kaas

.sops.yml

@@ -1,8 +1,60 @@
 keys:
   - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+  - home:
+    - &chris age
+  - system:
+    - &aule age
+    - &mandos age
+    - &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+    - &melkor age
+    - &orome age
+    - &tulkas age
+    - &varda age
+    - &yavanna age
 
 creation_rules:
-  - path_regex: secrets/secrets.yml$
+  - path_regex: secrets/secrets.ya?ml$
     key_groups:
       - age:
           - *primary
+
+  #===================================================================
+  # HOSTS
+  #===================================================================
+  - path_regex: systems/x64_86-linux/aule/secrets.yaml$
+    age: *aule
+
+  - path_regex: systems/x64_86-linux/mandos/secrets.yaml$
+    age: *mandos
+
+  - path_regex: systems/x64_86-linux/manwe/secrets.yaml$
+    age: *manwe
+
+  - path_regex: systems/x64_86-linux/melkor/secrets.yaml$
+    age: *melkor
+
+  - path_regex: systems/x64_86-linux/orome/secrets.yaml$
+    age: *orome
+
+  - path_regex: systems/x64_86-linux/tulkas/secrets.yaml$
+    age: *tulkas
+
+  - path_regex: systems/x64_86-linux/varda/secrets.yaml$
+    age: *varda
+
+  - path_regex: systems/x64_86-linux/yavanna/secrets.yaml$
+    age: *yavanna
+
+  #===================================================================
+  # USERS
+  #===================================================================
+  - path_regex: homes/x64_86-linux/chris@\w+/secrets.ya?ml$
+    age: chris
+          
+          
+          
+          
+          
+          
+          
+          

README.md

@@ -18,4 +18,5 @@ nix build .#install-isoConfigurations.minimal
 
 - [dafitt/dotfiles](https://github.com/dafitt/dotfiles/)
 - [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix)
+- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile)
 - [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!)

flake.lock

@@ -67,6 +67,26 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1753140376,
+        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "erosanix": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -881,6 +901,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "erosanix": "erosanix",
         "fenix": "fenix",
         "firefox": "firefox",

flake.nix

@@ -9,6 +9,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -103,7 +108,7 @@
       nix-minecraft.overlay
       flux.overlays.default
     ];
-
+    
     homes.modules = with inputs; [
       stylix.homeModules.stylix
       plasma-manager.homeManagerModules.plasma-manager

justfile

@@ -14,4 +14,8 @@ install profile host:
     nix run nixpkgs#nixos-anywhere -- \
     --flake .#{{profile}} \
     --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \
-    {{host}}
+    {{host}}
+
+[doc('builds the configuration for the host')]
+build host:
+    nh os build . -H {{host}}

modules/nixos/nix/default.nix

@@ -15,10 +15,10 @@ in
     nix = {
       package = pkgs.nixVersions.latest;
 
-      extraOptions = "experimental-features = nix-command flakes";
+      extraOptions = "experimental-features = nix-command flakes pipe-operators";
 
       settings = {
-        experimental-features = [ "nix-command" "flakes" ];
+        experimental-features = [ "nix-command" "flakes" "pipe-operators" ];
         allowed-users = [ "@wheel" ];
         trusted-users = [ "@wheel" ];
 

modules/nixos/system/security/sops/default.nix

@@ -13,10 +13,11 @@ in
     environment.systemPackages = with pkgs; [ sops ];
 
     sops = {
+      age.keyFile = "/home/.sops-key.age";
+
       defaultSopsFile = ../../../../secrets/secrets.yaml;
       defaultSopsFormat = "yaml";
 
-      age.keyFile = "/home/";
     };
   };
 }

systems/x86_64-linux/manwe/disks.nix

@@ -1,34 +1,59 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, inputs, ... }:
 let
   inherit (lib.modules) mkDefault;
 in
 {
-  # TODO :: Implement disko at some point
+  imports = [
+    inputs.disko.nixosModules.disko
+  ];
 
-  swapDevices = [];
+  config = {
+    swapDevices = [];
 
-  boot.supportedFilesystems = [ "nfs" ];
-  
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/nixos";
-      fsType = "ext4";
+    boot.supportedFilesystems = [ "nfs" ];
+
+    disko.devices = {
+      disk = {
+        main = {
+          device = "/dev/nvme0";
+          type = "disk";
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                size = "100M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "umask=0077" ];
+                };
+              };
+              root = {
+                size = "100%";
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
     };
+    
+    fileSystems = {
+      "/home/chris/media" = {
+        device = "ulmo:/";
+        fsType = "nfs";
+      };
 
-    "/boot" = {
-      device = "/dev/disk/by-label/boot";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-    "/home/chris/media" = {
-      device = "ulmo:/";
-      fsType = "nfs";
-    };
-
-    "/home/chris/mandos" = {
-      device = "mandos:/";
-      fsType = "nfs";
+      "/home/chris/mandos" = {
+        device = "mandos:/";
+        fsType = "nfs";
+      };
     };
   };
 }

systems/x86_64-linux/manwe/secrets.yaml

@@ -11,15 +11,15 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
-            ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
-            YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
-            dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
-            Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-            -----END AGE ENCRYPTED FILE-----
+      - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+        enc: |
+          -----BEGIN AGE ENCRYPTED FILE-----
+          YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
+          ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
+          YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
+          dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
+          Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
+          -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-03-09T11:37:49Z"
     mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
     pgp: []