kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:issue31
Branches Tags
kalipso:master kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
..
compare: kalipso:fdb9980176c0acd74327e809b295152a04a290c2
Branches Tags
kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

2 Commits
issue31 ... fdb9980176

Author SHA1 Message Date
ahtlon
fdb9980176 add malo user password
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m16s
Details
2025-01-28 12:04:40 +01:00
ahtlon
dfd8eb9c15 Add malo user module 2025-01-28 11:58:38 +01:00
7 changed files with 304 additions and 213 deletions
Expand all files Collapse all files

7
machines/.sops.yaml
View File

@@ -100,3 +100,10 @@ creation_rules:
- *admin_kalipso_dsktp - *admin_kalipso_dsktp
age: age:
- *admin_atlan - *admin_atlan
- path_regex: modules/malobeo/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan

5
machines/bakunin/configuration.nix
View File

@@ -26,7 +26,6 @@ in
malobeo.disks = { malobeo.disks = {
enable = true; enable = true;
legacy = true;
hostId = "a3c3102f"; hostId = "a3c3102f";
root = { root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ"; disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
@@ -34,7 +33,9 @@ in
}; };
malobeo.initssh = { malobeo.initssh = {
enable = false; enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
}; };
hardware.sane.enable = true; #scanner support hardware.sane.enable = true; #scanner support

381
machines/modules/disko/default.nix
View File

@@ -20,11 +20,6 @@ in
default = true; default = true;
description = "Allows encryption to be disabled for testing"; description = "Allows encryption to be disabled for testing";
}; };
legacy = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable legacy boot (bios)";
};
devNodes = lib.mkOption { devNodes = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/dev/disk/by-id/"; default = "/dev/disk/by-id/";
@@ -86,220 +81,198 @@ in
}; };
}; };
config = lib.mkMerge [ config = lib.mkIf cfg.enable {
(lib.mkIf (cfg.enable && !cfg.legacy) { networking.hostId = cfg.hostId;
boot = { disko.devices = {
loader.systemd-boot.enable = true; disk = lib.mkMerge [
loader.efi.canTouchEfiVariables = true; {
supportedFilesystems = [ "vfat" "zfs" ]; ssd0 = lib.mkIf (cfg.root.disk0 != "") {
}; type = "disk";
fileSystems."/boot".neededForBoot = true; device = "/dev/${cfg.root.disk0}";
}) content = {
(lib.mkIf (cfg.enable && cfg.legacy) { type = "gpt";
boot.loader.grub = { partitions = {
enable = lib.mkForce true; ESP = {
device = "/dev/${cfg.root.disk0}-part1"; size = "1024M";
efiSupport = false; type = "EF00";
enableCryptodisk = cfg.encryption;
zfsSupport = true;
};
})
(lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = lib.mkIf (!cfg.legacy) {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
boot = lib.mkIf cfg.legacy {
size = "1024M";
type = "EF02";
};
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = { content = {
type = "gpt"; type = "filesystem";
partitions = { format = "vfat";
zfs = { mountpoint = "/boot";
size = "100%"; mountOptions = [ "umask=0077" ];
content = { };
type = "zfs"; };
pool = "storage"; encryptedSwap = {
}; size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
}; };
}; };
}; };
}; };
}) cfg.storage.disks };
) }) cfg.storage.disks
)) )
]; ))
];
zpool = { zpool = {
zroot = { zroot = {
type = "zpool"; type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror"; mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests # Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none"; options.cachefile = "none";
rootFsOptions = { rootFsOptions = {
mountpoint = "none"; mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd"; compression = "zstd";
"com.sun:auto-snapshot" = "false"; "com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
}; };
storage = lib.mkIf cfg.storage.enable { datasets = {
type = "zpool"; encrypted = {
mode = lib.mkIf (cfg.storage.mirror) "mirror"; type = "zfs_fs";
rootFsOptions = { options = {
mountpoint = "none"; mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount encryption = lib.mkIf cfg.encryption "aes-256-gcm";
acltype = "posixacl"; # für microvm virtiofs mount keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
}; };
datasets = { "encrypted/root" = {
encrypted = { type = "zfs_fs";
type = "zfs_fs"; mountpoint = "/";
options = { options.mountpoint = "legacy";
mountpoint = "none"; };
encryption = lib.mkIf cfg.encryption "aes-256-gcm"; "encrypted/var" = {
keyformat = lib.mkIf cfg.encryption "passphrase"; type = "zfs_fs";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key"; mountpoint = "/var";
}; options.mountpoint = "legacy";
# use this to read the key during boot };
postCreateHook = lib.mkIf cfg.encryption '' "encrypted/etc" = {
zfs set keylocation="file:///root/secret.key" storage/encrypted; type = "zfs_fs";
''; mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
}; };
"encrypted/data" = { type = "zfs_fs";
type = "zfs_fs"; };
mountpoint = "/data"; };
};
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
}; };
reserved = { # use this to read the key during boot
# for cow delete if pool is full postCreateHook = lib.mkIf cfg.encryption ''
options = { zfs set keylocation="file:///root/secret.key" storage/encrypted;
canmount = "off"; '';
mountpoint = "none"; };
reservation = "${cfg.storage.reservation}"; "encrypted/data" = {
}; type = "zfs_fs";
type = "zfs_fs"; mountpoint = "/data";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
}; };
type = "zfs_fs";
}; };
}; };
}; };
}; };
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes; boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ]; boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
fileSystems."/".neededForBoot = true;
fileSystems."/".neededForBoot = true; fileSystems."/etc".neededForBoot = true;
fileSystems."/etc".neededForBoot = true; fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true; fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true; fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true; fileSystems."/nix".neededForBoot = true;
}) };
];
} }

