diff --git a/.sops.yaml b/.sops.yaml index 1340556..5b0ddff 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,8 @@ keys: - &admin_reichard age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w # lin-va-mbp-personal@evanreichard - SSH Derived - &user_lin-va-mbp-personal age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y + # mac-va-mbp-personal@evanreichard - SSH Derived + - &user_mac-va-mbp-personal age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: @@ -13,3 +15,8 @@ creation_rules: - age: - *admin_reichard - *user_lin-va-mbp-personal + - path_regex: secrets/mac-va-mbp-personal/evanreichard/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *admin_reichard + - *user_mac-va-mbp-personal diff --git a/README.md b/README.md index 8d4fbd0..e816c94 100755 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ sudo nixos-rebuild switch --flake .#lin-va-mbp-personal ### NixOS Generators ```bash -nix build .#vmwareConfigurations.rke2-node +nix build .#qcowConfigurations.lin-va-rke2 ``` ### Home Manager @@ -71,11 +71,11 @@ sudo nixos-rebuild switch ```bash # Update System Channels -sudo nix-channel --add https://nixos.org/channels/nixpkgs-24.11-darwin nixpkgs +sudo nix-channel --add https://nixos.org/channels/nixpkgs-25.05-darwin nixpkgs sudo nix-channel --update # Update Home Manager -nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz home-manager +nix-channel --add https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz home-manager nix-channel --update # Link Repo 
@@ -105,3 +105,14 @@ if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then fi # End Nix ``` + +# Nix Darwin + +```bash +# Install Nix Without Determinate +curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install + +# Switch Nix Darwin +sudo nix run nix-darwin#darwin-rebuild -- switch --flake .#mac-va-mbp-personal +sudo darwin-rebuild switch --flake .#mac-va-mbp-personal +``` diff --git a/flake.lock b/flake.lock index c277ec6..de94a17 100755 --- a/flake.lock +++ b/flake.lock @@ -23,6 +23,27 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1749744770, + "narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=", + "owner": "nix-darwin", + "repo": "nix-darwin", + "rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb", + "type": "github" + }, + "original": { + "owner": "nix-darwin", + "ref": "nix-darwin-25.05", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": "nixpkgs" @@ -239,6 +260,7 @@ "root": { "inputs": { "apple-silicon": "apple-silicon", + "darwin": "darwin", "disko": "disko", "firefox-addons": "firefox-addons", "home-manager": "home-manager", diff --git a/flake.nix b/flake.nix index 03bd012..1eb0aff 100755 --- a/flake.nix +++ b/flake.nix @@ -29,6 +29,10 @@ url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + darwin = { + url = "github:nix-darwin/nix-darwin/nix-darwin-25.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: @@ -60,6 +64,10 @@ disko.nixosModules.disko sops-nix.nixosModules.sops ]; + darwin = with inputs; [ + home-manager.darwinModules.home-manager + sops-nix.darwinModules.sops + ]; }; }; } diff --git a/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix b/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix index 496a366..1056267 100755 --- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix 
+++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix @@ -1,9 +1,9 @@ -{ lib, config, namespace, ... }: +{ lib, pkgs, config, namespace, ... }: let inherit (lib.${namespace}) enabled; in { - home.stateVersion = "24.11"; + home.stateVersion = "25.05"; reichard = { user = { @@ -49,6 +49,8 @@ in # tldr # ]; + home.packages = with pkgs; [ fastfetch ]; + # SQLite Configuration home.file.".sqliterc".text = '' .headers on diff --git a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix index e612ed8..26dc921 100755 --- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix +++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix @@ -3,7 +3,7 @@ let inherit (lib.${namespace}) enabled; in { - home.stateVersion = "24.11"; + home.stateVersion = "25.05"; reichard = { user = { diff --git a/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix b/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix index 8e28b73..146c85b 100755 --- a/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix +++ b/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix @@ -3,7 +3,7 @@ let inherit (lib.${namespace}) enabled; in { - home.stateVersion = "24.11"; + home.stateVersion = "25.05"; reichard = { user = { diff --git a/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix b/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix index e3aa520..115178a 100755 --- a/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix +++ b/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix @@ -3,7 +3,7 @@ let inherit (lib.${namespace}) enabled; in { - home.stateVersion = "24.11"; + home.stateVersion = "25.05"; reichard = { user = { diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix new file mode 100644 index 0000000..649f021 --- /dev/null +++ b/modules/darwin/default.nix 
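Review bot: `home.stateVersion` is changed from "24.11" to "25.05" in homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix, and the same edit is made in the other three home configurations and to `system.stateVersion` in the lin-va-mbp-personal, lin-va-nix-builder, lin-va-thinkpad and lin-va-rke2 systems. stateVersion records the release whose stateful defaults an install was created with, not the channel or flake input in use, so changing it on an already-deployed host can switch those defaults without migrating existing data. If the bump is deliberate, a comment such as `# bumped from 24.11 after reviewing the 25.05 release notes` beside each value would record that; otherwise the value can stay at "24.11" while nixpkgs and home-manager move to 25.05.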
@@ -0,0 +1,8 @@
+{
+ config = {
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ };
+ };
+}
diff --git a/modules/darwin/nix/default.nix b/modules/darwin/nix/default.nix
new file mode 100644
index 0000000..e031ff4
--- /dev/null
+++ b/modules/darwin/nix/default.nix
@@ -0,0 +1,102 @@
+{ config, lib, pkgs, inputs, namespace, host, ... }:
+let
+ inherit (lib) types mkIf;
+ inherit (lib.${namespace}) mkBoolOpt mkOpt;
+
+ cfg = config.${namespace}.nix;
+in
+{
+ options.${namespace}.nix = {
+ enable = mkBoolOpt true "Whether or not to manage nix configuration.";
+ package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
+ };
+
+ config = mkIf cfg.enable {
+ nix =
+ let
+ mappedRegistry = lib.pipe inputs [
+ (lib.filterAttrs (_: lib.isType "flake"))
+ (lib.mapAttrs (_: flake: { inherit flake; }))
+ (x: x // {
+ nixpkgs.flake = if pkgs.stdenv.hostPlatform.isLinux then inputs.nixpkgs else inputs.nixpkgs-unstable;
+ })
+ (x: if pkgs.stdenv.hostPlatform.isDarwin then lib.removeAttrs x [ "nixpkgs-unstable" ] else x)
+ ];
+ users = [
+ "root"
+ "@wheel"
+ "nix-builder"
+ "evanreichard"
+ ];
+ in
+ {
+ inherit (cfg) package;
+
+ buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
+ hostName = "10.0.50.130";
+ systems = [ "x86_64-linux" ];
+ sshUser = "evanreichard";
+ protocol = "ssh";
+ sshKey = config.sops.secrets.builder_ssh_key.path;
+ supportedFeatures = [
+ "benchmark"
+ "big-parallel"
+ "nixos-test"
+ "kvm"
+ ];
+ };
+
+ checkConfig = true;
+ distributedBuilds = true;
+ optimise.automatic = true;
+ registry = lib.mkForce mappedRegistry;
+
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+
+ settings = {
+ connect-timeout = 5;
+ allowed-users = users;
+ max-jobs = "auto";
+ auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
+ builders-use-substitutes = true;
+ experimental-features = [
+ "nix-command"
+ "flakes "
+ ];
+ flake-registry = "/etc/nix/registry.json";
+ http-connections = 50;
+ keep-derivations = true;
+ keep-going = true;
+ keep-outputs = true;
+ log-lines = 50;
+ sandbox = true;
+ trusted-users = users;
+ warn-dirty = false;
+ use-xdg-base-directories = true;
+
+ substituters = [
+ "https://anyrun.cachix.org"
+ "https://cache.nixos.org"
+ "https://hyprland.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://nixpkgs-unfree.cachix.org"
+ "https://nixpkgs-wayland.cachix.org"
+ "https://numtide.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+ "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/darwin/security/sops/default.nix b/modules/darwin/security/sops/default.nix
new file mode 100644
index 0000000..7efad11
--- /dev/null
+++ b/modules/darwin/security/sops/default.nix
@@ -0,0 +1,31 @@
+{ config, lib, namespace, ... }:
+let
+ inherit (lib.${namespace}) mkOpt;
+
+ cfg = config.${namespace}.security.sops;
+in
+{
+ options.${namespace}.security.sops = {
+ enable = lib.mkEnableOption "sops";
+ defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+ sshKeyPaths = mkOpt (with lib.types; listOf path) [
+ "/etc/ssh/ssh_host_ed25519_key"
+ ] "SSH Key paths to use.";
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ inherit (cfg) defaultSopsFile;
+
+ age = {
+ inherit (cfg) sshKeyPaths;
+
+ keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+ };
+ };
+
+ sops.secrets.builder_ssh_key = {
+ sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+ };
+ };
+}
diff --git a/modules/darwin/services/openssh/default.nix b/modules/darwin/services/openssh/default.nix
new file mode 100644
index 0000000..1ce9a75
--- /dev/null
+++ b/modules/darwin/services/openssh/default.nix
@@ -0,0 +1,20 @@
+{ config, namespace, lib, ... }:
+let
+ inherit (lib.${namespace}) mkOpt;
+
+ cfg = config.${namespace}.security.sops;
+in
+{
+ options.${namespace}.services.openssh = with lib.types; {
+ enable = lib.mkEnableOption "OpenSSH support";
+ authorizedKeys = mkOpt (listOf str) [ ] "The public keys to apply.";
+ extraConfig = mkOpt str "" "Extra configuration to apply.";
+ port = mkOpt port 2222 "The port to listen on (in addition to 22).";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ };
+ };
+}
diff --git a/modules/darwin/user/default.nix b/modules/darwin/user/default.nix
new file mode 100644
index 0000000..1bc6478
--- /dev/null
+++ b/modules/darwin/user/default.nix
@@ -0,0 +1,23 @@
+{ config, lib, namespace, pkgs, ... }:
+let
+ inherit (lib) types mkIf;
+ inherit (lib.${namespace}) mkOpt;
+
+ cfg = config.${namespace}.user;
+in
+{
+ options.${namespace}.user = with types; {
+ name = mkOpt str "evanreichard" "The name to use for the user account.";
+ email = mkOpt str "evan@reichard.io" "The email of the user.";
+ fullName = mkOpt str "Evan Reichard" "The full name of the user.";
+ uid = mkOpt (types.nullOr types.int) 501 "The uid for the user account.";
+ };
+
+ config = {
+ users.users.${cfg.name} = {
+ uid = mkIf (cfg.uid != null) cfg.uid;
+ shell = pkgs.bashInteractive;
+ home = "/Users/${cfg.name}";
+ };
+ };
+}
diff --git a/modules/home/programs/graphical/ghostty/default.nix b/modules/home/programs/graphical/ghostty/default.nix
index 0a763af..aee044a 100755
--- a/modules/home/programs/graphical/ghostty/default.nix
+++ b/modules/home/programs/graphical/ghostty/default.nix
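Review bot: In modules/darwin/services/openssh/default.nix `cfg` is bound to `config.${namespace}.security.sops`, so `lib.mkIf cfg.enable` turns on `services.openssh` whenever sops is enabled and the module's own `enable` option is never read. If this module is loaded for mac-va-mbp-personal, which enables sops in this commit, the SSH daemon would be enabled there without anyone having asked for it. The binding should be `cfg = config.${namespace}.services.openssh;`. The `authorizedKeys`, `extraConfig` and `port` options are declared but not referenced in the `config` block, so setting them currently has no effect; either wire them up or leave them out until they are.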
@@ -18,6 +18,11 @@ in flush_dns = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder"; }; profileExtra = '' + # Source Nix daemon + # if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then + # . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' + # fi + SHELL="$BASH" PATH=~/.bin:$PATH bind "set show-mode-in-prompt on" diff --git a/modules/home/services/sops/default.nix b/modules/home/services/sops/default.nix index 4b4b12b..94f60cf 100644 --- a/modules/home/services/sops/default.nix +++ b/modules/home/services/sops/default.nix @@ -28,14 +28,6 @@ in keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths; }; - - # TODO - # secrets = { - # nix = { - # sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml"; - # path = "${config.home.homeDirectory}/.config/nix/nix.conf"; - # }; - # }; }; }; } diff --git a/modules/nixos/services/openssh/default.nix b/modules/nixos/services/openssh/default.nix index 17300a8..625e725 100644 --- a/modules/nixos/services/openssh/default.nix +++ b/modules/nixos/services/openssh/default.nix @@ -12,6 +12,8 @@ let authorizedKeys = [ # evanreichard@lin-va-mbp-personal "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY" + # evanreichard@mac-va-mbp-personal + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV" # evanreichard@lin-va-thinkpad "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz" ]; diff --git a/secrets/mac-va-mbp-personal/evanreichard/default.yaml b/secrets/mac-va-mbp-personal/evanreichard/default.yaml new file mode 100644 index 0000000..4e9c5e6 --- /dev/null +++ b/secrets/mac-va-mbp-personal/evanreichard/default.yaml 
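Review bot: The new `evanreichard@mac-va-mbp-personal` public key is added to the `authorizedKeys` list in modules/nixos/services/openssh/default.nix and again, as an identical literal, to two lists in systems/x86_64-linux/lin-va-nix-builder/default.nix. With three hand-maintained copies, a key that has to be revoked must be removed in every place, and a missed copy leaves access open on the builder. Consider defining the keys once (for example as a shared attribute in the flake's lib) and referencing that from all three lists. The lists begin outside each hunk, so whether the builder already inherits the module's default list is not visible here.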
@@ -0,0 +1,26 @@ +builder_ssh_key: ENC[AES256_GCM,data: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,iv:V25Tc7bOxc4wl5lf6gZOstN1InaCb3sfpCHMl65iwn8=,tag:mBFZcX2G3vpAOMw7V12d6w==,type:str] +rke2_kubeconfig: ENC[AES256_GCM,data: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,iv:mC5XSWReVzjwheF1IzCzp34JRvL/vJipyaKhptkH+cU=,tag:SDoNiaWaPKzruj+HPv5jbw==,type:str] +sops: + age: + - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVWFObG51K2lTYlZidXBU + aW55RnpkVDExbVBkNDl4NkV3MFNkNThjbWdZCklhWkVSaWpPSE1VY09iWGlPVE9Q + bW1SY05jK3BwcDIwSHdMZjJHdWQyQkkKLS0tIHZYS2c2U2xtQ1QxajlKeWpmNXZW + bmdpcTl2NjRWM3F3Q2RHbk1rTEFvZEkKWag1nmqFZMRjwFtIo6oqs+9UI/Mer5bK + Ax7P7uwoZdiMN2g84W1pNTjj6GktFn3jrBaE+MxY6NUBr02apkRYZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cURST1FTbVk4RGZTaitF + MEt3Z2U0a004Zmo0VG1BN29DUnBLNGxPMEJFCkcyL1JrMkZsSTM5WCtZSldSeGZw + SmdpV3AxRDJyVW1WMXBuclhBSDkvTXcKLS0tIDZsU2pBbEFHNkdqWW1CZW1hdVN3 + eW9OdlJmS21IVDNVNk9OMjZBT21PUTAK+lpsdEp2uvg8nFWu/hPtK0+Ahi5J//5d + NB6JJ7lwRWKy2NppFf9sy20Y1Z0Z5Ui40nbnURRzYgtsqbKBveUDcA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-29T23:30:28Z" + mac: ENC[AES256_GCM,data:x3dnanNbIX0fippbbFqOSR9ptZGdAwWuyn7hf3z6i43rk8Nk9p9EVqmE4/Guz2QY2tG/cph/5/nwX4UCO4ixAdB7pAWZa6lI1JdFzMBfW1IGeXOLyprDt6xdFnCVXjy64HgNWiVOPUS4+olxNZ0LPmCof7odqn+Axj+icFK3N34=,iv:OyFac4TxnKXwJ0l7LcJTqVyl11gIpw8fvEAEQTrEBc0=,tag:zMOGwIwAZmel+4EIqy9/tQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/systems/aarch64-darwin/mac-va-mbp-personal/default.nix b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix new file mode 100644 index 0000000..09e8b22 --- /dev/null +++ b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix 
@@ -0,0 +1,20 @@ +{ namespace, lib, ... }: +let + inherit (lib.${namespace}) enabled; +in +{ + system.stateVersion = 6; + + # System Config + reichard = { + nix = enabled; + + security = { + sops = { + enable = true; + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = lib.snowfall.fs.get-file "secrets/mac-va-mbp-personal/default.yaml"; + }; + }; + }; +} diff --git a/systems/aarch64-linux/lin-va-mbp-personal/default.nix b/systems/aarch64-linux/lin-va-mbp-personal/default.nix index 242953e..60a2756 100755 --- a/systems/aarch64-linux/lin-va-mbp-personal/default.nix +++ b/systems/aarch64-linux/lin-va-mbp-personal/default.nix @@ -7,7 +7,7 @@ in ./hardware-configuration.nix ]; - system.stateVersion = "24.11"; + system.stateVersion = "25.05"; time.timeZone = "America/New_York"; # System Config diff --git a/systems/x86_64-linux/lin-va-nix-builder/default.nix b/systems/x86_64-linux/lin-va-nix-builder/default.nix index 36b7141..e08fc0c 100755 --- a/systems/x86_64-linux/lin-va-nix-builder/default.nix +++ b/systems/x86_64-linux/lin-va-nix-builder/default.nix @@ -4,7 +4,7 @@ let in { time.timeZone = "America/New_York"; - system.stateVersion = "24.11"; + system.stateVersion = "25.05"; reichard = { system = { @@ -33,6 +33,8 @@ in authorizedKeys = [ # evanreichard@lin-va-mbp-personal "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY" + # evanreichard@mac-va-mbp-personal + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV" # evanreichard@lin-va-thinkpad "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz" # NixOS Builder 
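Review bot: `defaultSopsFile` in systems/aarch64-darwin/mac-va-mbp-personal/default.nix points at `secrets/mac-va-mbp-personal/default.yaml`, while the secrets file this commit adds is `secrets/mac-va-mbp-personal/evanreichard/default.yaml` and the new .sops.yaml rule only covers the `evanreichard/` subdirectory. Unless the host-level file already exists elsewhere in the tree, evaluation is likely to fail when sops-nix checks the path, and once created it needs its own creation rule with this host's recipient. The system-level `sshKeyPaths` uses `/etc/ssh/ssh_host_ed25519_key`, whereas the recipient added to .sops.yaml is labelled `user_mac-va-mbp-personal`, so the two identities are presumably different. A comment such as `# host-level secrets; recipient is the age key derived from the host ed25519 key` above `defaultSopsFile` would document which one is intended.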
@@ -47,6 +49,8 @@ in authorizedKeys.keys = [ # evanreichard@lin-va-mbp-personal "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY" + # evanreichard@mac-va-mbp-personal + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV" # evanreichard@lin-va-thinkpad "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz" # NixOS Builder diff --git a/systems/x86_64-linux/lin-va-thinkpad/default.nix b/systems/x86_64-linux/lin-va-thinkpad/default.nix index 61abcfa..2a71136 100755 --- a/systems/x86_64-linux/lin-va-thinkpad/default.nix +++ b/systems/x86_64-linux/lin-va-thinkpad/default.nix @@ -3,7 +3,7 @@ let inherit (lib.${namespace}) enabled; in { - system.stateVersion = "24.11"; + system.stateVersion = "25.05"; time.timeZone = "America/New_York"; hardware.enableRedistributableFirmware = true; hardware.bluetooth.enable = true; diff --git a/systems/x86_64-qcow/lin-va-rke2/default.nix b/systems/x86_64-qcow/lin-va-rke2/default.nix index a73bf58..00cd408 100755 --- a/systems/x86_64-qcow/lin-va-rke2/default.nix +++ b/systems/x86_64-qcow/lin-va-rke2/default.nix @@ -9,7 +9,7 @@ in config = { # Basic System - system.stateVersion = "24.11"; + system.stateVersion = "25.05"; time.timeZone = "UTC"; reichard = {