kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:34c008c05b37713e2e318af0a6a98446ec34138e
Branches Tags
kalipso:master kalipso:nextcloud_deck_derivation kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
...
compare: kalipso:better-workflows
Branches Tags
kalipso:nextcloud_deck_derivation kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

86 Commits
34c008c05b ... better-wor

Author SHA1 Message Date
ahtlon
52824e39ee with nix flake check the hydraJobs output is evaluated in the same way as Hydra's hydra-eval-jobs
All checks were successful
Check flake syntax / flake-check (push) Successful in 13m21s
Details
2025-01-18 23:41:53 +01:00
ahtlon
8793120436 Only run on push 2025-01-18 23:40:11 +01:00
ahtlon
950ada1e10 [actions] Add flake check
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m33s
Details
Check flake syntax / flake-check (push) Successful in 7m30s
Details
2025-01-18 22:24:21 +01:00
ahtlon
1e269966ff Merge branch 'fix-flake-check'
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 5m54s
Details 
nix flake check and show now work again
 2025-01-18 22:02:19 +01:00
ahtlon
3861daaf76 [modules] move microvm module import from makeMicroVM to baseModules 2025-01-18 22:01:06 +01:00
ahtlon
3a332e77d1 [scripts] move packages to legacyPackages 2025-01-18 21:45:48 +01:00
ahtlon
79c311b45d Merge branch 'issue51'
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 6m3s
Details 
Fixes #51
 2025-01-18 20:41:06 +01:00
ahtlon
850070f987 [scripts] check for flake.nix
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m15s
Details
2025-01-18 20:39:16 +01:00
ahtlon
d242562544 [packages] make scripts available in shell without nix run
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m7s
Details
2025-01-18 20:04:22 +01:00
kalipso
d8d910f5fd [uptimekuma] mv from fanny to hetzner server
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m7s
Details 
after thinking about it it makes no sense to have status/alerting
running on fanny. as soon as fanny fails we wont get any alerts anymore.
thats why i think having it running on the hetzner server, which is
quite stable, makes sense
 2025-01-17 14:19:38 +01:00
kalipso
a4f6b77e30 [fanny] deploy uptimekuma
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m21s
Details
2025-01-17 14:00:41 +01:00
kalipso
6aa6f2e171 [uptimekuma] set redirects 2025-01-17 13:59:54 +01:00
kalipso
d9bb933891 [uptimekuma] init 2025-01-17 13:59:35 +01:00
kalipso
168d45ed8a [vpn] set mtu 1340
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 5m47s
Details
2025-01-17 00:29:11 +01:00
kalipso
2f477d3566 [fanny] undo proxy settings
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m18s
Details
2025-01-17 00:19:23 +01:00
kalipso
b40cb40b01 [fanny] try fix incomplete file transfer
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m5s
Details
2025-01-16 19:30:49 +01:00
kalipso
b15b2ae789 [fanny] disable proxy_buffer
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m2s
Details
2025-01-16 16:36:38 +01:00
kalipso
c7b02b9366 [vpn] disable proxy_buffer
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m5s
Details 
url http://10.100.0.101:80/css/variables.css only returns half the file
hopefully this fixes it
 2025-01-16 16:26:23 +01:00
kalipso
c78eb9cbc1 [fanny][vpn] open port 80, enable nginx
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 5m49s
Details
2025-01-16 14:24:19 +01:00
kalipso
429be2c7b9 [fanny] setup as microvm host
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m55s
Details
2025-01-16 13:17:50 +01:00
kalipso
a12ad8db31 [fanny] setup proxypass chain 2025-01-16 13:17:50 +01:00
kalipso
ea99bbde25 [infradocs] init 2025-01-16 13:17:50 +01:00
kalipso
8e8ddb1435 [vpn] fix persistentKeepalive
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m53s
Details
2025-01-14 21:37:17 +01:00
kalipso
50a506d1c2 [bakunin] fix disk id
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 7m4s
Details
2025-01-14 17:56:39 +01:00
kalipso
3bc69085b3 [bakunin] use disko module
Some checks failed
Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled
Details
2025-01-14 17:53:58 +01:00
kalipso
3b6107c13d [fanny] set persistentKeepalive
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m44s
Details 
to be able to ssh even if fanny was not active for a while
 2025-01-14 16:47:08 +01:00
kalipso
aaf1e280fc [vpn] enable ip_forward on servers
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m50s
Details
2025-01-14 15:40:22 +01:00
kalipso
c6c7fe5a57 [vpn] allow peers to communicate within subnet
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m49s
Details
2025-01-14 15:14:58 +01:00
kalipso
60221f474c [vpn] fix allowedIps
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m48s
Details 
it seems allowedIPs need to have /32 subnet
 2025-01-14 15:04:49 +01:00
kalipso
9b526906c0 [vpn] fix allowedIPs in peers.nix
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m52s
Details
2025-01-14 14:38:09 +01:00
kalipso
642bb8ba64 [fanny] fix vpn name
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m45s
Details
2025-01-14 13:53:20 +01:00
kalipso
727f771c4f [docs] update sops
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m50s
Details
2025-01-14 13:46:08 +01:00
kalipso
468c3d63f9 [fanny] add to malovpn 2025-01-14 13:45:53 +01:00
kalipso
f0e7fef90e [fanny] add to sops 2025-01-14 13:45:34 +01:00
kalipso
5d2bb40028 [nixpkgs] update tasklist
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m48s
Details
2025-01-06 18:28:39 +01:00
ahtlon
a5d6cd6455 Configure fanny for disk and initssh module
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m33s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m51s
Details
2025-01-05 20:46:37 +01:00
ahtlon
f44adbc815 Allow disableing encryption for testing
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m39s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m29s
Details
2025-01-02 14:07:38 +01:00
ahtlon
63f2ca5b3c Module documentation 2025-01-02 14:06:19 +01:00
ahtlon
f46265e98a Add unlock-boot script
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m26s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m34s
Details
2024-12-31 13:43:00 +01:00
ahtlon
9f81b1497d init now automaticly imports all pools
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m29s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m27s
Details
2024-12-31 13:33:24 +01:00
ahtlon
8c488d50a8 add install script
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m41s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m39s
Details
2024-12-31 03:39:28 +01:00
ahtlon
b0a5fd91cd fix my mistakes 2024-12-31 03:18:37 +01:00
ahtlon
4fa01acae1 Create example configuration for qemu 2024-12-31 02:59:16 +01:00
ahtlon
e9b5937af9 add configurable disko modul 2024-12-31 02:46:12 +01:00
ahtlon
4d4c4fa6fa add init ssh modul 2024-12-31 02:45:37 +01:00
ahtlon
0087aa78a3 Add atlanpc wireguard access
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m29s
Details
2024-12-30 17:33:48 +01:00
kalipso
56ba8d06cd [malobeo/vpn] do not autostart wg interface on clients
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m29s
Details
2024-12-25 22:36:11 +01:00
kalipso
cf300973d5 [vpn] add peer desktop
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m28s
Details
2024-12-25 21:44:03 +01:00
kalipso
fedf849499 [fanny] set neededForBoot flags
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m32s
Details
2024-12-20 23:47:25 +01:00
System administrator
e7710d63a3 [louse] add user to pipewire group
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m29s
Details
2024-12-20 21:19:24 +01:00
kalipso
3855130d41 [louise] fix sound
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m3s
Details 
hopefully
 2024-12-20 20:15:08 +01:00
kalipso
b439a56e0b [vpn] cleanup unused secrets
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m29s
Details
2024-12-19 23:03:04 +01:00
kalipso
a2a4815d3b [docs] add vpn documentation
Some checks failed
Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled
Details
2024-12-19 23:01:55 +01:00
kalipso
826481cf5e [vpn] open wireguard port
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m32s
Details
2024-12-19 22:35:42 +01:00
kalipso
3131d1bebb [malobeo/vpn] update peers
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m36s
Details
2024-12-19 16:12:59 +01:00
kalipso
8efe601b90 [sops] updatekeys
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m28s
Details
2024-12-19 16:09:16 +01:00
kalipso
7af59b2a36 [modules] fix imports
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m32s
Details
2024-12-19 15:36:35 +01:00
kalipso
0d6df1d0ce [malobeo/vpn] use wg-quick instead wireguard
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 9m22s
Details 
this is compatible with systemd network (also in the future)
 2024-12-19 15:23:46 +01:00
kalipso
6e4e35fcdf [modules] fix microvm.host 'leak' 
including the malobeo module caused microvm to include microvm.host
which caused super annoying trouble and 2 days of debugging because
microvm.host.enable defaults to true...
