feat: init srv0-dmz0

2023-07-06 22:42:24 +02:00 · 2023-07-06 22:42:24 +02:00 · 4cb8e6df29
commit 4cb8e6df29
parent b481126ae2
16 changed files with 447 additions and 91 deletions
--- a/nix/os/devices/srv0-dmz0/README.md
+++ b/nix/os/devices/srv0-dmz0/README.md
@ -0,0 +1,7 @@
+## bootstrapping
+
+```
+# TODO: generate an SSH host-key and deploy it via --extra-files 
+nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life
+```
+
--- a/nix/os/devices/srv0-dmz0/configuration.nix
+++ b/nix/os/devices/srv0-dmz0/configuration.nix
@ -0,0 +1,133 @@
+{
+  modulesPath,
+  repoFlake,
+  pkgs,
+  config,
+  ...
+}: let
+  disk = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002051";
+in {
+  disabledModules = [];
+  imports = [
+    repoFlake.inputs.disko.nixosModules.disko
+    repoFlake.inputs.srvos.nixosModules.server
+    (modulesPath + "/profiles/all-hardware.nix")
+
+    repoFlake.inputs.srvos.nixosModules.mixins-terminfo
+    repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot
+
+    repoFlake.inputs.sops-nix.nixosModules.sops
+
+    ../../profiles/common/user.nix
+  ];
+
+  ## bare-metal machines
+  srvos.boot.consoles = ["tty0"];
+  boot.loader.grub.enable = false;
+  boot.loader.efi.canTouchEfiVariables = false;
+
+  disko.devices.disk.main = {
+    device = disk;
+    type = "disk";
+    content = {
+      type = "table";
+      format = "gpt";
+      partitions = [
+        {
+          name = "boot";
+          start = "0";
+          end = "1M";
+          part-type = "primary";
+          flags = ["bios_grub"];
+        }
+        {
+          name = "ESP";
+          start = "1M";
+          end = "512M";
+          bootable = true;
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        }
+        {
+          name = "root";
+          start = "512M";
+          end = "100%";
+          part-type = "primary";
+          bootable = true;
+          content = {
+            type = "btrfs";
+            extraArgs = ["-f"]; # Override existing partition
+            subvolumes = {
+              # Subvolume name is different from mountpoint
+              "/rootfs" = {
+                mountpoint = "/";
+              };
+              "/nix" = {
+                mountOptions = ["noatime"];
+              };
+            };
+          };
+        }
+      ];
+    };
+  };
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.intel.updateMicrocode = true;
+
+  services.openssh.enable = true;
+
+  systemd.network.enable = true;
+  systemd.network.networks."10-lan" = {
+    matchConfig.Name = "eth*";
+    networkConfig = {
+      # enable DHCP for IPv4 *and* IPv6
+      DHCP = "yes";
+
+      # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
+      IPv6AcceptRA = true;
+    };
+  };
+  networking.dhcpcd.enable = false;
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    22
+
+    # iperf3
+    5201
+  ];
+  networking.firewall.logRefusedConnections = false;
+  networking.usePredictableInterfaceNames = false;
+
+  networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "eth0";
+  };
+
+  # Kubernetes
+  # services.kubernetes.roles = ["master" "node"];
+
+  # virtualization
+  # virtualisation = {docker.enable = true;};
+
+  nix.gc = {automatic = true;};
+
+  containers = {
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}
--- a/nix/os/devices/srv0-dmz0/default.nix
+++ b/nix/os/devices/srv0-dmz0/default.nix
@ -0,0 +1,30 @@
+{
+  nodeName,
+  repoFlake,
+  nodeFlake,
+  ...
+}: let
+  system = "x86_64-linux";
+in {
+  meta.nodeSpecialArgs.${nodeName} = {
+    inherit repoFlake nodeName nodeFlake;
+    packages' = repoFlake.packages.${system};
+  };
+
+  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
+    inherit system;
+  };
+
+  ${nodeName} = {
+    deployment.targetHost = "srv0.dmz0.noosphere.life";
+    deployment.replaceUnknownProfiles = false;
+
+    imports = [
+      nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+      ./configuration.nix
+    ];
+
+    networking.hostName = nodeName;
+  };
+}
--- a/nix/os/devices/srv0-dmz0/flake.lock
+++ b/nix/os/devices/srv0-dmz0/flake.lock
@ -0,0 +1,83 @@
+{
+  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1687871164,
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-23.05",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1688594934,
+        "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e11142026e2cef35ea52c9205703823df225c947",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-master": {
+      "locked": {
+        "lastModified": 1688668881,
+        "narHash": "sha256-q5QIxsX5UR+P2uq8RyaJA/GI5z3yZiKl3Q35gVyr9UM=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "0ffe9cc640d092e6abd8c0adec483acfd2ed7cda",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1688640665,
+        "narHash": "sha256-bpNl3nTFDZqrLiRU0bO6vdIT5Ww13nNCVsOLLKEqGuE=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "88faf206ce0d5cfda760539a367daf6cde5b3712",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-master": "nixpkgs-master",
+        "nixpkgs-unstable": "nixpkgs-unstable"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/nix/os/devices/srv0-dmz0/flake.nix
+++ b/nix/os/devices/srv0-dmz0/flake.nix
@ -0,0 +1,12 @@
+{
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+  inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+  inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+  inputs.home-manager = {
+    url = "github:nix-community/home-manager/release-23.05";
+    inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = _: {};
+}
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@ -24,22 +24,6 @@ in {
  };

