjZMQzEySjZKdmJWUjVocjVOd2JEcnFEeWlnCkNwWUxVejlMVnIrUExXS2ExdnBC
+            K3dIS1ZJMExpaUk4OFIvZ3dVZ3czLzgKLS0tIFc4dVNFcWdTS0JUVGZHUXd6UE9m
+            eDhza1RVOEpqcmhTUVJjcXNtbEF2UlkKziDZm9BOS6xScCKqLYnutscGuduH8OLu
+            xZLP6Wy+Y2MBsSrIs32470308CMsmbv4p8l8/vBf6FjwSvow7kboIg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yputfxttcyw9w6e9l3tkdyw73tr6z20r90twmrpktl44alywnu5s934fx9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV0NSc1Evd2x4cytNYXVx
+            ZG15NGxaSVduT2Z2TTViVkx3Yk1MNFE3eXpJCmx2VGhTY0Ryam1XbnkwY3F2QzJL
+            R0N2ODF3azJBKzh1cVN6SjRML3R0VW8KLS0tIFQwTEd2MHZWdXBVT3lOa2kzVEha
+            cTFJZ3ZBTG12enVWbmQrc3JNTjY3akEKSzjApYoZ0i70DBc7/IHo1giziDgVcRNi
+            E6roLPPJjM+n7ZhEielnc+PjsQZ74ZX6z2D4UY5AGOYY3BOmmTF51g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-03-27T13:04:25Z"
    mac: ENC[AES256_GCM,data:6eINPO68OJGMhWhORC4MfBiA4Qax30UYzZBGdeqsDsRfjFZ7TCCiLrdHOdGWOr0S9nCelXm9VnTjIjFGudpZ2k3vQ5lM9bt1DZ19Y2XbeHhC7jZJP51ql9NexNMlT10zLdWWUWhxoow8avAszAguUc0nmWgi+R9N+ctrtwAWpmw=,iv:OYBn6dYDZJrJJ6xXUXoK5Ml3fHBULMYnQXAfqM+1rUU=,tag:ScVH3GRaMAKNnLQNNNDgtw==,type:str]
--- a/flake.nix
+++ b/flake.nix
@ -30,6 +30,7 @@
      nixosConfigurations = builtins.listToAttrs [
        (mkSystem "desktop" "nemesis")
        (mkSystem "desktop" "mellinoe")
+        (mkSystem "headless" "apollo")
      ];
    };