7 Commits

Author column (shown on the page for the commits): ahtlon

| SHA1 | Message | Checks | Date |
|---|---|---|---|
| 82695ad537 | [nextcloud] fix hostname | All checks were successful: Evaluate Hydra Jobs / eval-hydra-jobs (push), successful in 6m43s | 2024-12-10 12:22:09 +01:00 |
| 033f571546 | add nextcloud collectives | All checks were successful: Evaluate Hydra Jobs / eval-hydra-jobs (push), successful in 3m15s | 2024-11-26 21:36:53 +01:00 |
| c93b87c2f4 | login works ("login geht") | All checks were successful: Evaluate Hydra Jobs / eval-hydra-jobs (push), successful in 3m12s | 2024-11-26 21:18:35 +01:00 |
| 67c85570fb | nextcloud minimal | (no checks shown) | 2024-11-26 21:00:54 +01:00 |
| 554be0c831 | sops.... | All checks were successful: Evaluate Hydra Jobs / eval-hydra-jobs (push), successful in 2m56s | 2024-11-26 18:45:31 +01:00 |
| 0e89e0c1db | Start over but right this time | (no checks shown) | 2024-11-26 18:28:12 +01:00 |
| f6d9f70fc0 | basic discourse example | (no checks shown) | 2024-11-26 13:57:15 +01:00 |
42 changed files with 172 additions and 1966 deletions

.gitignore (vendored, 1 line changed)
View File

@@ -5,4 +5,3 @@ result
*.qcow2
.direnv/
book/
fanny-efi-vars.fd
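Review bot: With four lines becoming three and no markers rendered, the pattern being dropped is most likely `fanny-efi-vars.fd`, since the fanny host is deleted elsewhere in this comparison. An EFI variable store is a locally generated artifact carrying per-machine boot state; if any copy still exists in a working tree, dropping the ignore rule lets it be committed, so keep the rule until the file is confirmed gone from every checkout.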

View File

@@ -11,13 +11,8 @@
- [Website](./server/website.md)
- [musik](./projekte/musik.md)
- [TODO](./todo.md)
- [Modules]()
- [Initrd-ssh](./module/initssh.md)
- [Disks](./module/disks.md)
- [How-to]()
- [Create New Host](./anleitung/create.md)
- [Sops](./anleitung/sops.md)
- [MaloVPN](./anleitung/wireguard.md)
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md)
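Review bot: Thirteen lines become eight, which matches the `Modules` draft chapter plus the four page deletions further down (create.md, wireguard.md, disks.md, initssh.md); the book therefore loses its only coverage of initrd SSH unlock, the encrypted-disk layout and VPN onboarding while the Sops how-to stays. If those procedures still apply to the remaining hosts, move the pages under another chapter instead of dropping the entries. The empty targets in `[Modules]()` and `[How-to]()` are mdBook draft-chapter syntax and need no change.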

View File

@@ -1,66 +0,0 @@
# Create host with disko-install
How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
---
Here are the exact steps to get bakunin running:
First create machines/hostname/configuration.nix
Add hosts nixosConfiguration in machines/configurations.nix
Boot nixos installer on the Machine.
``` bash
# establish network connection
wpa_passphrase "network" "password" > wpa.conf
wpa_supplicant -B -i wlp3s0 -c wpa.conf
ping 8.8.8.8
# if that works continue
# generate a base hardware config
nixos-generate-config --root /tmp/config --no-filesystems
# get the infra repo
nix-shell -p git
git clone https://git.dynamicdiscord.de/kalipso/infrastructure
cd infrastructure
# add the new generated hardware config (and import in hosts configuration.nix)
cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
# check which harddrive we want to install the system on
lsblk #choose harddrive, in this case /dev/sda
# run nixos-install on that harddrive
sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
# this failed with out of memory
# running again showed: no disk left on device
# it seems the usb stick i used for flashing is way to small
# it is only
# with a bigger one (more than 8 gig i guess) it should work
# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
# failed with no space left on device.
# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
```
# Testing Disko
Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
```bash
nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
```
Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
```nix
datasets = {
encrypted = {
options = {
encryption = "aes-256-gcm"; #THIS ONE
keyformat = "passphrase"; #THIS ONE
keylocation = "file:///tmp/root.key"; #THIS ONE
};
# use this to read the key during boot
postCreateHook = '' #THIS ONE
zfs set keylocation="prompt" "zroot/$name"; #THIS ONE
''; #THIS ONE
```
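Review bot: Two findings in this page should survive its deletion. The Testing Disko section tells readers to comment out `encryption`, `keyformat` and `keylocation` (and the `postCreateHook` that sets `keylocation="prompt"`) in fanny.nix for VM tests, and nothing says to revert that before a real install, so a host could be deployed with unencrypted ZFS datasets; the replacement docs should make the revert step explicit. The installer notes also record that both disko-install and `disko --mode format` failed with no space left because the live system's /nix/store is on tmpfs, which is the kind of detail that is expensive to rediscover.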

View File

@@ -12,47 +12,14 @@ Use durruti as orientation:
"10.0.0.5" is the IP assigned to its tap interface.
### Testing MicroVMs locally
MicroVMs can be built and run easily on your local host, but they are not persistent!
For durruti for example this is done by:
MicroVMs can be built and run easily on your local host.
For durruti this is done by:
``` bash
nix run .\#durruti-vm
```
### Testing persistent microvms
In order to test persistent microvms locally we need to create them using the ```microvm``` command.
This is necessary to be able to mount persistent /etc and /var volumes on those hosts.
Do the following:
Prepare your host by including `microvm.nixosModules.host` in your `flake.nix` [Microvm Docs](https://astro.github.io/microvm.nix/host.html)
```bash
# go into our repo and start the default dev shell (or use direnv)
nix develop .#
# create a microvm on your host (on the example of durruti)
sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
# start the vm
sudo systemctl start microvm@durruti.service
# this may fail, if so we most probably need to create /var /etc manually, then restart
sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
# now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
# alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
microvm -r durruti
# after u made changes to the microvm update and restart the vm
microvm -uR durruti
# deleting the vm again:
sudo systemctl stop microvm@durruti.service
sudo systemctl stop microvm-virtiofsd@durruti.service
sudo rm -rf /var/lib/microvms/durruti
sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner
```
It seems to be necessary to run this as root so that the according tap interface can be created.
To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
### Host Setup
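Review bot: Removing the persistent-microvm section drops the only explanation of why `/var/lib/microvms/<host>/etc` and `/var` were shared into the VMs: the SSH host keys lived in `/var/lib/microvms/durruti/etc/ssh/`. Without those shares every VM start regenerates host keys, so `known_hosts` entries and any age recipient derived from the host key with ssh-to-age (sops.md) stop matching. The sentence "but they are not persistent!" is deleted from the local-testing paragraph at the same time, although non-persistence now applies to the deployed VMs too; the text should say so rather than go quiet on it.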
@@ -82,3 +49,4 @@ The following example would init and autostart durruti and gitea:
``` nix
malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
```

View File

@@ -23,13 +23,3 @@
- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
## How to add host keys
If a new host is created we have to add its age keys to the sops config.
Do the following:
```bash
# ssh into the host and run:
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# create new host with the output of that command in /machines/.sops.yaml
```
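Review bot: With "How to add host keys" removed, readers lose the `ssh-to-age` step that turns a host's ed25519 SSH host key into the age recipient that `.sops.yaml` lists under `machine_*`; what remains only covers admin keys and `sops updatekeys`. Keep the one-liner somewhere, and state next to it that `sops updatekeys $path/to/secrets.yaml` has to be run for every affected file after a host key is added or removed, because editing `.sops.yaml` alone does not re-encrypt anything.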

View File

@@ -1,55 +0,0 @@
# MaloVPN
Running in the cloud. To let a host access the VPN you need to do the following:
- generate a wireguard keypair
- add the host to ./machines/modules/malobeo/peers.nix
- enable the malovpn module on the host
## Generate Wireguard keys
Enter nix shell for wg commands `nix-shell -p wireguard-tools`
```bash
umask 077
wg genkey > wg.private
wg pubkey < wg.private > wg.pub
```
Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
## Add host to peers.nix
peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.
- Add your host to /machines/modules/malobeo/peers.nix
- Set the role to "client"
- choose a ip address as 'address' that is not taken already
- set allowedIPs as the others, except we want to limit this host to only access certain peers
- Add your public Key here as string
After that commit your changes and either open a PR or push directly to master
Example:
```nix
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.0/24" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
```
## Enable MaloVPN on Host
Either you configure wireguard manually or use the malobeo vpn module
The 'name' must match your hosts name in peers.nix:
```nix
sops.secrets.private_key = {};
imports = [
malobeo.nixosModules.malobeo.vpn
];
services.malobeo.vpn = {
enable = true;
name = "celine";
privateKeyFile = config.sops.secrets.private_key.path;
};
```
After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist.
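Review bot: Two details in the deleted page are worth carrying over if the VPN procedure moves elsewhere: `umask 077` before `wg genkey`, and the sops step for the private key, which the page makes optional ("if you like") even though the example's `privateKeyFile = config.sops.secrets.private_key.path` depends on it; making that step mandatory keeps private keys out of plain files in the repository. The instruction to "push directly to master" for peers.nix also means anyone with push access can admit a new VPN peer; a PR-only rule on that file is the cheaper control.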

View File

@@ -1,117 +0,0 @@
# Disks
The disks module can be used by importing `inputs.self.nixosModules.malobeo.disko`
#### `let cfg = malobeo.disks`
#### `cfg.enable` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Enables the disk creation process using the `disko` tool. Set to `true` to initialize disk setup.
#### `cfg.hostId` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The host ID used for ZFS disks. This ID should be generated using a command like `head -c4 /dev/urandom | od -A none -t x4`.
#### `cfg.encryption` (bool)
- **Type:** `bool`
- **Default:** `true`
- **Description:**
Determines if encryption should be enabled. Set to `false` to disable encryption for testing purposes.
#### `cfg.devNodes` (string)
- **Type:** `string`
- **Default:** `"/dev/disk/by-id/"`
- **Description:**
Specifies where the disks should be mounted from.
- Use `/dev/disk/by-id/` for general systems.
- Use `/dev/disk/by-path/` for VMs.
- For more information on disk name conventions, see [OpenZFS FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux).
#### `let cfg = malobeo.disks.root`
#### `cfg.disk0` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The device name (beginning after `/dev/` e.g., `sda`) for the root filesystem.
#### `cfg.disk1` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The device name (beginning after `/dev/` e.g., `sdb`) for the optional mirror disk of the root filesystem.
#### `cfg.swap` (string)
- **Type:** `string`
- **Default:** `"8G"`
- **Description:**
Size of the swap partition on `disk0`. This is applicable only for the root disk configuration.
#### `cfg.reservation` (string)
- **Type:** `string`
- **Default:** `"20GiB"`
- **Description:**
The ZFS reservation size for the root pool.
#### `cfg.mirror` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Whether to configure a mirrored ZFS root pool. Set to `true` to mirror the root filesystem across `disk0` and `disk1`.
#### `let cfg = malobeo.disks.storage`
#### `cfg.enable` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Enables the creation of an additional storage pool. Set to `true` to create the storage pool.
#### `cfg.disks` (list of strings)
- **Type:** `listOf string`
- **Default:** `[]`
- **Description:**
A list of device names without /dev/ prefix (e.g., `sda`, `sdb`) to include in the storage pool.
Example: `["disks/by-id/ata-ST16000NE000-2RW103_ZL2P0YSZ"]`.
#### `cfg.reservation` (string)
- **Type:** `string`
- **Default:** `"20GiB"`
- **Description:**
The ZFS reservation size for the storage pool.
#### `cfg.mirror` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Whether to configure a mirrored ZFS storage pool. Set to `true` to mirror the storage pool.
## Example Configuration
```nix
{
options.malobeo.disks = {
enable = true;
hostId = "abcdef01";
encryption = true;
devNodes = "/dev/disk/by-id/";
root = {
disk0 = "sda";
disk1 = "sdb";
swap = "8G";
reservation = "40GiB";
mirror = true;
};
storage = {
enable = true;
disks = [ "sdc" "sdd" "disks/by-uuid/sde" ];
reservation = "100GiB";
mirror = false;
};
};
}
```
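Review bot: If this page is moved rather than deleted, fix the Example Configuration: `options.malobeo.disks = { enable = true; ... }` neither declares nor sets anything; a host sets the module's options as `malobeo.disks = { ... }`, exactly as bakunin/configuration.nix does further down in this comparison. The example `disks = [ "sdc" "sdd" "disks/by-uuid/sde" ]` also mixes bare device names with a by-uuid path although the `devNodes` section tells readers to use `/dev/disk/by-id/` (or by-path in VMs) precisely so that device renumbering cannot reorder the pool members.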

View File

@@ -1,29 +0,0 @@
# Initrd-ssh
The initssh module can be used by importing `inputs.self.nixosModules.malobeo.initssh`
#### `let cfg = malobeo.initssh`
## cfg.enable
Enable the initssh module
*Default*
false
## cfg.authorizedKeys
Authorized keys for the initrd ssh
*Default*
`[ ]`
## cfg.ethernetDrivers
Ethernet drivers to load in the initrd.
Run ` lspci -k | grep -iA4 ethernet `
*Default:*
` [ ] `
*Example:*
`[ "r8169" ]`

flake.lock (generated, 96 lines changed)
View File

@@ -1,26 +1,5 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1730135292,
"narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
"owner": "nix-community",
"repo": "disko",
"rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "latest",
"repo": "disko",
"type": "github"
}
},
"ep3-bs": {
"inputs": {
"nixpkgs": [
@@ -47,11 +26,11 @@
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
@@ -67,16 +46,16 @@
]
},
"locked": {
"lastModified": 1733951536,
"narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
@@ -109,11 +88,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1734041466,
"narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
"lastModified": 1732122592,
"narHash": "sha256-lF54irx92m8ddNDQDtOUjKsZAnsGyPL3QTO7byjlxNg=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
"rev": "19650774c23df84d0b8f315d2527274563497cad",
"type": "github"
},
"original": {
@@ -124,11 +103,11 @@
},
"nixlib": {
"locked": {
"lastModified": 1733620091,
"narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
"lastModified": 1731805462,
"narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
"rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
"type": "github"
},
"original": {
@@ -145,11 +124,11 @@
]
},
"locked": {
"lastModified": 1733965598,
"narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
"lastModified": 1732151224,
"narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
"rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
"type": "github"
},
"original": {
@@ -160,11 +139,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1733861262,
"narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
"lastModified": 1731797098,
"narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
"rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
"type": "github"
},
"original": {
@@ -192,11 +171,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1733759999,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github"
},
"original": {
@@ -208,23 +187,22 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733808091,
"narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
"lastModified": 1731797254,
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"ep3-bs": "ep3-bs",
"home-manager": "home-manager",
"mfsync": "mfsync",
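Review bot: The pin moves backwards here: `nixpkgs_2` goes from `nixos-24.11` to `nixos-24.05` and `lastModified` drops from 1733808091 (December 2024) to 1731797254 (November 2024), and the other nodes in this file (home-manager release-24.11 to release-24.05, sops-nix, microvm.nix, nixos-hardware, nixos-generators, nixpkgs-unstable) move back by weeks to months in the same way, while `disko` disappears from the root inputs. Whichever side is the intended target of this comparison, deploying the older side reverts the security fixes the newer channel received in between, so confirm the direction before merging.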
@@ -245,11 +223,11 @@
]
},
"locked": {
"lastModified": 1733965552,
"narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
"lastModified": 1732186149,
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
"type": "github"
},
"original": {
@@ -261,11 +239,11 @@
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1733308308,
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"lastModified": 1729945407,
"narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=",
"ref": "refs/heads/main",
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 792,
"rev": "f1d94ee7029af18637dbd5fdf4749621533693fa",
"revCount": 764,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
@@ -341,11 +319,11 @@
]
},
"locked": {
"lastModified": 1736184101,
"narHash": "sha256-HAX+TkDXzyNp6SAsKwjNFql7KzAtxximpQSv+GmP8KQ=",
"lastModified": 1729717517,
"narHash": "sha256-Gul0Zqy0amouh8Hs8BL/DIKFYD6BmdTo4H8+5K5+mTo=",
"ref": "refs/heads/master",
"rev": "9cdab949f44301553e3817cf1f38287ad947e00c",
"revCount": 28,
"rev": "610269a14232c2888289464feb5227e284eef336",
"revCount": 27,
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/tasklist"
},

View File

@@ -3,15 +3,13 @@
inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
mfsync.url = "github:k4lipso/mfsync";
microvm.url = "github:astro/microvm.nix";
microvm.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko/latest";
disko.inputs.nixpkgs.follows = "nixpkgs";
utils = {
url = "github:numtide/flake-utils";
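Review bot: `nixpkgs.url` changes from `nixos-24.11` to `nixos-24.05` and the `disko` input is dropped; together with the lock file this is a channel downgrade rather than an update, so if this side is what gets deployed the hosts lose the 24.11 security updates. `sops-nix` and `microvm` still follow `nixpkgs`, which is right, but check that nothing on the remaining side still imports `inputs.disko.nixosModules.disko` (the bakunin entry in configurations.nix did).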
@@ -33,7 +31,7 @@
};
home-manager= {
url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager/release-24.05";
inputs = {
nixpkgs.follows = "nixpkgs";
};

View File

@@ -8,9 +8,7 @@ keys:
- &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
- &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
- &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
- &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
creation_rules:
- path_regex: moderatio/secrets/secrets.yaml$
key_groups:
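Review bot: Removing the `machine_vpn`, `machine_fanny` and old `machine_durruti` age recipients from `.sops.yaml` does not revoke their access to files already encrypted for them; every affected secrets file needs `sops updatekeys` (the step sops.md names for new admin keys) so that the data key is re-wrapped for the new recipient set only. `machine_durruti` also switches from an age recipient to the PGP fingerprint 4095412245b6efc14cf92ca25911def5a4218567, which the durruti secrets.yaml hunk below confirms; that departs from the ssh-to-age scheme the docs describe, so the host now needs its PGP private key reachable by sops-nix at activation time.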
@@ -33,44 +31,7 @@ creation_rules:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_durruti
- *admin_atlan
- path_regex: vpn/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_vpn
- *admin_atlan
- path_regex: fanny/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_fanny
- *admin_atlan
- path_regex: testvm/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: fanny/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: bakunin/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
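Review bot: The `disk.key` rules for testvm, fanny and bakunin go away with the host rules; all three encrypted only to the admin keys (`admin_kalipso`, `admin_kalipso_dsktp`, `admin_atlan`), which is the right recipient set for a disk key. Removing the rule and the file does not remove the ciphertext from git history, so if any host is still installed with one of these keys, plan a key rotation for the day access to those admin keys changes.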

View File

@@ -1,100 +0,0 @@
{ config, pkgs, inputs, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/xserver.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.initssh
];
malobeo.autoUpdate = {
enable = true;
url = "https://hydra.dynamicdiscord.de";
project = "malobeo";
jobset = "infrastructure";
cacheurl = "https://cache.dynamicdiscord.de";
};
malobeo.disks = {
enable = true;
hostId = "a3c3102f";
root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
};
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
};
hardware.sane.enable = true; #scanner support
nix.settings.experimental-features = [ "nix-command" "flakes" ];
users.users.malobeo = {
packages = with pkgs; [
firefox
thunderbird
telegram-desktop
tor-browser-bundle-bin
keepassxc
libreoffice
gimp
inkscape
okular
element-desktop
chromium
mpv
vlc
simple-scan
];
};
services.tor = {
enable = true;
client.enable = true;
};
services.printing.enable = true;
services.printing.drivers = [
(pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
pkgs.gutenprint
pkgs.gutenprintBin
pkgs.brlaser
pkgs.brgenml1lpr
pkgs.brgenml1cupswrapper
];
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "bakunin";
networking.networkmanager.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
systemWide = true;
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}
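Review bot: `hostId = "a3c3102f"` differs from fanny's `a3c3101f` by one digit, so these were assigned by hand rather than generated with `head -c4 /dev/urandom | od -A none -t x4` as the (also deleted) disks.md instructs; not a bug, a ZFS hostId only has to be unique, but worth remembering if the host is recreated. `services.pipewire.systemWide = true` on a desktop host is something the NixOS option description advises against for normal desktop use, since it moves the audio stack out of the user session; if this config is ever resurrected, drop that line.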

View File

@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:2/tfkG7SwWNpnqgkFkmUqbAJBF2eN/lfZCK/9VsZag==,iv:Sps+ZIQGveS/zumjVE8VFfVTlNwQJ093eMDndlne2nU=,tag:lW8xcz43jj1XPV6M/0e11g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU003cys0d0d4MXFmVVVH\ndDg1eHZpVjFMeDBGL3JQcjB5a0luSVRaSWtnCmxNOEUyZ2oybkNLdm12ZTVmNUpo\nVCtUem44bXA2dGhURGdyRWxKdUF6OVkKLS0tIDdVbUt2eGVHMHBzOEt6QnRpOXZF\nVWFEUFloRXpIUGJxblpaNUNuTjlLbDQKQii2qUIl72d02D3P0oTDHZQT1srSk6jS\n89XSBy6ND9vP0tGXcZ4a7jghO0Q1OVNe1fm6Ez41lKOuUu77hgOAWg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-14T16:40:57Z",
"mac": "ENC[AES256_GCM,data:M8l4a2SbBikF/tEtGx4ZY13eK3ffM70aUCDYo4ljgTAtQEbGLx1SJM/mrFW325LycFMNOerWhXyipbXPZPw2VfnSJ9dz+bQ53xK7Mpf/bOZs5aQZJpJ1/MJh6lkmR/zPeQXhE08WsyJ1rCRqAfygau2CqdV8ujY5li3jIIDQMcQ=,iv:lJZhTjJAxSky9MrzYldkJOG0dCIzkv4IE3ZKzxgUxvo=,tag:t/grczWX+0sDcsHC5SCd/A==,type:str]",
"pgp": [
{
"created_at": "2025-01-14T16:40:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/S6LvVBsznEqLZbT/UAom1KmfmA3swxAJnQ5tl/vnnix6\nvzs4KSFGZMOQZihEKC/M/og8qTCvlUFBAUMkYLgX+8ehZeZwnnH9V8EDGDIyoWXE\n6AIHP9Ur6yk62gHqmfHlMxFG2A9/A4a+mOvxyKKPDK/AYG0PBaSVMkM6cp7efWwe\n7C6m4BpPRU+3NsNKy/4FkWt9xoFy82K89FqUGC8oZOQW1q+fS7ZIhmnTzzApwILy\n5Y77yBnpPECDYNZdH097bZli6KGWob7aXJ431gyw2OMVQHFb0DlQbKxemo9eWpIr\nnXu2FYrY2D7YxXBGQvXTuNQD3BuvrccOgWAmmi852C1gVVKV+egeOBRq2RYPl6+j\n8TBaNzl0rcvaoWeTJGR142pR9ht9B3aGzXcvCsciZo3SjYyt31J0huzPfv4Dakfn\nyY8BvOaNfugjx0aS6BOZgZiOPlBer86/0FKX469QQAnqL0LRoPyjn53JYUdPdI+s\nCI2WuVynSl7ItiwoKkJK0lgBm0oMhpSiGOC4Z2Bkk2xdpiuXUdMcP6m8OlG9ldCs\n0KrWubh9Ne6CP7etvTkwqWvMuSpCuheToIQ0rp8j21/YdCFX5LpxA3+em0t9M7Is\nV4ZoLnqA2KjI\n=4+Yl\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-14T16:40:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//c/UkuZRpJM5sH1snP8Kidek6nHgC11hUaY1G15a5ap1D\nn9cMIn4xUdfCAN/DoNiE14NzeTDQyawmIV1ZmrYZzItFdNgunf1r9jQNa3EqcWfE\norJS2RwWDrsw7tmx0wyenr9BLefMGJYaJ6Rd7J3j8sXL7aT+SbNw27mmVbYrJiFJ\nYh2usIsxDu2C+dCeTb3J9sKK6F96IbNnj/2Sx8AGYsIQvcpwloCRrnjiEa+hrEBn\nj1I6U4B/NjRGv20PAR1OnQ2OhKVL5UgTJgNKWCLdvGVOQnqJgDNUrrNEBY19wDQL\nQzJEzL21aiyF+8BB3IrtQlntmAIMcUUHTpqIols9rpVJl54yiK1mQ3UqTQPQ2+gd\nu2gtjXXk3FMnVzaI33ZMcxENGHy/+ZdZMfY70/EwJpRvneHTsLr3Z/bHUxavSYdL\nQqbeWLUm7a2/pnOl5JKa9asKYaNBNdmzO/YVgQNhLQzFtHJ9riVN7Ro+S2bocN9Z\npHGCCISAdMDyuFC7aSngnZEwE4NACbQEc8Udu+YCAUIeeBaPI/QWu3n61fZrkxR7\nmik9uJdXnMzKpmNGVQbPurifykDA6Bsqakn69AZQIPyxMtEDBV+pDX0yy3tI5D12\nhksuXSC7fpV/4BsZWKczK9fpDUJMDTFajSSVrSKb4nr2hk49IAZX9rhgbiHmT1LS\nWAHa5YGYUMkVQc59J3uhAjuSckWA/7R7oMhIrL5e/vnnHVR5zFW/auHkDytzZ0d0\nbGdrIRZh81C+yxB1pSJvlUnIWbYnpqhaH3xL+8yARpGZMNi595x0EJM=\n=8puy\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}
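Review bot: `lastmodified` is 2025-01-14, a month after the newest commit in the list (2024-12-10), so the deleted side of this comparison is newer than any of the seven commits shown; that supports reading the whole diff as "branch relative to master" rather than as a chronological change set, which matters for the downgrade hunks above. The file is a sops JSON document with a single `data` field, encrypted to one age recipient (admin_atlan) and the two PGP keys, consistent with the `disk.key` creation rules being removed.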

View File

@@ -1,49 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
preLVM = true;
allowDiscards = true;
};
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/402B-2026";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
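Review bot: This is bakunin's nixos-generate-config output for the pre-disko layout (LUKS root by-uuid with `preLVM = true`, btrfs root, vfat /boot, a swap device), and bakunin/configuration.nix already had `#./hardware-configuration.nix` commented out in favour of the disko module, so deleting it is consistent. One setting to record before it is gone: `allowDiscards = true` passes TRIM through LUKS, which reveals which blocks are unused to anyone holding the raw disk; acceptable for a passphrase-protected laptop, but it should be a deliberate choice in whatever disko layout replaces this file.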

View File

@@ -41,41 +41,21 @@ let
];
defaultModules = baseModules;
makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
makeMicroVM = hostName: ipv4Addr: modules: [
inputs.microvm.nixosModules.microvm
{
microvm = {
hypervisor = "cloud-hypervisor";
mem = 2560;
shares = [
{
hypervisor = "qemu";
shares = [ {
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
{
source = "/var/lib/microvms/${hostName}/etc";
mountPoint = "/etc";
tag = "etc";
proto = "virtiofs";
socket = "etc.socket";
}
{
source = "/var/lib/microvms/${hostName}/var";
mountPoint = "/var";
tag = "var";
proto = "virtiofs";
socket = "var.socket";
}
];
} ];
interfaces = [
{
type = "tap";
id = "vm-${hostName}";
mac = "${macAddr}";
mac = "02:00:00:00:00:01";
}
];
};
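Review bot: `makeMicroVM` loses its `macAddr` parameter and every VM it builds now gets `mac = "02:00:00:00:00:01"`; the removed callers passed distinct addresses (52:DA:0D:F9:EF:F9, D0:E5:CA:F0:D7:E6, D0:E5:CA:F0:D7:E7, D0:E5:CA:F0:D7:E8), so as soon as two VMs from this function share a bridge they collide. Keep the parameter, or derive the MAC from `hostName`. The hunk also drops the `/etc` and `/var` virtiofs shares from `/var/lib/microvms/${hostName}`, which is the persistence the microvm.md change documented; without them the VMs regenerate SSH host keys and lose state on every restart.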
@@ -93,8 +73,6 @@ let
};
}
] ++ defaultModules ++ modules;
inputsMod = inputs // { malobeo = self; };
in
{
louise = nixosSystem {
@@ -105,12 +83,12 @@ in
];
};
bakunin = nixosSystem {
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
modules = defaultModules ++ [
./bakunin/configuration.nix
inputs.disko.nixosModules.disko
specialArgs.self = self;
modules = makeMicroVM "durruti" "10.0.0.5" [
./durruti/configuration.nix
];
};
@@ -123,59 +101,6 @@ in
];
};
fanny = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputsMod;
modules = defaultModules ++ [
self.nixosModules.malobeo.vpn
./fanny/configuration.nix
];
};
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [
./durruti/configuration.nix
];
};
vpn = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [
self.nixosModules.malobeo.vpn
./vpn/configuration.nix
];
};
infradocs = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [
self.nixosModules.malobeo.vpn
./infradocs/configuration.nix
];
};
uptimekuma = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [
./uptimekuma/configuration.nix
];
};
testvm = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = defaultModules ++ [ ./testvm ];
};
discourse = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
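Review bot: Removing `fanny`, `durruti`, `vpn`, `infradocs`, `uptimekuma` and `testvm` here has to be matched on the nginx side: the later hunks move `docs.malobeo.org` to `${cfg.host_ip}:9000` and drop `status.malobeo.org` (10.0.0.12), but nothing in this comparison shows where `cfg.host_ip` is defined, so confirm the proxy target exists on the remaining side. Note that `vpn` was the WireGuard server for MaloVPN and `fanny` the only client configured through `services.malobeo.vpn`, so the VPN goes away with this hunk, not only the VMs.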

View File

@@ -8,15 +8,6 @@
{ addr = "0.0.0.0"; port = 9000; }
];
root = "${self.packages.x86_64-linux.docs}/share/doc";
extraConfig = ''
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
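Review bot: The removed `proxy_*` directives were dead configuration: this vhost serves `root = "${self.packages.x86_64-linux.docs}/share/doc"` statically, so `proxy_set_header` and `proxy_buffering` never applied and deleting them is correct. What stays is the listener `{ addr = "0.0.0.0"; port = 9000; }`; since the only legitimate client is the reverse proxy on the bridge, binding to the VM's bridge address or restricting port 9000 in the firewall would keep this unencrypted port from being reachable by every other VM on the network.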

View File

@@ -36,21 +36,7 @@ in
services.nginx.virtualHosts."docs.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
'';
};
};
services.nginx.virtualHosts."status.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.12";
extraConfig = ''
'';
};
locations."/".proxyPass = "http://${cfg.host_ip}:9000";
};
services.nginx.virtualHosts."tasklist.malobeo.org" = {
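Review bot: `docs.malobeo.org` now proxies to `http://${cfg.host_ip}:9000` and the `status.malobeo.org` vhost (10.0.0.12) is removed; `forceSSL` and `enableACME` stay, so TLS terminates here and the hop to port 9000 is plain HTTP on the internal network, which is fine as long as that network is the tap bridge only. Two small points: the deleted `extraConfig = '' '';` blocks were no-ops, and `enableACME= true;` keeps its odd spacing on the surviving line, worth normalising to `enableACME = true;` while the block is being touched.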

View File

@@ -7,64 +7,75 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ
aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4
THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV
azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/
kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM
S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi
WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv
bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ
Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-26T10:07:26Z"
mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
pgp:
- created_at: "2024-12-19T15:09:01Z"
- created_at: "2024-11-14T13:03:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=1PHB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=3wBJ
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-12-19T15:09:01Z"
- created_at: "2024-11-14T13:03:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=5AlZ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=4vnh
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-14T13:03:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=FLuF
-----END PGP MESSAGE-----
fp: 4095412245b6efc14cf92ca25911def5a4218567
unencrypted_suffix: _unencrypted
version: 3.8.1
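Review bot: the data key of this file is not rotated by this hunk. The recipient set changes (two age recipients, pgp entries re-created on 2024-12-19 next to the 2024-11-14 ones) while `lastmodified` stays at 2024-06-26 and the `mac` line is unchanged context, which is exactly what `sops updatekeys` produces: the same data key is wrapped for the new recipients. If any recipient was removed in this change, whoever holds that key can still decrypt this revision and every earlier one in git history. Run `sops -r` (rotate) on the file so a fresh data key is generated, and if the removed key was compromised rather than merely retired, rotate the secrets inside the file as well.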

View File

@@ -1,93 +0,0 @@
{ inputs, config, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.microvm
];
malobeo.autoUpdate = {
enable = true;
url = "https://hydra.dynamicdiscord.de";
project = "malobeo";
jobset = "infrastructure";
cacheurl = "https://cache.dynamicdiscord.de";
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
malobeo.disks = {
enable = true;
hostId = "a3c3101f";
root = {
disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
};
storage = {
disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
mirror = true;
};
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
};
services.malobeo.vpn = {
enable = true;
name = "fanny";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.malobeo.microvm.enableHostBridge = true;
services.malobeo.microvm.deployHosts = [ "infradocs" ];
networking = {
firewall = {
allowedTCPPorts = [ 80 ];
};
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.0.0.11:9000";
extraConfig = ''
'';
};
};
};
services.tor = {
enable = true;
client.enable = true;
};
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "fanny";
networking.networkmanager.enable = true;
virtualisation.vmVariant.virtualisation.graphics = false;
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}

View File

@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-05T19:35:48Z",
"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
"pgp": [
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

View File

@@ -1,49 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
preLVM = true;
allowDiscards = true;
};
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/402B-2026";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@@ -1,68 +0,0 @@
wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T12:41:07Z"
mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
pgp:
- created_at: "2025-01-14T12:32:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=GKm4
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-14T12:32:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=9FN4
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2
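Review bot: deleting this file removes `wg_private` from the tree but not from git history; every age recipient and pgp fingerprint listed here can still decrypt the old revision. If the host this key belonged to is being retired, revoke it on the WireGuard server side (remove its peer entry and public key) rather than relying on the file being gone, and if the secret is being moved elsewhere in the repository, re-encrypt it with a fresh data key at the new path instead of copying the ciphertext.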

View File

@@ -1,20 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "infradocs";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../durruti/documentation.nix
../modules/malobeo_user.nix
../modules/sshd.nix
];
system.stateVersion = "22.11"; # Did you read the comment?
}

View File

@@ -67,13 +67,17 @@
networking.hostName = "louise";
networking.networkmanager.enable = true;
security.rtkit.enable = true;
services.pipewire = {
sound.enable = true;
hardware.pulseaudio = {
enable = true;
zeroconf.discovery.enable = true;
extraConfig = ''
load-module module-zeroconf-discover
'';
};
services.avahi = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
systemWide = true;
};
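Review bot: `hardware.pulseaudio.enable = true` and `services.pipewire.pulse.enable = true` cannot both be active (the PipeWire module asserts that the PulseAudio service is disabled when its PulseAudio replacement is enabled), and the rendered hunk shows both blocks; confirm the `services.pipewire` lines are the removed side. Separately, `services.avahi.enable = true` together with `zeroconf.discovery.enable = true` turns on mDNS discovery of remote sinks, and `services.avahi.openFirewall` defaults to true, so this also opens UDP 5353 in the firewall unless it is explicitly set to false; on a shared network that exposure should be a deliberate choice.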

View File

@@ -20,6 +20,14 @@ in
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = false;
boot.loader.raspberryPi.version = 3;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.firmwareConfig = ''
dtparam=audio=on
hdmi_ignore_edid_audio=1
audio_pwm_mode=2
'';
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
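Review bot: with `boot.loader.raspberryPi.enable = false` the `version`, `uboot.enable` and `firmwareConfig` lines added right after it are dead configuration; extlinux is the active loader (`generic-extlinux-compatible.enable = true`). Either drop the raspberryPi block, or, if the `dtparam=audio=on` / `hdmi_ignore_edid_audio` / `audio_pwm_mode` firmware settings are still needed, deliver them through the mechanism the active image uses (when the host is built with the sd-image module, `sdImage.extraFirmwareConfig`) so they actually land in config.txt.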
@@ -31,8 +39,12 @@ in
# Set your time zone.
time.timeZone = "Europe/Berlin";
# hardware audio support:
sound.enable = true;
services = {
dokuwiki.sites."wiki.malobeo.org" = {
enable = true;
#acl = "* @ALL 8"; # everyone can edit using this config

View File

@@ -1,6 +1,5 @@
hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -16,8 +15,8 @@ sops:
aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-14T18:10:54Z"
mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
lastmodified: "2023-10-24T15:09:51Z"
mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
pgp:
- created_at: "2024-11-14T13:02:46Z"
enc: |-
@@ -78,4 +77,4 @@ sops:
-----END PGP MESSAGE-----
fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3
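Review bot: `version` moving from 3.8.1 back to 3.7.3 and `lastmodified` from 2024-11-14 back to 2023-10-24 suggests an older copy of this file was restored rather than edited, and the first hunk of this file drops one of the three top-level entries (`hello`, `njala_api_key`, `wireguard_private`). Check that the values now in the file are the current credentials and not ones that were rotated after October 2023, and that the removed entry is not still referenced by a `sops.secrets.*` declaration elsewhere.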

View File

@@ -1,63 +0,0 @@
{ config, self, inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
# https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
disko.devices = {
disk = {
main = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/disk/by-id/some-disk-id";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
passwordFile = /tmp/secret.key; # Interactive
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "20M";
};
};
};
};
};
};
};
};
};
};
}
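Review bot: the removed `passwordFile = /tmp/secret.key; # Interactive` used an unquoted Nix path literal where disko expects a string (the upstream example this was copied from quotes it). A path value that ends up interpolated into a string is copied into the world-readable Nix store under a `<hash>-secret.key` name. Deleting the file is the right fix, but if this configuration was ever evaluated on a machine where `/tmp/secret.key` existed, check that store for such a copy and remove it with `nix-store --delete`.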

View File

@@ -1,278 +0,0 @@
{config, inputs, lib, ...}:
let
cfg = config.malobeo.disks;
in
{
imports = [inputs.disko.nixosModules.disko];
options.malobeo.disks = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable disko disk creation";
};
hostId = lib.mkOption {
type = lib.types.str;
default = "";
description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
};
encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Allows encryption to be disabled for testing";
};
devNodes = lib.mkOption {
type = lib.types.str;
default = "/dev/disk/by-id/";
description = ''
where disks should be mounted from
https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux
use "/dev/disk/by-path/" for vm's
'';
};
root = {
disk0 = lib.mkOption {
type = lib.types.str;
default = "";
description = "name ab /dev für root dateisystem";
};
disk1 = lib.mkOption {
type = lib.types.str;
default = "";
description = "name ab /dev für eventuellen root mirror";
};
swap = lib.mkOption {
type = lib.types.str;
default = "8G";
description = "size of swap partition (only disk0)";
};
reservation = lib.mkOption {
type = lib.types.str;
default = "20GiB";
description = "zfs reservation";
};
mirror = lib.mkOption {
type = lib.types.bool;
default = false;
description = "mirror zfs root pool";
};
};
storage = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable storage pool";
};
disks = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "name ab /dev/ für storage pool";
example = "ata-ST16000NE000-2RW103_ZL2P0YSZ";
};
reservation = lib.mkOption {
type = lib.types.str;
default = "20GiB";
description = "zfs reservation";
};
mirror = lib.mkOption {
type = lib.types.bool;
default = false;
description = "mirror zfs storage pool";
};
};
};
config = lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
}) cfg.storage.disks
)
))
];
zpool = {
zroot = {
type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd";
"com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
};
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" storage/encrypted;
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
};
type = "zfs_fs";
};
};
};
};
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
};
}

View File

@@ -1,66 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.malobeo.initssh;
inherit (config.networking) hostName;
in
{
options.malobeo.initssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable initrd-ssh";
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Authorized keys for the initrd ssh";
};
ethernetDrivers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169";
};
};
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
systemd = {
enable = true;
network.enable = true;
};
network.ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd";
};
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
};
};
}

View File

@@ -75,7 +75,7 @@ in
microvm.vms =
let
# Map the values to each hostname to then generate an Attrset using listToAttrs
# Map the values to each hostname to then generate a Attrs using listToAttrs
mapperFunc = name: { inherit name; value = {
# Host build-time reference to where the MicroVM NixOS is defined
# under nixosConfigurations
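Review bot: the reworded comment reads "generate a Attrs", which is ungrammatical and less precise than the line it replaces; keep "an Attrset" (or "an attribute set").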
@@ -98,6 +98,7 @@ in
};
path = with pkgs; [ nix git ];
environment.HOME = config.users.users.root.home;
scriptArgs = "%i";
script = ''
/run/current-system/sw/bin/microvm -Ru ${name}
'';
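Review bot: `scriptArgs = "%i"` passes the unit's instance name to the script as `$1`, but the script body still uses the Nix-interpolated `${name}` and never reads `$1`, so the argument is dead and the two can drift apart if the unit is ever instantiated with a different name. Either drop `scriptArgs`, or, if the unit is meant to be a template, use `$1` in the `microvm -Ru` call.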

View File

@@ -1,39 +0,0 @@
{
"vpn" = {
role = "server";
publicIp = "5.9.153.217";
address = [ "10.100.0.1/24" ];
allowedIPs = [ "10.100.0.0/24" ];
listenPort = 51821;
publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
persistentKeepalive = 25;
};
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.2/32" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
"desktop" = {
role = "client";
address = [ "10.100.0.3/24" ];
allowedIPs = [ "10.100.0.3/32" ];
publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
};
"atlan-pc" = {
role = "client";
address = [ "10.100.0.5/24" ];
allowedIPs = [ "10.100.0.5/32" ];
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
};
"fanny" = {
role = "client";
address = [ "10.100.0.101/24" ];
allowedIPs = [ "10.100.0.101/32" ];
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
};
}

View File

@@ -1,101 +0,0 @@
{ config, self, lib, inputs, options, pkgs, ... }:
with lib;
let
cfg = config.services.malobeo.vpn;
peers = import ./peers.nix;
myPeer = if cfg.name == "" then peers.${config.networking.hostName} else peers.${cfg.name};
peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
peerListWithEndpoint = map (host:
if host.role == "server" then
host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
else
host
) peerList;
filteredPeerlist = map (host: builtins.removeAttrs host [
"role"
"address"
"listenPort"
"publicIp"
] ) peerListWithEndpoint;
in
{
options = {
services.malobeo.vpn = {
enable = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
};
autostart = mkOption {
default = true;
type = types.bool;
description = lib.mdDoc "whether to autostart vpn interface on boot";
};
name = mkOption {
default = "";
type = types.str;
description = ''
Name of the host in peers.nix, if empty uses hostname
'';
};
privateKeyFile = mkOption {
default = "";
type = types.str;
description = ''
Path to private key
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = !(myPeer.role != "client" && myPeer.role != "server");
message = ''
VPN Role must be either client or server, nothing else!
'';
}
];
boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf (myPeer.role == "server") 1;
networking.wg-quick = {
interfaces = {
malovpn = {
mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
address = myPeer.address;
autostart = cfg.autostart;
listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postUp = mkIf (myPeer.role == "server") ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
'';
# This undoes the above command
postDown = mkIf (myPeer.role == "server") ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
'';
privateKeyFile = cfg.privateKeyFile;
peers = filteredPeerlist;
};
};
};
#networking.nat = mkIf (myPeer.role == "server"){
# enable = true;
# internalInterfaces = [ "microvm" ];
# externalInterface = "eth0"; #change to your interface name
#};
};
}

View File

@@ -6,7 +6,7 @@ in
{
users.users.malobeo = {
isNormalUser = true;
extraGroups = [ "pipewire" "wheel" "pulse-access" "scanner" "lp" ];
extraGroups = [ "wheel" "pulse-access" "scanner" "lp" ];
openssh.authorizedKeys.keys = sshKeys.admins;
initialPassword = "test";
};
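Review bot: `initialPassword = "test"` (unchanged context in this hunk) sets a well-known password on an account that is in `wheel`; it only applies when the user is first created, but every host deployed from this module boots with a sudo-capable user whose password is guessable until someone changes it. Since admin SSH keys are already provisioned via `openssh.authorizedKeys.keys`, prefer `hashedPasswordFile` pointing at a sops-managed secret, or leave the password unset and rely on the keys.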

View File

@@ -1,59 +0,0 @@
{ config, pkgs, inputs, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.disko
];
boot.initrd.systemd.enable = true;
boot.loader.systemd-boot.enable = true;
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["virtio_net"];
};
malobeo.disks = {
enable = true;
encryption = false;
hostId = "83abc8cb";
devNodes = "/dev/disk/by-path/";
root = {
disk0 = "disk/by-path/pci-0000:04:00.0";
swap = "1G";
reservation = "1G";
mirror = false;
};
storage = {
enable = true;
disks = ["disk/by-path/pci-0000:08:00.0" "disk/by-path/pci-0000:09:00.0"];
reservation = "1G";
mirror = true;
};
};
boot.initrd.kernelModules = ["virtio_blk" "zfs" "virtio_console" "virtio_pci" "virtio" "virtio_net"];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "testvm";
networking.networkmanager.enable = true;
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}

View File

@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-12-31T02:35:20Z",
"mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]",
"pgp": [
{
"created_at": "2024-12-31T02:35:05Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2024-12-31T02:35:05Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

View File

@@ -1,37 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "uptimekuma";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
];
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts."status.malobeo.org" = {
locations."/" = {
proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
'';
};
};
};
services.uptime-kuma = {
enable = true;
};
system.stateVersion = "22.11"; # Did you read the comment?
}

View File

@@ -1,45 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
networking = {
hostName = mkDefault "vpn";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
firewall = {
allowedUDPPorts = [ 51821 ];
allowedTCPPorts = [ 80 ];
};
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
];
services.malobeo.vpn = {
enable = true;
name = "vpn";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
extraConfig = ''
'';
};
};
};
system.stateVersion = "22.11"; # Did you read the comment?
}

View File

@@ -1,68 +0,0 @@
wg_private: ENC[AES256_GCM,data:uuBYbOTiThZYiNetM+FOLFVMr/HII9otG4FvN5YvuRErvNjgmAYxVncV71k=,iv:Sy3HAEcALod2pL4IZ/GSjVybLAviOoO+DsW8OROzgTg=,tag:hynRmiilafVzWCjx2Xoxhw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua1FUY1pZamY5R1ExOC8r
cUU4VE9VVUJjeEdXNEJnMUM5WEtUL0E2NWhZCm5xTXZ2WnhFcXRGVkdQNHlTcDBC
cTlySDcxaGJXOFl0UWJ6RlYzekdJaU0KLS0tIEo1RmVIZG9mOGpJM2NlOEQyKzNG
a0FsVGh6TlBBWG5qNTBFWVVWb3U2ZUEKp6Rfi5h1j9+nosARUcuVFUDLajaHf5SK
PFDpyy+n1msB4E+Yuku6ySxyf58TqPvy/JnVA7Nhkmir7IngIdfX1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT2hGalZFaktoUHdJRXJy
dlg0NVZxNSsvV0VsQndOV2VqZHJzcnI3cFEwCmg0eHl0djNpcmVSaHlEM2h0R2dm
QzRveGlpbldYeFFQdmVHSlVtU1FhcGsKLS0tIHFnZ0xyaDRidE5naElnNWNOZmM2
RUpHanJrOUx1endqRytjOW9VV1dLQ1UKcS6MhvTHTn+3sCh/wrMDw4z5aYHmKbER
n/doy/gDtIWeIlw9TPNdCtOu/P/atNnrjvpTDCU1i+H86fODFmu5zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T22:01:22Z"
mac: ENC[AES256_GCM,data:ctpzk2gUHSLThmZpRFwIBKX+SfwKt8/V8AWQbPnoBqJ9KwuHcRKkkT2yEMx3l2qKUy7DgrqRXhSVGbF57poXC9nshyjXMrrjMQA4PBB7a3SAwgpcX6j+aEx0xIt8GTUVxcn0xDvbP9xJ+adeACLUvkE+a4EB1jtdsL/iacxlv5Y=,iv:Zw+sG7oXmPRGa2jWc+mloGMBq6CnDQgz5x7ke5paeW8=,tag:RtfGmrSt8U8Je7Dq9FQGTg==,type:str]
pgp:
- created_at: "2024-12-19T15:09:08Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Mdnc
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-12-19T15:09:08Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=vQSV
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2
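Review bot: Deleting this sops file removes the encrypted `wg_private` value from the working tree but not from git history, where the two age recipients and the two PGP fingerprints listed in the `sops:` block can still decrypt it; if the WireGuard key is not meant to outlive this change, rotate it rather than relying on the deletion, and confirm that no module still references this secret path (the `vpn` module entry is dropped further down in flake.nix).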

View File

@@ -4,7 +4,6 @@
, nixpkgs-unstable
, nixos-generators
, sops-nix
, microvm
, ...
} @inputs:
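Review bot: Dropping `, microvm` from the outputs function arguments only makes sense if the matching `inputs.microvm` declaration and its flake.lock entry are removed as well; that part of flake.nix is not in the visible hunks, so please confirm, because with the `...` catch-all the evaluator will not complain about an input that is still fetched and pinned but used by nothing.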
@@ -16,32 +15,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
pkgs = nixpkgs.legacyPackages."${system}";
in
{
devShells.default =
let
sops = sops-nix.packages."${pkgs.system}";
microvmpkg = microvm.packages."${pkgs.system}";
in
pkgs.mkShell {
sopsPGPKeyDirs = [
"./machines/secrets/keys/hosts"
"./machines/secrets/keys/users"
];
nativeBuildInputs = [
sops.ssh-to-pgp
sops.sops-import-keys-hook
sops.sops-init-gpg-key
pkgs.sops
pkgs.age
pkgs.python310Packages.grip
pkgs.mdbook
microvmpkg.microvm
];
devShells.default = pkgs.callPackage ./shell.nix {
inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
};
packages = {
remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
docs = pkgs.stdenv.mkDerivation {
name = "malobeo-docs";
phases = [ "buildPhase" ];
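Review bot: In `devShells.default = pkgs.callPackage ./shell.nix { inherit ... }` only the three sops-nix hooks are passed explicitly, so the `sops` and `pkgs` parameters of the new shell.nix are filled in by `callPackage` from nixpkgs; that reproduces the old `pkgs.sops`, but is worth a one-line comment since a reader may assume `sops` also comes from the `sops-nix` flake. The same hunk drops `remote-install` and `boot-unlock` from `packages`, so the install and remote disk-unlock workflow no longer has any in-repo entry point; make sure the documentation that refers to those commands is updated in the same change.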
@@ -58,46 +36,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
cp -r ./book/* $dest
'';
};
} //
builtins.foldl'
(result: host:
let
inherit (self.nixosConfigurations.${host}) config;
in
result // {
# boot any machine in a microvm
"${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
modules = [{
microvm = {
mem = pkgs.lib.mkForce 4096;
hypervisor = pkgs.lib.mkForce "qemu";
socket = pkgs.lib.mkForce null;
shares = pkgs.lib.mkForce [{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}];
interfaces = pkgs.lib.mkForce [{
type = "user";
id = "eth0";
mac = "02:23:de:ad:be:ef";
}];
};
boot.isContainer = pkgs.lib.mkForce false;
users.users.root.password = "";
fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
services.getty.helpLine = ''
Log in as "root" with an empty password.
Use "reboot" to shut qemu down.
'';
}] ++ pkgs.lib.optionals (! config ? microvm) [
microvm.nixosModules.microvm
];
}).config.microvm.declaredRunner;
})
{ }
(builtins.attrNames self.nixosConfigurations);
apps = {
docs = {
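Review bot: The hunk header reports 7 lines on the new side, but only the 5 unchanged lines from `cp -r ./book/* $dest` through `docs = {` render here, so the line that must now terminate `packages = {` once the `} //` ... `builtins.foldl'` merge is gone cannot be checked from this view; please verify the attrset is closed with `};` before `apps = {`. Removing the `${host}-vm` runner also removes the only place that set `users.users.root.password = ""`, which is the right direction, but anything that invoked `nix run .#<host>-vm` for testing now needs a replacement.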
@@ -114,13 +53,10 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
self = self;
});
nixosModules.malobeo = {
host.imports = [ ./machines/durruti/host_config.nix ];
microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
disko.imports = [ ./machines/modules/disko ];
};
nixosModules.malobeo.imports = [
./machines/durruti/host_config.nix
./machines/modules/malobeo/microvm_host.nix
];
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
let
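Review bot: `nixosModules.malobeo` changes shape from an attrset of named sub-modules (`host`, `microvm`, `vpn`, `initssh`, `disko`) to a single module with an `imports` list, so any consumer that imports `nixosModules.malobeo.vpn`, `.initssh` or `.disko` will fail to evaluate; at the same time the new list still pulls in `./machines/modules/malobeo/microvm_host.nix` while the `microvm` flake input is removed in the first hunk, so check that this file does not depend on `microvm.nixosModules.microvm` or its options.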

View File

@@ -1,47 +0,0 @@
set -o errexit
set -o nounset
set -o pipefail
if [ $# -lt 2 ]; then
echo
echo "Install NixOS to the host system with secrets and encryption"
echo "Usage: $0 <hostname> <ip> (user)"
exit 1
fi
hostname=$1
ipaddress=$2
# Create a temporary directory
temp=$(mktemp -d)
# Function to cleanup temporary directory on exit
cleanup() {
rm -rf "$temp"
}
trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
# # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"
# Install NixOS to the host system with our secrets and encription
# optional --build-on-remote
if [ $# = 3 ]
then
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
else
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
fi
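Review bot: With remote-install-encrypt.sh deleted there is no replacement in the visible diff for the nixos-anywhere flow (generating the host and initrd SSH keys into `--extra-files` and handing the LUKS key over via `--disk-encryption-keys`); if a successor is planned, do not carry over the `echo "$diskKey" > /tmp/secret.key` step, since it wrote the decrypted disk key to a predictable path under /tmp with the default umask and the `cleanup` trap only removed `$temp`, leaving the plaintext key on disk after the run.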

View File

@@ -1,30 +0,0 @@
set -o errexit
set -o pipefail
sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
HOSTNAME=$1
echo
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
if [ $# = 1 ]
then
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ]
then
IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
else
echo
echo "Unlock the root disk on a remote host."
echo "Usage: $0 <hostname> [ip]"
echo "If an IP is not provided, the hostname will be used as the IP address."
exit 1
fi
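Review bot: If unlock-boot.sh returns in any form, drop `-o StrictHostKeyChecking=no` from `sshoptions`: the script pipes the decrypted disk key into that SSH session, so host-key verification is the only thing standing between it and a spoofed initrd listener on port 222, and the initrd key is generated by the install script anyway and can be pinned with a `UserKnownHostsFile`. The script also lacks the `set -o nounset` its sibling has, so calling it with no arguments fails inside `sops -d machines//disk.key` instead of reaching the usage text in the `else` branch.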

24
shell.nix Normal file
View File

@@ -0,0 +1,24 @@
{ mkShell
, sops-import-keys-hook
, ssh-to-pgp
, sops-init-gpg-key
, sops
, pkgs
}:
mkShell {
sopsPGPKeyDirs = [
"./machines/secrets/keys/hosts"
"./machines/secrets/keys/users"
];
nativeBuildInputs = [
ssh-to-pgp
sops-import-keys-hook
sops-init-gpg-key
sops
pkgs.age
pkgs.python310Packages.grip
pkgs.mdbook
];
}
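Review bot: shell.nix mixes a generic `pkgs` parameter with individually named packages (`sops` and the three sops-nix hooks); the dependencies reached through `pkgs.` (`age`, `python310Packages.grip`, `mdbook`) cannot be overridden from the `callPackage` call site and are less visible than the named ones, so consider listing them as parameters too. Since `sops` here is the plain nixpkgs package while `ssh-to-pgp`, `sops-import-keys-hook` and `sops-init-gpg-key` come from the `sops-nix` flake, a short comment on that split would help the next reader.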