From 742e432ce72368a35d3bf7e4e6f4a8931fd239e3 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 11 Aug 2023 18:50:10 +0200 Subject: [PATCH 1/4] feat(common/users): init module and add customization options --- nix/os/profiles/common/user.nix | 75 +++++++++++++++++++++------------ 1 file changed, 49 insertions(+), 26 deletions(-) diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index a2447f9..b21cd4e 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -1,6 +1,7 @@ { config, pkgs, + lib, ... }: let keys = import ../../../variables/keys.nix; 
@@ -11,39 +12,61 @@ }) mkUser ; + + inherit (lib) types; + + cfg = config.users.commonUsers; in { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; + options.users.commonUsers = { + enable = lib.mkOption { + default = true; + type = types.bool; + }; + + enableNonRoot = lib.mkOption { + default = true; + type = types.bool; + }; + + rootPasswordFile = lib.mkOption { + default = config.sops.secrets.sharedUsers-root.path; + type = types.path; + }; }; + config = lib.mkIf cfg.enable { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; - users.mutableUsers = false; + users.mutableUsers = lib.mkForce false; - users.extraUsers.root = { - passwordFile = config.sops.secrets.sharedUsers-root.path; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + users.extraUsers.root = { + passwordFile = cfg.rootPasswordFile; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - }; + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + }; - 
users.extraUsers.steveej = mkUser { - uid = 1000; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; + users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser { + uid = 1000; + passwordFile = config.sops.secrets.sharedUsers-steveej.path; + }); }; } From 5de5e57518da3f425de012f2738988d5151f12b6 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 10 Aug 2023 21:45:49 +0200 Subject: [PATCH 2/4] feat(router0-dmz0): init bpir3 based router --- .sops.yaml | 18 +- flake.lock | 163 +++--- flake.nix | 16 +- nix/os/containers/backup-target.nix | 8 +- nix/os/containers/mailserver.nix | 8 - nix/os/containers/webserver.nix | 23 +- nix/os/devices/router0-dmz0/.gitignore | 1 + nix/os/devices/router0-dmz0/configuration.nix | 524 ++++++++++++++++++ nix/os/devices/router0-dmz0/default.nix | 39 ++ nix/os/devices/router0-dmz0/flake.lock | 205 +++++++ nix/os/devices/router0-dmz0/flake.nix | 93 ++++ nix/os/devices/sj-vps-htz0/pkg.nix | 26 - nix/os/devices/steveej-t14/system.nix | 4 + nix/os/lib/default.nix | 1 + nix/os/modules/ddclient-hetzner.nix | 25 - nix/os/modules/ddclient-ovh.nix | 11 - nix/os/profiles/containers/configuration.nix | 4 +- secrets/router0-dmz0/secrets.yaml | 41 ++ secrets/shared-users.yaml | 95 ++-- secrets/sj-vps-htz0/secrets.yaml | 37 ++ 20 files changed, 1133 insertions(+), 209 deletions(-) create mode 100644 nix/os/devices/router0-dmz0/.gitignore create mode 100644 nix/os/devices/router0-dmz0/configuration.nix create mode 100644 nix/os/devices/router0-dmz0/default.nix create mode 100644 nix/os/devices/router0-dmz0/flake.lock create mode 100644 nix/os/devices/router0-dmz0/flake.nix delete mode 100644 nix/os/devices/sj-vps-htz0/pkg.nix create mode 100644 secrets/router0-dmz0/secrets.yaml create mode 100644 secrets/sj-vps-htz0/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 00c147f..4ba5ffb 100644 --- a/.sops.yaml +++ b/.sops.yaml 
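Review bot: `users.extraUsers.root` keeps `openssh.authorizedKeys.keys = keys.users.steveej.openssh;` unconditionally, so a host that sets `enableNonRoot = false` (the stated purpose of that option) still grants the steveej key direct root SSH login; if that coupling is intended, make it an explicit option such as `rootAuthorizedKeys = lib.mkOption { default = keys.users.steveej.openssh; type = types.listOf types.str; };` and use it in place of the literal. None of the three `mkOption`s carries a `description`, so `nixos-option` and generated docs show nothing for them; one line each would do ("Enable the shared-users profile", "Also create the non-root shared user", "Path to the hashed root password file; must be available before user creation"). The `rootPasswordFile` default points at `config.sops.secrets.sharedUsers-root.path`, which is only declared inside the `mkIf cfg.enable` block, so reading the option on a host with the profile disabled will presumably fail evaluation — worth stating in its description. The enclosing `let … in { … }` module begins in the earlier hunk, outside this one.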
@@ -11,7 +11,8 @@ keys: - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - + # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz + - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: @@ -19,10 +20,13 @@ creation_rules: - *steveej age: - *steveej-t14 - - *sj-vps-htz0 - - *srv0-dmz0 - *elias-e525 - *justyna-p300 + + - *srv0-dmz0 + - *router0-dmz0 + + - *sj-vps-htz0 - path_regex: ^secrets/steveej-t14/.+$ key_groups: - pgp: @@ -46,4 +50,10 @@ creation_rules: - pgp: - *steveej age: - - *srv0-dmz0 \ No newline at end of file + - *srv0-dmz0 + - path_regex: ^secrets/router0-dmz0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-dmz0 \ No newline at end of file diff --git a/flake.lock b/flake.lock index 69f97f8..b026e10 100644 --- a/flake.lock +++ b/flake.lock @@ -50,11 +50,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1688690832, - "narHash": "sha256-RJIYuOn9FaQWVzj6ytaKsHyur0KsYO9tOgaMz1XHtpQ=", + "lastModified": 1691423162, + "narHash": "sha256-cReUZCo83YEEmFcHX8CcOVTZYUrcWgHQO34zxQzy7WI=", "owner": "ipetkov", "repo": "crane", - "rev": "bfc1c3dca576e2f9e02eb0176e4058305192afe3", + "rev": "b5d9d42ea3fa8fea1805d9af1416fe207d0dd1dc", "type": "github" }, "original": { @@ -93,11 +93,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1688624761, - "narHash": "sha256-VMvhdWPCLUFhyssTSZXCxFkA9bZ05VgXZVsuYlJcZBg=", + "lastModified": 1691648495, + "narHash": "sha256-JULr+eKL9rjfex17hZYn0K/fBxxfK/FM9TOCcxPQay4=", "owner": "nix-community", "repo": "fenix", - "rev": "a2ea120926a1234ec804c090f90312e0ec2d4541", + "rev": "6c9f0709358f212766cff5ce79f6e8300ec1eb91", "type": "github" }, "original": { 
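Review bot: The commented-out first `&router0-dmz0` age recipient in the `keys:` hunk should be deleted rather than kept; if that key was replaced, every file encrypted to it needs `sops updatekeys` (the diffstat suggests the affected secrets were re-encrypted), and a dead recipient left in the file only invites being re-enabled by mistake. Adding `*router0-dmz0` to the catch-all `^(.+/|)secrets/[^/]+$` rule also means the WAN-facing router's age key can decrypt every shared secret file, including the shared user password hashes in `secrets/shared-users.yaml`, not only the new `secrets/router0-dmz0/` rule added below it. That appears to be forced by the common user profile still declaring `sops.secrets.sharedUsers-root` even when a host overrides `rootPasswordFile`; decoupling that in user.nix would let this rule stay restricted to the host's own directory.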
@@ -158,11 +158,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", "type": "github" }, "original": { @@ -234,11 +234,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { @@ -252,11 +252,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { 
@@ -298,11 +298,11 @@ "jay": { "flake": false, "locked": { - "lastModified": 1683988763, - "narHash": "sha256-vaHNBwCIMNf/rnnievmxhF5wxci0Rbu2IUXiUxxKF74=", + "lastModified": 1689440887, + "narHash": "sha256-+61dHuxk3FCP+H2PCoup6lZDlaTuJBqDzkiBNY6yaJ4=", "owner": "mahkoh", "repo": "jay", - "rev": "80dc8770c51c0409a32b212499e0803dd585cab1", + "rev": "eb83505e39ec8c2383ac233a8b8449803db52549", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1688299754, - "narHash": "sha256-ElNJ28wfORNv8JaCOFb/mniLiQe0cpuaj2DdD/dqdKw=", + "lastModified": 1691323683, + "narHash": "sha256-G7kMLDbYN03VNO+QYymFIp0o9jv+gflUpde8V4iYri8=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "6107c923522c233458760d0c7f31ad71bf1d2146", + "rev": "99d95d9ca592022832e9f1b4d2a8327b8d50eb60", "type": "github" }, "original": { @@ -349,14 +349,15 @@ "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1688608231, - "narHash": "sha256-RQeR/tirHIa5jhZYLCK7KnQiYTG/kq/vWdgDFLi+4+g=", + "lastModified": 1691371197, + "narHash": "sha256-YazAJxDjmAG9kiIEuqc+1CmmYIIt4wRIbEFb+TXf8WA=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "477d7196a493dd011f05704fc7b42cbe95f5b30d", + "rev": "b02b4e287fddc969fc490478b5666603f4ab0d3c", "type": "github" }, "original": { @@ -393,11 +394,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1687941964, - "narHash": "sha256-/Gr4tOq+tMBbE46njUt1aJGbsB9lpwnK99/oeC9uTXE=", + "lastModified": 1691224484, + "narHash": "sha256-0oodXqRRHXjUL7ssi1nIOKC8EzYD4f1e3eAaWexuF4M=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "22a2964bef34f92fe1c093ae54a8ab52eefdd5df", + "rev": "9df79870b04667f2d16f1a78a1ab87d124403fb7", "type": "github" }, "original": { 
@@ -434,11 +435,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688607075, - "narHash": "sha256-KDWpwZ4xl4au5R+A+Ka+uVbyiwMDVczjwRTSqBOyqWM=", + "lastModified": 1691370583, + "narHash": "sha256-LnKMx9NQ0Qx0DTYQVewkcRr+7uW5NY7xU9kjh+Lxnb0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ff81c24d1dd4dc3698aeb27d2cc3991124e627e6", + "rev": "b51660a128c09baf31c614284b500eb53772496f", "type": "github" }, "original": { @@ -466,11 +467,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1688594934, - "narHash": "sha256-3dUo20PsmUd57jVZRx5vgKyIN1tv+v/JQweZsve5q/A=", + "lastModified": 1691592289, + "narHash": "sha256-Lqpw7lrXlLkYra33tp57ms8tZ0StWhbcl80vk4D90F8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e11142026e2cef35ea52c9205703823df225c947", + "rev": "9034b46dc4c7596a87ab837bb8a07ef2d887e8c7", "type": "github" }, "original": { @@ -483,11 +484,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", + "lastModified": 1690881714, + "narHash": "sha256-h/nXluEqdiQHs1oSgkOOWF+j8gcJMWhwnZ9PFabN6q0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", + "rev": "9e1960bc196baf6881340d53dccb203a951745a2", "type": "github" }, "original": { @@ -500,11 +501,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1688259758, - "narHash": "sha256-CYVbYQfIm3vwciCf6CCYE+WOOLE3vcfxfEfNHIfKUJQ=", + "lastModified": 1691282883, + "narHash": "sha256-YLu1Fs+J+hw0BebUhWIeFzSqhlsnf0K88RqhVJebF9E=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a92befce80a487380ea5e92ae515fe33cebd3ac6", + "rev": "b1d35b759161787e1cda815c460050142bda9adb", "type": "github" }, "original": { 
@@ -515,11 +516,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1688256355, - "narHash": "sha256-/E+OSabu4ii5+ccWff2k4vxDsXYhpc4hwnm0s6JOz7Y=", + "lastModified": 1690066826, + "narHash": "sha256-6L2qb+Zc0BFkh72OS9uuX637gniOjzU6qCDBpjB2LGY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f553c016a31277246f8d3724d3b1eee5e8c0842c", + "rev": "ce45b591975d070044ca24e3003c830d26fea1c8", "type": "github" }, "original": { @@ -531,11 +532,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1690179384, - "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=", + "lastModified": 1691565530, + "narHash": "sha256-qZZ6DxvS1X/tjxXNUwJrPiaIWLZyWUDM2gkJCi5uZpE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a", + "rev": "e528fa15d5f740a25b5f536c33932db64cb10fc8", "type": "github" }, "original": { @@ -547,11 +548,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1691472822, - "narHash": "sha256-XVfYZ2oB3lNPVq6sHCY9WkdQ8lHoIDzzbpg8bB6oBxA=", + "lastModified": 1691644995, + "narHash": "sha256-/OL3sk+9iPv+pto8hs/3cPhGmcS+ugKowQ8FvopLMEA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "41c7605718399dcfa53dd7083793b6ae3bc969ff", + "rev": "f6f59fdce76ca4ee03852417a642b77a960229cd", "type": "github" }, "original": { @@ -569,11 +570,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1688653033, - "narHash": "sha256-iRtkfin+7PLWd0ce/pQ8bDSo1v6N+nfgjFDFCFEKUCA=", + "lastModified": 1691518836, + "narHash": "sha256-sY9Unk1pCbMxMSX/SuoSUg8TY4TDN+edKY83cCEqb8g=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "bc84572c913933dbb49df2746dc8669f562da454", + "rev": "982c0c1ee398e8584d8c9cce011ec98392d2e3cc", "type": "github" }, "original": { 
@@ -584,11 +585,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1688590700, - "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "lastModified": 1691368598, + "narHash": "sha256-ia7li22keBBbj02tEdqjVeLtc7ZlSBuhUk+7XTUFr14=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "rev": "5a8e9243812ba528000995b294292d3b5e120947", "type": "github" }, "original": { @@ -647,11 +648,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1688576197, - "narHash": "sha256-flxGk5OXBfXqlS/ZWNyT23slfPjTCkza3CV/EIfvdSU=", + "lastModified": 1691604464, + "narHash": "sha256-nNc/c9r1O8ajE/LkMhGcvJGlyR6ykenR3aRkEkhutxA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "aa91eda9028758839487ad0f0eb120944a549ff3", + "rev": "05b061205179dab9a5cd94ae66d1c0e9b8febe08", "type": "github" }, "original": { @@ -673,11 +674,11 @@ ] }, "locked": { - "lastModified": 1688351637, - "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "lastModified": 1691029059, + "narHash": "sha256-QwVeE9YTgH3LmL7yw2V/hgswL6yorIvYSp4YGI8lZYM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "rev": "99df4908445be37ddb2d332580365fce512a7dcf", "type": "github" }, "original": { @@ -710,11 +711,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1688268466, - "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=", + "lastModified": 1690199016, + "narHash": "sha256-yTLL72q6aqGmzHq+C3rDp3rIjno7EJZkFLof6Ika7cE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957", + "rev": "c36df4fe4bf4bb87759b1891cab21e7a05219500", "type": "github" }, "original": { 
@@ -730,11 +731,11 @@ ] }, "locked": { - "lastModified": 1688619474, - "narHash": "sha256-mPPR4iZxOoq3LB2EZTgo72UunV4UWdtaBTiTc3x+iPI=", + "lastModified": 1691630941, + "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=", "owner": "numtide", "repo": "srvos", - "rev": "bf8ce44e0d1a380565c51bd6a707a75ac21c1a9a", + "rev": "b7407c2dc143402de6f140575398020175f3ae1a", "type": "github" }, "original": { @@ -810,6 +811,28 @@ "type": "github" } }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs-wayland", + "nix-eval-jobs", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690874496, + "narHash": "sha256-qYZJVAfilFbUL6U+euMjKLXUADueMNQBqwihpNzTbDU=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "fab56c8ce88f593300cd8c7351c9f97d10c333c5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "yofi": { "inputs": { "flake-utils": "flake-utils_4", diff --git a/flake.nix b/flake.nix index 7d7f0cd..3412ee3 100644 --- a/flake.nix +++ b/flake.nix @@ -100,15 +100,25 @@ repoFlakeWithSystem = withSystem; nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; }) [ - "sj-vps-htz0" "steveej-t14" - "srv0-dmz0" "elias-e525" "justyna-p300" + + "srv0-dmz0" + "router0-dmz0" + + "sj-vps-htz0" ]); # this makes nixos-anywhere work - flake.nixosConfigurations = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + flake.nixosConfigurations = + (inputs.colmena.lib.makeHive self.outputs.colmena).nodes + // (let + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + in { + router0-dmz0 = router0-dmz0.native; + cross_router0-dmz0 = router0-dmz0.cross; + }); inherit systems; diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix index d1ff1f0..608ac47 100644 --- a/nix/os/containers/backup-target.nix +++ b/nix/os/containers/backup-target.nix 
@@ -17,10 +17,10 @@ networking.firewall.enable = false; - services.ddclientovh = { - enable = true; - domain = containerBackupCfg.addr; - }; + # services.ddclientovh = { + # enable = true; + # domain = containerBackupCfg.addr; + # }; services.openssh.enable = true; diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 79c6e55..d113925 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -43,14 +43,6 @@ }; # TODO: switch to something other than ddclient as it's no longer maintained - services.ddclient-hetzner = { - enable = false; - zone = "stefanjunker.de"; - domains = [ - "mailserver.svc.stefanjunker.de" - ]; - passwordFile = config.sops.secrets.hetznerDnsApiToken.path; - }; # TODO: switch to a let's encrypt certificate sops.secrets.dovecotSslServerCert = { diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index d3600a3..520aa30 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -5,7 +5,9 @@ httpPort ? 80, httpsPort ? 443, autoStart ? false, -}: { +}: let + domain = "www.stefanjunker.de"; +in { config = { config, pkgs, @@ -22,11 +24,6 @@ networking.firewall.enable = false; - services.ddclientovh = { - enable = true; - domain = "www.stefanjunker.de"; - }; - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.secrets.hedgedoc_environment_file = { sopsFile = ./webserver_secrets.yaml; 
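Review bot: The `services.ddclientovh` block in backup-target.nix is commented out instead of removed, and the mailserver.nix hunk deletes `services.ddclient-hetzner` but leaves the `# TODO: switch to something other than ddclient as it's no longer maintained` comment dangling above nothing. Both ddclient modules are deleted in this commit (nix/os/modules/ddclient-*.nix in the diffstat), so the commented block should go and the TODO should say what is actually missing now, e.g. `# TODO: dynamic DNS for this container was removed together with the ddclient modules; re-add with a maintained client`. Until a replacement exists the `containerBackupCfg.addr` name presumably no longer tracks this host's address, which is worth recording where the block used to be.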
@@ -35,30 +32,30 @@ services.caddy = { enable = true; - virtualHosts."${config.services.ddclientovh.domain}" = { + virtualHosts."${domain}" = { extraConfig = let port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; path = "${config.services.authelia.instances.default.settings.server.path}"; in '' - redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain} + redir /hedgedoc* https://hedgedoc.${domain} respond "Hi!" ''; }; - virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = { + virtualHosts."hedgedoc.${domain}" = { extraConfig = '' reverse_proxy http://[::1]:3000 ''; }; - virtualHosts."authelia.${config.services.ddclientovh.domain}" = { + virtualHosts."authelia.${domain}" = { extraConfig = '' reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} ''; }; - virtualHosts."lldap.${config.services.ddclientovh.domain}" = { + virtualHosts."lldap.${domain}" = { extraConfig = '' reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} ''; @@ -68,7 +65,7 @@ services.hedgedoc = { enable = true; settings = { - domain = "hedgedoc.${config.services.ddclientovh.domain}"; + domain = "hedgedoc.${domain}"; urlPath = ""; protocolUseSSL = true; db = { @@ -185,7 +182,7 @@ verbose = true; ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${config.services.ddclientovh.domain}"; + http_url = "https://lldap.${domain}"; ## Options to configure SMTP parameters, to send password reset emails. ## To set these options from environment variables, use the following format diff --git a/nix/os/devices/router0-dmz0/.gitignore b/nix/os/devices/router0-dmz0/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/router0-dmz0/.gitignore @@ -0,0 +1 @@ +result 
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix new file mode 100644 index 0000000..17f987d --- /dev/null +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -0,0 +1,524 @@ +{ + modulesPath, + repoFlake, + packages', + pkgs, + lib, + config, + nodeFlake, + nodeName, + system, + ... +}: let + inherit + (nodeFlake.inputs) + bpir3 + nixos-nftables-firewall + ; +in { + disabledModules = [ + # "services/networking/hostapd.nix" + ]; + + imports = [ + # nodeFlake.inputs.disko.nixosModules.disko + repoFlake.inputs.sops-nix.nixosModules.sops + + ../../profiles/common/user.nix + + "${bpir3}/lib/sd-image-mt7986.nix" + + nixos-nftables-firewall.nixosModules.default + + # TODO + # ./network.nix + # ./monitoring.nix + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.secrets.passwords-root = { + sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + neededForUsers = true; + format = "yaml"; + }; + } + ]; + + # sops.secrets.ssh_host_ed25519_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_ed25519_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_ed25519_key.pub"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key"; + # mode = "0600"; + # }; + # sops.secrets.ssh_host_rsa_key_pub = { + # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + # format = "yaml"; + + # path = "/etc/ssh/ssh_host_rsa_key.pub"; + # mode = "0644"; + # }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = false; + + # No local firewall. 
+ nat.enable = lib.mkForce false; + firewall.enable = lib.mkForce false; + + # Use the nftables firewall instead of the base nixos scripted rules. + # This flake provides a similar utility to the base nixos scripting. + # https://github.com/thelegy/nixos-nftables-firewall/tree/main + nftables = { + enable = true; + stopRuleset = ""; + firewall = { + enable = true; + zones = { + lan.interfaces = ["br-lan"]; + wan.interfaces = ["wan"]; + }; + rules = { + lan = { + from = ["lan"]; + to = ["fw"]; + verdict = "accept"; + }; + outbound = { + from = ["lan"]; + to = ["lan" "wan"]; + verdict = "accept"; + }; + nat = { + from = ["lan"]; + to = ["wan"]; + masquerade = true; + }; + + incoming-wan = { + from = ["wan"]; + to = ["fw"]; + verdict = "drop"; + }; + }; + }; + }; + }; + + systemd.network = { + wait-online.anyInterface = true; + netdevs = { + # Create the bridge interface + "20-br-lan" = { + netdevConfig = { + Kind = "bridge"; + Name = "br-lan"; + }; + }; + }; + networks = { + # Connect the bridge ports to the bridge + "30-lan0" = { + matchConfig.Name = "lan0"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = "br-lan"; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + }; + # Configure the bridge for its desired function + "40-br-lan" = { + matchConfig.Name = "br-lan"; + bridgeConfig = {}; + address = [ + "192.168.10.1/24" + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan 
and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + }; + "10-wan" = { + matchConfig.Name = "wan"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + + # wireless access point + services.hostapd = { + enable = true; + radios = { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS + + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + }; + networks = { + wlan0 = { + ssid = "justtestingwifi-wpa3"; + authentication = { + mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; + saePasswords = [ + {password = "justtestingwifi";} + ]; + }; + + # generated with https://miniwebtool.com/mac-address-generator/ + bssid = "34:56:ce:0f:ed:40"; + settings = { + bridge = "br-lan"; + }; + }; + + wlan0-1 = { + ssid = "justtestingwifi-compat"; + authentication = { + mode = "wpa3-sae-transition"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; + saePasswords = [ + {password = "justtestingwifi";} + ]; + wpaPassword = "justtestingwifi"; + }; + + # generated with https://miniwebtool.com/mac-address-generator/ + bssid = "34:56:ce:0f:ed:41"; + settings = { + bridge = "br-lan"; + }; + }; + + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = "br-lan"; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = 
"WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; + # }; + # }; + }; + }; + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + # he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
+ # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. 
+ # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = "br-lan"; + # }; + # }; + # }; + # }; + }; + }; + + services.resolved.enable = false; + + services.dnsmasq = { + enable = true; + settings = { + # upstream DNS servers + server = ["9.9.9.9" "8.8.8.8" "1.1.1.1"]; + # sensible behaviours + domain-needed = true; + bogus-priv = true; + no-resolv = true; + + dhcp-range = ["br-lan,192.168.10.50,192.168.10.254,24h"]; + interface = "br-lan"; + dhcp-host = "192.168.10.1"; + + # local domains + local = "/lan/"; + domain = "lan"; + expand-hosts = true; + + # don't use /etc/hosts as this would advertise surfer as localhost + no-hosts = true; + address = "/surfer.lan/192.168.10.1"; + }; + }; + + # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often. + services.irqbalance.enable = true; + + # disko.devices = { + # disk = { + # nvme0n1 = { + # device = "/dev/nvme0n1"; + # type = "disk"; + # content = { + # type = "table"; + # format = "gpt"; + # partitions = [ + # { + # name = "var-log"; + # start = "1MiB"; + # end = "20G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/var/log"; + # }; + # } + # { + # name = "tmp"; + # start = "20G"; + # end = "60G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/tmp"; + # }; + # } + # { + # name = "var"; + # start = "60G"; + # end = "100G"; + # content = { + # type = "filesystem"; + # format = "ext4"; + # mountpoint = "/var"; + # }; + # } + # { + # name = "swap"; + # start = "100G"; + # end = "100%"; + # content = { + # type = "swap"; + # randomEncryption = false; + # }; + # } + # ]; + # }; + # }; + # }; + # }; + + system.stateVersion = "23.05"; + + boot.kernelPackages = pkgs.linuxPackages_bpir3; + # boot.kernelPackages = bpir3.packages.aarch64-linux.linuxPackages_bpir3; + # We exclude a number of 
modules included in the default list. A non-insignificant amount do + # not apply to embedded hardware like this, so simply skip the defaults. + # + # Custom kernel is required as a lot of MTK components misbehave when built as modules. + # They fail to load properly, leaving the system without working ethernet, they'll oops on + # remove. MTK-DSA parts and PCIe were observed to do this. + boot.initrd.includeDefaultModules = false; + boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; + boot.initrd.availableKernelModules = ["nvme"]; + + boot.kernelParams = ["console=ttyS0,115200"]; + hardware.enableRedistributableFirmware = true; + # Wireless hardware exists, regulatory database is essential. + hardware.wirelessRegulatoryDatabase = true; + + # Extlinux compatible with custom uboot patches in this repo, which also provide unique + # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices... + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test. + boot.initrd.compressor = "gzip"; + hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb"; + + hardware.deviceTree.overlays = [ + { + name = "bpir3-sd-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts"; + } + { + name = "bpir3-nand-enable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts"; + } + { + name = "bpi-r3 wifi training data"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts"; + } + { + name = "reset button disable"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts"; + } + { + name = "mt7986a efuses"; + dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts"; + } + ]; + + boot.initrd.preDeviceCommands = '' + if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then + if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then + # Remove PCI bridge, then rescan. 
NVMe init crashes if PCI bridge not removed first + echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove + # Rescan brings PCI root back and brings the NVMe device in. + echo 1 > /sys/bus/pci/rescan + else + info "PCIe bridge missing" + fi + fi + ''; + + environment.systemPackages = [ + pkgs.ethtool + ]; +} diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix new file mode 100644 index 0000000..e8d521a --- /dev/null +++ b/nix/os/devices/router0-dmz0/default.nix @@ -0,0 +1,39 @@ +{ + nodeName, + repoFlake, + nodeFlake, + ... +}: let + system = "aarch64-linux"; +in { + meta.nodeSpecialArgs.${nodeName} = { + inherit repoFlake nodeName nodeFlake system; + packages' = repoFlake.packages.${system}; + + inherit + (nodeFlake.inputs.bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; + }; + + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; + + ${nodeName} = { + deployment.targetHost = "router0.dmz0.noosphere.life"; + deployment.replaceUnknownProfiles = true; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + + ./configuration.nix + ]; + + networking.hostName = nodeName; + }; +} diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock new file mode 100644 index 0000000..9ad07a0 --- /dev/null +++ b/nix/os/devices/router0-dmz0/flake.lock 
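Review bot: `services.openssh.settings.PermitRootLogin = "yes"` in the inline module at the top of configuration.nix permits password logins as root over SSH on a device whose root password is a shared sops secret, and the imported common user profile already installs an authorized key for root, so `services.openssh.settings.PermitRootLogin = "prohibit-password";` together with `services.openssh.settings.PasswordAuthentication = false;` loses nothing. The two hostapd networks embed their passphrases in the module (`saePasswords = [ {password = "justtestingwifi";} ]` and `wpaPassword = "justtestingwifi"`), which puts them into the world-readable Nix store and into git; the commented `saePasswordsFile = config.sops.secrets.wifiPassword.path;` already sketches the fix, and the secret can be declared next to `passwords-root` in the same secrets.yaml. `DNSOverTLS = true` and `DNSSEC = true` in the `10-wan` network are consumed by systemd-resolved, which this file disables via `services.resolved.enable = false`, so they presumably have no effect and dnsmasq queries the upstreams in `server = [...]` in the clear — drop them or configure the equivalent in dnsmasq so the config does not suggest protection it lacks. `nftables.stopRuleset = ""` combined with `net.ipv4.conf.all.forwarding = true` means that while the firewall unit is stopped or restarting, traffic between `wan` and `br-lan` is forwarded unfiltered and unmasqueraded; a minimal stop ruleset that drops the forward chain would be safer.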
@@ -0,0 +1,205 @@ +{ + "nodes": { + "bpir3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688620001, + "narHash": "sha256-8ACxxssPiQy/lsUsT8cAaT2te8p8d8ngmPwTc/erPnU=", + "owner": "nakato", + "repo": "nixos-bpir3-example", + "rev": "4210480bdebbf3a7953e22d5d9f183f47b725bff", + "type": "github" + }, + "original": { + "owner": "nakato", + "repo": "nixos-bpir3-example", + "type": "github" + } + }, + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691743546, + "narHash": "sha256-nS2uWOeEmMgUBEMDCvwLlXBBCLkW7agDcMtOXuf9PDc=", + "owner": "nix-community", + "repo": "disko", + "rev": "241c878d4b542fea7c61ed4421e9224af054ff56", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1673819588, + "narHash": "sha256-gRtwKAlu4htvS6dxyZnW3n+vMS1acqnMGVHqxUdETeY=", + "owner": "ursi", + "repo": "get-flake", + "rev": "e0917b6f564aa5acefb1484b5baf76da21746c3c", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691672736, + "narHash": "sha256-HNPA/dKHerA0p4OsToEcW/DtTSXBcK5gFRsy/yPgV/Y=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "6e1eff9aac0e8d84bda7f2d60ba6108eea9b7e79", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": 
"master", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1677020959, + "narHash": "sha256-r06isoyASAIoYH+zcbb8jescQyYq+AYNccVPUlzivDk=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "6cb25335de6f1fe0722f02573d0cfbaea4cd7ecf", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1691654369, + "narHash": "sha256-gSILTEx1jRaJjwZxRlnu3ZwMn1FVNk80qlwiCX8kmpo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ce5e4a6ef2e59d89a971bc434ca8ca222b9c7f5e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1691753935, + "narHash": "sha256-fjH5oZ0g8Cb0vrJ8TlS4B7kaVr7YmEdee64ueQ6arAo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "650596759b8b38399a0c4d5e366847d190360e55", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1691703261, + "narHash": "sha256-jUzmIeh+F+XKkuEhfY+VRgbVitTOr5oh5Oi5p5kr9tQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "079f7bd05bf72641e3b5904ed891d44d21ea90ed", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "bpir3": "bpir3", + "disko": "disko", + "get-flake": "get-flake", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + 
"nixpkgs" + ] + }, + "locked": { + "lastModified": 1691630941, + "narHash": "sha256-4+KVSa32impg0aBqXVEEty8uu3Urb64CjmseDkETofg=", + "owner": "numtide", + "repo": "srvos", + "rev": "b7407c2dc143402de6f140575398020175f3ae1a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix new file mode 100644 index 0000000..c934242 --- /dev/null +++ b/nix/os/devices/router0-dmz0/flake.nix 
@@ -0,0 +1,93 @@ +{ + inputs = { + # nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + get-flake.url = "github:ursi/get-flake"; + + home-manager.url = "github:nix-community/home-manager/master"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + + bpir3.url = "github:nakato/nixos-bpir3-example"; + bpir3.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; + nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; + }; + + # outputs = _: {}; + + outputs = { + self, + get-flake, + nixpkgs, + bpir3, + ... + } @ attrs: let + system = "aarch64-linux"; + nodeName = "router0-dmz0"; + + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs + { + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + inherit + (bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; + }; + + modules = + [ + ./configuration.nix + + # flake registry + { + nix.registry.nixpkgs.flake = nixpkgs; + } + + { + nixpkgs.overlays = [ + (final: previous: let + bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {}; + in { + inherit + (bpir3Pkgs) + linuxPackages_bpir3 + ; + }) + ]; + } + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + inherit system; + }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = system; + } + ]; + }; + }; + }; +} 
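Review bot: `mkNixosConfiguration` forwards the whole `attrs`, including `extraModules`, into `nixpkgs.lib.nixosSystem` via `recursiveUpdate`; nixpkgs' `eval-config.nix` accepts an `extraModules` argument of its own (defaulting from `NIXOS_EXTRA_MODULE_PATH`) that it appends to the module list, so as far as I can tell the `cross` module is evaluated twice. That is harmless today because both copies define identical `nixpkgs.buildPlatform`/`hostPlatform` values, but any non-mergeable option added to `extraModules` later would fail with a conflicting-definition error; `nixpkgs.lib.attrsets.recursiveUpdate (builtins.removeAttrs attrs ["extraModules"]) { ... }` removes the ambiguity. The inner `{extraModules ? [], ...} @ attrs` also shadows the outer `@ attrs` of `outputs`, which makes that line harder to read than it needs to be. The leftover `# outputs = _: {};` should go; `home-manager` and `nixpkgs-master` track `master` branches, so `flake.lock` is the only thing pinning them and lock updates deserve review.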
diff --git a/nix/os/devices/sj-vps-htz0/pkg.nix b/nix/os/devices/sj-vps-htz0/pkg.nix deleted file mode 100644 index 11d8bad..0000000 --- a/nix/os/devices/sj-vps-htz0/pkg.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; - }; - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; - extraPackages = [ - # required by vscode's remote-ssh plugin - pkgs.nodejs - - # allow clipboard exchanges - pkgs.xsel - pkgs.xclip - ]; - }; -} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 9ced0b4..c2cd584 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -132,4 +132,8 @@ in { sopsFile = ../../../../secrets/zerotierone.txt; format = "binary"; }; + + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; } diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 0554d6e..5ed886d 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -19,6 +19,7 @@ in { "video" "cdrom" "adbusers" + "dialout" ]; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index 75765d1..893620a 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix 
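Review bot: Adding `dialout` to this shared `extraGroups` list grants read/write access to every serial and modem device (`/dev/ttyS*`, `/dev/ttyUSB*`) on every host that builds its user through this helper, although only the machine that attaches to the router's serial console (`console=ttyS0` in this series) appears to need it. Scoping it per host, e.g. `users.users.steveej.extraGroups = ["dialout"];` in `nix/os/devices/steveej-t14/system.nix`, keeps the servers and containers at their previous privilege level. The enclosing definition that builds this list starts before the hunk, so the user it applies to is inferred from the `keys.users.steveej` line that follows.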
@@ -11,29 +11,4 @@ in { domains = mkOption {type = types.listOf types.str;}; passwordFile = mkOption {type = types.path;}; }; - - config = lib.mkIf cfg.enable { - users.groups.ddclient = {}; - users.users.ddclient = { - isSystemUser = true; - group = "ddclient"; - }; - - services.ddclient = { - enable = cfg.enable; - verbose = true; - protocol = "hetzner"; - - # see https://github.com/ddclient/ddclient/blob/a4eab34ab4719d1e2146d8c9c4449b70dd7e0163/ddclient.in#L775 - username = "token"; - - inherit (cfg) zone domains passwordFile; - - extraConfig = '' - ''; - }; - - systemd.services.ddclient.serviceConfig.User = config.users.users.ddclient.name; - systemd.services.ddclient.serviceConfig.Group = config.users.groups.ddclient.name; - }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 7ac124c..9b0321d 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -9,15 +9,4 @@ in { enable = mkEnableOption "Enable ddclient-ovh"; domain = mkOption {type = types.str;}; }; - - config = lib.mkIf cfg.enable { - services.ddclient = { - enable = true; - protocol = "dyndns2"; - server = "www.ovh.com"; - ssl = true; - domains = [cfg.domain]; - use = "web"; - }; - }; } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 4a3e475..edf3974 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -14,7 +14,7 @@ }; imports = [ - ../../modules/ddclient-ovh.nix - ../../modules/ddclient-hetzner.nix + # ../../modules/ddclient-ovh.nix + # ../../modules/ddclient-hetzner.nix ]; } diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml new file mode 100644 index 0000000..ee184e9 --- /dev/null +++ b/secrets/router0-dmz0/secrets.yaml 
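Review bot: The two ddclient imports are commented out rather than removed, and in this same patch both modules lose their `config` blocks while keeping their `options`, so a host that still sets `services.ddclient-hetzner.enable` or `services.ddclient-ovh.enable` gets neither an error nor any dynamic-DNS updates. If the intent is to retire these modules, deleting the import lines (history keeps them) and either deleting the module files or adding an assertion such as `assertions = [{ assertion = !cfg.enable; message = "ddclient-hetzner is no longer implemented"; }];` would make the regression loud instead of silent. The now-empty `imports = [ ... ];` list is syntactically fine.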
@@ -0,0 +1,41 @@ +#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment] +passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str] +ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] +ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] +ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] +ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk + REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P + T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r + THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv + J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-11T16:46:38Z" + mac: 
ENC[AES256_GCM,data:W9aRsPPRKro6rGbNvBV8bftPklQn6LN6Lq+G45vYTVRZs5t0F1qFqUpXDXKTrZ040mkYnECi7JSRWeJvyfGqHK5KPY1uWtBxDoghYfO/J7VXBNv+NbROO4KoAKYAoOpZSECVqXgm6U69G1GGu8yyrDPDFAcfbFXivXqH+e7t42A=,iv:uUndgDmUHBYCKvb2LHC9zRp+eBwcy6107ocaJFniV6o=,tag:VGKODnvz107hvEoCT0risw==,type:str] + pgp: + - created_at: "2023-08-11T16:15:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+ + NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3 + pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8 + ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a + 8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB + 596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY + pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O + v5QlxcXSMuOeGygclwHdxzs+ + =NQjH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index f64bef7..abd3292 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
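Review bot: This file stores the router's SSH host private keys (`ssh_host_ed25519_key`, `ssh_host_rsa_key`) encrypted to a single age recipient plus the admin PGP key; if that age recipient is derived from the router's own ed25519 host key (the usual sops-nix arrangement), the host cannot decrypt this file until the host key is already in place, so first provisioning has to copy the key out of band. A comment next to wherever these `sops.secrets.ssh_host_*` entries are declared, e.g. `# bootstrap: the host's age key is derived from this key; place it manually before the first sops-nix activation`, would document that ordering. The public halves are encrypted here too; keeping `ssh_host_ed25519_key_pub` in plaintext (or in `programs.ssh.knownHosts` on the deploy host) would let deploys pin the router's host key instead of trusting it on first connection.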
@@ -16,64 +16,73 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RUdSYmxFdXI2R25OZ0ov - TlEwOStVeUxkbE1sbTJWZG5VZFRPNkNOeWlnCm0xMWFCdm4zMjVlcjB1ZXFZVVho - TCtVYW84WGh2ZmdsWHBlUFJVcm8vZFkKLS0tIGFYaWptakozYVVvQ0ZmbUFjMFR3 - b0VBVTV3R2tlckJLQzlvWFVKK1h6aGsKCekGZ/RZ7nNa5yXHfgXGpSrh3J3C95mh - 7YFgjgd9ey3BGNoMNxm5E++JzxBN0d2tY7sW/G6ub+kOJIt0rAEAkg== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYy9FL3pnNmdUa0VEdlV4 - aFVNTkhGWTZJcUo0YTlORmdINGkxMTlVdHkwClVyakJoZTdxVlF6UTVBbm45d1Bo - RUl2S3BaU0NYYmtsSGhHWGxrWjVuemcKLS0tIHlqbXhXN0RUbm9sL09mbjhaSnBP - V0hQTUJuUnlOQ1hycDJ4RlY1aCtjOFEKuDt6KRxX7+yYIHxtD0prLdxJSlHwQtxH - 8U/Q8hoE+L3lBFSE3+syMt1/pu5vHrreIOVTXAxSENsDxcE6noxQvA== - -----END AGE ENCRYPTED FILE----- - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK080NlJKYkZyREFpc1JM - ZWxlV2Z5YjZRSnBFMy9CbUs2aHJkcjNVR2dJCjN5SXQzbWtiZlZBK0g0Y1ZPcHJK - cXRCTStRSG1lamUvOFBxSFViWmFVeW8KLS0tIDFUNlRkS2RLMGdULzhzdSt5Uk02 - TjZZN1lFZ3g3YzVxQUlyQ1Y5S1NWeFEKGjqEPuxaUR/WQc+4OhUzLgtSCatVmtx+ - q4Y/wC1eqUKJHzqIMa3qeWXwrGbf6ScL3s0bNc9sxvPmWQ3NLvjUfg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVEs2NzlqWnExV28vOG9j + Zjc0QXgrc2M3SkkvS3dyL3QrSHFYa0JSRmhZCmZFd3EzcURSWmRvK3VIakQyNFhR + dWN0c1FqR09XSkFUV3pEOFpsRlZhVlUKLS0tIDVDb25JMUh3TkJYa0pTdDUrYnpl + R3RVdkdvVnhIc2ZKUldGYjlnMzdicHcKL0Bcw6N93/v32cqFuoalcdmTv8/MLs7f + 9EgegS0+/xOriZmrwel6kNZlcoBR1JbC9qZO6s0D1B5nA1QLHnwvRw== -----END AGE ENCRYPTED FILE----- - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Uk9zWHJCY2dnamN1S1hU - 
ZWhoTkptaVArOGlHZ01Nd0ZkaGpFQ2dUU0hzCnR3WGtCVkJtSzlncVVhVU11K2d1 - SVpHa1RXN1dWMDE4cExiV2ordkhTSTAKLS0tIFBkV3oyS2VVVU92b0hnRG1nQytW - QU5IR2FaVGswZkhIOWhzWGh4YmUyMk0KVJEFNmm57SSUreilhuzLofZIlnILnO7F - rWASlGDi4YSGquM3lEfdn5rwqqJ3d77hSeRQEnaGhnClDYSH3nzjZQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MFg3TkhOY3hNZE9Uc1pF + OWJGWHh2cHJDUlhJUmVSMlFGR0lxSG1pcVRjCjZqMTdOTkJyT2N1QWdBOC9sbVo2 + NnIvRUtqUTZkbFI3WGZJaHg5M01DUnMKLS0tIGY1eG44NHlSY2RPeVFWWlpaQ2w5 + dGNsUHhEYjhkTVY1bFdpQmJMSzh5aVkKK6t7EUzhCUNjxl5dFXPezX53EVCworvn + NMaDqS5RgwQhILl04/eGyb5KcQksGQBdN5MacXX872BlOUeuWOez2g== -----END AGE ENCRYPTED FILE----- - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldnVDczdmVUd3OS9jTnpB - dDkrQS9JcUY5b3YxY0lzVFEyUTlPNk5rM1VVCk9qMzJHWitrY0pjU0NCMWI0ODhG - S29DL0tPNWtkTStPTWRZdzlQWFJsTWcKLS0tIDdWZ1lVejcyVW5mcTgyR3ZMWlJq - RTdBNkRINWN3MTZOSXdPMXovNDNSQUEKJZhJFN6zmdCtzoCdKiKfYQf4vU8AXRvz - wHnPO2H8SAMK8XqjdXvIrRK6iXQIjonHO2ilTDxAGNPAFN5BpbGrWQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdXA0SllGSjZRMDhXajFK + REp4RzBjQ3pqYnRZLzRMb0NGQVJyeDJYa2dRCk4ydjFmU0pEazJaUTNDV2pKQUUr + cExrU09iTHFWdXB1UGJBcnRsd3VraGcKLS0tIHVid2dhUWpSN09uU0IwUVFBcmdM + OGxuOTZJR3JnVUFGbjczYzQwSGc1Sm8KhzJ0+4No3Z8sAshkEIj5/4Sz3rJxC7Ki + 0VTPwftdnPcnOAhZ3z8xrZILeOPjzHwCC4N45vAvYbiNOXCr8VF5NA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZEFoTWFWMHl0dkoycXU5 + TmhYU3hCWENGMzRqdnZNckVhODhzUUFlcWpFCldBYkkveTBPSGkvSEVrUXRXcE5E + UnFkNnB4TjZBN2Z1ODZVOHlacHZkc0EKLS0tIEI3Vjhzb2FXU05aSTNpT2pzWndV + NEdsK2xDaEkwekR2SS9DUmxzc2pKdTQKq/blmeAXpmo9Gmh8Ws1kLuio+sJUZXaC + BOBc0m4Dp5y+lTpqvyA9jA9sAZngPo502B+M9tY5rdIxkAR+aCbVUQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUGorR0ZIa3hNRWJvc0Zl + a1pPRExtbWc3a0VRS2duamZKTVBvL2FtaTFFCkpyTzdoRTh1bHJTclNFQXJBdDlw + M3RSQk9jMWh5ODdxY3FRamw1eWYwcFEKLS0tIHRIVk1ESk4yNkZ0MGxBTmtUVTJB + czlMQml3R1FlNEh6cnNoaGxXQk5jSk0KWuhdW4hVOTHaLwmmlnUazb5XLQdRcZRz + aN2qDOsAnSOqPgE/iXp4+88Y3iu05dWHgbMuWpS1lAFN+bv4s0zxCg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5VG5odWxKdkN5NFRUcnA3 + ZFZpWDl3MGlzUmVrWVBEaWhrczVDdDgrM0FVCk5pOFJYSlcyclE1V3lUT1JWY01a + czVHcnlMcVZISFprdEZvRGxKditsVlUKLS0tIGJmZVVnTngyZWZaSkoyZ0doa0VD + bkIzU1ZCV20wRHhNaWtFcTMrNlQvSUEKrd4c5oMU+UqxbDM4sc2JVmlK+Qmoj/zp + 2Qc29mNIxP98cjfiPKe3IHidXIbzH0OluYfeFTfBCclbsn3mLpvltg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T20:14:22Z" mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2023-07-10T08:17:16Z" + - created_at: "2023-08-11T16:15:15Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf8DDe0qysI5DL1xc6IbIQ+a2oKtiNyL0P4pwrdfsCcudMm - dfhnap8JHPfVssucbA7Gicpg8iZxy9+M1o5E4es1EUBWun+tf+9utHmRKLkAJb98 - OPm+vvp/fzRU0bAtvwchskCc4REWbsq82UQdQl8uPhGoCweyWDusmAmXjjECBWmP - sW1pSb0tGvtHM7m0cpLYepWHUZ/VOcNBeuv3fGDuI3M0fv+lCTgYQJOtIrJv+xFf - q9dB1HGJaePsKLxmQTJW1gFdoWkc3ndfBwytY00iho1xPbrKAPSZojE0Wj227DPx - YynEy8ruLWIVcFZsjfEm961kRiwb8MwK1xB7ov/d79JRAXrovFTT3EfFZ+2pY2FW - w8TKQjGol/+vJ2mzlQV0LFtAxjUvgNgoAC/cJgl5c+N4qXz4ChgiT38yZ7JW2e2c - OUwOtIhmRp4PNBU+402xfgYI - =X23Q + wcBMA0SHG/zF3227AQf/aAO5OvMbhN/6/U9b1gj415csZ/PYBB8GJuQ+disXV/Tp + mTMdzmsQVcfefdVoBhd2HUfLv/OlcM2eF4751eu6NP7MBDad5XHZpYON0SCRjiJv + 
vG0xl+KwI/AQYUWQjBhyMcECqjRLJL6EyyW37ykSGMLNMjbdDCISkVniNYFt9pRE + XkuWQNnDF++vDSZtVxDZvuCIXNZC7isSh5UNjtFdGpc9nMcAra/ALuWx2NjOTKpG + QJ4Ilic2mrE4PIQuf60MnC5lfOJWWbKgR832Sik+ZY/2Nocp2KYsrDyrKRglUu2S + AGdmQrPl3nq0yp1zCGujYFQIQmCQKLPTcoz99x5xR9JRAeK6e/xKJcCM5UgRk6IK + ULdIYK3EGv432KHj6DJFhW6lYWJBnZwkcNsVhxS3qbuccP7CJr51UDZ4ipfoQQtV + irHq+0IfShQpgoPu8YJ+A1T1 + =qLIi -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml new file mode 100644 index 0000000..6f888b6 --- /dev/null +++ b/secrets/sj-vps-htz0/secrets.yaml 
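Review bot: The re-key adds `age1k7cejd9…` as a recipient, which is the only age recipient of the new `secrets/router0-dmz0/secrets.yaml` and so presumably the router's host key; because sops wraps the whole file under one data key, the router can now decrypt every entry here, including the non-root password hash and the shared SSH key material, not only the root password. Since the router receives its own `passwords-root` in its per-host file, it may not need this file at all; if the common-users module still declares `sharedUsers-root` unconditionally, making that declaration conditional (or setting `enableNonRoot = false` for the router) would allow dropping this recipient again with `sops updatekeys secrets/shared-users.yaml`. `lastmodified` and `mac` are unchanged, which is consistent with `updatekeys` having only re-wrapped the data key.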
@@ -0,0 +1,37 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-11T16:32:20Z" + mac: ENC[AES256_GCM,data:dgiAU9oMoHi1KvmkSbmNYRA6s2dIrsn8JC5UVpmfUUV5X+u+xwzt+QA/9IRHQoBWL3UZNz4E5qIvitEDx0xP8BktfNd2cGmeaBWT5e7YiSYGWNek0r/2SgXf8aSKsay4g+qdkE4mnxhRcj1pOc6dP5cKE/qh7vjnjlpTOMdp1wE=,iv:M7HE/XQGwttkwY7uXf7SHffwcaSzLqATB5Vqes3+W9w=,tag:vBhNC8zgNPPIzeNjikLt9A==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + 
unencrypted_suffix: _unencrypted + version: 3.7.3 From 7ecc31cfcf6237f0ee9d6f1d66af5f4fe70905f1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 11 Aug 2023 18:49:31 +0200 Subject: [PATCH 3/4] feat(sj-vps-htz0): separate secrets --- .sops.yaml | 8 +++++++- nix/os/devices/sj-vps-htz0/configuration.nix | 20 ++++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 4ba5ffb..c049481 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -56,4 +56,10 @@ creation_rules: - pgp: - *steveej age: - - *router0-dmz0 \ No newline at end of file + - *router0-dmz0 + - path_regex: ^secrets/sj-vps-htz0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *sj-vps-htz0 \ No newline at end of file diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index 28a63fb..dbbf113 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -1,12 +1,28 @@ -{...}: { +{ + nodeName, + config, + ... +}: { disabledModules = []; imports = [ ../../profiles/common/configuration.nix + { + users.commonUsers = { + enable = true; + enableNonRoot = false; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.secrets.passwords-root = { + sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + neededForUsers = true; + format = "yaml"; + }; + } ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix - ./pkg.nix ./boot.nix ]; } From f7de354cbe402688808a8ee730f7691b243d35ee Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 11 Aug 2023 18:54:56 +0200 Subject: [PATCH 4/4] chore(flake): comment router0-dmz0 deploy cmd --- flake.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/flake.nix b/flake.nix index 3412ee3..6f441e1 100644 --- a/flake.nix +++ b/flake.nix 
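Review bot: The new `secrets/sj-vps-htz0/` rule gives the VPS its own file, but its age key (`age18dmqd7r7…`, the sole age recipient of the new `secrets/sj-vps-htz0/secrets.yaml`) remains a recipient of `secrets/shared-users.yaml` in this same series, so the separation does not yet reduce what the VPS can decrypt. Once the host no longer declares any secret from the shared file, remove `*sj-vps-htz0` from the shared-users creation rule (outside this hunk) and run `sops updatekeys secrets/shared-users.yaml`; until then a comment on this rule such as `# host still needs shared-users.yaml for sharedUsers-root` would avoid a misleading picture. Both the old and new last lines carry `\ No newline at end of file`; adding the newline removes that diff noise from every future edit.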
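Review bot: With `enableNonRoot = false` and `rootPasswordFile` pointed at the per-host `passwords-root`, this host no longer uses anything from `shared-users.yaml`, yet the common-users module appears to declare `sops.secrets.sharedUsers-root` whenever it is enabled, so sops-nix will still decrypt the shared file at the users stage and the host's age key must stay in it. A dedicated boolean in that module (e.g. `useSharedRootPassword`, defaulting to true) guarding the `sharedUsers-root` declaration would let this host be removed from the shared file; deriving the condition from `cfg.rootPasswordFile` would recurse, since the default reads the very secret being declared. The inline module placed in `imports` mixes a host-specific secret declaration with path imports; moving `users.commonUsers` and `sops.secrets.passwords-root` into the attribute set body beside `disabledModules` keeps `imports` to paths only. `nodeName` is now a required argument, so every entrypoint evaluating this file must supply it via `specialArgs`.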
@@ -117,6 +117,9 @@ router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; in { router0-dmz0 = router0-dmz0.native; + + # for now deploy directly with: + # nixos-rebuild switch --flake .\#cross_router0-dmz0 --build-host localhost --target-host root@192.168.10.1 cross_router0-dmz0 = router0-dmz0.cross; });
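Review bot: The documented command targets `root@192.168.10.1` while the node's colmena definition in this series sets `deployment.targetHost = "router0.dmz0.noosphere.life"`; one of the two should be the source of truth, or the comment should say why the raw LAN address is used (for instance because DNS for `dmz0` is served by the router being deployed). Because the router's host key is provisioned from `secrets/router0-dmz0/secrets.yaml`, its public key is known in advance and can be pinned on the build host with `programs.ssh.knownHosts."192.168.10.1".publicKey = "ssh-ed25519 …";` rather than accepted on first connection. `nixos-rebuild switch` on a router with no other path in can lock you out if the new networking config is broken; `nixos-rebuild test` first, or `boot` followed by a reboot with the serial console attached, is the safer sequence and is worth stating in the comment.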