flake: add machine Halcyon

Renna42 · Renna42 · commit 4f3c13154c4b · 2026-02-09T05:06:04.000+08:00
diff --git a/flake.nix b/flake.nix
@@ -70,7 +70,11 @@
         secretsPath
         ;
     };
-    nixosMachines = ["Mizuka" "Quebec"];
+    nixosMachines = [
+      "Mizuka"
+      "Quebec"
+      "Halcyon"
+    ];
     darwinMachines = ["Schwarzschild"];
   in
     flake-parts.lib.mkFlake {inherit inputs;} ({
diff --git a/nixos/configurations/Halcyon/default.nix b/nixos/configurations/Halcyon/default.nix
@@ -0,0 +1,16 @@
+{
+  lib,
+  hostname,
+  ...
+}: {
+  imports = [
+    ../../roles/server
+    ../../disk-layouts/simple.nix
+  ];
+
+  networking.hostName = hostname;
+
+  services.qemuGuest.enable = true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/roles/server/default.nix b/nixos/roles/server/default.nix
@@ -0,0 +1,69 @@
+_: {
+  # Boot
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.configurationLimit = 5;
+
+  # No need for fonts and documentation on a server
+  documentation.man.enable = true;
+  documentation.dev.enable = false;
+  documentation.doc.enable = false;
+  documentation.nixos.enable = false;
+  fonts.fontconfig.enable = false;
+
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+  programs.git.enable = true;
+
+  users.mutableUsers = false;
+
+  # Access
+  users.users.root = {
+    initialHashedPassword = "$y$j9T$KHYs8lBhE5S.gupM7N/QE/$zurxi/XMT5n6aACZu9tz3RBLBQ6Ge/eCUwODOjRMqe0";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL5pMTK8LGrizHB2VvgL1RG9cNKxAhYXb59NqSyAwpw"
+    ];
+  };
+  networking.firewall = {
+    enable = true;
+  };
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PermitRootLogin = "prohibit-password";
+  };
+
+  systemd = {
+    # Given that our systems are headless, emergency mode is useless.
+    # We prefer the system to attempt to continue booting so
+    # that we can hopefully still access it remotely.
+    enableEmergencyMode = false;
+
+    # For more detail, see:
+    #   https://0pointer.de/blog/projects/watchdog.html
+    settings.Manager = {
+      # systemd will send a signal to the hardware watchdog at half
+      # the interval defined here, so every 10s.
+      # If the hardware watchdog does not get a signal for 20s,
+      # it will forcefully reboot the system.
+      RuntimeWatchdogSec = "20s";
+      # Forcefully reboot if the final stage of the reboot
+      # hangs without progress for more than 30s.
+      # For more info, see:
+      #   https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog
+      RebootWatchdogSec = "30s";
+      # Forcefully reboot when a host hangs after kexec.
+      # This may be the case when the firmware does not support kexec.
+      KExecWatchdogSec = "1m";
+    };
+  };
+
+  # use TCP BBR has significantly increased throughput and reduced latency for connections
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "fq";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+}
