add yodaHedgehog

README.md

@@ -347,7 +347,7 @@ Filtering:
 
 ## BTRFS swap file
 
-* https://nixos.wiki/wiki/Btrfs#Swap_file
+* Detailed instructions: https://nixos.wiki/wiki/Btrfs#Swap_file
 * https://wiki.archlinux.org/title/btrfs#Swap_file
 
 Summary:

assets/ssh/known_hosts

@@ -5,6 +5,12 @@
 [192.168.178.27]:2223 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0bfqbAh6E3sq82sg+ftcYLn7sPqCpPmPniL5Ey42Js
 [p1st.de]:2223        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0bfqbAh6E3sq82sg+ftcYLn7sPqCpPmPniL5Ey42Js
 
+# 2023-11 yodaHedgehog with NixOS
+[192.168.178.106]:2226 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZmR+z+5/7xdu8mbZ54/DoqiXzoKh8rtHBU52KhwWx4
+[p1st.de]:2226 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZmR+z+5/7xdu8mbZ54/DoqiXzoKh8rtHBU52KhwWx4
+[192.168.178.106]:2227 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOr6z4AcZelv08eY9TMHihlF+C1g8OBLldMvNz3TvXOr
+[p1st.de]:2227 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOr6z4AcZelv08eY9TMHihlF+C1g8OBLldMvNz3TvXOr
+
 # 2023-10 yodaHP with NixOS
 192.168.178.108 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy1mNvsCIyYW5rNkNcEUCGYlDdPUJ+SyzrASd+z8q2Z
 

hosts/yodaHedgehog/configuration.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./host-specific.nix
+      ../../modules/home-manager.nix
+      ../../modules/nur-and-unstable.nix
+      ../../modules/base.nix
+      ../../modules/headless.nix
+
+      #../../modules/gnome-base.nix
+      #../../modules/gnome-config.nix
+      #../../modules/gnome-extensions.nix
+      #../../modules/gnome-fractional-scaling.nix
+
+      #../../modules/programs.nix
+      #../../modules/boxes.nix
+      #../../modules/freetube.nix
+      #../../modules/vscodium.nix
+      #../../modules/signal-desktop.nix
+      #../../modules/element-desktop.nix
+      #../../modules/joplin-desktop.nix
+      #../../modules/tor-browser.nix
+      #../../modules/autostart.nix
+      #../../modules/wallpaper.nix
+      #../../modules/fwupd-gnome.nix
+      #../../modules/print-and-scan.nix
+      ../../modules/ssh-fde-unlock.nix
+      #../../modules/nextcloud-integration.nix
+      #../../modules/git.nix
+      ../../modules/zsh.nix
+      #../../modules/nitrokey-gpg-smartcard.nix
+      #../../modules/ssh-client.nix
+      ../../modules/ssh-server.nix
+      #../../modules/firefox.nix
+      #../../modules/thunderbird.nix
+      #../../modules/digikam-rawtherapee.nix
+      #../../modules/ghostwriter.nix
+      #../../modules/android.nix
+      #../../modules/pmbootstrap.nix
+      #../../modules/podman.nix
+      #../../modules/docker.nix
+      #../../modules/docker-pushrm.nix
+      #../../modules/lid-switch-handling.nix
+      #../../modules/sendmail-mta.nix # TODO
+      #../../modules/journalwatch.nix # TODO
+      #../../modules/waydroid.nix
+      #../../modules/ntfs.nix
+      #../../modules/veracrypt.nix
+      #../../modules/btrbk
+      #../../modules/spin-down.nix # TODO
+
+      ../../modules/btrfs-scrub.nix
+      ../../modules/btrfs-mount-options.nix
+    ];
+
+  networking.hostName = "yodaHedgehog";
+  boot.initrd.luks.devices."crypted".allowDiscards = true;
+  yoda.btrfsFileSystems = ["/"];
+  #yoda.btrfsMounts = yoda.btrfsFileSystems;
+
+  boot.kernelParams = [];
+
+  boot.kernelPackages = pkgs.linuxPackages;
+}

hosts/yodaHedgehog/hardware-configuration.nix

@@ -0,0 +1,46 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4d413255-2c52-4b69-9be1-179e28f1b67e";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+    };
+
+  boot.initrd.luks.devices."crypted".device = "/dev/disk/by-uuid/5ecf0d68-24fc-49ee-8a78-23b47f3c566c";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/81A5-B98A";
+      fsType = "vfat";
+    };
+
+  fileSystems."/swap" =
+    { device = "/dev/disk/by-uuid/4d413255-2c52-4b69-9be1-179e28f1b67e";
+      fsType = "btrfs";
+      options = [ "subvol=@swap" ];
+    };
+
+  swapDevices = [ { device = "/swap/swapfile"; } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/yodaHedgehog/host-specific.nix

@@ -0,0 +1 @@
+{}

modules/ssh-client.nix

@@ -74,6 +74,20 @@
           compression = true;
         };
 
+        # local IP: 192.168.178.106
+        "yodaHedgehog" = {
+          hostname = "p1st.de";
+          user = "yoda";
+          port = 2226;
+          compression = true;
+        };
+        "unlockYodaHedgehog" = {
+          hostname = "p1st.de";
+          user = "root";
+          port = 2227;
+          compression = true;
+        };
+
         # local IP: 192.168.178.27
         "yodaNas" = {
           hostname = "p1st.de";

modules/ssh-fde-unlock.nix

@@ -2,6 +2,7 @@
 {
   # Unlock encrypted root partition remotely with SSH.
   # TODO: Some manual steps are required, see https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys
+  # -> ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
   #
   # Additional references:
   # https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition
@@ -17,6 +18,8 @@
         then 2225
       else if (config.networking.hostName == "yodaNas")
         then 2223
+      else if (config.networking.hostName == "yodaHedgehog")
+        then 2227
       else throw "Please add initrd ssh port here"
     );
     shell = "/bin/cryptsetup-askpass";
@@ -34,7 +37,7 @@
   #   inxi -F
   #
   boot.initrd.availableKernelModules = (
-    if (config.networking.hostName == "yodaTux")
+    if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaHedgehog")
       then [ "r8169" ]
     else if (config.networking.hostName == "yodaYoga") || (config.networking.hostName == "yodaNas")
       then [ "e1000e" ]

modules/ssh-server.nix

@@ -10,6 +10,8 @@
         then [2224]
       else if (config.networking.hostName == "yodaNas")
         then [2222]
+      else if (config.networking.hostName == "yodaHedgehog")
+        then [2226]
       else throw "Please add ssh port here"
     );
     # Use authorized keys only.
@@ -19,10 +21,10 @@
   };
 
   # SSH public key(s) allowed to connect via SSH.
-  users.users.yoda.openssh.authorizedKeys.keys = [
+  users.users."yoda".openssh.authorizedKeys.keys = [
     (builtins.readFile ../assets/ssh/nitrokey.pub)
   ];
-  users.users.root.openssh.authorizedKeys.keys = [
+  users.users."root".openssh.authorizedKeys.keys = [
     (builtins.readFile ../assets/ssh/nitrokey.pub)
   ] ++ (
     if (config.networking.hostName == "yodaNas")