3
machines/modules/malobeo/initssh.nix
View File

@@ -26,6 +26,9 @@ in
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) { config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = { boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = { zfs = {
requestEncryptionCredentials = true; requestEncryptionCredentials = true;
}; };

7
machines/modules/malobeo/peers.nix
View File

@@ -30,13 +30,6 @@
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y="; publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
}; };
"hetzner" = {
role = "client";
address = [ "10.100.0.6/24" ];
allowedIPs = [ "10.100.0.6/32" ];
publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
};
"fanny" = { "fanny" = {
role = "client"; role = "client";
address = [ "10.100.0.101/24" ]; address = [ "10.100.0.101/24" ];

59
machines/modules/malobeo/secrets.yaml Normal file
View File

@@ -0,0 +1,59 @@
malobeoUserPassword: ENC[AES256_GCM,data:/w9Q89njBL5eL8RU6IhOxegJqtvBmx/R2+b7+asop98PN4SZn3r53lagM/3UiNnbde/Mh1/3T3OtddNFTh+v64NNzMdKE65T/A==,iv:8o97dDxA6GHkFN0uAfbdG0DnatoiP3ytEGLTHOOZe0w=,tag:Jl2EPOooYdnSfyfOr9Pn2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b2lTY1hhTUwxalZ6bHJJ
aUpUelB6K0hweW8rWXJzaTVKWC94Q0E4c2hRCnBaM3hwTkxwWGZjUCtycTR0aFJr
QXZPVkNjK2dIOWpHYUhxd2x6cW9MMTgKLS0tIEh4N2d5TEZuK2RRMklxRGNlOTFP
ZCtqbzVZYnB4WTh1RUt4V0FPYzRualUKh3lyO+Ow2698jZ05PZjeKK5CnuUnIAJ2
IdBRJNhalleoJPdQnsq/Yj3aewXtIYDdXKnhN4QdEfbQnrIrm1B7FQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-28T11:04:06Z"
mac: ENC[AES256_GCM,data:ZfWuWafknBtaLPjpujLfFjh4oRIk6Bq521NnI1woEamV1MZ53AbmGqZRroW4mAz2uI1KA3RSX7CLvFjJRzQiCBA/OblD89xGNEsQdRvsMCfkEGN85TgV5RVZ+Iqi/VoSXQUc4WcUZenBtgua8p84Ujikr/XT08dEB8hNVAOsSaw=,iv:fVX8LyxT3QkogpF/zRUY0LWzemp6ugrlK2eTag8jtWk=,tag:9kIXxg2hI1+D4XXx/ZPILw==,type:str]
pgp:
- created_at: "2025-01-28T11:02:47Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv+JmOlIv1eupyfTV+T0jpZ0Ux49fjTP8xo/6aBNrukFFej
1JNX7Y57c5jUPUIWYX/obbhrT0yOj5w7yiA2lOO4ZUoHswDs70F7kuEXfdlEiL+Y
R2Zl5aAL+1Q0ydmjEG/P11H/ts0csHJTFwf6bR463Kv8yn8wjrpZKWcBTWoKzxbQ
LfEiDZ5F4FAjRJFgJRioWdUWCnMTaWWM6hQRathbVIi0DgddjzDma7I1l8qdsEEX
rh5y+SQSfajIPn1MxstY3Y8kkYb/LUOXIGGDxJV5UOuem8z2O0wiHsuRGtNAmQVJ
O0XjRALgoXbLFZYvej5xkDBvkr13JsJsa7P9IrVChF72ktFhWjPd5ALM63L3Rj//
voFD3JXmwOZsgsy+0wgfWwYb89xKcrLSrNkZKXFfLM1fUGx3huOw3YYqH35IccHe
KVPB0w5NkFRjq0Ubs9M/FpdspZPZmUgz6Y3hNUdSPsmd8+KWdDqFX0Nijv4dW/5k
