kalipso/infrastructure
1
1
Fork 1
Code Issues 43 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:issue51
Branches Tags
kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver ahtlon:master ahtlon:update-flake-lock
..
compare: ahtlon:5443309d1ca07bbc19968d6a69e0a4f67e7bd460
Branches Tags
ahtlon:master ahtlon:update-flake-lock kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

3 Commits
issue51 ... 5443309d1c

Author SHA1 Message Date
ahtlon
5443309d1c Todo aus readme verschieben 2024-10-24 19:37:17 +02:00
ahtlon
c3de3a93e9 Init leere seiten 2024-10-24 19:36:33 +02:00
ahtlon
e1b31403be Init dokumentation mit mdbook + grobes inhaltsverzeichnis 2024-10-24 19:35:26 +02:00
64 changed files with 477 additions and 2441 deletions
Expand all files Collapse all files

15
.gitea/workflows/eval-hydra-jobs.yml
View File

@@ -1,15 +0,0 @@
name: "Evaluate Hydra Jobs"
on:
pull_request:
push:
jobs:
eval-hydra-jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies for Nix setup action
run: |
apt update -y
apt install sudo -y
- uses: cachix/install-nix-action@v27
- run: nix eval --no-update-lock-file --accept-flake-config .\#hydraJobs

1
.gitignore vendored
View File

@@ -5,4 +5,3 @@ result
*.qcow2
.direnv/
book/
fanny-efi-vars.fd

2
README.md
View File

@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
#### durruti
- nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
- login via ```ssh -p 222 malobeo@5.9.153.217```
- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
- currently is running tasklist in detached tmux session
- [x] make module with systemd service out of that

0
doc/book.toml → book.toml
View File

1
doc/.gitignore vendored
View File

@@ -1 +0,0 @@
book

23
doc/src/SUMMARY.md
View File

@@ -1,23 +0,0 @@
# Summary
- [Index](./Index.md)
- [Info]()
- [Aktuelle Server]()
- [Durruti](./server/durruti.md)
- [Lucia](./server/lucia.md)
- [Hardware]()
- [Netzwerk]()
- [Seiten]()
- [Website](./server/website.md)
- [musik](./projekte/musik.md)
- [TODO](./todo.md)
- [Modules]()
- [Initrd-ssh](./module/initssh.md)
- [Disks](./module/disks.md)
- [How-to]()
- [Create New Host](./anleitung/create.md)
- [Sops](./anleitung/sops.md)
- [MaloVPN](./anleitung/wireguard.md)
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md)

66
doc/src/anleitung/create.md
View File

@@ -1,66 +0,0 @@
# Create host with disko-install
How to use disko-install is described here: https://github.com/nix-community/disko/blob/master/docs/disko-install.md
---
Here are the exact steps to get bakunin running:
First create machines/hostname/configuration.nix
Add hosts nixosConfiguration in machines/configurations.nix
Boot nixos installer on the Machine.
``` bash
# establish network connection
wpa_passphrase "network" "password" > wpa.conf
wpa_supplicant -B -i wlp3s0 -c wpa.conf
ping 8.8.8.8
# if that works continue
# generate a base hardware config
nixos-generate-config --root /tmp/config --no-filesystems
# get the infra repo
nix-shell -p git
git clone https://git.dynamicdiscord.de/kalipso/infrastructure
cd infrastructure
# add the new generated hardware config (and import in hosts configuration.nix)
cp /tmp/config/etc/nixos/hardware-configuration.nix machines/bakunin/
# check which harddrive we want to install the system on
lsblk #choose harddrive, in this case /dev/sda
# run nixos-install on that harddrive
sudo nix --extra-experimental-features flakes --extra-experimental-features nix-command run 'github:nix-community/disko/latest#disko-install' -- --flake .#bakunin --disk main /dev/sda
# this failed with out of memory
# running again showed: no disk left on device
# it seems the usb stick i used for flashing is way to small
# it is only
# with a bigger one (more than 8 gig i guess) it should work
# instead the disko-install tool i try the old method - first partitioning using disko and then installing the system
# for that i needed to adjust ./machines/modules/disko/btrfs-laptop.nix and set the disk to "/dev/sda"
sudo nix --extra-experimental-features "flakes nix-command" run 'github:nix-community/disko/latest' -- --mode format --flake .#bakunin
# failed with no space left on device.
# problem is lots of data is written to the local /nix/store which is mounted on tmpfs in ram
# it seems that a workaround could be modifying the bootable stick to contain a swap partition to extend tmpfs storage
```
# Testing Disko
Testing disko partitioning is working quite well. Just run the following and check the datasets in the vm:
```bash
nix run -L .\#nixosConfigurations.fanny.config.system.build.vmWithDisko
```
Only problem is that encryption is not working, so it needs to be commented out. For testing host fanny the following parts in ```./machines/modules/disko/fanny.nix``` need to be commented out(for both pools!):
```nix
datasets = {
encrypted = {
options = {
encryption = "aes-256-gcm"; #THIS ONE
keyformat = "passphrase"; #THIS ONE
keylocation = "file:///tmp/root.key"; #THIS ONE
};
# use this to read the key during boot
postCreateHook = '' #THIS ONE
zfs set keylocation="prompt" "zroot/$name"; #THIS ONE
''; #THIS ONE
```

84
doc/src/anleitung/microvm.md
View File

@@ -1,84 +0,0 @@
### Declaring a MicroVM
The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
Use durruti as orientation:
``` nix
modules = makeMicroVM "durruti" "10.0.0.5" [
./durruti/configuration.nix
];
```
"durruti" is the hostname.
"10.0.0.5" is the IP assigned to its tap interface.
### Testing MicroVMs locally
MicroVMs can be built and run easily on your local host, but they are not persistent!
For durruti for example this is done by:
``` bash
nix run .\#durruti-vm
```
### Testing persistent microvms
In order to test persistent microvms locally we need to create them using the ```microvm``` command.
This is necessary to be able to mount persistent /etc and /var volumes on those hosts.
Do the following:
Prepare your host by including `microvm.nixosModules.host` in your `flake.nix` [Microvm Docs](https://astro.github.io/microvm.nix/host.html)
```bash
# go into our repo and start the default dev shell (or use direnv)
nix develop .#
# create a microvm on your host (on the example of durruti)
sudo microvm -c durruti -f git+file:///home/username/path/to/infrastructure/repo
# start the vm
sudo systemctl start microvm@durruti.service
# this may fail, if so we most probably need to create /var /etc manually, then restart
sudo mkdir -p /var/lib/microvms/durruti/{var,etc}
# now you can for example get the rsa host key from /var/lib/microvms/durruti/etc/ssh/
# alternatively u can run the vm in interactive mode (maybe stop the microvm@durruti.service first)
microvm -r durruti
# after u made changes to the microvm update and restart the vm
microvm -uR durruti
# deleting the vm again:
sudo systemctl stop microvm@durruti.service
sudo systemctl stop microvm-virtiofsd@durruti.service
sudo rm -rf /var/lib/microvms/durruti
```
### Host Setup
#### Network Bridge
To provide network access to the VMs a bridge interface needs to be created on your host.
For that:
- Add the infrastructure flake as input to your hosts flake
- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
If you want to provide Internet access to the VM it is necessary to create a nat.
This could be done like this:
``` nix
networking.nat = {
enable = true;
internalInterfaces = [ "microvm" ];
externalInterface = "eth0"; #change to your interface name
};
```
#### Auto Deploy VMs
By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
VMs configured using this option will be initialized and autostarted at boot.
Updating still needs to be done imperative, or by enabling autoupdates.nix
The following example would init and autostart durruti and gitea:
``` nix
malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
```

35
doc/src/anleitung/sops.md
View File

@@ -1,35 +0,0 @@
# Sops
## How to add admin keys
- Git:
- Generate gpg key
- Add public key to `./machines/secrets/keys/users/`
- Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
- Age:
- Generate age key for Sops:
```
$ mkdir -p ~/.config/sops/age
$ age-keygen -o ~/.config/sops/age/keys.txt
```
or to convert an ssh ed25519 key to an age key
```
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
```
- Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
- Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`
## How to add host keys
If a new host is created we have to add its age keys to the sops config.
Do the following:
```bash
# ssh into the host and run:
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# create new host with the output of that command in /machines/.sops.yaml
```

55
doc/src/anleitung/wireguard.md
View File

@@ -1,55 +0,0 @@
# MaloVPN
Running in the cloud. To let a host access the VPN you need to do the following:
- generate a wireguard keypair
- add the host to ./machines/modules/malobeo/peers.nix
- enable the malovpn module on the host
## Generate Wireguard keys
Enter nix shell for wg commands `nix-shell -p wireguard-tools`
```bash
umask 077
wg genkey > wg.private
wg pubkey < wg.private > wg.pub
```
Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
## Add host to peers.nix
peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.
- Add your host to /machines/modules/malobeo/peers.nix
- Set the role to "client"
- choose a ip address as 'address' that is not taken already
- set allowedIPs as the others, except we want to limit this host to only access certain peers
- Add your public Key here as string
After that commit your changes and either open a PR or push directly to master
Example:
```nix
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.0/24" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
```
## Enable MaloVPN on Host
Either you configure wireguard manually or use the malobeo vpn module
The 'name' must match your hosts name in peers.nix:
```nix
sops.secrets.private_key = {};
imports = [
malobeo.nixosModules.malobeo.vpn
];
services.malobeo.vpn = {
enable = true;
name = "celine";
privateKeyFile = config.sops.secrets.private_key.path;
};
```
After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist.

