| author | andromeda <andromeda@lenovo> | 2025-12-30 19:46:56 +0100 |
|---|---|---|
| committer | andromeda <andromeda@lenovo> | 2025-12-30 19:47:50 +0100 |
| commit | 07655e513522db296b1032290c7cfb6a5ac64181 (patch) | |
| tree | 5668cf8c8360dca928498ed06623f281c650c7d2 /machines/laptop | |
| parent | 89dfb0adb921ea3481987cae74f5ce626c4e7c2d (diff) | |
| parent | 9e402fdfa3f967e6b7497507f6d8eefbad6a71a9 (diff) | |
add secret scheme
Diffstat (limited to 'machines/laptop')
| -rw-r--r-- | machines/laptop/configuration.nix | 114 | ||||
| -rw-r--r-- | machines/laptop/hardware-configuration.nix | 8 | ||||
| -rw-r--r-- | machines/laptop/machine.nix | 4 |
3 files changed, 124 insertions, 2 deletions
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
new file mode 100644
index 0000000..58b019e
--- /dev/null
+++ b/machines/laptop/configuration.nix
@@ -0,0 +1,114 @@
+{
+ config,
+ lib,
+ machine,
+ ...
+}: {
+ age.secrets = {
+ secret0.file = ../../secrets/secret0.age;
+ secret1.file = ../../secrets/secret1.age;
+ };
+ boot.loader = {
+ efi.canTouchEfiVariables = true;
+ systemd-boot.enable = true;
+ };
+ environment.persistence."/nix/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ly/save.txt"
+ ];
+ users."andromeda" = {
+ directories = [
+ ".backups"
+ ".local/share/Anki2"
+ ".local/share/chat.fluffy.fluffychat"
+ ".local/share/zoxide"
+ ".ssh"
+ "conf"
+ "Downloads"
+ "pp"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ users."mtgmonkey" = {
+ directories = [
+ ".local/share/zoxide"
+ ".ssh"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ };
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ i18n.defaultLocale = "de_DE.UTF-8";
+ networking = {
+ dhcpcd.enable = true;
+ firewall.enable = true;
+ hostName = machine.hostname;
+ networkmanager.enable = true;
+ };
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) [
+ "steam"
+ "steam-original"
+ "steam-unwrapped"
+ "steam-run"
+ ];
+ programs = {
+ noshell.enable = true;
+ steam.enable = true;
+ sway.enable = true;
+ };
+ services = {
+ blueman.enable = true;
+ displayManager = {
+ enable = true;
+ ly.enable = true;
+ };
+ libinput.enable = true;
+ openssh.enable = true;
+ printing.enable = true;
+ };
+ system.stateVersion = "26.05";
+ time.timeZone = "Europe/Berlin";
+ users.users."andromeda" = {
+ isNormalUser = true;
+ description = "andromeda";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ };
+ users.users."mtgmonkey" = {
+ isNormalUser = true;
+ description = "mtgmonkey";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ };
+}
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
index bde1c83..8ebef80 100644
--- a/machines/laptop/hardware-configuration.nix
+++ b/machines/laptop/hardware-configuration.nix
@@ -21,7 +21,7 @@
 #device = "none";
 #fsType = "tmpfs";
 #options = ["defaults" "size=60%" "mode=755"];
- device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
+ device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
 fsType = "btrfs";
 options = ["subvol=root"];
 };
@@ -48,6 +48,12 @@
 done
 btrfs subvolume create /btrfs_tmp/root
+ mkdir /btrfs_tmp/root/nix
+ mkdir /btrfs_tmp/root/etc
+ mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
+ cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
+ umount /btrfs_tmp/root/nix
+ rm -r /btrfs_tmp/root/nix
 umount /btrfs_tmp
 '';
diff --git a/machines/laptop/machine.nix b/machines/laptop/machine.nix
index d6b1e01..77c15b5 100644
--- a/machines/laptop/machine.nix
+++ b/machines/laptop/machine.nix
@@ -1,6 +1,8 @@
 {
 hostname = "lenovo";
- usernames = ["andromeda"];
+ usernames = ["andromeda" "mtgmonkey"];
 system = "x86_64-linux";
+ configuration = ./configuration.nix;
 hardware-configuration = ./hardware-configuration.nix;
+ pub-keys.ssh = [];
 }
|
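Review bot: `openssh.enable = true;` in the `services` block of configuration.nix turns sshd on with no `settings`, so password login stays at the module default for two accounts that are both in `wheel`. NixOS enables password authentication and opens the SSH port in the firewall by default, so `firewall.enable = true` does not shield the service when the laptop joins an untrusted network. I would state the authentication policy explicitly, as in the excerpt below, and declare the users' public keys. `pub-keys.ssh` in machine.nix is an empty list in this commit, though how that attribute is consumed is not visible here.

```nix
  services = {
    # … unchanged: blueman, displayManager, libinput …
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
      };
    };
    # … unchanged: printing …
```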
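Review bot: `rm -r /btrfs_tmp/root/nix` in the second hardware-configuration.nix hunk runs unconditionally after `umount /btrfs_tmp/root/nix`, so if that unmount fails the recursive delete descends into the still-mounted /nix filesystem, including the persisted state; `rmdir /btrfs_tmp/root/nix` refuses a non-empty directory and is the safer cleanup. The added `cp … -r` copies the SSH host private keys without preserving mode, ownership or timestamps; `cp -a /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh` keeps them exactly as stored. None of the added commands checks for failure, and a comment saying why the keys are copied this early (presumably so the age identity exists before the persistence mounts are active) would help the next reader. The surrounding script starts and ends outside this hunk, so whether earlier roots that now contain key copies are retained cannot be judged from here.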