1lMNcr6K/bHY9mWpqhsF0lgBfV1uX9Gw+rPVxpfbAmrqScw4XOnsYRhr39Ew2jyr
FY+EDPYj84AlfKCRr21lDOYsEYlxvRRL94LuzaJ5ZPsvc4fSRlLfA6CaTnyMO/Uh
0UaAUmo9gj8D
=oYMG
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-28T11:02:47Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ/+O8kqGBbX22K56L7/TRjZIFsvPKNO89QADDuL8R9cYYug
iKvtCp1rjSkRZZOxEqdLltqlub7Qvm/FmOTTV/Ha97FyLu908ci9FhZhYSIu95PO
VVBKRqEvcjtYj7HV/WbHUPc0KNq3EJ2XmJPAbNel0vbLv5Y5RMCiPK7ZtP5owIX+
Vq5wxu92MUyQOcryqzVnP5Ly7hWjlQEVg88zHtOvzMBf2OtVh10f5xF6nNpxfmXO
ni0UvlzzatLmGX1t9CDchVvRkgvlALZAgwDnFqc3L3HbKlATgaH8Ilr5rEmjt3v1
wWSQWewoEH3BtMgNTvXcVZu4mji9wYTNR2MfrL7eIqkhQzxCgL+vIh9wpNXYN+jO
ghnQKUoGFpM0AnT8OXGODDfOqQd2nkUuySUP+n+N8LnEN021ve5500t4uAjZnASe
kVrNXK+9XUEIDNaWnO9ykRRvB4y41yqf5Pu5FfMtHg5s53ypqox3rSqQMPhwFtVz
HLSQ5iyv2v66RoXUX9Esk+QcTQuDRQpZFzM7v4tyU+IeT7rOe7dC0YEOYRetKApQ
bru47ZS4nPFfaCdOnMr5tmTMwv/dzMDQHeRkxqEKPTyYx56nHjrMRE13PjYUvSbT
aQVoAspsYXhxQ6eDVzGbBlbA1KXS7fbl9Ji0aVWXVS2otdL0hPRd6Nh0Cy0RuLnS
WAF5hbffH9AgRLC8HlAFAsYvf42JSjwpLdeFnGYka8dWZX0ItxLFEOJ1IAyilFy6
mkBFyUYLRwlbExJNEH+WFlbMSDWzZ6eXmuPzUBvhwOC/8AxKvhk8je4=
=x1tN
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

55
machines/modules/malobeo/users.nix Normal file
View File

@@ -0,0 +1,55 @@
{config, lib, pkgs, ...}:
let
cfg = config.malobeo.users;
sshKeys = import ../ssh_keys.nix;
in
{
options.malobeo.users = {
malobeo = lib.mkEnableOption "enable malobeo user";
admin = lib.mkEnableOption "enable admin user";
};
config = lib.mkMerge [
(lib.mkIf cfg.malobeo {
sops.secrets.malobeoUserPassword.neededForUsers = true;
users.users.malobeo = {
isNormalUser = true;
description = "malobeo user, password and ssh access, no root";
extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
openssh.authorizedKeys.keys = sshKeys.admins;
hashedPassword = config.sops.secrets.malobeoUserPassword.path;
};
environment.systemPackages = with pkgs; [];
})
(lib.mkIf cfg.admin {
users.user.admin = {
isNormalUser = true;
description = "admin user, passwordless sudo access, only ssh";
hashedPassword = null;
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [];
security.sudo.extraRules = [
{
users = [ "admin" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
})
{
users.mutableUsers = false;
environment.systemPackages = with pkgs; [
nix-output-monitor
vim
htop
wget
git
pciutils
];
}
];
}