  networking.extraHosts = ''
-    # qemu box
-    172.24.40.13 steveej-qemu.infra.holochain.org
-    172.24.40.13 steveej-qemu.d.dweb.city
-
-    # bare metal
-    192.168.14.117 steveej-hw1.infra.holochain.org
-    192.168.14.117 steveej-hw1.d.dweb.city
-    192.168.14.117 steveej-hw2.infra.holochain.org
-    192.168.14.117 steveej-hw2.d.dweb.city
-    192.168.14.117 steveej-hw3.infra.holochain.org
-    192.168.14.117 steveej-hw3.d.dweb.city
-    192.168.14.117 steveej-hw4.infra.holochain.org
-    192.168.14.117 steveej-hw4.d.dweb.city
-
-    172.24.135.11 emerge3.d.dweb.city
-    172.24.74.194 emerge4.d.dweb.city
  '';

  networking.bridges."virbr1".interfaces = [];
@ -150,17 +134,17 @@ in {
  };

  sops.secrets.nomad-holochain-agent-ca = {
-    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };

  sops.secrets.nomad-holochain-cli-cert = {
-    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };

  sops.secrets.nomad-holochain-cli-key = {
-    sopsFile =  ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
+    sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
    owner = config.users.extraUsers.steveej.name;
  };
 }
--- a/nix/os/devices/steveej-t14/user.nix
+++ b/nix/os/devices/steveej-t14/user.nix
@ -5,7 +5,7 @@
  ...
 }: let
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
+  inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
 in {
  users.extraUsers.steveej2 = mkUser {
    uid = 1001;
@ -14,4 +14,7 @@ in {
  };

  nix.settings.trusted-users = ["steveej"];
+
+  security.pam.u2f.enable = true;
+  security.pam.services.steveej.u2fAuth = true;
 }
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
@ -1,7 +1,9 @@
 {
  lib,
-  keys ? import ../../variables/keys.nix,
-}: {
+  config,
+}: let
+  keys = import ../../variables/keys.nix;
+in {
  mkUser = args: (
    lib.attrsets.recursiveUpdate {
      isNormalUser = true;
@ -19,6 +21,11 @@
        "adbusers"
      ];
      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+
+      # TODO: investigate why this secret cannot be found
+      # openssh.authorizedKeys.keyFiles = [
+      #   config.sops.secrets.sharedSshKeys-steveej.path
+      # ];
    }
    args
  );
--- a/nix/os/modules/opinionatedDisk.nix
+++ b/nix/os/modules/opinionatedDisk.nix
@ -1,11 +1,12 @@
 {
  lib,
  config,
+  pkgs,
  ...
 }:
 with lib; let
  cfg = config.hardware.opinionatedDisk;
-  ownLib = import ../lib/default.nix {inherit lib;};
+  ownLib = pkgs.callPackage ../lib/default.nix {};
 in {
  options.hardware.opinionatedDisk = {
    enable = mkEnableOption "Enable opinionated filesystem layout";
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@ -4,11 +4,18 @@
  ...
 }: let
  keys = import ../../../variables/keys.nix;
-  inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
+  inherit
+    (import ../../lib/default.nix {
+      inherit (pkgs) lib;
+      inherit config;
+    })
+    mkUser
+    ;
 in {
  sops.secrets.sharedUsers-root = {
    sopsFile = ../../../../secrets/shared-users.yaml;
    neededForUsers = true;
+    format = "yaml";
  };

  sops.secrets.sharedUsers-steveej = {
@ -17,18 +24,26 @@ in {
    format = "yaml";
  };

+  sops.secrets.sharedSshKeys-steveej = {
+    sopsFile = ../../../../secrets/shared-users.yaml;
+    # neededForUsers = true;
+    format = "yaml";
+  };
+
  users.mutableUsers = false;

  users.extraUsers.root = {
    passwordFile = config.sops.secrets.sharedUsers-root.path;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+
+    # TODO: investigate why this secret cannot be found
+    # openssh.authorizedKeys.keyFiles = [
+    #   config.sops.secrets.sharedSshKeys-steveej.path
+    # ];
  };

  users.extraUsers.steveej = mkUser {
    uid = 1000;
    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
  };
-
-  security.pam.u2f.enable = true;
-  security.pam.services.steveej.u2fAuth = true;
 }