authorFranck Cuny <franck@fcuny.net>2025-10-12 15:45:01 -0700
committerFranck Cuny <franck@fcuny.net>2025-10-12 15:45:01 -0700
commitaa05056e55dfa143b38776737802b7dfb8a2c0e4 (patch)
tree9f4a2ce339355a8299e172e5512ac35c6b3c7d0f
parentconfigure podman for all nixos machines (diff)
downloadinfra-aa05056e55dfa143b38776737802b7dfb8a2c0e4.tar.gz
initial setup for the framework destkop (named rivendell)
Diffstat (limited to '')
-rw-r--r--docs/install.org20
-rw-r--r--flake.lock17
-rw-r--r--flake.nix5
-rw-r--r--machines/nixos/x86_64-linux/installer/default.nix21
-rw-r--r--machines/nixos/x86_64-linux/rivendell/default.nix62
-rw-r--r--machines/nixos/x86_64-linux/rivendell/disks.nix67
-rw-r--r--machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix38
-rw-r--r--machines/nixos/x86_64-linux/rivendell/home.nix6
8 files changed, 236 insertions, 0 deletions
diff --git a/docs/install.org b/docs/install.org
index d552513..b846cd3 100644
--- a/docs/install.org
+++ b/docs/install.org
@@ -19,3 +19,23 @@ You can then validate that they key is encrypted properly with =sudo agenix -i /
1. Run =sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount nix/machines/vm-synology/disk.nix=
2. Run =nixos-install --root /mnt/ --flake .#vm-synology=
4. Reboot the VM
+* Create the nixos installer
+Run
+#+begin_src fish
+nix build .#nixosConfigurations.iso.config.system.build.isoImage
+#+end_src
+
+Then copy to a USB stick with:
+#+begin_src fish
+sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
+#+end_src
+* Bare metal machine
+We can install remotely a machine with =nixos-anywhere=, including full disk encryption.
+
+First, create a password in 1password for the machine (using the convention "nix/<hostname>/encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it).
+
+#+begin_src fish
+set temp (mktemp -d)
+ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
+nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
+#+end_src
diff --git a/flake.lock b/flake.lock
index 406009f..7d43f82 100644
--- a/flake.lock
+++ b/flake.lock
@@ -478,6 +478,22 @@
"type": "github"
}
},
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1760106635,
+ "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "master",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
"nixpkgs": {
"locked": {
"lastModified": 1755274400,
@@ -683,6 +699,7 @@
"home-manager": "home-manager_2",
"my-go-tools": "my-go-tools",
"my-site": "my-site",
+ "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_5",
"nixpkgsUnstable": "nixpkgsUnstable",
"nur": "nur",
diff --git a/flake.nix b/flake.nix
index 64f3d80..d4fa89e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
+ nixos-hardware = {
+ url = "github:NixOS/nixos-hardware/master";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
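Review bot: The new `nixos-hardware` input follows the moving `master` ref instead of a tag or commit; flake.lock pins it to a concrete rev so builds stay reproducible, but every `nix flake update` will pull whatever upstream has merged into the hardware module that rivendell's hardware-configuration.nix imports. A short comment stating the intent, `# tracks master on purpose: new hardware quirks land there first; review the lock diff on each update`, would make that a deliberate supply-chain choice rather than an accident.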
diff --git a/machines/nixos/x86_64-linux/installer/default.nix b/machines/nixos/x86_64-linux/installer/default.nix
new file mode 100644
index 0000000..e914571
--- /dev/null
+++ b/machines/nixos/x86_64-linux/installer/default.nix
@@ -0,0 +1,21 @@
+{ adminUser, modulesPath, ... }:
+{
+ # run `nix build .#nixosConfigurations.iso.config.system.build.isoImage` to build the image
+ imports = [
+ "${modulesPath}/installer/cd-dvd/channel.nix"
+ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+ {
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ { home.stateVersion = "25.05"; }
+ ];
+ };
+ }
+ ];
+
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
new file mode 100644
index 0000000..8c71cbf
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -0,0 +1,62 @@
+{
+ lib,
+ adminUser,
+ config,
+ ...
+}:
+{
+ imports = [
+ ./disks.nix
+ ./hardware-configuration.nix
+ {
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ ./home.nix
+ { home.stateVersion = "25.05"; }
+ ];
+ };
+ }
+ ];
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "rivendell";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ boot.kernelParams = [
+ "ip=dhcp"
+ ];
+
+ boot.initrd.network = {
+ enable = true;
+ postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 911;
+ hostKeys = [
+ "/etc/initrd/ssh_host_ed25519_key"
+ ];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ };
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
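Review bot: `nix.settings.trusted-users = [ "builder" ]` at the bottom of the hunk makes both keys listed under `users.users.builder.openssh.authorizedKeys.keys` effectively root-equivalent on this host, since the Nix manual describes trusted users as able to override daemon settings and therefore as having root access; if the remote-builder key only needs to run builds, the comment should say why trust is required, e.g. `# builder is root-equivalent via trusted-users; only the two keys above may log in as it`. The initrd host key referenced by `boot.initrd.network.ssh.hostKeys` is embedded in the initrd, which lives on the unencrypted ESP that disks.nix mounts at `/boot` with `fmask=0022`, so it deserves a note that anyone with the disk can read it and that it must never be reused as the stage-2 host key (the docs generate it separately as `initrd-root-ssh`, which is the right split). `system.stateVersion = "23.11"` also disagrees with the `home.stateVersion = "25.05"` set a few lines above for a machine installed fresh from the 25.05 installer; presumably it was copied from another host and should be confirmed.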
diff --git a/machines/nixos/x86_64-linux/rivendell/disks.nix b/machines/nixos/x86_64-linux/rivendell/disks.nix
new file mode 100644
index 0000000..8cb1f32
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/disks.nix
@@ -0,0 +1,67 @@
+let
+ btrfsopt = [
+ "compress=zstd"
+ "noatime"
+ ];
+in
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "nixos";
+ passwordFile = "/tmp/pass";
+ settings = {
+ allowDiscards = true;
+ };
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "@root" = {
+ mountpoint = "/";
+ mountOptions = btrfsopt;
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = btrfsopt;
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = btrfsopt;
+ };
+ "@data" = {
+ mountpoint = "/data";
+ mountOptions = btrfsopt;
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
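Review bot: `allowDiscards = true` on the LUKS container deserves a comment, since passing discards through reveals which sectors of the encrypted device are unused to anyone reading the raw disk (cryptsetup documents this as a trade-off for SSD performance), e.g. `allowDiscards = true; # TRIM exposes free-space layout through the encryption; accepted for SSD health`. `passwordFile = "/tmp/pass"` is only meaningful together with the `--disk-encryption-keys /tmp/pass` argument in docs/install.org; a comment naming that coupling, `# populated on the target by nixos-anywhere --disk-encryption-keys (see docs/install.org)`, keeps the two from drifting apart. The ESP's `fmask=0022`/`dmask=0022` make `/boot`, and the initrd it holds, world-readable on the running system; that appears to be the generator's default, but it is worth a one-line note here given the initrd SSH host key stored in that initrd.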
diff --git a/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix b/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix
new file mode 100644
index 0000000..02de536
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ inputs,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
+ ];
+
+ services.fwupd.enable = true;
+ hardware.enableRedistributableFirmware = true;
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "r8169" # ethernet driver
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
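Review bot: The header comment `Do not modify this file!` no longer matches the content: the `inputs` argument, the `inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series` import and `services.fwupd.enable = true` are hand additions that a rerun of `nixos-generate-config` would drop. Either replace the header with `# Generated by nixos-generate-config, then hand-edited: nixos-hardware import and fwupd added; re-generating overwrites them.`, or move the hand-edited lines into default.nix so the generated file stays pristine. `networking.useDHCP = lib.mkDefault true` is also set in default.nix; harmless because both use mkDefault, but one copy is enough.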
diff --git a/machines/nixos/x86_64-linux/rivendell/home.nix b/machines/nixos/x86_64-linux/rivendell/home.nix
new file mode 100644
index 0000000..8f0935e
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/home.nix
@@ -0,0 +1,6 @@
+{ self, ... }:
+{
+ imports = [
+ "${self}/home/programs/bat.nix"
+ ];
+}