 2024-12-19 15:21:58 +01:00
kalipso
7b53639208 [vpn] rm wireguard.nix
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m11s
Details
2024-12-18 00:41:04 +01:00
kalipso
8fe69ca2da [vpn] fix missing defaultSopsFile 2024-12-18 00:40:31 +01:00
kalipso
4d79714853 [modules] rename wg0 -> malovpn
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m53s
Details
2024-12-17 23:13:16 +01:00
kalipso
66579fcbfc [vpn] add missing module 2024-12-17 23:13:04 +01:00
kalipso
b6aef85860 [vpn] init wireguard
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m57s
Details
2024-12-17 23:04:50 +01:00
kalipso
bf2c801597 [vpn] use age instead gpg for sops 2024-12-17 23:04:29 +01:00
kalipso
3f1032d04d [microvm] try different MACs
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m37s
Details
2024-12-17 18:47:03 +01:00
kalipso
ced7b996ae [vpn] dont import malobeo module
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m45s
Details
2024-12-17 16:30:36 +01:00
kalipso
79082a5e4e [microvm] fix use of same macaddr
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m59s
Details
2024-12-17 16:24:34 +01:00
kalipso
074ad306ac [vpn] add sops key 2024-12-17 15:32:46 +01:00
kalipso
dd0499d64d [vpn] disable module for host setup
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m26s
Details
2024-12-17 11:38:59 +01:00
kalipso
58b0ff4ec7 [modules] vpn use hostName as fallback name
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m59s
Details
2024-12-17 11:30:33 +01:00
kalipso
7d73807f80 [lucia] rm wireguard cfg 2024-12-17 11:30:33 +01:00
kalipso
fea16d6f4b [vpn] init 2024-12-17 11:30:33 +01:00
kalipso
f27065d49e [modules] add missing import 2024-12-17 11:30:33 +01:00
kalipso
014564191d [modules] init vpn 2024-12-17 11:30:33 +01:00
ahtlon
65c61f6923 forgot a line 2024-12-17 11:30:33 +01:00
ahtlon
1245db5af9 Documentation for wireguard key creation 2024-12-17 11:30:33 +01:00
ahtlon
e15618de36 add secrets 2024-12-17 11:30:33 +01:00
ahtlon
ca1e9a3af6 add wireguard module from wiki and prepare sops 2024-12-17 11:30:33 +01:00
ahtlon
a10fb33c29 [fanny] disable mounting root datasets and add encrypted swap
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m40s
Details
2024-12-16 16:58:07 +01:00
ahtlon
cc73276ef4 Improve microvm docs
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m34s
Details
2024-12-15 17:22:55 +01:00
kalipso
9cc3912cbe [nixpkgs] 24.05 -> 24.11
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m31s
Details
2024-12-13 14:10:43 +01:00
kalipso
3cfd0a2283 [machines] switch PulseAudio to Pipewire 2024-12-13 14:08:51 +01:00
kalipso
b57827c86e [lucia] rm deprecated boot.loader.raspberryPi 
needs to be fixed still according to https://github.com/NixOS/nixpkgs/pull/241534
 2024-12-13 14:08:51 +01:00
kalipso
5119209392 [machines] remove sound.enable = true; 2024-12-13 14:08:51 +01:00
kalipso
1ff2f2b4ca [nixpkgs] 24.05 -> 24.11 2024-12-13 14:08:49 +01:00
38 changed files with 1508 additions and 310 deletions
Expand all files Collapse all files

9
.gitea/workflows/eval-hydra-jobs.yml → .gitea/workflows/flake-check.yml
View File

@@ -1,9 +1,8 @@
name: "Evaluate Hydra Jobs" name: "Check flake syntax"
on: on:
pull_request:
push: push:
jobs: jobs:
eval-hydra-jobs: flake-check:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -11,5 +10,5 @@ jobs:
run: | run: |
apt update -y apt update -y
apt install sudo -y apt install sudo -y
- uses: cachix/install-nix-action@v27 - uses: cachix/install-nix-action@v30
- run: nix eval --no-update-lock-file --accept-flake-config .\#hydraJobs - run: nix flake check --no-update-lock-file --accept-flake-config .

1
.gitignore vendored
View File

@@ -5,3 +5,4 @@ result
*.qcow2 *.qcow2
.direnv/ .direnv/
book/ book/
fanny-efi-vars.fd

4
doc/src/SUMMARY.md
View File

@@ -11,9 +11,13 @@
- [Website](./server/website.md) - [Website](./server/website.md)
- [musik](./projekte/musik.md) - [musik](./projekte/musik.md)
- [TODO](./todo.md) - [TODO](./todo.md)
- [Modules]()
- [Initrd-ssh](./module/initssh.md)
- [Disks](./module/disks.md)
- [How-to]() - [How-to]()
- [Create New Host](./anleitung/create.md) - [Create New Host](./anleitung/create.md)
- [Sops](./anleitung/sops.md) - [Sops](./anleitung/sops.md)
- [MaloVPN](./anleitung/wireguard.md)
- [Updates](./anleitung/updates.md) - [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md) - [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md) - [MicroVM](./anleitung/microvm.md)

9
doc/src/anleitung/microvm.md
View File

@@ -23,18 +23,21 @@ In order to test persistent microvms locally we need to create them using the ``
This is necessary to be able to mount persistent /etc and /var volumes on those hosts. This is necessary to be able to mount persistent /etc and /var volumes on those hosts.
Do the following: Do the following:
Prepare your host by including `microvm.nixosModules.host` in your `flake.nix` [Microvm Docs](https://astro.github.io/microvm.nix/host.html)
```bash ```bash
# go into our repo and start the default dev shell (or us direnv) # go into our repo and start the default dev shell (or use direnv)
nix develop .# nix develop .#
# create a microvm on your host (on the example of durruti) # create a microvm on your host (on the example of durruti)
sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
# start the vm # start the vm
sudo systemctl start microvm@durruti.serivce sudo systemctl start microvm@durruti.service
# this may fail, if so we most probably need to create /var /etc manually, then restart # this may fail, if so we most probably need to create /var /etc manually, then restart
sudo mkdir /var/lib/microvms/durruti/{var, etc} sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
# now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/ # now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/

12
doc/src/anleitung/sops.md
View File

@@ -22,4 +22,14 @@
- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to - Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml` - `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
## How to add host keys
If a new host is created we have to add its age keys to the sops config.