117
doc/src/module/disks.md
View File

@@ -1,117 +0,0 @@
# Disks
The disks module can be used by importing `inputs.self.nixosModules.malobeo.disko`
#### `let cfg = malobeo.disks`
#### `cfg.enable` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Enables the disk creation process using the `disko` tool. Set to `true` to initialize disk setup.
#### `cfg.hostId` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The host ID used for ZFS disks. This ID should be generated using a command like `head -c4 /dev/urandom | od -A none -t x4`.
#### `cfg.encryption` (bool)
- **Type:** `bool`
- **Default:** `true`
- **Description:**
Determines if encryption should be enabled. Set to `false` to disable encryption for testing purposes.
#### `cfg.devNodes` (string)
- **Type:** `string`
- **Default:** `"/dev/disk/by-id/"`
- **Description:**
Specifies where the disks should be mounted from.
- Use `/dev/disk/by-id/` for general systems.
- Use `/dev/disk/by-path/` for VMs.
- For more information on disk name conventions, see [OpenZFS FAQ](https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux).
#### `let cfg = malobeo.disks.root`
#### `cfg.disk0` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The device name (beginning after `/dev/` e.g., `sda`) for the root filesystem.
#### `cfg.disk1` (string)
- **Type:** `string`
- **Default:** `""`
- **Description:**
The device name (beginning after `/dev/` e.g., `sdb`) for the optional mirror disk of the root filesystem.
#### `cfg.swap` (string)
- **Type:** `string`
- **Default:** `"8G"`
- **Description:**
Size of the swap partition on `disk0`. This is applicable only for the root disk configuration.
#### `cfg.reservation` (string)
- **Type:** `string`
- **Default:** `"20GiB"`
- **Description:**
The ZFS reservation size for the root pool.
#### `cfg.mirror` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Whether to configure a mirrored ZFS root pool. Set to `true` to mirror the root filesystem across `disk0` and `disk1`.
#### `let cfg = malobeo.disks.storage`
#### `cfg.enable` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Enables the creation of an additional storage pool. Set to `true` to create the storage pool.
#### `cfg.disks` (list of strings)
- **Type:** `listOf string`
- **Default:** `[]`
- **Description:**
A list of device names without /dev/ prefix (e.g., `sda`, `sdb`) to include in the storage pool.
Example: `["disks/by-id/ata-ST16000NE000-2RW103_ZL2P0YSZ"]`.
#### `cfg.reservation` (string)
- **Type:** `string`
- **Default:** `"20GiB"`
- **Description:**
The ZFS reservation size for the storage pool.
#### `cfg.mirror` (bool)
- **Type:** `bool`
- **Default:** `false`
- **Description:**
Whether to configure a mirrored ZFS storage pool. Set to `true` to mirror the storage pool.
## Example Configuration
```nix
{
options.malobeo.disks = {
enable = true;
hostId = "abcdef01";
encryption = true;
devNodes = "/dev/disk/by-id/";
root = {
disk0 = "sda";
disk1 = "sdb";
swap = "8G";
reservation = "40GiB";
mirror = true;
};
storage = {
enable = true;
disks = [ "sdc" "sdd" "disks/by-uuid/sde" ];
reservation = "100GiB";
mirror = false;
};
};
}
```

29
doc/src/module/initssh.md
View File

@@ -1,29 +0,0 @@
# Initrd-ssh
The initssh module can be used by importing `inputs.self.nixosModules.malobeo.initssh`
#### `let cfg = malobeo.initssh`
## cfg.enable
Enable the initssh module
*Default*
false
## cfg.authorizedKeys
Authorized keys for the initrd ssh
*Default*
`[ ]`
## cfg.ethernetDrivers
Ethernet drivers to load in the initrd.
Run ` lspci -k | grep -iA4 ethernet `
*Default:*
` [ ] `
*Example:*
`[ "r8169" ]`

2
doc/src/server/durruti.md
View File

@@ -1,2 +0,0 @@
# Durruti
Hetzner Server

2
doc/src/server/lucia.md
View File

@@ -1,2 +0,0 @@
# Lucia
Lokaler Raspberry Pi 3

7
doc/src/server/website.md
View File

@@ -1,7 +0,0 @@
#Website
hosted on uberspace
runs malobeo.org(wordpress) and forum.malobeo.org(phpbb)
access via ssh with public key or password
Files under /var/www/virtual/malobeo/html

177
flake.lock generated
View File

@@ -1,26 +1,5 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1730135292,
"narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
"owner": "nix-community",
"repo": "disko",
"rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "latest",
"repo": "disko",
"type": "github"
}
},
"ep3-bs": {
"inputs": {
"nixpkgs": [
@@ -42,24 +21,6 @@
"url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -67,16 +28,16 @@
]
},
"locked": {
"lastModified": 1733951536,
"narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
"lastModified": 1719827415,
"narHash": "sha256-pvh+1hStXXAZf0sZ1xIJbWGx4u+OGBC1rVx6Wsw0fBw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
"rev": "f2e3c19867262dbe84fdfab42467fc8dd83a2005",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
@@ -100,35 +61,13 @@
"type": "github"
}
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1734041466,
"narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1733620091,
"narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
"lastModified": 1728781282,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
"rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b",
"type": "github"
},
"original": {
@@ -145,11 +84,11 @@
]
},
"locked": {
"lastModified": 1733965598,
"narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
"lastModified": 1729127034,
"narHash": "sha256-42AMGl+dh4I2wGgICSeDI1mqYaDEJhwqquHJ1vA0QiQ=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
"rev": "dd28a0806e7124fe392c33c9ccaa12f21970401f",
"type": "github"
},
"original": {
@@ -160,11 +99,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1733861262,
"narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
"lastModified": 1729333370,
"narHash": "sha256-NU+tYe3QWzDNpB8RagpqR3hNQXn4BNuBd7ZGosMHLL8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
"rev": "38279034170b1e2929b2be33bdaedbf14a57bfeb",
"type": "github"
},
"original": {
@@ -190,13 +129,29 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"nixpkgs-stable": {
"locked": {
"lastModified": 1733759999,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
"lastModified": 1728156290,
"narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
"rev": "17ae88b569bb15590549ff478bab6494dde4a907",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1729256560,
"narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
"type": "github"
},
"original": {
@@ -208,27 +163,25 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733808091,
"narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
"lastModified": 1729181673,
"narHash": "sha256-LDiPhQ3l+fBjRATNtnuDZsBS7hqoBtPkKBkhpoBHv3I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
"rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"ep3-bs": "ep3-bs",
"home-manager": "home-manager",
"mfsync": "mfsync",
"microvm": "microvm",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
@@ -242,14 +195,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1733965552,
"narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
"lastModified": 1728345710,
"narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
"rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
"type": "github"
},
"original": {
@@ -258,22 +212,6 @@
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1733308308,
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
"ref": "refs/heads/main",
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
"revCount": 792,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -319,21 +257,6 @@
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tasklist": {
"inputs": {
"nixpkgs": [
@@ -341,11 +264,11 @@
]
},
"locked": {
"lastModified": 1736184101,
"narHash": "sha256-HAX+TkDXzyNp6SAsKwjNFql7KzAtxximpQSv+GmP8KQ=",
"lastModified": 1721034873,
"narHash": "sha256-3Bpj3h2UHXgBwlVm+jB5qCLtbn42LunCIEDg1IX111M=",
"ref": "refs/heads/master",
"rev": "9cdab949f44301553e3817cf1f38287ad947e00c",
"revCount": 28,
"rev": "a4a9bf571de0880621739228358a5d31e4c14d43",
"revCount": 16,
"type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/tasklist"
},
@@ -392,14 +315,14 @@
},
"utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {

8
flake.nix
View File

@@ -3,15 +3,11 @@
inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
mfsync.url = "github:k4lipso/mfsync";
microvm.url = "github:astro/microvm.nix";
microvm.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko/latest";
disko.inputs.nixpkgs.follows = "nixpkgs";
utils = {
url = "github:numtide/flake-utils";
@@ -33,7 +29,7 @@
};
home-manager= {
url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager/release-23.11";
inputs = {
nixpkgs.follows = "nixpkgs";
};

48
machines/.sops.yaml
View File

@@ -5,12 +5,9 @@
keys:
- &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
- &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
- &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
- &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
- &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
- &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
creation_rules:
- path_regex: moderatio/secrets/secrets.yaml$
key_groups:
@@ -18,58 +15,15 @@ creation_rules:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_moderatio
age:
- *admin_atlan
- path_regex: lucia/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_lucia
age:
- *admin_atlan
- path_regex: durruti/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_durruti
- *admin_atlan
- path_regex: vpn/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_vpn
- *admin_atlan
- path_regex: fanny/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *machine_fanny
- *admin_atlan
- path_regex: testvm/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: fanny/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: bakunin/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan

100
machines/bakunin/configuration.nix
View File

@@ -1,100 +0,0 @@
{ config, pkgs, inputs, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/xserver.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.initssh
];
malobeo.autoUpdate = {
enable = true;
url = "https://hydra.dynamicdiscord.de";
project = "malobeo";
jobset = "infrastructure";
cacheurl = "https://cache.dynamicdiscord.de";
};
malobeo.disks = {
enable = true;
hostId = "a3c3102f";
root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
};
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
};
hardware.sane.enable = true; #scanner support
nix.settings.experimental-features = [ "nix-command" "flakes" ];
users.users.malobeo = {
packages = with pkgs; [
firefox
thunderbird
telegram-desktop
tor-browser-bundle-bin
keepassxc
libreoffice
gimp
inkscape
okular
element-desktop
chromium
mpv
vlc
simple-scan
];
};
services.tor = {
enable = true;
client.enable = true;
};
services.printing.enable = true;
services.printing.drivers = [
(pkgs.writeTextDir "share/cups/model/brother5350.ppd" (builtins.readFile ../modules/BR5350_2_GPL.ppd))
pkgs.gutenprint
pkgs.gutenprintBin
pkgs.brlaser
pkgs.brgenml1lpr
pkgs.brgenml1cupswrapper
];
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "bakunin";
networking.networkmanager.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
systemWide = true;
};
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}

31
machines/bakunin/disk.key
View File

@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:2/tfkG7SwWNpnqgkFkmUqbAJBF2eN/lfZCK/9VsZag==,iv:Sps+ZIQGveS/zumjVE8VFfVTlNwQJ093eMDndlne2nU=,tag:lW8xcz43jj1XPV6M/0e11g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRU003cys0d0d4MXFmVVVH\ndDg1eHZpVjFMeDBGL3JQcjB5a0luSVRaSWtnCmxNOEUyZ2oybkNLdm12ZTVmNUpo\nVCtUem44bXA2dGhURGdyRWxKdUF6OVkKLS0tIDdVbUt2eGVHMHBzOEt6QnRpOXZF\nVWFEUFloRXpIUGJxblpaNUNuTjlLbDQKQii2qUIl72d02D3P0oTDHZQT1srSk6jS\n89XSBy6ND9vP0tGXcZ4a7jghO0Q1OVNe1fm6Ez41lKOuUu77hgOAWg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-14T16:40:57Z",
"mac": "ENC[AES256_GCM,data:M8l4a2SbBikF/tEtGx4ZY13eK3ffM70aUCDYo4ljgTAtQEbGLx1SJM/mrFW325LycFMNOerWhXyipbXPZPw2VfnSJ9dz+bQ53xK7Mpf/bOZs5aQZJpJ1/MJh6lkmR/zPeQXhE08WsyJ1rCRqAfygau2CqdV8ujY5li3jIIDQMcQ=,iv:lJZhTjJAxSky9MrzYldkJOG0dCIzkv4IE3ZKzxgUxvo=,tag:t/grczWX+0sDcsHC5SCd/A==,type:str]",
"pgp": [
{
"created_at": "2025-01-14T16:40:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/S6LvVBsznEqLZbT/UAom1KmfmA3swxAJnQ5tl/vnnix6\nvzs4KSFGZMOQZihEKC/M/og8qTCvlUFBAUMkYLgX+8ehZeZwnnH9V8EDGDIyoWXE\n6AIHP9Ur6yk62gHqmfHlMxFG2A9/A4a+mOvxyKKPDK/AYG0PBaSVMkM6cp7efWwe\n7C6m4BpPRU+3NsNKy/4FkWt9xoFy82K89FqUGC8oZOQW1q+fS7ZIhmnTzzApwILy\n5Y77yBnpPECDYNZdH097bZli6KGWob7aXJ431gyw2OMVQHFb0DlQbKxemo9eWpIr\nnXu2FYrY2D7YxXBGQvXTuNQD3BuvrccOgWAmmi852C1gVVKV+egeOBRq2RYPl6+j\n8TBaNzl0rcvaoWeTJGR142pR9ht9B3aGzXcvCsciZo3SjYyt31J0huzPfv4Dakfn\nyY8BvOaNfugjx0aS6BOZgZiOPlBer86/0FKX469QQAnqL0LRoPyjn53JYUdPdI+s\nCI2WuVynSl7ItiwoKkJK0lgBm0oMhpSiGOC4Z2Bkk2xdpiuXUdMcP6m8OlG9ldCs\n0KrWubh9Ne6CP7etvTkwqWvMuSpCuheToIQ0rp8j21/YdCFX5LpxA3+em0t9M7Is\nV4ZoLnqA2KjI\n=4+Yl\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-14T16:40:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//c/UkuZRpJM5sH1snP8Kidek6nHgC11hUaY1G15a5ap1D\nn9cMIn4xUdfCAN/DoNiE14NzeTDQyawmIV1ZmrYZzItFdNgunf1r9jQNa3EqcWfE\norJS2RwWDrsw7tmx0wyenr9BLefMGJYaJ6Rd7J3j8sXL7aT+SbNw27mmVbYrJiFJ\nYh2usIsxDu2C+dCeTb3J9sKK6F96IbNnj/2Sx8AGYsIQvcpwloCRrnjiEa+hrEBn\nj1I6U4B/NjRGv20PAR1OnQ2OhKVL5UgTJgNKWCLdvGVOQnqJgDNUrrNEBY19wDQL\nQzJEzL21aiyF+8BB3IrtQlntmAIMcUUHTpqIols9rpVJl54yiK1mQ3UqTQPQ2+gd\nu2gtjXXk3FMnVzaI33ZMcxENGHy/+ZdZMfY70/EwJpRvneHTsLr3Z/bHUxavSYdL\nQqbeWLUm7a2/pnOl5JKa9asKYaNBNdmzO/YVgQNhLQzFtHJ9riVN7Ro+S2bocN9Z\npHGCCISAdMDyuFC7aSngnZEwE4NACbQEc8Udu+YCAUIeeBaPI/QWu3n61fZrkxR7\nmik9uJdXnMzKpmNGVQbPurifykDA6Bsqakn69AZQIPyxMtEDBV+pDX0yy3tI5D12\nhksuXSC7fpV/4BsZWKczK9fpDUJMDTFajSSVrSKb4nr2hk49IAZX9rhgbiHmT1LS\nWAHa5YGYUMkVQc59J3uhAjuSckWA/7R7oMhIrL5e/vnnHVR5zFW/auHkDytzZ0d0\nbGdrIRZh81C+yxB1pSJvlUnIWbYnpqhaH3xL+8yARpGZMNi595x0EJM=\n=8puy\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

