diff --git a/.gitignore b/.gitignore
index 781ced8..07cc058 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 !docs/
 !hosts/
+!hosts/nine/
 !hosts/pala/
 !lib/
diff --git a/hosts/nine/default.nix b/hosts/nine/default.nix
new file mode 100644
index 0000000..fef8dbe
--- /dev/null
+++ b/hosts/nine/default.nix
@@ -0,0 +1,60 @@
+lib: lib.nixosSystem ({ config, keys, lib, ... }: let
+inherit (lib) collect remove;
+in {
+imports = collect ./. |> remove ./default.nix;
+
+nixpkgs.hostPlatform = "aarch64-linux";
+
+system.stateVersion = "23.11";
+home-manager.sharedModules = [{
+home.stateVersion = "23.11";
+}];
+
+networking.hostName = "nine";
+
+secrets.id.file = ./id.age;
+services.openssh.hostKeys = [{
+type = "ed25519";
+path = config.secrets.id.path;
+}];
+
+secrets.sevenPassword.file = ./password.seven.age;
+users.users = {
+root.hashedPasswordFile = config.secrets.sevenPassword.path;
+
+seven = {
+description = "Hungry Seven";
+openssh.authorizedKeys.keys = keys.admins;
+hashedPasswordFile = config.secrets.sevenPassword.path;
+extraGroups = [ "wheel" ];
+};
+
+backup = {
+description = "Backup";
+openssh.authorizedKeys.keys = keys.all;
+hashedPasswordFile = config.secrets.sevenPassword.path;
+};
+};
+
+networking = {
+ipv4 = "152.53.2.105";
+ipv6 = "2a0a:4cc0::12d9";
+
+domain = "rgbcu.be";
+
+defaultGateway = "152.53.0.1";
+defaultGateway6 = "fe80::1";
+
+interfaces.enp4s0 = {
+ipv4.addresses = [{
+address = config.networking.ipv4;
+prefixLength = 22;
+}];
+
+ipv6.addresses = [{
+address = config.networking.ipv6;
+prefixLength = 64;
+}];
+};
+};
+})
diff --git a/hosts/nine/hardware.nix b/hosts/nine/hardware.nix
new file mode 100644
index 0000000..b5082ee
--- /dev/null
+++ b/hosts/nine/hardware.nix
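Review bot: The `backup` account in the `users.users` block of hosts/nine/default.nix is given the same `hashedPasswordFile` as `root` and `seven`, so the admin password also becomes a valid credential for an account whose SSH access is opened to every key in `keys.all`, while the restic module in this commit only reaches that account over key-authenticated sftp and presumably needs no password at all; dropping `hashedPasswordFile = config.secrets.sevenPassword.path;` from `backup` leaves it key-only, and the same line on `root` only serves the console. Whether password authentication or root login over SSH are actually permitted depends on `services.openssh.settings`, which this diff does not touch; at NixOS defaults root is unaffected, but `backup` still becomes password-reachable. Nothing here restricts `backup` to the repository path either, so a `Match User backup` block with `ForceCommand internal-sftp` in `services.openssh.extraConfig` would be worth adding. `keys.admins` and `keys.all` come from keys.nix, which is not shown.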
@@ -0,0 +1,31 @@ +{ config, lib, modulesPath, ... }: let + inherit (lib) enabled; +in { + imports = [(modulesPath + "/profiles/qemu-guest.nix")]; + + boot.loader.grub = enabled { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + ]; + + boot.initrd.kernelModules = [ "nvme" ]; + + fileSystems."/" = { + device = "/dev/disk/by-label/root"; + fsType = "ext4"; + }; + + fileSystems.${config.boot.loader.efi.efiSysMountPoint} = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + }; + + zramSwap = enabled; +} diff --git a/hosts/nine/id.age b/hosts/nine/id.age new file mode 100644 index 0000000..97fd931 Binary files /dev/null and b/hosts/nine/id.age differ diff --git a/hosts/nine/password.seven.age b/hosts/nine/password.seven.age new file mode 100644 index 0000000..41f5777 --- /dev/null +++ b/hosts/nine/password.seven.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 dASlBQ gh2TXagLOCoZF72LeTEpCfa6y5bltnN+JlRjhxs/lA4 +QOi6kenko+A4MB5aLBbyOXjY8RmEpOHFUM24H3Pgnaw +-> ssh-ed25519 CzqbPQ iP9T7X/mVGAZyj6xkMjuAkO4dDUsMFhQB29iTatmonY +YRn1gcHQvPyzGl79UF50C4OXPaeI4xD5BkkdjJCxLFs +--- 7+SPAGy57E4RsUE6Wsu8u3hbF9nnyJAysMQFlY3izIY +֣8$b-GSsYyUn뉘G*D)o8Âi=*Lz1lq85!- \U9ק^ \ No newline at end of file diff --git a/modules/common/ssh/config.age b/modules/common/ssh/config.age index 38c5abe..4d768f3 100644 Binary files a/modules/common/ssh/config.age and b/modules/common/ssh/config.age differ diff --git a/modules/common/system.nix b/modules/common/system.nix index 8a39c9d..1ce48ea 100644 --- a/modules/common/system.nix +++ b/modules/common/system.nix @@ -1,5 +1,5 @@ { config, lib, ... }: let - inherit (lib) any elem last mapAttrsToList mkConst splitString; + inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString; in { options = { os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system; 
@@ -7,7 +7,7 @@ in {
 isLinux = mkConst <| config.os == "linux";
 isDarwin = mkConst <| config.os == "darwin";
- isDesktop = mkConst <| config.isDarwin || (any <| mapAttrsToList (_: value: elem "graphical" value.extraGroups) config.users.users);
+ isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users);
 isServer = mkConst <| !config.isDesktop;
 };
 }
diff --git a/modules/linux/endlessh-go.nix b/modules/linux/endlessh-go.nix
index efe8704..66e7b95 100644
--- a/modules/linux/endlessh-go.nix
+++ b/modules/linux/endlessh-go.nix
@@ -2,17 +2,17 @@
 inherit (lib) enabled merge mkEnableOption mkIf mkOption types;
 fakeSSHPort = 22;
-in merge <| mkIf config.isServer {
- config.services.prometheus.exporters.endlessh-go = enabled {
+in {
+ config.services.prometheus.exporters.endlessh-go = mkIf config.isServer <| enabled {
 listenAddress = "[::]";
 };
 # `services.endlessh-go.openFirewall` exposes both the Prometheus
 # exporters port and the SSH port, and we don't want the metrics
 # to leak, so we manually expose this like so.
- config.networking.firewall.allowedTCPPorts = [ fakeSSHPort ];
+ config.networking.firewall.allowedTCPPorts = mkIf config.isServer <| [ fakeSSHPort ];
- config.services.endlessh-go = enabled {
+ config.services.endlessh-go = mkIf config.isServer <| enabled {
 listenAddress = "[::]";
 port = fakeSSHPort;
diff --git a/modules/linux/hyprland/fuzzel.nix b/modules/linux/hyprland/fuzzel.nix
index d7b3474..2f9a8d8 100644
--- a/modules/linux/hyprland/fuzzel.nix
+++ b/modules/linux/hyprland/fuzzel.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }: let
 inherit (lib) enabled mapAttrs merge mkIf replaceStrings;
 in merge <| mkIf config.isDesktop {
- home-manager.sharedNodules = [{
+ home-manager.sharedModules = [{
 wayland.windowManager.hyprland.settings = {
 bindl = [(replaceStrings [ "\n;" "\n" ] [ ";" "" ] ''
 , XF86PowerOff, exec,
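Review bot: `isDesktop = mkConst <| config.isDarwin || false;` in modules/common/system.nix turns every Linux host into a server (`isServer = mkConst <| !config.isDesktop;`), so the server-only modules touched in this same commit — the endlessh-go honeypot with its firewall opening on port 22 in modules/linux/endlessh-go.nix and the restic jobs in modules/linux/restic/default.nix — are now switched on for the Hyprland desktops as well, and `isDesktop`-gated modules such as fuzzel.nix become dead on Linux. The commented-out expression suggests that reading `config.users.users` inside this option was the problem (presumably an infinite recursion, since modules gated on `isServer` also define users — confirm); an explicit option that each host sets, `isDesktop = mkOption { type = types.bool; default = false; };`, or a hostname allow-list like the one `resticHosts` uses, avoids the cycle without defaulting all Linux hosts to server. The `getAttr` added to the `inherit` in the first hunk of this file is now referenced only from that comment and can be dropped. The enclosing `options = { ... }` attrset starts before this hunk.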
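Review bot: The three `mkIf config.isServer` guards in modules/linux/endlessh-go.nix repeat on every option the condition the old `merge <| mkIf` stated once; a single `config = mkIf config.isServer { services.prometheus.exporters.endlessh-go = enabled { ... }; networking.firewall.allowedTCPPorts = [ fakeSSHPort ]; services.endlessh-go = enabled { ... }; };` keeps the three settings visibly tied together, which matters here because the firewall opening on `fakeSSHPort = 22` should never be enabled without the honeypot actually listening behind it. With `isServer` now true for every Linux host (modules/common/system.nix in this commit), these settings also apply to the desktops. The `let` binding begins before this hunk and the `services.endlessh-go` attrset continues after it.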
diff --git a/modules/linux/restic/default.nix b/modules/linux/restic/default.nix
index 0b2c743..52c3852 100644
--- a/modules/linux/restic/default.nix
+++ b/modules/linux/restic/default.nix
@@ -1,11 +1,11 @@
 { config, lib, ... }: let
 inherit (lib) genAttrs merge mkConst mkIf remove;
-in merge <| mkIf config.isServer {
+in{
 options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];
- config.secrets.resticPassword.file = ./password.age;
+ config.secrets.resticPassword.file = mkIf config.isServer ./password.age;
- config.services.restic.backups = genAttrs config.resticHosts (host: {
+ config.services.restic.backups = mkIf config.isServer <| genAttrs config.resticHosts (host: {
 repository = "sftp:backup@${host}:${config.networking.hostName}-backup";
 passwordFile = config.secrets.resticPassword.path;
 initialize = true;
diff --git a/modules/linux/restic/password.age b/modules/linux/restic/password.age
index 4c4e20d..4fb00c5 100644
--- a/modules/linux/restic/password.age
+++ b/modules/linux/restic/password.age
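Review bot: `in{` in modules/linux/restic/default.nix drops the space every other module writes (`in {`), and `merge` is still listed in the `inherit` although nothing in the new body uses it. The hunk also adds `nine` to `resticHosts`, so each host pushes to `sftp:backup@${host}` on every peer through that peer's `backup` account, which hosts/nine/default.nix opens to every key in `keys.all`; since plain sftp gives that account whatever its filesystem permissions allow, a compromised host could read or delete the other hosts' `<hostname>-backup` repositories on the peer rather than only its own. A `ChrootDirectory` plus `ForceCommand internal-sftp` match for `backup`, or an append-only REST backend instead of sftp, would bound that blast radius; `keys.all` comes from keys.nix, which is not in this diff. The `config.services.restic.backups` attrset continues past the end of this hunk.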
@@ -1,11 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw 06oZk46oR6ELo5J27k6yawjranT3zRItKK+rl0P9bgk -Zl9FaZ0zz7X+NNa8YZ7mF+I3NM6uIQ4OyOxHCC7tG0s --> ssh-ed25519 spFFQA lNlbKPxx4NolZih3OdSW+Om6LfLzQGPcOateTm7PmjE -faPPdpWeJytmEGMCfNiup4hE/wjwAp9hdFBRR9PJ7JE --> ssh-ed25519 dASlBQ 0hpF2NYQrE8k0yQWjecxaEmxPswUfqjr/isjwcuRbio -zy5tvK0/6WaxzOOzmhRdMIdWeMyE0YYvRI+UAx4sW1c --> ssh-ed25519 CzqbPQ VuaclNfcFIo7wIFauMBcy4amv4QDMUwmWevaCaMICxg -JpO3lbn95Hfhqi7x2SRUSzVHQ7tS/Ay9Gn+mFhQpKbE ---- iuP1ypvDk453T8/jiyTnWRnVpKZ89yLdWbrMJubNwq8 -n Q)pպ1 Cbn)TaO^VL}4@Q \ No newline at end of file +-> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8 +m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE +-> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0 +Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g +-> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg +4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M +-> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I +OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c +--- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI +|38|H%tȏ38rz?4HՎC+ \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 26e6cf9..1644bfe 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,6 +1,10 @@ let - inherit (import ./keys.nix) all; + inherit (import ./keys.nix) nine admins all; in { + # nine + "hosts/nine/id.age".publicKeys = [ nine ] ++ admins; + "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins; + # shared "modules/common/ssh/config.age".publicKeys = all; "modules/linux/restic/password.age".publicKeys = all;
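Review bot: `"hosts/nine/id.age".publicKeys = [ nine ] ++ admins;` in secrets.nix encrypts what hosts/nine/default.nix uses as the host's own SSH host key (`secrets.id.path` feeds `services.openssh.hostKeys`) to `nine`, which presumably is that same key's public half if keys.nix follows the other entries; if so, a fresh install of nine cannot decrypt its host key with the host key, so either the `secrets` module decrypts with a separate bootstrap identity or the file has to be seeded out of band. A one-line comment above the entry recording which identity decrypts `id.age` on first boot, `# decrypted with <bootstrap identity>, not the host key it contains`, would make that dependency explicit for whoever rebuilds the host. keys.nix is not part of this diff.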