Do the following:
```bash
# ssh into the host and run:
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# create new host with the output of that command in /machines/.sops.yaml
```

55
doc/src/anleitung/wireguard.md Normal file
View File

@@ -0,0 +1,55 @@
# MaloVPN
Running in the cloud. To let a host access the VPN you need to do the following:
- generate a wireguard keypair
- add the host to ./machines/modules/malobeo/peers.nix
- enable the malovpn module on the host
## Generate Wireguard keys
Enter nix shell for wg commands `nix-shell -p wireguard-tools`
```bash
umask 077
wg genkey > wg.private
wg pubkey < wg.private > wg.pub
```
Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
## Add host to peers.nix
peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.
- Add your host to /machines/modules/malobeo/peers.nix
- Set the role to "client"
- choose a ip address as 'address' that is not taken already
- set allowedIPs as the others, except we want to limit this host to only access certain peers
- Add your public Key here as string
After that commit your changes and either open a PR or push directly to master
Example:
```nix
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.0/24" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
```
## Enable MaloVPN on Host
Either you configure wireguard manually or use the malobeo vpn module
The 'name' must match your hosts name in peers.nix:
```nix
sops.secrets.private_key = {};
imports = [
malobeo.nixosModules.malobeo.vpn
];
services.malobeo.vpn = {
enable = true;
name = "celine";
privateKeyFile = config.sops.secrets.private_key.path;
};
```
After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist.

117
doc/src/module/disks.md Normal file
View File

@@ -0,0 +1,117 @@
# Disks
The disks module can be used by importing `inputs.self.nixosModules.malobeo.disko`
#### `let cfg = malobeo.disks`
#### `cfg.enable` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Enables the disk creation process using the `disko` tool. Set to `true` to initialize disk setup.
#### `cfg.hostId` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The host ID used for ZFS disks. This ID should be generated using a command like `head -c4 /dev/urandom | od -A none -t x4`.
#### `cfg.encryption` (bool)
- **Type:** `bool`
- **Default:** `true`
- **Description:**
Determines if encryption should be enabled. Set to `false` to disable encryption for testing purposes.
#### `cfg.devNodes` (string)
- **Type:** `string`
- **Default:** `"/dev/disk/by-id/"`
- **Description:**
Specifies where the disks should be mounted from.
- Use `/dev/disk/by-id/` for general systems.
- Use `/dev/disk/by-path/` for VMs.
- For more information on disk name conventions, see [OpenZFS FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux).
#### `let cfg = malobeo.disks.root`
#### `cfg.disk0` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The device name (beginning after `/dev/` e.g., `sda`) for the root filesystem.
#### `cfg.disk1` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The device name (beginning after `/dev/` e.g., `sdb`) for the optional mirror disk of the root filesystem.
#### `cfg.swap` (string)
- **Type:** `string`
- **Default:** `"8G"`
- **Description:**
Size of the swap partition on `disk0`. This is applicable only for the root disk configuration.
#### `cfg.reservation` (string)
- **Type:** `string`
- **Default:** `"20GiB"`
- **Description:**
The ZFS reservation size for the root pool.
#### `cfg.mirror` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Whether to configure a mirrored ZFS root pool. Set to `true` to mirror the root filesystem across `disk0` and `disk1`.
#### `let cfg = malobeo.disks.storage`
#### `cfg.enable` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Enables the creation of an additional storage pool. Set to `true` to create the storage pool.
#### `cfg.disks` (list of strings)
- **Type:** `listOf string`
- **Default:** `[]`
- **Description:**
A list of device names without /dev/ prefix (e.g., `sda`, `sdb`) to include in the storage pool.
Example: `["disks/by-id/ata-ST16000NE000-2RW103_ZL2P0YSZ"]`.
#### `cfg.reservation` (string)
- **Type:** `string`
- **Default:** `"20GiB"`
- **Description:**
The ZFS reservation size for the storage pool.
#### `cfg.mirror` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Whether to configure a mirrored ZFS storage pool. Set to `true` to mirror the storage pool.
## Example Configuration
```nix
{
options.malobeo.disks = {
enable = true;
hostId = "abcdef01";
encryption = true;
devNodes = "/dev/disk/by-id/";
root = {
disk0 = "sda";
disk1 = "sdb";
swap = "8G";
reservation = "40GiB";
mirror = true;
};
storage = {
enable = true;
disks = [ "sdc" "sdd" "disks/by-uuid/sde" ];
reservation = "100GiB";
mirror = false;
};
};
}
```

29
doc/src/module/initssh.md Normal file
View File

@@ -0,0 +1,29 @@
# Initrd-ssh
The initssh module can be used by importing `inputs.self.nixosModules.malobeo.initssh`
#### `let cfg = malobeo.initssh`
## cfg.enable
Enable the initssh module
*Default*
false
## cfg.authorizedKeys
Authorized keys for the initrd ssh
*Default*
`[ ]`
## cfg.ethernetDrivers
Ethernet drivers to load in the initrd.