126
machines/configuration.nix
View File

@@ -40,63 +40,16 @@ let
}
];
defaultModules = baseModules;
makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
inputs.microvm.nixosModules.microvm
{
microvm = {
hypervisor = "cloud-hypervisor";
mem = 2560;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
{
source = "/var/lib/microvms/${hostName}/etc";
mountPoint = "/etc";
tag = "etc";
proto = "virtiofs";
socket = "etc.socket";
}
{
source = "/var/lib/microvms/${hostName}/var";
mountPoint = "/var";
tag = "var";
proto = "virtiofs";
socket = "var.socket";
}
];
interfaces = [
{
type = "tap";
id = "vm-${hostName}";
mac = "${macAddr}";
}
];
};
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = [ "${ipv4Addr}/24" ];
Gateway = "10.0.0.1";
DNS = ["1.1.1.1"];
DHCP = "no";
};
};
}
] ++ defaultModules ++ modules;
inputsMod = inputs // { malobeo = self; };
in
{
moderatio = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
modules = defaultModules ++ [
./moderatio/configuration.nix
];
};
louise = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
@@ -105,12 +58,11 @@ in
];
};
bakunin = nixosSystem {
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
modules = defaultModules ++ [
./bakunin/configuration.nix
inputs.disko.nixosModules.disko
./durruti/configuration.nix
];
};
@@ -123,57 +75,15 @@ in
];
};
fanny = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputsMod;
sdImageLucia = nixosSystem {
system = "aarch64-linux";
specialArgs.inputs = inputs;
modules = defaultModules ++ [
self.nixosModules.malobeo.vpn
./fanny/configuration.nix
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
./lucia/configuration.nix
{
sdImage.compressImage = false;
}
];
};
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [
./durruti/configuration.nix
];
};
vpn = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [
self.nixosModules.malobeo.vpn
./vpn/configuration.nix
];
};
infradocs = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [
self.nixosModules.malobeo.vpn
./infradocs/configuration.nix
];
};
uptimekuma = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [
./uptimekuma/configuration.nix
];
};
testvm = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = defaultModules ++ [ ./testvm ];
};
}

46
machines/durruti/configuration.nix
View File

@@ -5,6 +5,7 @@ with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
boot.isContainer = true;
networking = {
hostName = mkDefault "durruti";
useDHCP = false;
@@ -22,16 +23,55 @@ with lib;
imports = [
inputs.ep3-bs.nixosModules.ep3-bs
inputs.tasklist.nixosModules.malobeo-tasklist
./documentation.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
];
malobeo.autoUpdate = {
enable = true;
url = "https://hydra.dynamicdiscord.de";
project = "malobeo";
jobset = "infrastructure";
cacheurl = "https://cache.dynamicdiscord.de";
};
services.malobeo-tasklist.enable = true;
services.ep3-bs = {
enable = true;
in_production = true;
favicon = ./circle-a.png;
logo = ./malobeo.png;
mail = {
type = "smtp-tls";
address = "dynamicdiscorddresden@systemli.org";
host = "mail.systemli.org";
user = "dynamicdiscorddresden@systemli.org";
passwordFile = config.sops.secrets.ep3bsMail.path;
auth = "plain";
};
database = {
user = "malodbuser";
passwordFile = config.sops.secrets.ep3bsDb.path;
};
};
sops.secrets.ep3bsDb = {
owner = config.services.ep3-bs.user;
key = "ep3bsDb";
};
sops.secrets.ep3bsMail = {
owner = config.services.ep3-bs.user;
key = "ep3bsMail";
};
system.stateVersion = "22.11"; # Did you read the comment?
}

24
machines/durruti/documentation.nix
View File

@@ -1,24 +0,0 @@
{ config, self, ... }:
{
services.nginx = {
enable = true;
virtualHosts."_" = {
listen = [
{ addr = "0.0.0.0"; port = 9000; }
];
root = "${self.packages.x86_64-linux.docs}/share/doc";
extraConfig = ''
proxy_buffering off;
proxy_cache off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
networking.firewall.allowedTCPPorts = [ 9000 ];
}

21
machines/durruti/host_config.nix
View File

@@ -33,26 +33,6 @@ in
}
];
services.nginx.virtualHosts."docs.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.10";
extraConfig = ''
'';
};
};
services.nginx.virtualHosts."status.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/" = {
proxyPass = "http://10.0.0.12";
extraConfig = ''
'';
};
};
services.nginx.virtualHosts."tasklist.malobeo.org" = {
forceSSL = true;
enableACME= true;
@@ -64,5 +44,6 @@ in
enableACME= true;
locations."/".proxyPass = "http://${cfg.host_ip}:80";
};
};
}

96
machines/durruti/secrets.yaml
View File

@@ -6,65 +6,67 @@ sops:
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEay9wZGM5elhUd2RqVFdJ
aHFhRVNiY0lzZEZzSkVvcVlMT1FmMXN4YzNrCkE3SnprNUJ6Ty9hUGZhbzNEVit4
THpoUnMyNmQ2Q3Z0SlR6cDFzeE9BaDAKLS0tIHFpbFJadTdtb2s2T2hmMWFBTlBV
azZzNXBTRVFoUGtJaGpPdzlDNVpYcjAKd/9v8gn3jbMEK+UPipI8cIufCoWwWfS/
kI9zLws/jtjhRZLNHJaXWz7CjAEwKA+6NOQA3pwZaeS1QKwSmeRdZA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc1o2eTlFc1l4YjVOUHdM
S1F2RG9PQWwyd2VYSmJmVzE4cWNSSEt5WUJZCjlwaWNJWFNHNnZkUVBwdVJUbVNi
WjdYZ2dENVIydWw4WHJmckF0ZjRLWXMKLS0tIDRsNXNSRnZkVzFkSHpDSWgrSEhv
bjBqRlYzcGIvNzhLbjdUbmFhMkU2RXMKsgkwNqQeP40boqriANQg13YKKwMz9iTZ
Vw1wYVeQmo4En7c4yAztqBriVoTNsbWkkvGw0P4z37B+6ll8kdEMSQ==
-----END AGE ENCRYPTED FILE-----
age: []
lastmodified: "2024-06-26T10:07:26Z"
mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
pgp:
- created_at: "2024-12-19T15:09:01Z"
- created_at: "2024-06-26T10:06:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv+K+G7MhXO0RlQENydEstPcMV5vAgkzL06kiN3wXpeOPmj
2gwdNcbOLtcXV8a4mH6xGZPkKOV8xjkybp7Myicll6YDs+4Uw3qRTUmCyZ0BC2Wc
WDrTMz/lCx1gZGVa99KgHaLmALhZbEO/R08qW52Xkwmcvg1GdM22RtB12L+c8JPB
+RR/pLR4UCTfN21uS2CJ33bJnAayfi+s/maGYsElZkH/zoPtDBxF/ntk7g/xeN13
Jymg1Ofmjm8JT0FPe8RE7Er/qXlxsG46GVj964chCtljz3NgL76tgC207E8CLUJq
rVqGKU0PO6h924uNmVON+JI1CeyCsjejsFOGaS8kOEAwEgCoeICqiqkTbtUCU21K
4C7J3mFwhAL+F2IueOY8NZxEV4tMJoY6JZ8c8wtM4Gl6JePlkFRX8LhuO/Bw2VJ9
cuGlkIIg3pA94U6Hql7LwLZbIkquI7SWGx7IHOhk/4qtCUlEn4t40JdN4PbA0bz2
Cde3+6zFOkX0m1BXkj4f0lgBIOfcPsXmY8ho4isVd9+v7arbE2WSZ6IBG75cx0a1
4LYx3QWTLlujiDIc5arhBgpB2ceO8lFTARnoLLqG6y1T+w6UNoVHQZ4n987SpWkk
EKQxUDnO8Nvb
=1PHB
hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
OBN3luBRDDAj
=+dua
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-12-19T15:09:01Z"
- created_at: "2024-06-26T10:06:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAhfUKm9iR11pU0U44IDfwa7NRRurim8GOPX4FWwJJORNL
q85xGM0jA/k8JRsOdsjfHb4/khHtG8cl+t09nEBxTeeb7mKdiOXfsxrvHEf6qeUw
F/DQGoaxk+ISXW4iMcV0CPYciLb7kSHCqVFovmmTGlI9fMXryKl3UpP/nzzz9Zk2
5cXLmbQqeQVsp17Dw5x7rglkTlx8+W7Z1tDHlHrycxzh6LYpJ7QX54EHM8JgMjw/
WREO0qnJMt6C0qp8e3KWhYhMHIidM3WexJR9ixBICxevy0QwvNult0ryOZMc+nTY
48sXxCTebnLspiFBS5OsagGxNgwMixydfKv0ci8E7FyB84jwq7XriiQRzYfzU/6L
wEPapKrXno0F7wyiiesl/HKdLkOujFIhAl7P1ZNHQLcDuzDCqSo2xd7dbUsbPLcR
BUNcfc0VK3TEJks1lXkO5C1PeYEy+NgsJnEQ2lrnAbmKDxpH6qOA2KSGh12uZnHp
7kk/hRclVnygkcQc6j71eOyprQms2VjU6fVy2dED+ucjvogrceWWSUkuP6GQEqZV
bPhLxpMMw6cIWcTLZIEqLRQv9EqibIFEohkUh9A2TL7XxPb6MEhsRXKTsmMqzdiH
/xUwxH3w0w8CrEheVvxGxQi7B4XWC9jHGN+KvJGisrLeGpl/wJ8NKcqOSasB4fLS
WAHQxsAnNtNj5rV/BQJHr8lvX+ebJkMpCEBmIdQUeX4WVegr3HkDF34EWoqVfzV2
T0ZUaCXNI+tdmvJji9MPd1ZFrTgF5XuFjQxMP1uPI6gannH9InvBXvY=
=5AlZ
hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
=7OG0
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-06-26T10:06:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
=GiUe
-----END PGP MESSAGE-----
fp: 4095412245b6efc14cf92ca25911def5a4218567
unencrypted_suffix: _unencrypted
version: 3.8.1

