

commit 6168b30dce7373a4a0f5872899300bcb24d28bd4
parent ddc193f159b51b1c9be4323f7ec10d62cb83ee84
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 25 Nov 2022 20:37:09 +0100

machines: add `trabbi`
8 files changed, 174 insertions(+), 53 deletions(-)
M
hive.nix
|
1
+
A
machines/trabbi/configuration.nix
|
74
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
machines/trabbi/hardware-configuration.nix
|
38
++++++++++++++++++++++++++++++++++++++
M
secrets/passwords/leah-at-f2k1-de.age
|
0
M
secrets/restic-server/desastro.age
|
34
+++++++++++++++++++---------------
M
secrets/restic-server/hector.age
|
39
++++++++++++++++++++-------------------
M
secrets/restic-server/lollo.age
|
32
+++++++++++++++++---------------
M
secrets/secrets.nix
|
9
+++++----
diff --git a/hive.nix b/hive.nix
@@ -23,5 +23,6 @@ inputs:
 
   hector       = import ./machines/hector/configuration.nix;
   wanderduene  = import ./machines/wanderduene/configuration.nix;
+  trabbi       = import ./machines/trabbi/configuration.nix;
 
 }
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  imports = [
+    ./hardware-configuration.nix
+
+    # dns server
+    ../../configurations/linux/services/dns.nix
+
+    # monitoring
+    ../../configurations/linux/services/prometheus-node-exporter.nix
+  ];
+
+  age.secrets.restic-server-lollo.file    = ../../secrets/restic-server/lollo.age;
+  age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
+  age.secrets.restic-server-hector.file   = ../../secrets/restic-server/hector.age;
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    initrd.network = {
+      enable = true;
+      ssh    = {
+        enable         = true;
+        port           = 22;
+        hostKeys       = [ /etc/ssh/ssh_host_rsa_key ];
+        authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+      };
+
+      postCommands = ''
+        ip link set dev ens3 up
+        ip addr add 2a0a:4cc0:1:2d7::1/128 dev ens3
+        ip route add default via fe80::1 dev ens3 onlink
+
+        ip addr add 89.58.62.171/22 dev ens3
+        ip route add default via 89.58.62.1 dev ens3 onlink
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
+  };
+
+  services.email-notify.enable = true;
+
+  dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host "89.58.62.171" "2a0a:4cc0:1:2d7::1");
+
+  networking = {
+    useDHCP  = false;
+
+    defaultGateway6 = {
+      interface = "ens3";
+      address   = "fe80::1";
+    };
+
+    interfaces.ens3 = {
+      useDHCP = true;
+
+      ipv6.addresses = [{
+        address      = "2a0a:4cc0:1:2d7::1";
+        prefixLength = 64;
+      }];
+    };
+
+    firewall.enable = true;
+  };
+
+  system.stateVersion = "22.05";
+  home-manager.users.leah.home.stateVersion = "22.05";
+
+}
+
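Review bot: `hostKeys = [ /etc/ssh/ssh_host_rsa_key ];` under `boot.initrd.network.ssh` reuses the system sshd's host key for the initrd sshd; the initrd lives on the unencrypted vfat `/boot` declared in hardware-configuration.nix, so the machine's real private host key becomes readable by anyone who can read that partition or the boot medium, which is exactly the reuse the NixOS option documentation warns against. A key generated solely for the initrd, e.g. `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];` (the location the option's docs use as their example), limits the exposure to a key that guards nothing but the unlock prompt, and it lets the main sshd keep a host key that never leaves the encrypted root. Separately, the addresses `89.58.62.171` and `2a0a:4cc0:1:2d7::1` are spelled out three times (in `postCommands`, the `dns.zones` line and `networking.interfaces.ens3`); hoisting them into a `let` binding at the top of the file keeps the initrd networking and the runtime networking from drifting apart.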
diff --git a/machines/trabbi/hardware-configuration.nix b/machines/trabbi/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/9f4a28bc-940c-4460-b3ee-cc3f3be71267";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/9358ba89-695a-4d00-af41-baf41d8f1845";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/5DB7-1BBF";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/secrets/passwords/leah-at-f2k1-de.age b/secrets/passwords/leah-at-f2k1-de.age  Binary files differ.
diff --git a/secrets/restic-server/desastro.age b/secrets/restic-server/desastro.age
@@ -1,15 +1,19 @@
 age-encryption.org/v1
--> X25519 EIWR+ZTgzjXLk54jmmgN/MMG3Y868TBm+90wxv8TyXg
-z0Rq2HcxNnz7KkKY2eIGO2U7T3XTJvEqNELcMo8VzZg
--> ssh-ed25519 YtLkIw ZVWP1dyfZwVnoog90a4RqhomCgwOfO6QcXe1B7Zbc1A
-olcCZrvlNvoGI8eqPoI1IcuFCOLGY29R8SRfBk7u+kQ
--> ssh-ed25519 qAHlAg UshnbSKqoQI+I/JqLA1CyWPRMo4P7qkVBCufOqH16Bc
-P3mok8NxdUJ+/Yun1GlUha6Of05EbiyOdyhXIJNKKwU
--> ssh-ed25519 NrwbpQ pC3bT5NmozenWfaGk6JPLHBLEe0gpFXotTP3Lkp6iCs
-4JdFFfam4PlikD6+QPO+pZvcL5cdZUt93SijSLuC+co
--> ssh-ed25519 2LuoZg F2XLeas1tTwWIuT1Ur/dGy82hAZ3HWkWXiRJlbyGsDE
-oF48HhCVgBT2rJBenHsufGqF2nvyybXVnoBS6HokbEI
--> `QTT?/>&-grease @MUik~?\
-QJ0Njf/G3tlrMLnlNuQTHMjeOEUf/mbqiWiz
---- 8Jca77NScm1VlLOP/BvP3haaXehbesp60Dd5HBiruZ8
-I2\,ϳzO1	ui9/ASdNiXKCVOyiXxӰNO/-
\ No newline at end of file
+-> X25519 MB9ymPMV0Q8qsRYOVqtf5R2NElIwW1cl3XIcIf8o21k
+uwvuf/6UawBU56cwD1xFJ0BKw1P7QXfq1CdSUvnEDVw
+-> ssh-ed25519 V0uUrw QBgYzfRBwRv1ahuaiyUIIDzXBk92ZJZGO0r77O214i0
+uFyPxFm+jKd2l82eIRgaSOzi5Bxog2PzBT/aTNCz1iY
+-> ssh-ed25519 YtLkIw yT42kM9UGLs9JY5zbf7sm9jsaIOk3gvNrdXVh64dTn0
+/Iomy8VCv6pW/QBI8JhNfKaZkFcH5Xa1ChLD6uEOtjQ
+-> ssh-ed25519 qAHlAg MHPrRp9V4quaJ145/2F53Wq3t7L3+09PAvjNLITU7m0
+VTZ5WmxjjLCVe+C/h4xwC0SU00sLSQikMc3LW57ABHI
+-> ssh-ed25519 NrwbpQ 00pMSVPL2pDXy6o3D0x7QPubHEP/k900OzQ9hADr7yU
+qEZZov0h2ZDiCjyXlvZ74pb6lPMtIjZSMugiFPWx5Zw
+-> ssh-ed25519 2LuoZg WEJclcwll1GA4hPyGQPfY59ZXIoSZp2qvBV6B5Q/TCs
+1iwCiFdDmHiuxrwgfR6s0N0Ho2MPYvrXW3aRp+98ajA
+-> q<&B-grease m:[B Z 79Ej~8d
+IPOQMJhG0SMxZalBuSAm9upZBePr/i2Agu/wGMP0VoDo8KvocRk9qf7p/wENwD7v
+v4Q
+--- tAzFs9wUbQIWeszcZwRJwcymOb2BPjO3bqco1UuauYg
+3x%Y/&J}gՆNsK
+vRIduS!{t*&-87X]!3wGn+
\ No newline at end of file
diff --git a/secrets/restic-server/hector.age b/secrets/restic-server/hector.age
@@ -1,19 +1,20 @@
 age-encryption.org/v1
--> X25519 olKLRyHNT1J3q9wSvxTLVuHqjYdRSgU62HTFVIYquXk
-0h2hlhO74wH/3T6ga6WJhhV9+bzcjT/8GwyTKa3NZoI
--> ssh-ed25519 YtLkIw QuYn8fgWiPSKEgqGe00BPkejtBhlt/orMUb2vgJFLgw
-bSRDtHt2rvNAmaRx+YSt3eN+F5k6gKmA/K8cClIETiY
--> ssh-ed25519 qAHlAg 9zJwqVeU9Z7/RLZkTp1NOXU7hP3Rfn9ylblTbfsHrU0
-wieiVhaGu/Y16y+XjHsqpA5f0U9/cCPo19jWmJCMcN4
--> ssh-ed25519 NrwbpQ mdfZLEGemGWzmj0M/tXusms3Gj3IKRCPNj/OzMy++1A
-e8A6EAkBtIkt6woQffWJ6Dt9y3KtCnV/gPJG3J/TNlA
--> ssh-ed25519 2LuoZg lQw8Vxi91zKNOa4Tq73FH1CWUemhHIMXH0/PcWxhpW4
-moAHJH4iaJwddC34SQTDf8W7E/qJOoK1gLrgg770pOY
--> ssh-ed25519 VgQ62A FfJV3ra0QksQyPmSpmjixfl4+RXVA18x+yiZqBB0pX0
-2sTwsQx07vAKGKPNUNfZxgdJyxJO+EYUOH/oTo3uVzw
--> 0!-grease
-sBMz6K2cdVIv3iTtBIhHy5YIkvIMCfFbv0ctZdfIPHFMJ0LFioYscAXGRdrnS0tz
-i+I9Y3FGZhEKcIDMg6yaTkGJA6QiWVkSnmReH1Ifcqnyd+dgAJcEf3rjy5YJw+US
-
---- Hv3D7tNegILuEv21M8OTcruiShNhwQpobmA9sC+qMOE
-tn1	-\9Ŷ#hä-ū>!f-
\ No newline at end of file
+-> X25519 CuYJ631fqZlwUllCJRkQiYRm9fLO5a9bqp9rCz2JU3I
+jQcRfDzTojuSr6C/6NPz2P4QqyG3ud3Purb69Egtyz8
+-> ssh-ed25519 V0uUrw ZMWogXy1cWUTQNyV58rJYHZe/aHPSMKe1doeDDZgIw4
+hXETLY/1/vrpO0a37rn437Sj8duwWgs0mpRw1Kk0+OQ
+-> ssh-ed25519 YtLkIw KxY3SdwMukBqZ1/9+XVFiT6yyYH7fzTK6ErB9ukJxDU
+6lUgSpRsGp2usoI4H5EnMazlZeSIXtSRjmw8oymyIro
+-> ssh-ed25519 qAHlAg j5VM/AGjhqundMD/NkPRYMt8wfxP0/WW5vpR0cm4v2w
+Bue2DHhasKXB+b0b1cuXK4s29x/DIBK31liZW7hmi+0
+-> ssh-ed25519 NrwbpQ evFdyAQyUZYTJ7tdea738shp846WjMu6e3F5nlfNE1Q
+vvA/0fsPQl5i6Y9JjDftBfwfAstbC2xG05ldZJvGlGI
+-> ssh-ed25519 2LuoZg 2VZtm0xaXQzx+9REmyBauhM1PFd8qN6L4FSbPWANeyc
+03BQ098xKMRiWj18kZMUnRR5uj3tvJwNgL8UXNjLce4
+-> ssh-ed25519 VgQ62A z/Bkqa5Gxg82p8N057OM2X1T5nL2gTkgK+AWxMkcOSA
+sIOJffoUcxeMQ9/dXFfOtHDL76QIEOig1hhPSwzw9gk
+-> f~-grease $ ]DU #rM sFB-PH
+DyTanNcrEGz2n65Nr+x68L4wojAG2HvL+8D4N+1eTGF1d75uhFGhRhSVKTBrhTSN
+WOue4HGZvYG99hUUA3IrVmScBP5Cyif89r1jdQCpCQfgOBE
+--- W88DXFq6VOTgBBbnoz0tDZg1fj776P2Lp6TI8DBFjww
+R䖩w<yXVvokv;C+
\ No newline at end of file
diff --git a/secrets/restic-server/lollo.age b/secrets/restic-server/lollo.age
@@ -1,15 +1,17 @@
 age-encryption.org/v1
--> X25519 mG3N7VAJDS01Vmb1xHgOhlKp9E/8MMmfDR9hoC+9PB0
-QMMoulMyDV71VbirjIXc8qf20KbYUdODZf5eOlcapyU
--> ssh-ed25519 YtLkIw QseF0LGaoFrytb3FnQhrJa11fit1ZpEGH//TpbJbJwc
-AZv2fzvN4X8wDMpaFBOI1sxUcYkTUJHsE/5Eg4PQ7Bo
--> ssh-ed25519 qAHlAg 3hzylEH5gF94SNX4Iw2JLZKlqGWEj6mwABYDPUistn8
-Qq1+h9IdMqXxLko25LPVGgAoXc8IAZmrVURpwTnJxEs
--> ssh-ed25519 NrwbpQ erpKcckboEGrsO6dqD4anwAo4LSha3t7SGCELAUzUmw
-lTfGRA2CQgV1Kgbtm7wW788gusc5iok0A1khnD1tOjE
--> ssh-ed25519 2LuoZg PZNvSXsTlEgkpsj9awQOetqZ7HGrYcEaYZPxxdKRoh8
-Qzuo8Irywmvs6Whqc0rL1ey18wJj0dApEWEHxGePtDU
--> q}.-grease GV;1$!UD $ZG&iKZ( ._p eD5!DMPL
-btlJpZPSI6nR6cE6WTBt0q+J52MU16FGLd2TRJi8YnH9Jiy5
---- MS8Sp5l90LflPT4u6LHMMWtE7QLTLn0F9LLX/lEaspQ
-V;fEVAOw֒V;:GQY;~zX4[x-
\ No newline at end of file
+-> X25519 f7ZsLFA7hebPgURQuHUOsc9LmtzeYEe2+JLFNJ+qlls
+UZYE/Sy7tqRVRi1DPtqi6UmTuDmLxdAyFilcUt1oMg8
+-> ssh-ed25519 V0uUrw Z6OCZbfcW5jQba/mKD6VX8nnzQxt8R0obEwsA2Typ3E
+R/MFOc9yBd5LoVB0dOeq8FjMLDrR1f2xp/mFX3orRD0
+-> ssh-ed25519 YtLkIw riIePiKpkE11kHmS3ipaJlcJlObQX5w83ms+crMg6CE
+kiIsCqNBPAhy2FoT/WdxvEvHNUu0wkl9tgRtIHR3xi8
+-> ssh-ed25519 qAHlAg 5btxsPDE2ZDwgG/suVIckRzVLITM2VjrJxBfBKcY1w8
+elyuZURdKiySCekh9nyze5zIt7cdWfyZmZqJlfutmwA
+-> ssh-ed25519 NrwbpQ YedRBsNTTKqR/RnXsP+iyYKDutZ4hU+MN0fG5CYI1Rg
+brgusZfWGielMjmgM7yGyBBi5E+PDKfSQKDWitqTjZk
+-> ssh-ed25519 2LuoZg uE9BIqUZ2PBu/3SjOUZ+qqP04VaraqwPxHuyWcyjLiY
++hg/aYuw1GsFIYLf/79dSb2BC4/PCSapYA7ZeNiyI3c
+-> SEC]V7o-grease .J<PSS Mi(g3L8;
+eTGuVpnIEuoy6kY6vj8
+--- hcmspisPZ/M6pA38DuN9+GnAV/DEmzQgee2kNvTz3Qc
+
oYhZTYM=YpRVb)&cvYqC-+
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -10,18 +10,19 @@ let
   desastro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEniZFbgj9w7fQ+MhTnE83MatgcuDI7c7qqx05DTQcun";
   taurus   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV+KOqhtBmT5/I6mGvzk4oOdcxdlHazxkDbSXWrVTjk";
   hector   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWH8uGtxkYfv3CA5Q3qqOvbaTvp9KItrdSiKXZdDUsx";
+  trabbi   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/";
 
 in {
-  "passwords/leah-at-f2k1-de.age".publicKeys                  = [ leah osterei taurus desastro lollo hector ];
+  "passwords/leah-at-f2k1-de.age".publicKeys                  = [ leah osterei taurus desastro lollo hector trabbi ];
 
 
   "spotify/username.age".publicKeys                           = [ leah lollo ];
   "spotify/password.age".publicKeys                           = [ leah lollo ];
 
 
-  "restic-server/lollo.age".publicKeys                        = [ leah osterei taurus hector lollo ];
-  "restic-server/desastro.age".publicKeys                     = [ leah osterei taurus hector lollo ];
-  "restic-server/hector.age".publicKeys                       = [ leah osterei taurus hector lollo desastro ];
+  "restic-server/lollo.age".publicKeys                        = [ leah trabbi osterei taurus hector lollo ];
+  "restic-server/desastro.age".publicKeys                     = [ leah trabbi osterei taurus hector lollo ];
+  "restic-server/hector.age".publicKeys                       = [ leah trabbi osterei taurus hector lollo desastro ];
 
 
   "stasicontainer/syncthing/key.age".publicKeys               = [ leah stasicontainer ];
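Review bot: `trabbi` is added to the recipient lists of all three `restic-server/*.age` secrets, while `machines/trabbi/configuration.nix` in this commit only declares them via `age.secrets.restic-server-*` and imports no module that visibly consumes them. If trabbi is intended to be the restic server that needs every client credential, a one-line comment above those `age.secrets` lines naming the consuming service would document that intent; if it only needs a subset, dropping it from the other lists limits what a compromise of trabbi can decrypt. The placement of `trabbi` also differs between the `passwords/leah-at-f2k1-de.age` list (appended last) and the three restic lists (inserted second); keeping one order across the file makes recipient changes easier to audit. The attribute set opened at `in {` continues past the hunk.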