Run ` lspci -k | grep -iA4 ethernet `
*Default:*
` [ ] `
*Example:*
`[ "r8169" ]`

60
flake.lock generated
View File

@@ -67,16 +67,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726989464, "lastModified": 1733951536,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.05", "ref": "release-24.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@@ -109,11 +109,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1733796600, "lastModified": 1734041466,
"narHash": "sha256-scaQMTs4NnGkd9SZWROr5m0vOZIIhRkk5N7Q+S9zhXQ=", "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "e08aed6e3a32e47e21e57bd2791326ea3f7647be", "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -124,11 +124,11 @@
}, },
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1731805462, "lastModified": 1733620091,
"narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=", "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734", "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -145,11 +145,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732151224, "lastModified": 1733965598,
"narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=", "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c", "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -160,11 +160,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1731797098, "lastModified": 1733861262,
"narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=", "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6", "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -192,11 +192,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1732014248, "lastModified": 1733759999,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -208,16 +208,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1731797254, "lastModified": 1733808091,
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.05", "ref": "nixos-24.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -245,11 +245,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1732186149, "lastModified": 1733965552,
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -341,11 +341,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729717517, "lastModified": 1736184101,
"narHash": "sha256-Gul0Zqy0amouh8Hs8BL/DIKFYD6BmdTo4H8+5K5+mTo=", "narHash": "sha256-HAX+TkDXzyNp6SAsKwjNFql7KzAtxximpQSv+GmP8KQ=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "610269a14232c2888289464feb5227e284eef336", "rev": "9cdab949f44301553e3817cf1f38287ad947e00c",
"revCount": 27, "revCount": 28,
"type": "git", "type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/tasklist" "url": "https://git.dynamicdiscord.de/kalipso/tasklist"
}, },

4
flake.nix
View File

@@ -3,7 +3,7 @@
inputs = { inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -33,7 +33,7 @@
}; };
home-manager= { home-manager= {
url = "github:nix-community/home-manager/release-24.05"; url = "github:nix-community/home-manager/release-24.11";
inputs = { inputs = {
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
}; };

41
machines/.sops.yaml
View File

@@ -8,7 +8,9 @@ keys:
- &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
- &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2 - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
- &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567 - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
creation_rules: creation_rules:
- path_regex: moderatio/secrets/secrets.yaml$ - path_regex: moderatio/secrets/secrets.yaml$
key_groups: key_groups:
@@ -31,6 +33,43 @@ creation_rules:
- pgp: - pgp:
- *admin_kalipso - *admin_kalipso
- *admin_kalipso_dsktp - *admin_kalipso_dsktp
age:
- *machine_durruti - *machine_durruti
- *admin_atlan
- path_regex: vpn/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_vpn
- *admin_atlan
- path_regex: fanny/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_fanny
- *admin_atlan
- path_regex: testvm/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: fanny/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: bakunin/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age: age:
- *admin_atlan - *admin_atlan

37
machines/bakunin/configuration.nix
View File

@@ -1,5 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, inputs, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
@@ -9,6 +12,8 @@
../modules/sshd.nix ../modules/sshd.nix
../modules/minimal_tools.nix ../modules/minimal_tools.nix
../modules/autoupdate.nix ../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.initssh
]; ];
malobeo.autoUpdate = { malobeo.autoUpdate = {
@@ -19,7 +24,19 @@
cacheurl = "https://cache.dynamicdiscord.de"; cacheurl = "https://cache.dynamicdiscord.de";
}; };
boot.loader.systemd-boot.enable = true; malobeo.disks = {
enable = true;
hostId = "a3c3102f";
root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
};
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
};
hardware.sane.enable = true; #scanner support hardware.sane.enable = true; #scanner support
@@ -67,17 +84,13 @@
networking.hostName = "bakunin"; networking.hostName = "bakunin";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
sound.enable = true; security.rtkit.enable = true;
hardware.pulseaudio = { services.pipewire = {
enable = true;
zeroconf.discovery.enable = true;
extraConfig = ''
load-module module-zeroconf-discover
'';
};
services.avahi = {
enable = true; enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
systemWide = true;
}; };

31
machines/bakunin/disk.key Normal file
View File

@@ -0,0 +1,31 @@
{
"data": "ENC[AES256_GCM,data:2/tfkG7SwWNpnqgkFkmUqbAJBF2eN/lfZCK/9VsZag==,iv:Sps+ZIQGveS/zumjVE8VFfVTlNwQJ093eMDndlne2nU=,tag:lW8xcz43jj1XPV6M/0e11g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU003cys0d0d4MXFmVVVH\ndDg1eHZpVjFMeDBGL3JQcjB5a0luSVRaSWtnCmxNOEUyZ2oybkNLdm12ZTVmNUpo\nVCtUem44bXA2dGhURGdyRWxKdUF6OVkKLS0tIDdVbUt2eGVHMHBzOEt6QnRpOXZF\nVWFEUFloRXpIUGJxblpaNUNuTjlLbDQKQii2qUIl72d02D3P0oTDHZQT1srSk6jS\n89XSBy6ND9vP0tGXcZ4a7jghO0Q1OVNe1fm6Ez41lKOuUu77hgOAWg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-14T16:40:57Z",
"mac": "ENC[AES256_GCM,data:M8l4a2SbBikF/tEtGx4ZY13eK3ffM70aUCDYo4ljgTAtQEbGLx1SJM/mrFW325LycFMNOerWhXyipbXPZPw2VfnSJ9dz+bQ53xK7Mpf/bOZs5aQZJpJ1/MJh6lkmR/zPeQXhE08WsyJ1rCRqAfygau2CqdV8ujY5li3jIIDQMcQ=,iv:lJZhTjJAxSky9MrzYldkJOG0dCIzkv4IE3ZKzxgUxvo=,tag:t/grczWX+0sDcsHC5SCd/A==,type:str]",
"pgp": [
{
"created_at": "2025-01-14T16:40:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/S6LvVBsznEqLZbT/UAom1KmfmA3swxAJnQ5tl/vnnix6\nvzs4KSFGZMOQZihEKC/M/og8qTCvlUFBAUMkYLgX+8ehZeZwnnH9V8EDGDIyoWXE\n6AIHP9Ur6yk62gHqmfHlMxFG2A9/A4a+mOvxyKKPDK/AYG0PBaSVMkM6cp7efWwe\n7C6m4BpPRU+3NsNKy/4FkWt9xoFy82K89FqUGC8oZOQW1q+fS7ZIhmnTzzApwILy\n5Y77yBnpPECDYNZdH097bZli6KGWob7aXJ431gyw2OMVQHFb0DlQbKxemo9eWpIr\nnXu2FYrY2D7YxXBGQvXTuNQD3BuvrccOgWAmmi852C1gVVKV+egeOBRq2RYPl6+j\n8TBaNzl0rcvaoWeTJGR142pR9ht9B3aGzXcvCsciZo3SjYyt31J0huzPfv4Dakfn\nyY8BvOaNfugjx0aS6BOZgZiOPlBer86/0FKX469QQAnqL0LRoPyjn53JYUdPdI+s\nCI2WuVynSl7ItiwoKkJK0lgBm0oMhpSiGOC4Z2Bkk2xdpiuXUdMcP6m8OlG9ldCs\n0KrWubh9Ne6CP7etvTkwqWvMuSpCuheToIQ0rp8j21/YdCFX5LpxA3+em0t9M7Is\nV4ZoLnqA2KjI\n=4+Yl\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-14T16:40:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//c/UkuZRpJM5sH1snP8Kidek6nHgC11hUaY1G15a5ap1D\nn9cMIn4xUdfCAN/DoNiE14NzeTDQyawmIV1ZmrYZzItFdNgunf1r9jQNa3EqcWfE\norJS2RwWDrsw7tmx0wyenr9BLefMGJYaJ6Rd7J3j8sXL7aT+SbNw27mmVbYrJiFJ\nYh2usIsxDu2C+dCeTb3J9sKK6F96IbNnj/2Sx8AGYsIQvcpwloCRrnjiEa+hrEBn\nj1I6U4B/NjRGv20PAR1OnQ2OhKVL5UgTJgNKWCLdvGVOQnqJgDNUrrNEBY19wDQL\nQzJEzL21aiyF+8BB3IrtQlntmAIMcUUHTpqIols9rpVJl54yiK1mQ3UqTQPQ2+gd\nu2gtjXXk3FMnVzaI33ZMcxENGHy/+ZdZMfY70/EwJpRvneHTsLr3Z/bHUxavSYdL\nQqbeWLUm7a2/pnOl5JKa9asKYaNBNdmzO/YVgQNhLQzFtHJ9riVN7Ro+S2bocN9Z\npHGCCISAdMDyuFC7aSngnZEwE4NACbQEc8Udu+YCAUIeeBaPI/QWu3n61fZrkxR7\nmik9uJdXnMzKpmNGVQbPurifykDA6Bsqakn69AZQIPyxMtEDBV+pDX0yy3tI5D12\nhksuXSC7fpV/4BsZWKczK9fpDUJMDTFajSSVrSKb4nr2hk49IAZX9rhgbiHmT1LS\nWAHa5YGYUMkVQc59J3uhAjuSckWA/7R7oMhIrL5e/vnnHVR5zFW/auHkDytzZ0d0\nbGdrIRZh81C+yxB1pSJvlUnIWbYnpqhaH3xL+8yARpGZMNi595x0EJM=\n=8puy\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

85
machines/configuration.nix
View File

@@ -3,6 +3,7 @@
, nixpkgs , nixpkgs
, sops-nix , sops-nix
, inputs , inputs
, microvm
, nixos-hardware , nixos-hardware
, home-manager , home-manager
, ... , ...