93
machines/fanny/configuration.nix
View File

@@ -1,93 +0,0 @@
{ inputs, config, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.microvm
];
malobeo.autoUpdate = {
enable = true;
url = "https://hydra.dynamicdiscord.de";
project = "malobeo";
jobset = "infrastructure";
cacheurl = "https://cache.dynamicdiscord.de";
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
malobeo.disks = {
enable = true;
hostId = "a3c3101f";
root = {
disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
};
storage = {
disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
mirror = true;
};
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
};
services.malobeo.vpn = {
enable = true;
name = "fanny";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.malobeo.microvm.enableHostBridge = true;
services.malobeo.microvm.deployHosts = [ "infradocs" ];
networking = {
firewall = {
allowedTCPPorts = [ 80 ];
};
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.0.0.11:9000";
extraConfig = ''
'';
};
};
};
services.tor = {
enable = true;
client.enable = true;
};
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "fanny";
networking.networkmanager.enable = true;
virtualisation.vmVariant.virtualisation.graphics = false;
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}

31
machines/fanny/disk.key
View File

@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-05T19:35:48Z",
"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
"pgp": [
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

49
machines/fanny/hardware-configuration.nix
View File

@@ -1,49 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
preLVM = true;
allowDiscards = true;
};
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/402B-2026";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

68
machines/fanny/secrets.yaml
View File

@@ -1,68 +0,0 @@
wg_private: ENC[AES256_GCM,data:kFuLzZz9lmtUccQUIYiXvJRf7WBg5iCq1xxCiI76J3TaIBELqgbEmUtPR4g=,iv:0S0uzX4OVxQCKDOl1zB6nDo8152oE7ymBWdVkPkKlro=,tag:gg1n1BsnjNPikMBNB60F5Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T12:41:07Z"
mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
pgp:
- created_at: "2025-01-14T12:32:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8
5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO
8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN
zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA
cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O
/MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24
9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict
iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k
UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p
Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N
J+o9dahBHvIF
=GKm4
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-14T12:32:13Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs
W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF
e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR
GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q
yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM
wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap
FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT
cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul
QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2
MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB
5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS
WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw
CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE=
=9FN4
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

20
machines/infradocs/configuration.nix
View File

@@ -1,20 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "infradocs";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../durruti/documentation.nix
../modules/malobeo_user.nix
../modules/sshd.nix
];
system.stateVersion = "22.11"; # Did you read the comment?
}

16
machines/louise/configuration.nix
View File

@@ -67,13 +67,17 @@
networking.hostName = "louise";
networking.networkmanager.enable = true;
security.rtkit.enable = true;
services.pipewire = {
sound.enable = true;
hardware.pulseaudio = {
enable = true;
zeroconf.discovery.enable = true;
extraConfig = ''
load-module module-zeroconf-discover
'';
};
services.avahi = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
systemWide = true;
};

42
machines/lucia/configuration.nix
View File

@@ -14,12 +14,20 @@ in
services.openssh.enable = true;
services.openssh.ports = [ 22 ];
services.openssh.settings.PasswordAuthentication = false;
services.openssh.passwordAuthentication = false;
services.openssh.settings.PermitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
# Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = false;
boot.loader.raspberryPi.version = 3;
boot.loader.raspberryPi.uboot.enable = true;
boot.loader.raspberryPi.firmwareConfig = ''
dtparam=audio=on
hdmi_ignore_edid_audio=1
audio_pwm_mode=2
'';
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
@@ -31,8 +39,12 @@ in
# Set your time zone.
time.timeZone = "Europe/Berlin";
# hardware audio support:
sound.enable = true;
services = {
dokuwiki.sites."wiki.malobeo.org" = {
enable = true;
#acl = "* @ALL 8"; # everyone can edit using this config
@@ -161,7 +173,7 @@ in
mpv
ncmpcpp
ncpamixer
# pulseaudio
pulseaudio
vim
htop
wget
@@ -170,23 +182,23 @@ in
nix-tree
];
#hardware.pulseaudio = {
# enable = true;
# systemWide = true;
# tcp = {
# enable = true;
# anonymousClients.allowedIpRanges = [
# "127.0.0.0/8"
# "192.168.1.0/24"
# ];
# };
hardware.pulseaudio = {
enable = true;
systemWide = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [
"127.0.0.0/8"
"192.168.1.0/24"
];
};
# zeroconf.publish.enable = true;
#};
zeroconf.publish.enable = true;
};
services.avahi = {
enable = true;
nssmdns4 = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;

110
machines/lucia/secrets.yaml
View File

@@ -1,81 +1,71 @@
hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-14T18:10:54Z"
mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
age: []
lastmodified: "2023-10-24T15:09:51Z"
mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
pgp:
- created_at: "2024-11-14T13:02:46Z"
enc: |-
- created_at: "2023-10-24T14:42:18Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
qkz9uKEGrGjb
=wPkW
hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
/f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
WxGMHNWqN7NS
=XZkW
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-11-14T13:02:46Z"
enc: |-
- created_at: "2023-10-24T14:42:18Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
=DC78
hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
=2A7P
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-14T13:02:46Z"
enc: |-
- created_at: "2023-10-24T14:42:18Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
+QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
=8HBK
hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
=NnkE
-----END PGP MESSAGE-----
fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.7.3

92
machines/moderatio/configuration.nix Normal file
View File

@@ -0,0 +1,92 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
services.acpid.enable = true;
boot.kernelPackages = pkgs.linuxPackages_5_4;
services.xserver.videoDrivers = [ "intel" ];
services.xserver.deviceSection = ''
Option "DRI" "2"
Option "TearFree" "true"
'';
zramSwap.enable = true;
zramSwap.memoryPercent = 150;
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./zfs.nix
../modules/xserver.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
];
users.users.malobeo = {
packages = with pkgs; [
firefox
thunderbird
];
};
networking.hostName = "moderatio"; # Define your hostname.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
# };
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}

46
machines/bakunin/hardware-configuration.nix → machines/moderatio/hardware-configuration.nix
View File

@@ -8,42 +8,46 @@
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "ums_realtek" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices = {
root = {
device = "/dev/disk/by-uuid/35ae4fa2-1076-42ae-a04c-1752126b2aaf";
preLVM = true;
allowDiscards = true;
};
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fe34ee57-9397-4311-94f2-a4fc0a3ef09c";
fsType = "btrfs";
{ device = "rpool/nixos/root";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/home" =
{ device = "rpool/nixos/home";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/402B-2026";
{ device = "bpool/nixos/root";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1" =
{ device = "/dev/disk/by-uuid/A0D1-00C1";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/b4a28946-dcc4-437d-a1b9-08d36f4b6b27"; }
];
fileSystems."/boot/efi" =
{ device = "/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1";
fsType = "none";
options = [ "bind" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

34
machines/moderatio/zfs.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, pkgs, ... }:
{ boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "ae749b82";
#boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.generationsDir.copyKernels = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.copyKernels = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.zfsSupport = true;
boot.loader.grub.extraPrepareConfig = ''
mkdir -p /boot/efis
for i in /boot/efis/*; do mount $i ; done
mkdir -p /boot/efi
mount /boot/efi
'';
boot.loader.grub.extraInstallCommands = ''
ESP_MIRROR=$(mktemp -d)
cp -r /boot/efi/EFI $ESP_MIRROR
for i in /boot/efis/*; do
cp -r $ESP_MIRROR/EFI $i
done
rm -rf $ESP_MIRROR
'';
boot.loader.grub.devices = [
"/dev/disk/by-id/ata-ST250LT003-9YG14C_W041QXCA"
];
users.users.root.initialHashedPassword = "$6$PmoyhSlGGT6SI0t0$.cFsLyhtO1ks1LUDhLjG0vT44/NjuWCBrv5vUSXqwrU5WpaBvvthnLp0Dfwfyd6Zcdx/4izDcjQAgEWs4QdzW0";
}

