move secrets to its own module

hosts/l003/configuration.nix

@@ -0,0 +1,8 @@
+{
+  ...
+}:
+{
+  networking.hostName = "l003";
+  boot.loader.grub.enable = true;
+  system.stateVersion = "24.11";
+}

hosts/l003/flake.nix

@@ -0,0 +1,77 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
+    mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
+    mod_common.inputs.nixpkgs.follows = "nixpkgs";
+    mod_common.inputs.ragenix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      ...
+    }@inputs:
+    let
+      configuration_name = "l003";
+      lib = nixpkgs.lib;
+    in
+    {
+      nixosConfigurations = {
+        nixos = self.nixosConfigurations.${configuration_name};
+        "${configuration_name}" =
+          let
+            auto_modules = builtins.concatMap (
+              input:
+              lib.optionals
+                (builtins.hasAttr "nixosModules" input && builtins.hasAttr "default" input.nixosModules)
+                [
+                  input.nixosModules.default
+                ]
+            ) (builtins.attrValues inputs);
+          in
+          (lib.nixosSystem {
+            modules = [
+              ./configuration.nix
+              ./hardware-configuration.nix
+              ./linode.nix
+              ./common.nix
+              (
+                { pkgs, ... }:
+                {
+                  users.users.root.openssh.authorizedKeys.keys = [
+                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJN2nsLmAlF6zj5dEBkNSJaqcCya+aB6I0imY8Q5Ew0S nix2lio"
+                  ];
+                  mods = {
+                    common = {
+                      flakeLocationOverride = "/home/luser/.config/nixos-config";
+                      disableRemoteBuildsOnLio = true;
+                      systemName = configuration_name;
+                      allowUnfree = true;
+                      primaryUser = "luser";
+                      docker = true;
+                      users = {
+                        luser = {
+                          extraGroups = [
+                            "wheel"
+                            "networkmanager"
+                          ];
+                          isNormalUser = true;
+                          openssh.authorizedKeys.keys = [
+                            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
+                          ];
+                        };
+                      };
+                    };
+                  };
+                }
+              )
+            ] ++ auto_modules;
+            specialArgs = {
+              inherit inputs;
+            };
+          });
+      };
+    };
+}

hosts/l003/hardware-configuration.nix

@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/3612d65e-719c-4b33-af08-561b790d6d33";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
+

hosts/l003/linode.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+{
+  # https://www.linode.com/docs/guides/install-nixos-on-linode/#configure-nixos
+  boot.kernelParams = [ "console=ttyS0,19200n8" ];
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial
+  '';
+
+  boot.loader.grub.forceInstall = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.timeout = 10;
+
+  # TODO disable after first startup with ssh keys
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    settings.PasswordAuthentication = false;
+  };
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.luser.openssh.authorizedKeys.keys;
+
+  networking.usePredictableInterfaceNames = false;
+  networking.useDHCP = false; # Disable DHCP globally as we will not need it.
+  # required for ssh?
+  networking.interfaces.eth0.useDHCP = true;
+
+  environment.systemPackages = with pkgs; [
+    inetutils
+    mtr
+    sysstat
+  ];
+}

hosts/l003/readme.md

@@ -0,0 +1,17 @@
+# Linode setup
+
+https://www.linode.com/docs/guides/install-nixos-on-linode/#prepare-your-linode
+https://nixos.org/download/
+
+`export HOSTNAME=NAME && sudo nixos-rebuild switch --flake ~/.config/nixos-config`
+
+# My config
+
+```sh
+rsync -e "ssh -i /run/agenix/nix2l002" -Pahz \
+  --delete-after \
+  --exclude 'flake.lock' \
+  ~/.config/nixos-config/hosts/l003/ \
+  luser@172.234.26.141:~/.config/nixos-config/
+```
+