@@ -34,15 +35,14 @@ let
}; };
}; };
}) })
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
microvm.nixosModules.microvm
]; ];
} }
]; ];
defaultModules = baseModules; defaultModules = baseModules;
makeMicroVM = hostName: ipv4Addr: modules: [ makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
inputs.microvm.nixosModules.microvm
{ {
microvm = { microvm = {
hypervisor = "cloud-hypervisor"; hypervisor = "cloud-hypervisor";
@@ -75,7 +75,7 @@ let
{ {
type = "tap"; type = "tap";
id = "vm-${hostName}"; id = "vm-${hostName}";
mac = "02:00:00:00:00:01"; mac = "${macAddr}";
} }
]; ];
}; };
@@ -93,6 +93,8 @@ let
}; };
} }
] ++ defaultModules ++ modules; ] ++ defaultModules ++ modules;
inputsMod = inputs // { malobeo = self; };
in in
{ {
louise = nixosSystem { louise = nixosSystem {
@@ -109,27 +111,6 @@ in
modules = defaultModules ++ [ modules = defaultModules ++ [
./bakunin/configuration.nix ./bakunin/configuration.nix
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./modules/disko/btrfs-laptop.nix
];
};
fanny = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
modules = defaultModules ++ [
./fanny/configuration.nix
inputs.disko.nixosModules.disko
./modules/disko/fanny.nix
];
};
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "durruti" "10.0.0.5" [
./durruti/configuration.nix
]; ];
}; };
@@ -141,4 +122,58 @@ in
./lucia/hardware_configuration.nix ./lucia/hardware_configuration.nix
]; ];
}; };
fanny = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputsMod;
modules = defaultModules ++ [
self.nixosModules.malobeo.vpn
./fanny/configuration.nix
];
};
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [
./durruti/configuration.nix
];
};
vpn = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [
self.nixosModules.malobeo.vpn
./vpn/configuration.nix
];
};
infradocs = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [
self.nixosModules.malobeo.vpn
./infradocs/configuration.nix
];
};
uptimekuma = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [
./uptimekuma/configuration.nix
];
};
testvm = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = defaultModules ++ [ ./testvm ];
};
} }

9
machines/durruti/documentation.nix
View File

@@ -8,6 +8,15 @@
{ addr = "0.0.0.0"; port = 9000; } { addr = "0.0.0.0"; port = 9000; }
]; ];
root = "${self.packages.x86_64-linux.docs}/share/doc"; root = "${self.packages.x86_64-linux.docs}/share/doc";
extraConfig = ''
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
}; };
}; };

16
machines/durruti/host_config.nix
View File

@@ -36,7 +36,21 @@ in
services.nginx.virtualHosts."docs.malobeo.org" = { services.nginx.virtualHosts."docs.malobeo.org" = {
forceSSL = true; forceSSL = true;
enableACME= true; enableACME= true;
locations."/".proxyPass = "http://${cfg.host_ip}:9000"; locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
'';
};
};
services.nginx.virtualHosts."status.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.12";
extraConfig = ''
'';
};
}; };
services.nginx.virtualHosts."tasklist.malobeo.org" = { services.nginx.virtualHosts."tasklist.malobeo.org" = {

95
machines/durruti/secrets.yaml
View File

@@ -7,75 +7,64 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ
aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4
THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV
azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/
kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM
LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi
bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv
SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ
45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw== Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-26T10:07:26Z" lastmodified: "2024-06-26T10:07:26Z"
mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str] mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
pgp: pgp:
- created_at: "2024-11-14T13:03:00Z" - created_at: "2024-12-19T15:09:01Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+ hQGMA5HdvEwzh/H7AQv+K+G7MhXO0RlQENydEstPcMV5vAgkzL06kiN3wXpeOPmj
nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80 2gwdNcbOLtcXV8a4mH6xGZPkKOV8xjkybp7Myicll6YDs+4Uw3qRTUmCyZ0BC2Wc
1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F WDrTMz/lCx1gZGVa99KgHaLmALhZbEO/R08qW52Xkwmcvg1GdM22RtB12L+c8JPB
u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ +RR/pLR4UCTfN21uS2CJ33bJnAayfi+s/maGYsElZkH/zoPtDBxF/ntk7g/xeN13
sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt Jymg1Ofmjm8JT0FPe8RE7Er/qXlxsG46GVj964chCtljz3NgL76tgC207E8CLUJq
j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V rVqGKU0PO6h924uNmVON+JI1CeyCsjejsFOGaS8kOEAwEgCoeICqiqkTbtUCU21K
ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v 4C7J3mFwhAL+F2IueOY8NZxEV4tMJoY6JZ8c8wtM4Gl6JePlkFRX8LhuO/Bw2VJ9
M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP cuGlkIIg3pA94U6Hql7LwLZbIkquI7SWGx7IHOhk/4qtCUlEn4t40JdN4PbA0bz2
FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z Cde3+6zFOkX0m1BXkj4f0lgBIOfcPsXmY8ho4isVd9+v7arbE2WSZ6IBG75cx0a1
jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx 4LYx3QWTLlujiDIc5arhBgpB2ceO8lFTARnoLLqG6y1T+w6UNoVHQZ4n987SpWkk
bxCHPCFfvmX/ EKQxUDnO8Nvb
=3wBJ =1PHB
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-11-14T13:03:00Z" - created_at: "2024-12-19T15:09:01Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3 hQIMA98TrrsQEbXUARAAhfUKm9iR11pU0U44IDfwa7NRRurim8GOPX4FWwJJORNL
Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR q85xGM0jA/k8JRsOdsjfHb4/khHtG8cl+t09nEBxTeeb7mKdiOXfsxrvHEf6qeUw
731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn F/DQGoaxk+ISXW4iMcV0CPYciLb7kSHCqVFovmmTGlI9fMXryKl3UpP/nzzz9Zk2
o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG 5cXLmbQqeQVsp17Dw5x7rglkTlx8+W7Z1tDHlHrycxzh6LYpJ7QX54EHM8JgMjw/
dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t WREO0qnJMt6C0qp8e3KWhYhMHIidM3WexJR9ixBICxevy0QwvNult0ryOZMc+nTY
4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3 48sXxCTebnLspiFBS5OsagGxNgwMixydfKv0ci8E7FyB84jwq7XriiQRzYfzU/6L
NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4 wEPapKrXno0F7wyiiesl/HKdLkOujFIhAl7P1ZNHQLcDuzDCqSo2xd7dbUsbPLcR
FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD BUNcfc0VK3TEJks1lXkO5C1PeYEy+NgsJnEQ2lrnAbmKDxpH6qOA2KSGh12uZnHp
pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1 7kk/hRclVnygkcQc6j71eOyprQms2VjU6fVy2dED+ucjvogrceWWSUkuP6GQEqZV
Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB bPhLxpMMw6cIWcTLZIEqLRQv9EqibIFEohkUh9A2TL7XxPb6MEhsRXKTsmMqzdiH
M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S /xUwxH3w0w8CrEheVvxGxQi7B4XWC9jHGN+KvJGisrLeGpl/wJ8NKcqOSasB4fLS
WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P WAHQxsAnNtNj5rV/BQJHr8lvX+ebJkMpCEBmIdQUeX4WVegr3HkDF34EWoqVfzV2
+x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo= T0ZUaCXNI+tdmvJji9MPd1ZFrTgF5XuFjQxMP1uPI6gannH9InvBXvY=
=4vnh =5AlZ
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-14T13:03:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
=FLuF
-----END PGP MESSAGE-----
fp: 4095412245b6efc14cf92ca25911def5a4218567
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

59
machines/fanny/configuration.nix
View File

@@ -1,6 +1,11 @@
{ config, pkgs, ... }: { inputs, config, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{ {
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
#./hardware-configuration.nix #./hardware-configuration.nix
@@ -8,6 +13,9 @@
../modules/sshd.nix ../modules/sshd.nix
../modules/minimal_tools.nix ../modules/minimal_tools.nix
../modules/autoupdate.nix ../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.microvm
]; ];
malobeo.autoUpdate = { malobeo.autoUpdate = {
@@ -18,10 +26,52 @@