11
machines/modules/autoupdate.nix
View File

@@ -100,12 +100,11 @@ in
nix = {
# Show a diff when activating a new system except for microvms which handle this seperately
#diffSystem = config.malobeo.deployment.server or "" == "";
#TODO: THIS WIPES HOSTS NIX STORE FROM WITHIN NIXOS-CONTAINER
#gc = lib.mkIf config.malobeo.autoUpdate.enable {
# automatic = true;
# randomizedDelaySec = "6h";
# options = "--delete-older-than 21d";
#};
gc = lib.mkIf config.malobeo.autoUpdate.enable {
automatic = true;
randomizedDelaySec = "6h";
options = "--delete-older-than 21d";
};
};
environment.systemPackages = [ (

63
machines/modules/disko/btrfs-laptop.nix
View File

@@ -1,63 +0,0 @@
{ config, self, inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
# https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
disko.devices = {
disk = {
main = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/disk/by-id/some-disk-id";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
passwordFile = /tmp/secret.key; # Interactive
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "20M";
};
};
};
};
};
};
};
};
};
};
}

278
machines/modules/disko/default.nix
View File

@@ -1,278 +0,0 @@
{config, inputs, lib, ...}:
let
cfg = config.malobeo.disks;
in
{
imports = [inputs.disko.nixosModules.disko];
options.malobeo.disks = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable disko disk creation";
};
hostId = lib.mkOption {
type = lib.types.str;
default = "";
description = "Host ID for zfs disks, generate with 'head -c4 /dev/urandom | od -A none -t x4'";
};
encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Allows encryption to be disabled for testing";
};
devNodes = lib.mkOption {
type = lib.types.str;
default = "/dev/disk/by-id/";
description = ''
where disks should be mounted from
https://openzfs.github.io/openzfs-docs/Project%20and%20Community/FAQ.html#selecting-dev-names-when-creating-a-pool-linux
use "/dev/disk/by-path/" for vm's
'';
};
root = {
disk0 = lib.mkOption {
type = lib.types.str;
default = "";
description = "name ab /dev für root dateisystem";
};
disk1 = lib.mkOption {
type = lib.types.str;
default = "";
description = "name ab /dev für eventuellen root mirror";
};
swap = lib.mkOption {
type = lib.types.str;
default = "8G";
description = "size of swap partition (only disk0)";
};
reservation = lib.mkOption {
type = lib.types.str;
default = "20GiB";
description = "zfs reservation";
};
mirror = lib.mkOption {
type = lib.types.bool;
default = false;
description = "mirror zfs root pool";
};
};
storage = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable storage pool";
};
disks = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "name ab /dev/ für storage pool";
example = "ata-ST16000NE000-2RW103_ZL2P0YSZ";
};
reservation = lib.mkOption {
type = lib.types.str;
default = "20GiB";
description = "zfs reservation";
};
mirror = lib.mkOption {
type = lib.types.bool;
default = false;
description = "mirror zfs storage pool";
};
};
};
config = lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
}) cfg.storage.disks
)
))
];
zpool = {
zroot = {
type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd";
"com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
};
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" storage/encrypted;
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
};
type = "zfs_fs";
};
};
};
};
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
};
}

66
machines/modules/malobeo/initssh.nix
View File

@@ -1,66 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.malobeo.initssh;
inherit (config.networking) hostName;
in
{
options.malobeo.initssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable initrd-ssh";
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Authorized keys for the initrd ssh";
};
ethernetDrivers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169";
};
};
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
systemd = {
enable = true;
network.enable = true;
};
network.ssh = {
enable = true;
port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd";
};
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "systemctl default" >> /var/empty/.profile
'';
};
};
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
};
};
}

119
machines/modules/malobeo/microvm_host.nix
View File

@@ -1,119 +0,0 @@
{ config, self, lib, inputs, options, pkgs, ... }:
with lib;
let
cfg = config.services.malobeo.microvm;
in
{
options = {
services.malobeo.microvm = {
enableHostBridge = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup bridge device for microvms.";
};
enableHostBridgeUnstable = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup bridge device for microvms.";
};
deployHosts = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List hostnames of MicroVMs that should be automatically initializes and autostart
'';
};
};
};
imports = [
inputs.microvm.nixosModules.host
];
config = {
assertions = [
{
assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
message = ''
Only enableHostBridge or enableHostBridgeUnstable! Not Both!
'';
}
];
systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
enable = true;
# create a bride device that all the microvms will be connected to
netdevs."10-microvm".netdevConfig = {
Kind = "bridge";
Name = "microvm";
};
networks."10-microvm" = {
matchConfig.Name = "microvm";
networkConfig = {
DHCPServer = true;
IPv6SendRA = true;
};
addresses = if cfg.enableHostBridgeUnstable then [
{ Address = "10.0.0.1/24"; }
] else [
{ addressConfig.Address = "10.0.0.1/24"; }
];
};
# connect the vms to the bridge
networks."11-microvm" = {
matchConfig.Name = "vm-*";
networkConfig.Bridge = "microvm";
};
};
microvm.vms =
let
# Map the values to each hostname to then generate an Attrset using listToAttrs
mapperFunc = name: { inherit name; value = {
# Host build-time reference to where the MicroVM NixOS is defined
# under nixosConfigurations
flake = inputs.malobeo;
# Specify from where to let `microvm -u` update later on
updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
}; };
in
builtins.listToAttrs (map mapperFunc cfg.deployHosts);
systemd.services = builtins.foldl' (services: name: services // {
"microvm-update@${name}" = {
description = "Update MicroVMs automatically";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
serviceConfig = {
LimitNOFILE = "1048576";
Type = "oneshot";
};
path = with pkgs; [ nix git ];
environment.HOME = config.users.users.root.home;
script = ''
/run/current-system/sw/bin/microvm -Ru ${name}
'';
};
}) {} (cfg.deployHosts);
systemd.timers = builtins.foldl' (timers: name: timers // {
"microvm-update-${name}" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "microvm-update@${name}.service";
# three times per hour
OnCalendar = "*:0,20,40:00";
Persistent = true;
};
};
}) {} (cfg.deployHosts);
};
}

39
machines/modules/malobeo/peers.nix
View File

@@ -1,39 +0,0 @@
{
"vpn" = {
role = "server";
publicIp = "5.9.153.217";
address = [ "10.100.0.1/24" ];
allowedIPs = [ "10.100.0.0/24" ];
listenPort = 51821;
publicKey = "hF9H10Y8Ar7zvZXFoNM8LSoaYFgPCXv30c54SSEucX4=";
persistentKeepalive = 25;
};
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.2/32" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
"desktop" = {
role = "client";
address = [ "10.100.0.3/24" ];
allowedIPs = [ "10.100.0.3/32" ];
publicKey = "FtY2lcdWcw+nvtydOOUDyaeh/xkaqHA8y9GXzqU0Am0=";
};
"atlan-pc" = {
role = "client";
address = [ "10.100.0.5/24" ];
allowedIPs = [ "10.100.0.5/32" ];
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
};
"fanny" = {
role = "client";
address = [ "10.100.0.101/24" ];
allowedIPs = [ "10.100.0.101/32" ];
publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=";
};
}

101
machines/modules/malobeo/wireguard.nix
View File

@@ -1,101 +0,0 @@
{ config, self, lib, inputs, options, pkgs, ... }:
with lib;
let
cfg = config.services.malobeo.vpn;
peers = import ./peers.nix;
myPeer = if cfg.name == "" then peers.${config.networking.hostName} else peers.${cfg.name};
peerList = builtins.filter (peer: peer.role != myPeer.role) (builtins.attrValues peers);
peerListWithEndpoint = map (host:
if host.role == "server" then
host // { endpoint = "${host.publicIp}:${builtins.toString host.listenPort}"; }
else
host
) peerList;
filteredPeerlist = map (host: builtins.removeAttrs host [
"role"
"address"
"listenPort"
"publicIp"
] ) peerListWithEndpoint;
in
{
options = {
services.malobeo.vpn = {
enable = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup wireguard to access malobeo maintainance vpn";
};
autostart = mkOption {
default = true;
type = types.bool;
description = lib.mdDoc "whether to autostart vpn interface on boot";
};
name = mkOption {
default = "";
type = types.str;
description = ''
Name of the host in peers.nix, if empty uses hostname
'';
};
privateKeyFile = mkOption {
default = "";
type = types.str;
description = ''
Path to private key
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = !(myPeer.role != "client" && myPeer.role != "server");
message = ''
VPN Role must be either client or server, nothing else!
'';
}
];
boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf (myPeer.role == "server") 1;
networking.wg-quick = {
interfaces = {
malovpn = {
mtu = 1340; #seems to be necessary to proxypass nginx traffic through vpn
address = myPeer.address;
autostart = cfg.autostart;
listenPort = mkIf (myPeer.role == "server") myPeer.listenPort;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postUp = mkIf (myPeer.role == "server") ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
'';
# This undoes the above command
postDown = mkIf (myPeer.role == "server") ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s3 -j MASQUERADE
'';
privateKeyFile = cfg.privateKeyFile;
peers = filteredPeerlist;
};
};
};
#networking.nat = mkIf (myPeer.role == "server"){
# enable = true;
# internalInterfaces = [ "microvm" ];
# externalInterface = "eth0"; #change to your interface name
#};
};
}

