added ssh key for morpheus

.gitignore

@@ -4,3 +4,6 @@ result-*
 
 # Ignore automatically generated direnv output
 .direnv
+
+# Ignore VM disk images
+*.qcow2

README.md

@@ -1,2 +1,16 @@
 # matrix
 Who needs something else?
+
+# Nixos Setup
+
+## Automatic Tests
+
+Using the nixos framework, tests can be written and performed. See https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests
+
+Perform all tests using `nix flake check`. Call a specific test using `nix build .#checks.x86_64-linux.test1`
+
+## Testing the VM
+
+The VM can be build using `nixos-rebuild build-vm --flake .#matrix` and started using `result/bin/run-nixos-vm`.
+
+See also https://gist.github.com/FlakM/0535b8aa7efec56906c5ab5e32580adf

flake.lock

@@ -0,0 +1,86 @@
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758287904,
+        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1759735786,
+        "narHash": "sha256-a0+h02lyP2KwSNrZz4wLJTu9ikujNsTWIC874Bv7IJ0=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "20c4598c84a671783f741e02bf05cbfaf4907cff",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1759831965,
+        "narHash": "sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH+47XEBo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "c9b6fb798541223bbb396d287d16f43520250518",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "sops": "sops"
+      }
+    },
+    "sops": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759635238,
+        "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,53 @@
+{
+  description = "Flake to setup server using matrix communication protocol";
+
+  inputs = {
+
+    # stable and unstable nixpkgs
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; 
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    
+    # partitioning and disk management
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # secret management
+    sops = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, disko, sops, ... }@inputs: {
+    nixosConfigurations = {
+      # TODO replace hostname
+      matrix = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          disko.nixosModules.disko
+          sops.nixosModules.sops
+          ./nix/configuration.nix
+          ./nix/disko.nix
+        ];
+        specialArgs = { inherit inputs; };
+      };
+    };
+
+    # Add this section
+    checks.x86_64-linux = {
+      test1 = import ./nix/tests/test1.nix {
+        pkgs = nixpkgs.legacyPackages.x86_64-linux;
+      };
+    };
+
+    # Development shell for working with the configuration
+    # execute: nix develop or use direnv
+    devShells.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
+      buildInputs = with nixpkgs.legacyPackages.x86_64-linux; [
+        # git
+      ];
+    };
+  };
+}

nix/configuration.nix

@@ -0,0 +1,108 @@
+{ config, pkgs, inputs, lib, ... }:
+
+{
+  imports = [
+    ./users/users.nix
+    ./modules/security.nix
+    ./vps/hetzner/hardware-configuration.nix
+    ./modules/zsh.nix
+   ];
+
+  # nix settings
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.download-buffer-size = 524288000; # 500MB
+
+  # Bootloader to work with LUKS
+  boot.loader.grub = {
+    enable = true;
+    # https://github.com/NixOS/nixpkgs/issues/55332
+    device = "nodev";                    # Don't install to MBR
+    efiSupport = true;                   # Enable EFI support
+    enableCryptodisk = true;             # Enable LUKS support
+  };
+  
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # LUKS configuration
+  boot.initrd.luks.devices."crypted" = {
+    device = "/dev/disk/by-partlabel/luks";
+    allowDiscards = true;
+  };
+
+  
+  boot.initrd.kernelModules = [ "virtio_gpu" ];
+  boot.kernelParams = [ "console=tty" ];  
+
+  networking.hostName = "matrix";
+
+  # time zone
+  time.timeZone = "Europe/Zurich";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "de_DE.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+
+  # Allow unfree packages
+  # nixpkgs.config.allowUnfree = true;
+
+  # List packages installed in system profile. To search, run:
+  environment.systemPackages = with pkgs; [
+  ];
+
+  virtualisation.vmVariant = {
+    # following configuration is added only when building VM with build-vm
+    virtualisation = {
+      memorySize = 4000;
+      cores = 2;
+      graphics = false;
+      diskSize = 5000; # 5GB, needed to prevent docker error running out of space
+
+      # Networking configuration
+      forwardPorts = [
+        { from = "host"; host.port = 2222; guest.port = 22; }
+      ];
+    };
+
+    # this is related to luks remote unlock via ssh
+    # Disable initrd secrets for VM builds to avoid secret error 
+    # Error is not present in real depolyments
+    boot.initrd.secrets = lib.mkForce {};
+
+    # Add VM-specific users
+    users.users.smith = {
+      isNormalUser = true;
+      description = "VM Test User";
+      extraGroups = [ "wheel" "networkmanager" ];
+      shell = pkgs.zsh;
+      initialPassword = "smith";
+      packages = with pkgs; [  ];
+    };
+
+    # VM-specific packages
+    environment.systemPackages = with pkgs; [
+    ];
+
+    # in order to build VM on x86_64 host
+    nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "25.05"; # Did you read the comment?
+
+}

nix/disko.nix

@@ -0,0 +1,41 @@
+# other examples, see https://github.com/nix-community/disko/blob/master/example/
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              label = "boot";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            luks = {
+              size = "100%";
+              label = "luks";
+              content = {
+                type = "luks";
+                name = "crypted";
+                settings.allowDiscards = true; # Enable SSD TRIM support
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nix/modules/security.nix