cacheurl = "https://cache.dynamicdiscord.de"; cacheurl = "https://cache.dynamicdiscord.de";
}; };
boot.loader.systemd-boot.enable = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
malobeo.disks = {
enable = true;
hostId = "a3c3101f";
root = {
disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
};
storage = {
disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
mirror = true;
};
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
};
services.malobeo.vpn = {
enable = true;
name = "fanny";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.malobeo.microvm.enableHostBridge = true;
services.malobeo.microvm.deployHosts = [ "infradocs" ];
networking = {
firewall = {
allowedTCPPorts = [ 80 ];
};
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.0.0.11:9000";
extraConfig = ''
'';
};
};
};
services.tor = { services.tor = {
enable = true; enable = true;
client.enable = true; client.enable = true;
@@ -33,7 +83,6 @@
services.acpid.enable = true; services.acpid.enable = true;
networking.hostName = "fanny"; networking.hostName = "fanny";
networking.hostId = "1312acab";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
virtualisation.vmVariant.virtualisation.graphics = false; virtualisation.vmVariant.virtualisation.graphics = false;

31
machines/fanny/disk.key Normal file
View File

@@ -0,0 +1,31 @@
{
"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-05T19:35:48Z",
"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
"pgp": [
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

68
machines/fanny/secrets.yaml Normal file
View File

@@ -0,0 +1,68 @@
wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T12:41:07Z"
mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
pgp:
- created_at: "2025-01-14T12:32:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8
5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO
8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN
zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA
cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O
/MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24
9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict
iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k
UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p
Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N
J+o9dahBHvIF
=GKm4
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-14T12:32:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs
W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF
e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR
GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q
yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM
wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap
FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT
cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul
QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2
MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB
5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS
WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw
CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE=
=9FN4
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

20
machines/infradocs/configuration.nix Normal file
View File

@@ -0,0 +1,20 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "infradocs";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../durruti/documentation.nix
../modules/malobeo_user.nix
../modules/sshd.nix
];
system.stateVersion = "22.11"; # Did you read the comment?
}

16
machines/louise/configuration.nix
View File

@@ -67,17 +67,13 @@
networking.hostName = "louise"; networking.hostName = "louise";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
sound.enable = true; security.rtkit.enable = true;
hardware.pulseaudio = { services.pipewire = {
enable = true;
zeroconf.discovery.enable = true;
extraConfig = ''
load-module module-zeroconf-discover
'';
};
services.avahi = {
enable = true; enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
systemWide = true;
}; };

12
machines/lucia/configuration.nix
View File

@@ -20,14 +20,6 @@ in
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default) # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = false;
boot.loader.raspberryPi.version = 3;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.firmwareConfig = ''
dtparam=audio=on
hdmi_ignore_edid_audio=1
audio_pwm_mode=2
'';
# Enables the generation of /boot/extlinux/extlinux.conf # Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true; boot.loader.generic-extlinux-compatible.enable = true;
@@ -39,12 +31,8 @@ in
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
# hardware audio support:
sound.enable = true;
services = { services = {
dokuwiki.sites."wiki.malobeo.org" = { dokuwiki.sites."wiki.malobeo.org" = {
enable = true; enable = true;
#acl = "* @ALL 8"; # everyone can edit using this config #acl = "* @ALL 8"; # everyone can edit using this config

7
machines/lucia/secrets.yaml
View File

@@ -1,5 +1,6 @@
hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str] hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str] njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -15,8 +16,8 @@ sops:
aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3 aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ== f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-24T15:09:51Z" lastmodified: "2024-11-14T18:10:54Z"
mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str] mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
pgp: pgp:
- created_at: "2024-11-14T13:02:46Z" - created_at: "2024-11-14T13:02:46Z"
enc: |- enc: |-
@@ -77,4 +78,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.8.1

278
machines/modules/disko/default.nix Normal file
View File

@@ -0,0 +1,278 @@
{config, inputs, lib, ...}:
let
cfg = config.malobeo.disks;
in
{
imports = [inputs.disko.nixosModules.disko];
options.malobeo.disks = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable disko disk creation";
};
hostId = lib.mkOption {
type = lib.types.str;
default = "";
description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
};
encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Allows encryption to be disabled for testing";
};
devNodes = lib.mkOption {
type = lib.types.str;
default = "/dev/disk/by-id/";
description = ''
where disks should be mounted from
https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux
use "/dev/disk/by-path/" for vm's
'';
};
root = {
disk0 = lib.mkOption {
type = lib.types.str;
default = "";
description = "name ab /dev für root dateisystem";
};
disk1 = lib.mkOption {
type = lib.types.str;
default = "";
description = "name ab /dev für eventuellen root mirror";
};
swap = lib.mkOption {
type = lib.types.str;
default = "8G";
description = "size of swap partition (only disk0)";
};
reservation = lib.mkOption {
type = lib.types.str;
default = "20GiB";
description = "zfs reservation";
};
mirror = lib.mkOption {
type = lib.types.bool;
default = false;
description = "mirror zfs root pool";
};
};
storage = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable storage pool";
};
disks = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "name ab /dev/ für storage pool";
example = "ata-ST16000NE000-2RW103_ZL2P0YSZ";
};
reservation = lib.mkOption {
type = lib.types.str;
default = "20GiB";
description = "zfs reservation";
};
mirror = lib.mkOption {
type = lib.types.bool;
default = false;
description = "mirror zfs storage pool";
};
};
};
config = lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
}) cfg.storage.disks
)
))
];
zpool = {
zroot = {
type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd";
