diff --git a/.gitignore b/.gitignore index 5ac5559..36de04e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,8 +5,12 @@ !docs/ !hosts/ + +!hosts/disk/ + !hosts/nine/ !hosts/nine/github2forgejo/ + !hosts/pala/ !lib/ diff --git a/hosts/disk/default.nix b/hosts/disk/default.nix new file mode 100644 index 0000000..abd05e9 --- /dev/null +++ b/hosts/disk/default.nix @@ -0,0 +1,66 @@ +lib: lib.nixosSystem ({ config, keys, lib, ... }: let + inherit (lib) collectNix remove; +in { + imports = collectNix ./. |> remove ./default.nix; + + secrets.id.file = ./id.age; + services.openssh.hostKeys = [{ + type = "ed25519"; + path = config.secrets.id.path; + }]; + + secrets.floppyPassword.file = ./password.floppy.age; + users.users = { + root.hashedPasswordFile = config.secrets.floppyPassword.path; + + floppy = { + description = "Floppy"; + openssh.authorizedKeys.keys = keys.admins; + hashedPasswordFile = config.secrets.floppyPassword.path; + isNormalUser = true; + extraGroups = [ "wheel" ]; + }; + + backup = { + description = "Backup"; + openssh.authorizedKeys.keys = keys.all; + hashedPasswordFile = config.secrets.floppyPassword.path; + isNormalUser = true; + }; + }; + + home-manager.users = { + root = {}; + floppy = {}; + backup = {}; + }; + + networking = let + interface = "ens32"; + in { + hostName = "disk"; + + ipv4 = "23.164.232.40"; + ipv6 = "2602:f9f7::40"; + + domain = "rgbcu.be"; + + defaultGateway = { + inherit interface; + + address = "23.164.232.1"; + }; + + defaultGateway6 = { + inherit interface; + + address = "2602:f9f7::1"; + }; + }; + + nixpkgs.hostPlatform = "x86_64-linux"; + system.stateVersion = "23.11"; + home-manager.sharedModules = [{ + home.stateVersion = "23.11"; + }]; +}) diff --git a/hosts/disk/hardware.nix b/hosts/disk/hardware.nix new file mode 100644 index 0000000..9c07aa5 --- /dev/null +++ b/hosts/disk/hardware.nix 
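Review bot: In hosts/disk/default.nix, `root`, `floppy` and `backup` all set `hashedPasswordFile = config.secrets.floppyPassword.path`, so the unprivileged `backup` account shares one password with root and with the wheel user. `backup` also accepts `keys.all`, which is presumably a wider key set than `keys.admins` (keys.nix is not part of this diff), so it is the account most exposed to a key compromise. Consider removing the `hashedPasswordFile` line from `backup` so it is key-only, or pointing it at its own secret. If root reusing the floppy hash is intentional, a short comment such as `# root shares floppy's password for console recovery` would record why.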
@@ -0,0 +1,36 @@ +{ config, lib, modulesPath, ... }: let + inherit (lib) enabled; +in { + imports = [(modulesPath + "/profiles/qemu-guest.nix")]; + + boot.loader = { + systemd-boot = enabled { + editor = false; + }; + + efi.canTouchEfiVariables = true; + }; + + boot.initrd.availableKernelModules = [ + "ahci" + "ata_piix" + "nvme" + "sr_mod" + ]; + + fileSystems."/" = { + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + + fileSystems.${config.boot.loader.efi.efiSysMountPoint} = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + options = [ "noatime" ]; + }; + + swapDevices = [{ + device = "/dev/disk/by-label/swap"; + }]; +} diff --git a/hosts/disk/id.age b/hosts/disk/id.age new file mode 100644 index 0000000..4ff9d0a Binary files /dev/null and b/hosts/disk/id.age differ diff --git a/hosts/disk/mail.nix b/hosts/disk/mail.nix new file mode 100644 index 0000000..ba40048 --- /dev/null +++ b/hosts/disk/mail.nix @@ -0,0 +1,11 @@ +{ config, self, ... }: let + inherit (config.networking) domain; + + fqdn = "mail1.${domain}"; +in { + imports = [(self + /modules/mail)]; + + mailserver = { + inherit fqdn; + }; +} diff --git a/hosts/disk/password.floppy.age b/hosts/disk/password.floppy.age new file mode 100644 index 0000000..22d78fe --- /dev/null +++ b/hosts/disk/password.floppy.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 spFFQA pJguGLlB7R7iXrGfwKabGxmryMrfY57yvfaCytZG/Fs +1USXbjiteoTrs7+KEFPTMVBNHpBWFXyHi/iLxFL7tls +-> ssh-ed25519 CzqbPQ IbK7nvEUn324R2zHDJzfgMV/FDqwLCU/jGZLSjrG4FY +naDshlcyrpvgLQydqxAXg/hhfFAFov568p163F7wrZ4 +--- MTj/7Zs1N348gDK+G1p01d6EZ21JzpPJnlaUc1ChcBo +*luM=&Z0!A3e\B0VښR; \6ֹo^ZR}_%~›k o$O$^A* \ No newline at end of file diff --git a/hosts/disk/site6.nix b/hosts/disk/site6.nix new file mode 100644 index 0000000..5bf000c --- /dev/null +++ b/hosts/disk/site6.nix 
@@ -0,0 +1,7 @@ +{ self, ... }: { + imports = [ + # (self + /modules/acme) + # (self + /modules/nginx.nix) + # (self + /modules/site.nix) + ]; +} diff --git a/hosts/nine/default.nix b/hosts/nine/default.nix index 0b180d3..a6de34f 100644 --- a/hosts/nine/default.nix +++ b/hosts/nine/default.nix @@ -56,18 +56,6 @@ in { address = "fe80::1"; }; - - interfaces.${interface} = { - ipv4.addresses = [{ - address = config.networking.ipv4; - prefixLength = 22; - }]; - - ipv6.addresses = [{ - address = config.networking.ipv6; - prefixLength = 64; - }]; - }; }; nixpkgs.hostPlatform = "aarch64-linux"; diff --git a/hosts/nine/github2forgejo/environment.age b/hosts/nine/github2forgejo/environment.age index 98edaa6..1373ee0 100644 Binary files a/hosts/nine/github2forgejo/environment.age and b/hosts/nine/github2forgejo/environment.age differ diff --git a/hosts/nine/hardware.nix b/hosts/nine/hardware.nix index b5082ee..fa7c015 100644 --- a/hosts/nine/hardware.nix +++ b/hosts/nine/hardware.nix @@ -18,13 +18,15 @@ in { boot.initrd.kernelModules = [ "nvme" ]; fileSystems."/" = { - device = "/dev/disk/by-label/root"; - fsType = "ext4"; + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + options = [ "noatime" ]; }; fileSystems.${config.boot.loader.efi.efiSysMountPoint} = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + options = [ "noatime" ]; }; zramSwap = enabled; diff --git a/hosts/nine/id.age b/hosts/nine/id.age index 6cf0712..42f0b9f 100644 Binary files a/hosts/nine/id.age and b/hosts/nine/id.age differ diff --git a/hosts/nine/password.seven.age b/hosts/nine/password.seven.age index e5ba356..21078a4 100644 Binary files a/hosts/nine/password.seven.age and b/hosts/nine/password.seven.age differ diff --git a/modules/acme/environment.age b/modules/acme/environment.age index 7011b11..e894173 100644 --- a/modules/acme/environment.age +++ b/modules/acme/environment.age 
@@ -1,13 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw /sYx2CZG4l/oWbh9aKT4lFOcSiwY6A9SxwgX32mXqBs -iK6qzFpI4xGh5m4oqmW18eM2v6OVj/z3t1aRslnhH50 --> ssh-ed25519 spFFQA S3tkGQbTGQgWcp8Uh625eMCnE/h4nFVeb/z1AVemBkw -9RiAPo2w7PC+2abVofU1Aficcn0eOfvvOMgxGXRIL+0 --> ssh-ed25519 dASlBQ zuVu1QbtutWUG93M+i/UlVlkrmUdz71SrW8jhV4Pxg4 -OMEdnXV0Ix11FRX58Q3zH7nRG2tSkBl1wDmGY7J4JLM --> ssh-ed25519 CzqbPQ XLqIYDBAQXyL4/khZ71XP6uajnkX2HhzA2Ksx1UTGiU -MWrt9f1XjxECD4TRKbME2bN4XU1ns9VQ7btuqijXJYU ---- rpTCT+04nE+Jl+2qDHbocBGeYQYBtW/EcRiYHWTqcvw -P3ԢpQ^ 8lA ŻhYQ GW'&תH;ܐ *3 -tAOXk>Mi:!ơs9!:$ra4"HUD - bH Hw'Š̍xJ XYy+P(eG& &TG'8:!)Ԫ<´ \ No newline at end of file +-> ssh-ed25519 +rZ0Tw DMMzxXSIPSsRLkIvKJAiE6OzV1z3EZ0T+od2iIxMiA0 +OHVLHmVzeiWlsVI+DQ5M+iNik+nsdiQBz4zcquygC0A +-> ssh-ed25519 spFFQA TVqArtAoudQlrgAqshCP8ZU0YlVZoKwkvUVh968NqC8 +Cy7+Y1rTFiAoWp6Gw8a1cljCjWPHtNwXjlXWQyu8A8U +-> ssh-ed25519 dASlBQ ui5a61Tg1JoJvR8okc8qKkDhrSE9dH84XZQWhLn7cCo +5ehK2bvVgLZSYr5AstV1dwW7/qaVGRxs8PdzAg7sk4w +-> ssh-ed25519 CzqbPQ wgktFhPRIAwX8BNJu8svEHDrpz0ZCOw94nR+M3FJCTY +RAErTHg/g/voC7yPf2lB+ELmysNwQXre9jucw2y+ZVc +--- AB7oiyhts6riNlp5xuWsFTzIx2y7Axn0CU4uCXHfVLo +`8eߧJST'BězgK zꚉWcFݸ3ᇴGR}Rיq6]n0b <+  dԴ\ECMUͱ3 X{qjʁE0&M8xtʈF }/Oq_:ҟ0(I/hKHK\X\'(gbAܐ \ No newline at end of file diff --git a/modules/common/ssh/config.age b/modules/common/ssh/config.age index 4519152..3fca7c9 100644 --- a/modules/common/ssh/config.age +++ b/modules/common/ssh/config.age 
@@ -1,12 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw 6O4kuzuRQRYphZTIWeFHBxZ8iRImicVWzISKkRDpkHU -e4kCn+CEtt85NtnEik+GwHyP4VxO926URUgUSXPKF3E --> ssh-ed25519 spFFQA lzDLZiLU3qfjGEIxLVk6ax+UqvEDsBzyDEA5oBXl+1k -fA0ObL1S1V19XSv+Wj+sZlxxMQoVDTgMvncn4y56RHo --> ssh-ed25519 dASlBQ qZALhRmOTNN4Q/rKN6MQkEUFfFbGBZdwrx3rLtC3Xis -+cNLajIY16dErY3W5jyQt1q/O+AZ08pgqxbxh2e6MV4 --> ssh-ed25519 CzqbPQ YnkQEcf1jOm9/voAlbqmjPdTlNFeyW1eeHGC53V4n2c -RVtx1VD0yzSGFwBJ7y5nNWBA0qEt8VXwKjCw3c5iMS8 ---- j7fj7Ke05D5Q7xr9LhM6++la9TW0gn2R46DxBztXgGE -˺ _+=xMvyQ -+-te{2.G2}#eAųAT-u͒s \ No newline at end of file +-> ssh-ed25519 +rZ0Tw ifhIam0q2bs/Y59Z7OcOSOLoTL6+ZpEnnSp+NV6M7wU +iW4MNMvME9OoYs98bofV5yIAzkRnEC/r+VcI9oDHWGU +-> ssh-ed25519 spFFQA JwTUt4N7UUYn2DS6BIXceJTxnZSssFh8eFRcg9Fz+18 +aah1QHiAM2qSkKoQPxzNTDQVxyxaJUNGtVXJSNv1n48 +-> ssh-ed25519 dASlBQ jeeRHlJ/5hqyDX2GiQYk1ZRgkpBid9jzZ5qeqVzByyk +OawpP+fHhVqoB4OFw1ATbc53TZcVMR4EGJ2xcV67xq8 +-> ssh-ed25519 CzqbPQ a2f0ztMO4RQdadwdHbb70javzdF+loMSA65ts+crexI +inoxpsQcz/ZintLwIsvtOeCdRJ/gqvNdDGRyyXPFBEw +--- m4JEHQx5W7mCBUSctSb2U9CJSFKEu6oROraAR2pyU7s +vЎ4 J$S#sQ\P?Oع` VRI.ڙCQ9`*DVTPZBJȤq \ No newline at end of file diff --git a/modules/common/ssh/default.nix b/modules/common/ssh/default.nix index ff398ea..5999e17 100644 --- a/modules/common/ssh/default.nix +++ b/modules/common/ssh/default.nix @@ -40,11 +40,11 @@ in { # port = 2222; # }; - # disk = { - # hostname = self.disk.networking.ipv4; - # user = "floppy"; - # port = 2222; - # }; + disk = { + hostname = self.disk.networking.ipv4; + user = "floppy"; + port = 2222; + }; nine = { hostname = self.nine.networking.ipv4; diff --git a/modules/linux/ip.nix b/modules/linux/ip.nix new file mode 100644 index 0000000..15dac4a --- /dev/null +++ b/modules/linux/ip.nix 
@@ -0,0 +1,16 @@ +{ config, lib, ... }: let + inherit (config.networking.defaultGateway) interface; + inherit (lib) optionals; +in { + networking.interfaces.${interface} = { + ipv4.addresses = optionals (config.networking.ipv4 != null) [{ + address = config.networking.ipv4; + prefixLength = 22; + }]; + + ipv6.addresses = optionals (config.networking.ipv4 != null) [{ + address = config.networking.ipv6; + prefixLength = 64; + }]; + }; +} diff --git a/modules/linux/restic/password.age b/modules/linux/restic/password.age index ec55952..dfe39fc 100644 Binary files a/modules/linux/restic/password.age and b/modules/linux/restic/password.age differ diff --git a/modules/mail/default.nix b/modules/mail/default.nix index 19c1886..295301e 100644 --- a/modules/mail/default.nix +++ b/modules/mail/default.nix @@ -1,8 +1,6 @@ { self, config, lib, ... }: let inherit (lib) const enabled genAttrs head mkDefault; inherit (config.networking) domain; - - fqdn = "mail1.${domain}"; in { imports = [(self + /modules/acme)]; @@ -19,8 +17,6 @@ in { acmeGroup = "mail"; mailserver = enabled { - fqdn = mkDefault fqdn; - domains = mkDefault [ domain ]; certificateScheme = "acme"; diff --git a/modules/mail/password.hash.age b/modules/mail/password.hash.age index c013731..8347272 100644 Binary files a/modules/mail/password.hash.age and b/modules/mail/password.hash.age differ diff --git a/modules/mail/password.plain.age b/modules/mail/password.plain.age index e5276de..917472f 100644 --- a/modules/mail/password.plain.age +++ b/modules/mail/password.plain.age 
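Review bot: In modules/linux/ip.nix the `ipv6.addresses` list is guarded by `config.networking.ipv4 != null`, the same condition as the IPv4 list, which looks like a copy-paste slip. It should read `ipv6.addresses = optionals (config.networking.ipv6 != null) [{`. As written, and assuming these options can be null as the check implies, a host with only an IPv4 address gets an IPv6 entry whose `address` is null, while an IPv6-only host gets no address at all. The prefix lengths 22 and 64 were moved here from hosts/nine and now apply to every host that loads this module, so confirm they match disk's network or make them per-host options.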
@@ -1,12 +1,12 @@ age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw yK5fuqcnE1yO5tTAudZ/TXDvBf0sn4eCr39j/jZgil0 -+hTr80COfDui7lhRnaDjNB2c2gtNOKQaiW4Yiz0am/A --> ssh-ed25519 spFFQA kDMyjjSxHOaLZ6ocr/q7MmRoqrXHdzHFzbZslaA0hlE -jurwi1z6m+weYx5Wr3+E8+2fbYgwPFTKOPOuAYjt8wI --> ssh-ed25519 dASlBQ 5CYRg+Sw+jDk+S1EtLEG+PXf6EKJwx/Re9e/txOrs2A -vUaTfOS9Fuce2x/qL5Pg3L0ZHZPBrhr63W4UT0n28uI --> ssh-ed25519 CzqbPQ 1uz6duuPfhpAjWjGdjwUGr7UHyqxG/zKn6rCVPgxSF8 -y5t/i2p08GqDOeaC27CJE528br/qU4i+iUEvMXDdX4w ---- mGUus7T7rcsjt8LRCBc0vr5f3KFLSZweFYvaaNen+zg -iO2 ѻGQ(o X3=>:)m -"[QQ \ No newline at end of file +-> ssh-ed25519 +rZ0Tw e/Myh9IdG3mTDdO2Y6dQX1xH7O/wXFXeu5J/3L9AZns +FflORBOBRxFu+BxdFocuYpAMROBks9S+n/jo+fGYzNI +-> ssh-ed25519 spFFQA VjBxKfyWeNSLlyryeQ/XHtQZIrYOIPaaGsir52DBAn4 +gI3kBrmv7za+3n00TeUXAlA0rHLmwFq3rcd4XjUpZu4 +-> ssh-ed25519 dASlBQ YNcwqwyyyjqthVG1U51b8ZlWJy97oaBhspAloOyG2Sw +OjdM1z/V3OOIIJCQfslqvUq2UAoZMBLTpjRhgJnvUSY +-> ssh-ed25519 CzqbPQ Zg6rZXjzr4SBL7C9Ns9OgIOh+Cu4nMN9g8k7p64kuAk +vgFArTTOqj72QjbfKnstG9rOUcFygZBMPKFPFlpeAok +--- dougaYMQ93Sk/8K3EcxZJCLLpikrKytfNgWpVbQ7yYM +rEvЫ _# Qk|< +#vb49GaI,F \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 66791aa..1476caa 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,6 +1,10 @@ let - inherit (import ./keys.nix) nine admins all; + inherit (import ./keys.nix) disk nine admins all; in { + # disk + "hosts/disk/password.floppy.age".publicKeys = [ disk ] ++ admins; + "hosts/disk/id.age".publicKeys = [ disk ] ++ admins; + # nine "hosts/nine/id.age".publicKeys = [ nine ] ++ admins; "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins;
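Review bot: In secrets.nix both disk secrets are declared with `[ disk ] ++ admins`, but the hosts/disk/password.floppy.age added in this commit carries only two `ssh-ed25519` recipient stanzas (`spFFQA` and `CzqbPQ`), while the re-encrypted shared secrets carry four. keys.nix is not in this diff, so this may be correct if `admins` holds a single key. It is still worth confirming that disk's host key is one of the two recipients, since otherwise the host cannot decrypt its own password file at activation. A one-line comment above the `# disk` rules, stating that each host secret is readable by that host plus the admins only, would make the intended recipient set easier to audit after a rekey.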