@@ -0,0 +1,52 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  # providing an ssh configuration
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";                    # Disable root login
+      PasswordAuthentication = false;            # Force SSH key auth only
+      PubkeyAuthentication = true;               # Enable SSH keys
+    };
+    ports = [ 22 ];
+    # using the same key as for initrd
+    hostKeys = [
+      { path = "/etc/secrets/initrd/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+  };
+
+  # remote unlock for luks via ssh
+  boot.kernelParams = [ "ip=dhcp" ];
+  boot.initrd = {
+    availableKernelModules = [ "virtio-pci" ];
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = [ 
+          (builtins.readFile ../users/keys/neo.pub) 
+        ];
+        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+
+  # Generate SSH host key for initrd
+  system.activationScripts.initrd-ssh-key = {
+    text = ''
+      mkdir -p /etc/secrets/initrd
+      if [ ! -f /etc/secrets/initrd/ssh_host_ed25519_key ]; then
+        ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key -N ""
+        chmod 600 /etc/secrets/initrd/ssh_host_ed25519_key
+        chmod 644 /etc/secrets/initrd/ssh_host_ed25519_key.pub
+      fi
+    '';
+    deps = [ ];
+  };
+
+  # other security hardening options can go here
+  security.sudo.wheelNeedsPassword = false;
+}

nix/modules/zsh.nix

@@ -0,0 +1,40 @@
+{ lib, config, pkgs, ... }:
+
+{
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+    autosuggestions.enable = true;
+    syntaxHighlighting.enable = true;
+    enableLsColors = true;
+
+    histSize = 10000;
+    histFile = "$HOME/.zsh_history";
+  
+    shellAliases = {
+      ll = "ls - l";
+    };
+
+    ohMyZsh = {
+      enable = true;
+      plugins = [
+        "sudo"
+        #"direnv"
+        #"fzf"
+      ];
+      theme = "terminalparty";
+    };
+
+    # custom zsh options
+    setOptions = [
+      "HIST_IGNORE_DUPS" # do not write dupes
+      "HIST_SAVE_NO_DUPS"
+      "HIST_IGNORE_ALL_DUPS"
+      "HIST_FIND_NO_DUPS"
+      "APPEND_HISTORY" # append rather than overwrite ...?
+      "SHARE_HISTORY" # all zsh sessions share history file
+      "HIST_FCNTL_LOCK" # useful to prevent lockups ...? see github
+      "HIST_IGNORE_SPACE" # add space before command to not write to history
+    ];
+  };
+}

nix/tests/test1.nix

@@ -0,0 +1,25 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.nixosTest {
+  name = "matrix-login-test";
+  
+  nodes = {
+    machine = { config, pkgs, ... }: {
+      imports = [
+        ../configuration.nix
+      ];
+      
+      # Test configuration
+      virtualisation.memorySize = 2048;
+    };
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("multi-user.target")
+
+    with subtest("SSH service test"):
+        machine.wait_for_unit("sshd.service")
+        machine.wait_for_open_port(22)
+  '';
+}

nix/users/keys/morpheus.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkZY9rUTaN7LrmA5MVU+I+at1YV+i2e3EkGfCIt4M2 robin@thor

nix/users/keys/neo.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtePfzkSorgiFNuol/pEYlR0HToDCy9fk8PPfZWMuf3 henrik@strange

nix/users/users.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, inputs, ... }:
+
+{
+  # Define user accounts
+  users.defaultUserShell = pkgs.zsh;
+  users.users.neo = {
+    isNormalUser = true;
+    description = "Neovim only user";
+    extraGroups = [ "networkmanager" "wheel" ];
+    shell = pkgs.zsh;
+    packages = with pkgs; [ ];
+    openssh.authorizedKeys.keyFiles = [
+      ./keys/neo.pub
+    ];
+  };
+
+  users.users.morpheus = {
+    isNormalUser = true;
+    description = "I'm colorblind";
+    extraGroups = [ "networkmanager" "wheel" ];
+    shell = pkgs.zsh;
+    packages = with pkgs; [ ];
+    openssh.authorizedKeys.keyFiles = [
+      ./keys/morpheus.pub
+    ];
+  };
+
+  users.users.trinity = {
+    isNormalUser = true;
+    description = "Named after an atom bomb test";
+    extraGroups = [ "networkmanager" "wheel" ];
+    shell = pkgs.zsh;
+    packages = with pkgs; [ ];
+  };
+}

nix/vps/hetzner/aarch64.nix

@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+
+{
+  # Specific settings for Hetzner Cloud AArch64 instances
+  # https://wiki.nixos.org/wiki/Install_NixOS_on_Hetzner_Cloud#AArch64_(CAX_instance_type)_specifics
+  boot.initrd.kernelModules = [ "virtio_gpu" ];
+  boot.kernelParams = [ "console=tty" ];  
+
+  # aarch64-linux
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

nix/vps/hetzner/hardware-configuration.nix

@@ -0,0 +1,10 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./aarch64.nix
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+}