2
machines/modules/malobeo_user.nix
View File

@@ -6,7 +6,7 @@ in
{
users.users.malobeo = {
isNormalUser = true;
extraGroups = [ "pipewire" "wheel" "pulse-access" "scanner" "lp" ];
extraGroups = [ "wheel" "pulse-access" "scanner" "lp" ];
openssh.authorizedKeys.keys = sshKeys.admins;
initialPassword = "test";
};

2
machines/modules/sshd.nix
View File

@@ -6,7 +6,7 @@ in
{
services.openssh.enable = true;
services.openssh.ports = [ 22 ];
services.openssh.settings.PasswordAuthentication = false;
services.openssh.passwordAuthentication = false;
services.openssh.settings.PermitRootLogin = "no";
users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
}

3
machines/modules/xserver.nix
View File

@@ -7,6 +7,7 @@
xterm.enable = false;
cinnamon.enable = true;
};
displayManager.defaultSession = "cinnamon";
};
services.displayManager.defaultSession = "cinnamon";
}

1
machines/ssh_keys.nix
View File

@@ -3,6 +3,5 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
];
}

59
machines/testvm/default.nix
View File

@@ -1,59 +0,0 @@
{ config, pkgs, inputs, ... }:
let
sshKeys = import ../ssh_keys.nix;
in
{
imports =
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.disko
];
boot.initrd.systemd.enable = true;
boot.loader.systemd-boot.enable = true;
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["virtio_net"];
};
malobeo.disks = {
enable = true;
encryption = false;
hostId = "83abc8cb";
devNodes = "/dev/disk/by-path/";
root = {
disk0 = "disk/by-path/pci-0000:04:00.0";
swap = "1G";
reservation = "1G";
mirror = false;
};
storage = {
enable = true;
disks = ["disk/by-path/pci-0000:08:00.0" "disk/by-path/pci-0000:09:00.0"];
reservation = "1G";
mirror = true;
};
};
boot.initrd.kernelModules = ["virtio_blk" "zfs" "virtio_console" "virtio_pci" "virtio" "virtio_net"];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# needed for printing drivers
nixpkgs.config.allowUnfree = true;
services.acpid.enable = true;
networking.hostName = "testvm";
networking.networkmanager.enable = true;
time.timeZone = "Europe/Berlin";
system.stateVersion = "23.05"; # Do.. Not.. Change..
}

31
machines/testvm/disk.key
View File

@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-12-31T02:35:20Z",
"mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]",
"pgp": [
{
"created_at": "2024-12-31T02:35:05Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2024-12-31T02:35:05Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}

37
machines/uptimekuma/configuration.nix
View File

@@ -1,37 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
networking = {
hostName = mkDefault "uptimekuma";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
];
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts."status.malobeo.org" = {
locations."/" = {
proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
'';
};
};
};
services.uptime-kuma = {
enable = true;
};
system.stateVersion = "22.11"; # Did you read the comment?
}

45
machines/vpn/configuration.nix
View File

@@ -1,45 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets.wg_private = {};
networking = {
hostName = mkDefault "vpn";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
firewall = {
allowedUDPPorts = [ 51821 ];
allowedTCPPorts = [ 80 ];
};
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
];
services.malobeo.vpn = {
enable = true;
name = "vpn";
privateKeyFile = config.sops.secrets.wg_private.path;
};
services.nginx = {
enable = true;
virtualHosts."docs.malobeo.org" = {
locations."/" = {
proxyPass = "http://10.100.0.101";
extraConfig = ''
'';
};
};
};
system.stateVersion = "22.11"; # Did you read the comment?
}

68
machines/vpn/secrets.yaml
View File

@@ -1,68 +0,0 @@
wg_private: ENC[AES256_GCM,data:uuBYbOTiThZYiNetM+FOLFVMr/HII9otG4FvN5YvuRErvNjgmAYxVncV71k=,iv:Sy3HAEcALod2pL4IZ/GSjVybLAviOoO+DsW8OROzgTg=,tag:hynRmiilafVzWCjx2Xoxhw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua1FUY1pZamY5R1ExOC8r
cUU4VE9VVUJjeEdXNEJnMUM5WEtUL0E2NWhZCm5xTXZ2WnhFcXRGVkdQNHlTcDBC
cTlySDcxaGJXOFl0UWJ6RlYzekdJaU0KLS0tIEo1RmVIZG9mOGpJM2NlOEQyKzNG
a0FsVGh6TlBBWG5qNTBFWVVWb3U2ZUEKp6Rfi5h1j9+nosARUcuVFUDLajaHf5SK
PFDpyy+n1msB4E+Yuku6ySxyf58TqPvy/JnVA7Nhkmir7IngIdfX1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT2hGalZFaktoUHdJRXJy
dlg0NVZxNSsvV0VsQndOV2VqZHJzcnI3cFEwCmg0eHl0djNpcmVSaHlEM2h0R2dm
QzRveGlpbldYeFFQdmVHSlVtU1FhcGsKLS0tIHFnZ0xyaDRidE5naElnNWNOZmM2
RUpHanJrOUx1endqRytjOW9VV1dLQ1UKcS6MhvTHTn+3sCh/wrMDw4z5aYHmKbER
n/doy/gDtIWeIlw9TPNdCtOu/P/atNnrjvpTDCU1i+H86fODFmu5zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-17T22:01:22Z"
mac: ENC[AES256_GCM,data:ctpzk2gUHSLThmZpRFwIBKX+SfwKt8/V8AWQbPnoBqJ9KwuHcRKkkT2yEMx3l2qKUy7DgrqRXhSVGbF57poXC9nshyjXMrrjMQA4PBB7a3SAwgpcX6j+aEx0xIt8GTUVxcn0xDvbP9xJ+adeACLUvkE+a4EB1jtdsL/iacxlv5Y=,iv:Zw+sG7oXmPRGa2jWc+mloGMBq6CnDQgz5x7ke5paeW8=,tag:RtfGmrSt8U8Je7Dq9FQGTg==,type:str]
pgp:
- created_at: "2024-12-19T15:09:08Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/bueAXskPGUYQwlmujEEdjh2o3yGxTScqCEwYbghRPbf+
a59WXJMtIkOCxRF0bkyfoKLudJJeWRteBfN3aqdUKtFqr4g7PfavLmipRaqm1cmJ
EswakDt4raLx2C4HAyZvaab4fzA592tqpGU5RBRmwtkxjfCL0bY6zV/FHmk7NzYg
RAaEChpaUGXSTmwDiXJn1FJ1QwOSTlKm0ccoUbB1MSHi8A3LqH0lEHPqq5mb3Yhx
XIvOKPTZ+ODX9duLOQrAPWAfOShcyjd8SAA+uygJ7PYnXeN9HpuROcl4WEB1mpKa
h2AGwtUpOC9tpqKJ3kueBUePpsSHM9s1qmeImItSycFHzlB/hnuFQFndhV6I2yaP
lDs/Vpsfoeq3/ufR4Cajqwd7Q6dRGmf71/Sk6QhjXZQapGRcIfGWlOMcHn/z+ura
PPn2EtTxkgzp9G8ksOdTzIoriM7RmosC7N1BgSpw+vRUXn4dNhHN4h9LcR9XsX0u
lUJXfAc5DOl0bkpJ0y1B0lgBldvxchsMsg4RS2GNhIs20gjMfFLs4eRlcXU8Yps5
HizBAKW5frOePfzVM+GD30IstOd/pJPYrRCzg7Ym1oY/+IZTLfK/7MW2bvtP5IJy
LN6uk4NCOKwA
=Mdnc
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-12-19T15:09:08Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ//bvRwMD4xzEq9wihdYG/XHb72Y8RYzHLA1/okH0Kfe9wW
DomZhwi/VPoLf8RWTZfa0/S1PnPyOZdfEP46ZM2WSksNydMidqY7fOuFYxTI5cRG
javuZjAH0ZyMMG3J+Y+zzFCFRMBT8n5yDtv+bDbi1T16SJj0gpYW2IIEglOudPVl
vDM6bqHD5UefHtxhYGRnPaxqenLxCoNYq4DAx8+8DoIj7RTg4+rjrglW16G7KU5n
t7acEiD+J0fXeQM7bLTYuiI0gSkaftSuQ1GVEDgw6M80pSdWfrqE5xue+8t3MPDA
UGQGjXxG4ykOV5Wggs3EjOVkscgmQxWJgMYNanCZJEy36WWlzPnG59O1kiXW+6AQ
TCy4ZXb3SyUJ1kSoI9pJ3PSaADaID9rDgIn+IkIfY0E+QVrw9qL4qN0rqISx++EW
XOBucRspIqcXzFGikuz4yIwLBWVAqGhr5iKge8FVjBPVUX+JPgJjFw25fAFZkkds
mJDAkbzJh6iALxSIoj++kPIw+f4xQXKPPPLJiJzpuWAcZJiA3WM10iakGyuKmYPL
qVgwo1hXOVODwbkBvztJOGIMqMXNLQP9A45kpNjFuyPn8WcignmvoFXtGbr9BtCY
sZAZrDFw/JxVLVPSM3duKC6R8r8MQfp1ZNVLU9fMzqfReu+6gD5biESM+rnYC4TS
WAGB3htm92PRqdsJnDrgO8kzi9fHNxo0htj9fmo8ipNY+eeLfrAW6ocqPMBzCuyf
3EbF+PS9PRg0lHyjkBC2pF6PD8DHVL/2OTSpWOZdp8FCqogZg7e7dMI=
=vQSV
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

