Add NixOS configuration for ringtail workstation (#207)

## Summary - NixOS flake for ringtail (gaming/compute workstation, RTX 4080) in `nixos/ringtail/` - Declarative disk partitioning via disko (GPT, 512M EFI + ext4 root on NVMe) - NVIDIA proprietary drivers, sway/Wayland desktop, greetd, PipeWire, Steam - Tailscale integration for tailnet connectivity - Ansible playbook + `mise run provision-ringtail` for ongoing management - Pulumi auth key (`tag:homelab`, `tag:blumeops`) for tailnet bootstrap ## Deployment Order 1. **Merge PR** 2. `pulumi up` in tailscale stack → creates auth key 3. Retrieve auth key: `pulumi stack output ringtail_authkey --show-secrets` 4. On ringtail NixOS installer: - `nix run github:nix-community/disko -- --mode disko /tmp/disk-config.nix` (or from cloned repo) - `nixos-install --flake github:eblume/blumeops?dir=nixos/ringtail#ringtail` 5. Reboot, `tailscale up --auth-key=<key>` 6. Verify: `tailscale status`, SSH from gilbert ## Test plan - [ ] Review NixOS configuration for completeness - [ ] Verify disko partition layout matches ringtail hardware - [ ] Run `pulumi preview` for tailscale stack - [ ] Install NixOS on ringtail - [ ] Confirm tailscale connectivity - [ ] Confirm sway desktop works - [ ] Test `mise run provision-ringtail` for ongoing management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/207
2026-02-18 08:24:25 -08:00 · 2026-02-18 08:24:25 -08:00 · b9d813cde1
commit b9d813cde1
parent 5f9b024b4a
9 changed files with 281 additions and 1 deletions
--- a/pulumi/tailscale/main.py
+++ b/pulumi/tailscale/main.py
@ -5,7 +5,7 @@ This program manages:
 - Device tags for infrastructure classification

 Devices are tagged based on their role:
- tag:homelab - Server infrastructure (indri)
+- tag:homelab - Server infrastructure (indri, ringtail)
 - tag:workstation - Development machines that can manage homelab (gilbert)
 - tag:nas - Network-attached storage (sifaka)
 - tag:blumeops - Resources managed by this IaC
@ -82,10 +82,23 @@ flyio_key = tailscale.TailnetKey(
    expiry=7776000,  # 90 days
 )

+# Auth key for ringtail (gaming/compute workstation, NixOS)
+# Used during bootstrap: `tailscale up --auth-key=<key>`
+# Once ringtail is on the tailnet, add DeviceTags resource for ongoing management.
+ringtail_key = tailscale.TailnetKey(
+    "ringtail-key",
+    reusable=False,
+    ephemeral=False,
+    preauthorized=True,
+    tags=["tag:homelab", "tag:blumeops"],
+    expiry=86400,  # 24 hours - single use for bootstrap
+)
+
 # ============== Exports ==============
 pulumi.export("acl_id", acl.id)
 pulumi.export("policy_hash", policy_hash)
 pulumi.export("flyio_authkey", flyio_key.key)
+pulumi.export("ringtail_authkey", ringtail_key.key)

 pulumi.export("indri_device_id", indri.node_id)
 pulumi.export("indri_tags", indri_tags.tags)