"com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
};
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" storage/encrypted;
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
};
type = "zfs_fs";
};
};
};
};
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
};
}

141
machines/modules/disko/fanny.nix
View File

@@ -1,141 +0,0 @@
{
disko.devices = {
disk = {
ssd = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
hdd0 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
hdd1 = {
type = "disk";
device = "/dev/sdc";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
mode = "";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
rootFsOptions = {
compression = "zstd";
"com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "file:///tmp/root.key";
};
# use this to read the key during boot
postCreateHook = ''
zfs set keylocation="prompt" "zroot/$name";
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
};
};
};
storage = {
type = "zpool";
mode = "mirror";
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = "aes-256-gcm";
keyformat = "passphrase";
keylocation = "file:///tmp/storage.key";
};
# use this to read the key during boot
postCreateHook = ''
zfs set keylocation="prompt" "zroot/$name";
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
};
};
};
};
};
}

66
machines/modules/malobeo/initssh.nix Normal file
View File

@@ -0,0 +1,66 @@
{ config, lib, pkgs, ... }:
let
cfg = config.malobeo.initssh;
inherit (config.networking) hostName;
in
{
options.malobeo.initssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable initrd-ssh";
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Authorized keys for the initrd ssh";
};
ethernetDrivers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169";
};
};
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
systemd = {
enable = true;
network.enable = true;
};
network.ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd";
};
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
};
};
}

39
machines/modules/malobeo/peers.nix Normal file
View File

@@ -0,0 +1,39 @@
{
"vpn" = {
role = "server";
publicIp = "5.9.153.217";
address = [ "10.100.0.1/24" ];
allowedIPs = [ "10.100.0.0/24" ];
listenPort = 51821;
publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
persistentKeepalive = 25;
};
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.2/32" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
"desktop" = {
role = "client";
address = [ "10.100.0.3/24" ];
allowedIPs = [ "10.100.0.3/32" ];
publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
};
"atlan-pc" = {
role = "client";
address = [ "10.100.0.5/24" ];
allowedIPs = [ "10.100.0.5/32" ];
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
};
"fanny" = {
role = "client";
address = [ "10.100.0.101/24" ];
allowedIPs = [ "10.100.0.101/32" ];
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
};
}

101
machines/modules/malobeo/wireguard.nix Normal file
View File

@@ -0,0 +1,101 @@
{ config, self, lib, inputs, options, pkgs, ... }:
with lib;
let
cfg = config.services.malobeo.vpn;
peers = import ./peers.nix;
myPeer = if cfg.name == "" then peers.${config.networking.hostName} else peers.${cfg.name};
peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
peerListWithEndpoint = map (host:
if host.role == "server" then
host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
else
host
) peerList;
filteredPeerlist = map (host: builtins.removeAttrs host [
"role"
"address"
"listenPort"
"publicIp"
] ) peerListWithEndpoint;
in
{
options = {
services.malobeo.vpn = {
enable = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
};
autostart = mkOption {
default = true;
type = types.bool;
description = lib.mdDoc "whether to autostart vpn interface on boot";
};
name = mkOption {
default = "";
type = types.str;
description = ''
Name of the host in peers.nix, if empty uses hostname
'';
};
privateKeyFile = mkOption {
default = "";
type = types.str;
description = ''
Path to private key
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = !(myPeer.role != "client" && myPeer.role != "server");
message = ''
VPN Role must be either client or server, nothing else!
'';
}
];
boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf (myPeer.role == "server") 1;
networking.wg-quick = {
interfaces = {
malovpn = {
mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
address = myPeer.address;
autostart = cfg.autostart;
listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postUp = mkIf (myPeer.role == "server") ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
'';
# This undoes the above command
postDown = mkIf (myPeer.role == "server") ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
'';
privateKeyFile = cfg.privateKeyFile;
peers = filteredPeerlist;
};
};
};
#networking.nat = mkIf (myPeer.role == "server"){
# enable = true;
# internalInterfaces = [ "microvm" ];
# externalInterface = "eth0"; #change to your interface name
#};
};
}

2
machines/modules/malobeo_user.nix
View File

@@ -6,7 +6,7 @@ in
{ {
users.users.malobeo = { users.users.malobeo = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "pulse-access" "scanner" "lp" ]; extraGroups = [ "pipewire" "wheel" "pulse-access" "scanner" "lp" ];
openssh.authorizedKeys.keys = sshKeys.admins; openssh.authorizedKeys.keys = sshKeys.admins;
initialPassword = "test"; initialPassword = "test";
}; };

59
machines/testvm/default.nix Normal file
View File

@@ -0,0 +1,59 @@
{ config, pkgs, inputs, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.disko
];
boot.initrd.systemd.enable = true;
boot.loader.systemd-boot.enable = true;
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["virtio_net"];
};
malobeo.disks = {
enable = true;
encryption = false;
hostId = "83abc8cb";
devNodes = "/dev/disk/by-path/";
root = {
disk0 = "disk/by-path/pci-0000:04:00.0";
swap = "1G";
reservation = "1G";
mirror = false;
};
storage = {
enable = true;
disks = ["disk/by-path/pci-0000:08:00.0" "disk/by-path/pci-0000:09:00.0"];
reservation = "1G";
mirror = true;
};
};
boot.initrd.kernelModules = ["virtio_blk" "zfs" "virtio_console" "virtio_pci" "virtio" "virtio_net"];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "testvm";
networking.networkmanager.enable = true;
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}

31
machines/testvm/disk.key Normal file
View File

@@ -0,0 +1,31 @@
{
"data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-12-31T02:35:20Z",
"mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]",
"pgp": [
{
"created_at": "2024-12-31T02:35:05Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2024-12-31T02:35:05Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

37
machines/uptimekuma/configuration.nix Normal file
View File

@@ -0,0 +1,37 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "uptimekuma";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
];
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts."status.malobeo.org" = {
locations."/" = {
proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
'';
};
};
};
services.uptime-kuma = {
enable = true;
};
system.stateVersion = "22.11"; # Did you read the comment?
}

45
machines/vpn/configuration.nix Normal file
View File

@@ -0,0 +1,45 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
networking = {
hostName = mkDefault "vpn";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
firewall = {
allowedUDPPorts = [ 51821 ];
allowedTCPPorts = [ 80 ];
};
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
];
services.malobeo.vpn = {
enable = true;
name = "vpn";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
extraConfig = ''
'';
};
};
};
system.stateVersion = "22.11"; # Did you read the comment?