128
outputs.nix
View File

@@ -4,7 +4,6 @@
, nixpkgs-unstable
, nixos-generators
, sops-nix
, microvm
, ...
} @inputs:
@@ -16,114 +15,15 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
pkgs = nixpkgs.legacyPackages."${system}";
in
{
devShells.default =
let
sops = sops-nix.packages."${pkgs.system}";
microvmpkg = microvm.packages."${pkgs.system}";
installed = builtins.attrNames self.packages."${pkgs.system}".scripts;
in
pkgs.mkShell {
sopsPGPKeyDirs = [
"./machines/secrets/keys/hosts"
"./machines/secrets/keys/users"
];
nativeBuildInputs = [
sops.ssh-to-pgp
sops.sops-import-keys-hook
sops.sops-init-gpg-key
pkgs.sops
pkgs.age
pkgs.python310Packages.grip
pkgs.mdbook
microvmpkg.microvm
];
packages = builtins.map (pkgName: self.packages."${pkgs.system}".scripts.${pkgName}) installed;
shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
devShells.default = pkgs.callPackage ./shell.nix {
inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
};
packages = {
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
docs = pkgs.stdenv.mkDerivation {
name = "malobeo-docs";
phases = [ "buildPhase" ];
buildInputs = [ pkgs.mdbook ];
inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
buildPhase = ''
dest=$out/share/doc
mkdir -p $dest
cp -r --no-preserve=all $inputs/* ./
mdbook build
ls
cp -r ./book/* $dest
'';
};
} //
builtins.foldl'
(result: host:
let
inherit (self.nixosConfigurations.${host}) config;
in
result // {
# boot any machine in a microvm
"${host}-vm" = (self.nixosConfigurations.${host}.extendModules {
modules = [{
microvm = {
mem = pkgs.lib.mkForce 4096;
hypervisor = pkgs.lib.mkForce "qemu";
socket = pkgs.lib.mkForce null;
shares = pkgs.lib.mkForce [{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}];
interfaces = pkgs.lib.mkForce [{
type = "user";
id = "eth0";
mac = "02:23:de:ad:be:ef";
}];
};
boot.isContainer = pkgs.lib.mkForce false;
users.users.root.password = "";
fileSystems."/".fsType = pkgs.lib.mkForce "tmpfs";
services.getty.helpLine = ''
Log in as "root" with an empty password.
Use "reboot" to shut qemu down.
'';
}] ++ pkgs.lib.optionals (! config ? microvm) [
microvm.nixosModules.microvm
];
}).config.microvm.declaredRunner;
})
{ }
(builtins.attrNames self.nixosConfigurations);
apps = {
docs = {
type = "app";
program = builtins.toString (pkgs.writeShellScript "docs" ''
${pkgs.mdbook}/bin/mdbook serve --open ./doc
'');
};
};
})) // rec {
nixosConfigurations = import ./machines/configuration.nix (inputs // {
inherit inputs;
self = self;
});
nixosModules.malobeo = {
host.imports = [ ./machines/durruti/host_config.nix ];
microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
disko.imports = [ ./machines/modules/disko ];
};
nixosModules.malobeo = import ./machines/durruti/host_config.nix;
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
let
@@ -136,4 +36,26 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations
);
#lucia = self.nixosConfigurations.lucia.config.system.build.toplevel;
#images.lucia_base_image = nixosConfigurations.lucia.config.system.build.sdImage;
#packages.x86_64-linux = {
# lucia_base_img = nixos-generators.nixosGenerate {
# system = "aarch64-linux";
# modules = [
# #"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
# ./machines/modules/sshd.nix
# {
# nixpkgs.config.allowUnsupportedSystem = true;
# nixpkgs.crossSystem.system = "aarch64-linux";
# networking.dhcpcd.enable = true;
# }
# ];
# format = "sd-aarch64-installer";
# };
#};
}

61
scripts/remote-install-encrypt.sh
View File

@@ -1,61 +0,0 @@
set -o errexit
set -o pipefail
if [ $# -lt 2 ]; then
echo
echo "Install NixOS to the host system with secrets and encryption"
echo "Usage: $0 <hostname> <ip> (user)"
exit 1
fi
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
hostname=$1
ipaddress=$2
# Create a temporary directory
temp=$(mktemp -d)
# Function to cleanup temporary directory on exit
cleanup() {
rm -rf "$temp"
}
trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
# # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"
# Install NixOS to the host system with our secrets and encription
# optional --build-on-remote
if [ $# = 3 ]
then
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
else
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
fi

44
scripts/unlock-boot.sh
View File

@@ -1,44 +0,0 @@
set -o errexit
set -o pipefail
sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
HOSTNAME=$1
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
echo
if [ $# = 1 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
else
echo
echo "Unlock the root disk on a remote host."
echo "Usage: $0 <hostname> [ip]"
echo "If an IP is not provided, the hostname will be used as the IP address."
exit 1
fi

23
shell.nix Normal file
View File

@@ -0,0 +1,23 @@
{ mkShell
, sops-import-keys-hook
, ssh-to-pgp
, sops-init-gpg-key
, sops
, pkgs
}:
mkShell {
sopsPGPKeyDirs = [
"./machines/secrets/keys/hosts"
"./machines/secrets/keys/users"
];
nativeBuildInputs = [
ssh-to-pgp
sops-import-keys-hook
sops-init-gpg-key
sops
pkgs.python310Packages.grip
pkgs.mdbook
];
}

0
doc/src/Index.md → src/Index.md
View File

15
src/SUMMARY.md Normal file
View File

@@ -0,0 +1,15 @@
# Summary
- [Index](./Index.md)
- [Info]()
- [Aktuelle Server]()
- [Durruti](./server/durruti.md)
- [Lucia](./server/lucia.md)
- [Hardware]()
- [Netzwerk]()
- [Seiten]()
- [musik](./projekte/musik.md)
- [TODO](./todo.md)
- [How-to]()
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)

0
doc/src/anleitung/rollback.md → src/anleitung/rollback.md
View File

0
doc/src/anleitung/updates.md → src/anleitung/updates.md
View File

0
doc/src/projekte/musik.md → src/projekte/musik.md
View File

1
src/server/durruti.md Normal file
View File

@@ -0,0 +1 @@
# Durruti

1
src/server/lucia.md Normal file
View File

@@ -0,0 +1 @@
# Lucia

3
doc/src/todo.md → src/todo.md
View File

@@ -7,11 +7,8 @@
* [ ] how to use beamer
* [ ] how to buecher ausleihen
* ...
- [x] host a local wiki with infrastructure information
* [x] host some pad (codimd aka hedgedoc)
* [ ] some network fileshare for storing the movies and streaming them within the network
- Currently developed in the 'fileserver' branch
- NFSV4 based
* [x] malobeo network infrastructure rework
* [x] request mulvad acc
* [x] remove freifunk, use openwrt with mulvad configured