From fd80b9de3a0dbb131b03cae4aa729057cddc0286 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sun, 17 Dec 2023 16:17:28 +0100
Subject: [PATCH] added cherry machine
---
 flake.lock | 8 +-
 flake.nix | 3 -
 nixos/components/network/tinc/private.nix | 2 +-
 nixos/machines/cherry/configuration.nix | 5 ++
 nixos/machines/cherry/disko-config.nix | 15 ++++
 .../cherry/hardware-configuration.nix | 5 +-
 nixos/machines/cherry/tinc.nix | 9 +--
 nixos/machines/cream/tinc.nix | 5 --
 nixos/system/all/defaults.nix | 2 +-
 scripts/nixos-anywhere-pet.sh | 76 -------------------
 10 files changed, 30 insertions(+), 100 deletions(-)
 delete mode 100755 scripts/nixos-anywhere-pet.sh
diff --git a/flake.lock b/flake.lock
index 9964a13..a81b7d3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1294,11 +1294,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1702813900,
- "narHash": "sha256-iW4thfqQUqm3A/nh9pwRUrIHsgavaS3A/pifynJmYkI=",
+ "lastModified": 1702824777,
+ "narHash": "sha256-Lsa6g03o8Qd35C9I48WZ7GFB3c8nQyHgrI7oGseMV98=",
 "ref": "main",
- "rev": "647d3f4ead533dc17be45504417acc4d1efe2d87",
- "revCount": 56,
+ "rev": "fbe67abe5b5586d71f108a5214be28aeff49f4a3",
+ "revCount": 60,
 "type": "git",
 "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 35d045c..20b32bc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -335,11 +335,8 @@
 };
 cherry = nixosConfigurationSetup {
 name = "cherry";
- host = "root@192.168.178.23";
 modules = [
 nixos-hardware.nixosModules.framework-13th-gen-intel
- #retiolum.nixosModules.retiolum
- #private_assets.nixosModules.jobrad
 homeManagerModules
 # { home-manager.users.root = import ./nixos/homes/root; }
 { home-manager.users.mainUser = import ./nixos/homes/palo; }
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index f371320..da2fe9b 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -72,7 +72,7 @@ in settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL"; }; cherry = { - subnets = [{ address = hosts.cherry ; }]; + subnets = [{ address = hosts.cherry; }]; settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC"; }; sterni = { diff --git a/nixos/machines/cherry/configuration.nix b/nixos/machines/cherry/configuration.nix index 4d594d9..7613875 100644 --- a/nixos/machines/cherry/configuration.nix +++ b/nixos/machines/cherry/configuration.nix @@ -20,6 +20,11 @@ ]; + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!) + + components.gui.enable = true; components.mainUser.enable = true; components.media.enable = true; diff --git a/nixos/machines/cherry/disko-config.nix b/nixos/machines/cherry/disko-config.nix index 1bbe32f..0c64ed0 100644 --- a/nixos/machines/cherry/disko-config.nix +++ b/nixos/machines/cherry/disko-config.nix @@ -3,6 +3,11 @@ { config, lib, ... }: { + boot.supportedFilesystems = [ "zfs" ]; + # head -c4 /dev/urandom | od -A none -t x4 + networking.hostId = "59e38471"; + services.zfs.autoSnapshot.enable = true; + # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something. # copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) '' @@ -37,6 +42,8 @@ content = { type = "luks"; name = "root"; + settings.allowDiscards = true; + passwordFile = "/tmp/secret.key"; content = { type = "zfs"; pool = "zroot"; @@ -64,6 +71,14 @@ compression = "lz4"; }; }; + "store" = { + type = "zfs_fs"; + mountpoint = "/nix/store"; + options = { + mountpoint = "legacy"; + compression = "lz4"; + }; + }; }; }; }; diff --git a/nixos/machines/cherry/hardware-configuration.nix b/nixos/machines/cherry/hardware-configuration.nix index 3a1f4a3..9d7c395 100644 
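Review bot: `boot.tmp.useTmpfs = true;` in configuration.nix makes /tmp RAM-backed, and the comment `# make /tmp a tmpfs (performance!)` records only the upside; Nix builds use /tmp for their build directories by default, so a large derivation on this machine can presumably fail with "no space left" once the tmpfs fills rather than spilling to disk. Either cap and document the size with `boot.tmp.tmpfsSize` or extend the comment to `# make /tmp a tmpfs (performance!) — big nix builds are bounded by RAM, see boot.tmp.tmpfsSize`. The enclosing attribute set continues outside the hunk.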
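Review bot: `passwordFile = "/tmp/secret.key";` in disko-config.nix is, as far as disko is concerned, an install-time input — it is read when disko formats and opens the LUKS container on the installer, not by the booted system — and the only place that documented how the LUKS key file was produced, `scripts/nixos-anywhere-pet.sh`, is deleted in this same commit, so nothing in the repo now says that the key must be staged at that path before the run. A comment such as `# install-time only: disko reads the LUKS passphrase from this path on the installer while formatting; stage it there (mode 0600) before running nixos-anywhere` would preserve that step. Two lines below, `settings.allowDiscards = true;` passes TRIM through the encrypted layer, which lets anyone with the raw device see which blocks are unused; that is a reasonable trade for an SSD, but it should be stated next to the option, e.g. `# TRIM through LUKS: leaks free-block layout in exchange for SSD health`. The `content = { type = "luks"; ... }` block this sits in begins and ends outside the hunk.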
--- a/nixos/machines/cherry/hardware-configuration.nix +++ b/nixos/machines/cherry/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/installer/scan/not-detected.nix") + [ + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ]; @@ -25,6 +26,4 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - # high-resolution display - hardware.video.hidpi.enable = lib.mkDefault true; } diff --git a/nixos/machines/cherry/tinc.nix b/nixos/machines/cherry/tinc.nix index e53ccfe..a2754ce 100644 --- a/nixos/machines/cherry/tinc.nix +++ b/nixos/machines/cherry/tinc.nix @@ -2,14 +2,9 @@ { tinc.private.enable = true; - tinc.private.ipv4 = "10.23.42.27"; + tinc.private.ipv4 = "10.23.42.29"; tinc.secret.enable = true; - tinc.secret.ipv4 = "10.123.42.27"; - - # retiolum - #networking.retiolum.port = 720; - #sops.secrets.tinc_retiolum_ed25519_key = { }; - #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; + tinc.secret.ipv4 = "10.123.42.29"; } diff --git a/nixos/machines/cream/tinc.nix b/nixos/machines/cream/tinc.nix index e53ccfe..105e956 100644 --- a/nixos/machines/cream/tinc.nix +++ b/nixos/machines/cream/tinc.nix @@ -7,9 +7,4 @@ tinc.secret.enable = true; tinc.secret.ipv4 = "10.123.42.27"; - # retiolum - #networking.retiolum.port = 720; - #sops.secrets.tinc_retiolum_ed25519_key = { }; - #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; - } diff --git a/nixos/system/all/defaults.nix b/nixos/system/all/defaults.nix index a7b16ed..78db4cc 100644 --- a/nixos/system/all/defaults.nix +++ b/nixos/system/all/defaults.nix 
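Review bot: The new `tinc.private.ipv4 = "10.23.42.29";` and `tinc.secret.ipv4 = "10.123.42.29";` in cherry/tinc.nix resolve the duplicate with cream (both files started from the same blob `e53ccfe`, and cream/tinc.nix keeps the .27 addresses), but the subnet that private.nix advertises for this host comes from `hosts.cherry`, which is not part of this diff and presumably has to carry the same address. A one-line comment would make the coupling visible, e.g. `# must match hosts.cherry consumed by nixos/components/network/tinc/private.nix`. The same applies to the secret network's address if it is defined in a similar hosts table.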
@@ -42,7 +42,7 @@ # Machines should be fast by default # ---------------------------------- - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + powerManagement.cpuFreqGovernor = lib.mkOverride 1001 "ondemand"; # set vim to the default editor # ----------------------------- diff --git a/scripts/nixos-anywhere-pet.sh b/scripts/nixos-anywhere-pet.sh deleted file mode 100755 index 772b3b0..0000000 --- a/scripts/nixos-anywhere-pet.sh +++ /dev/null @@ -1,76 +0,0 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i bash -p ssh-to-age ssh-to-age boxes - -EXTRA_FILES=$( mktemp -d ) -LUKS_KEY=$( mktemp ) -SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key" - -cat < "$LUKS_KEY" -echo -echo -echo - - -cat <.yaml -EOF - -cat <.yaml - key_groups: - - age: - - *palo - - $AGE_KEY - -EOF - - - -echo -echo make sure you configure services.openssh.hostKeys | boxes -d shell - -cat < $LUKS_KEY - - -EOF
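Review bot: `powerManagement.cpuFreqGovernor = lib.mkOverride 1001 "ondemand";` in defaults.nix needs a comment because the number carries the intent: `lib.mkDefault` is `mkOverride 1000`, so 1001 makes this global fallback lose to the `lib.mkDefault "powersave"` set in cherry's hardware-configuration.nix earlier in this patch, without machines having to resort to `mkForce`. Suggest `# priority 1001: weaker than mkDefault (1000), so a per-machine hardware-configuration.nix can pick its own governor`. The enclosing attribute set starts and ends outside the hunk.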