}

68
machines/vpn/secrets.yaml Normal file
View File

@@ -0,0 +1,68 @@
wg_private: ENC[AES256_GCM,data:uuBYbOTiThZYiNetM+FOLFVMr/HII9otG4FvN5YvuRErvNjgmAYxVncV71k=,iv:Sy3HAEcALod2pL4IZ/GSjVybLAviOoO+DsW8OROzgTg=,tag:hynRmiilafVzWCjx2Xoxhw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua1FUY1pZamY5R1ExOC8r
cUU4VE9VVUJjeEdXNEJnMUM5WEtUL0E2NWhZCm5xTXZ2WnhFcXRGVkdQNHlTcDBC
cTlySDcxaGJXOFl0UWJ6RlYzekdJaU0KLS0tIEo1RmVIZG9mOGpJM2NlOEQyKzNG
a0FsVGh6TlBBWG5qNTBFWVVWb3U2ZUEKp6Rfi5h1j9+nosARUcuVFUDLajaHf5SK
PFDpyy+n1msB4E+Yuku6ySxyf58TqPvy/JnVA7Nhkmir7IngIdfX1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT2hGalZFaktoUHdJRXJy
dlg0NVZxNSsvV0VsQndOV2VqZHJzcnI3cFEwCmg0eHl0djNpcmVSaHlEM2h0R2dm
QzRveGlpbldYeFFQdmVHSlVtU1FhcGsKLS0tIHFnZ0xyaDRidE5naElnNWNOZmM2
RUpHanJrOUx1endqRytjOW9VV1dLQ1UKcS6MhvTHTn+3sCh/wrMDw4z5aYHmKbER
n/doy/gDtIWeIlw9TPNdCtOu/P/atNnrjvpTDCU1i+H86fODFmu5zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T22:01:22Z"
mac: ENC[AES256_GCM,data:ctpzk2gUHSLThmZpRFwIBKX+SfwKt8/V8AWQbPnoBqJ9KwuHcRKkkT2yEMx3l2qKUy7DgrqRXhSVGbF57poXC9nshyjXMrrjMQA4PBB7a3SAwgpcX6j+aEx0xIt8GTUVxcn0xDvbP9xJ+adeACLUvkE+a4EB1jtdsL/iacxlv5Y=,iv:Zw+sG7oXmPRGa2jWc+mloGMBq6CnDQgz5x7ke5paeW8=,tag:RtfGmrSt8U8Je7Dq9FQGTg==,type:str]
pgp:
- created_at: "2024-12-19T15:09:08Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/bueAXskPGUYQwlmujEEdjh2o3yGxTScqCEwYbghRPbf+
a59WXJMtIkOCxRF0bkyfoKLudJJeWRteBfN3aqdUKtFqr4g7PfavLmipRaqm1cmJ
EswakDt4raLx2C4HAyZvaab4fzA592tqpGU5RBRmwtkxjfCL0bY6zV/FHmk7NzYg
RAaEChpaUGXSTmwDiXJn1FJ1QwOSTlKm0ccoUbB1MSHi8A3LqH0lEHPqq5mb3Yhx
XIvOKPTZ+ODX9duLOQrAPWAfOShcyjd8SAA+uygJ7PYnXeN9HpuROcl4WEB1mpKa
h2AGwtUpOC9tpqKJ3kueBUePpsSHM9s1qmeImItSycFHzlB/hnuFQFndhV6I2yaP
lDs/Vpsfoeq3/ufR4Cajqwd7Q6dRGmf71/Sk6QhjXZQapGRcIfGWlOMcHn/z+ura
PPn2EtTxkgzp9G8ksOdTzIoriM7RmosC7N1BgSpw+vRUXn4dNhHN4h9LcR9XsX0u
lUJXfAc5DOl0bkpJ0y1B0lgBldvxchsMsg4RS2GNhIs20gjMfFLs4eRlcXU8Yps5
HizBAKW5frOePfzVM+GD30IstOd/pJPYrRCzg7Ym1oY/+IZTLfK/7MW2bvtP5IJy
LN6uk4NCOKwA
=Mdnc
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-12-19T15:09:08Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ//bvRwMD4xzEq9wihdYG/XHb72Y8RYzHLA1/okH0Kfe9wW
DomZhwi/VPoLf8RWTZfa0/S1PnPyOZdfEP46ZM2WSksNydMidqY7fOuFYxTI5cRG
javuZjAH0ZyMMG3J+Y+zzFCFRMBT8n5yDtv+bDbi1T16SJj0gpYW2IIEglOudPVl
vDM6bqHD5UefHtxhYGRnPaxqenLxCoNYq4DAx8+8DoIj7RTg4+rjrglW16G7KU5n
t7acEiD+J0fXeQM7bLTYuiI0gSkaftSuQ1GVEDgw6M80pSdWfrqE5xue+8t3MPDA
UGQGjXxG4ykOV5Wggs3EjOVkscgmQxWJgMYNanCZJEy36WWlzPnG59O1kiXW+6AQ
TCy4ZXb3SyUJ1kSoI9pJ3PSaADaID9rDgIn+IkIfY0E+QVrw9qL4qN0rqISx++EW
XOBucRspIqcXzFGikuz4yIwLBWVAqGhr5iKge8FVjBPVUX+JPgJjFw25fAFZkkds
mJDAkbzJh6iALxSIoj++kPIw+f4xQXKPPPLJiJzpuWAcZJiA3WM10iakGyuKmYPL
qVgwo1hXOVODwbkBvztJOGIMqMXNLQP9A45kpNjFuyPn8WcignmvoFXtGbr9BtCY
sZAZrDFw/JxVLVPSM3duKC6R8r8MQfp1ZNVLU9fMzqfReu+6gD5biESM+rnYC4TS
WAGB3htm92PRqdsJnDrgO8kzi9fHNxo0htj9fmo8ipNY+eeLfrAW6ocqPMBzCuyf
3EbF+PS9PRg0lHyjkBC2pF6PD8DHVL/2OTSpWOZdp8FCqogZg7e7dMI=
=vQSV
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

19
outputs.nix
View File

@@ -20,6 +20,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
let let
sops = sops-nix.packages."${pkgs.system}"; sops = sops-nix.packages."${pkgs.system}";
microvmpkg = microvm.packages."${pkgs.system}"; microvmpkg = microvm.packages."${pkgs.system}";
installed = builtins.attrNames self.legacyPackages."${pkgs.system}".scripts;
in in
pkgs.mkShell { pkgs.mkShell {
sopsPGPKeyDirs = [ sopsPGPKeyDirs = [
@@ -37,8 +38,13 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
pkgs.mdbook pkgs.mdbook
microvmpkg.microvm microvmpkg.microvm
]; ];
packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
};
legacyPackages = {
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
}; };
packages = { packages = {
docs = pkgs.stdenv.mkDerivation { docs = pkgs.stdenv.mkDerivation {
name = "malobeo-docs"; name = "malobeo-docs";
@@ -112,10 +118,13 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
self = self; self = self;
}); });
nixosModules.malobeo.imports = [ nixosModules.malobeo = {
./machines/durruti/host_config.nix host.imports = [ ./machines/durruti/host_config.nix ];
./machines/modules/malobeo/microvm_host.nix microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
]; vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
disko.imports = [ ./machines/modules/disko ];
};
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) ( hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
let let

61
scripts/remote-install-encrypt.sh Executable file
View File

@@ -0,0 +1,61 @@
set -o errexit
set -o pipefail
if [ $# -lt 2 ]; then
echo
echo "Install NixOS to the host system with secrets and encryption"
echo "Usage: $0 <hostname> <ip> (user)"
exit 1
fi
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
hostname=$1
ipaddress=$2
# Create a temporary directory
temp=$(mktemp -d)
# Function to cleanup temporary directory on exit
cleanup() {
rm -rf "$temp"
}
trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
# # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"
# Install NixOS to the host system with our secrets and encription
# optional --build-on-remote
if [ $# = 3 ]
then
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
else
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
fi

44
scripts/unlock-boot.sh Normal file
View File

@@ -0,0 +1,44 @@
set -o errexit
set -o pipefail
sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
HOSTNAME=$1
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
echo
if [ $# = 1 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
else
echo
echo "Unlock the root disk on a remote host."
echo "Usage: $0 <hostname> [ip]"
echo "If an IP is not provided, the hostname will be used as the IP address."
exit 1
fi