
commit 67149b508fb2dd033c4e917bb2a72b6d3d59d052
parent e47e8f6c1f266ed6e55370f44624a3d98380e62c
Author: Katja (ctucx) <git@ctu.cx>
Date: Mon, 2 Dec 2024 16:06:38 +0100

machines: add `hector`
7 files changed, 175 insertions(+), 52 deletions(-)
M
flake.nix
|
1
+
A
machines/hector/default.nix
|
80
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
machines/hector/hardware-configuration.nix
|
39
+++++++++++++++++++++++++++++++++++++++
M
secrets/passwords/katja.age
|
43
++++++++++++++++++++++---------------------
M
secrets/restic-server/briefkasten.age
|
27
++++++++++++++-------------
M
secrets/restic-server/wanderduene.age
|
27
++++++++++++++-------------
M
secrets/secrets.nix
|
10
+++++-----
diff --git a/flake.nix b/flake.nix
@@ -50,6 +50,7 @@
 
       trabbi           = import ./machines/trabbi;
       wanderduene      = import ./machines/wanderduene;
+      hector           = import ./machines/hector;
     };
 
     colmenaHive         = inputs.colmena.lib.makeHive self.outputs.colmena;
diff --git a/machines/hector/default.nix b/machines/hector/default.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  #this enables the following services: dns
+  deployment.tags          = [ "dnsServer" ];
+
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
+
+  age.secrets.restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
+  age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    initrd.network = {
+      enable = true;
+      ssh    = {
+        enable         = true;
+        port           = 22;
+        hostKeys       = [ /etc/ssh/ssh_host_rsa_key ];
+        authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+      };
+
+      postCommands = ''
+        ip link set dev ens3 up
+        ip addr add ${config.networking.primaryIP}/128 dev ens3
+        ip route add default via fe80::1 dev ens3 onlink
+
+        ip addr add ${config.networking.primaryIP4}/22 dev ens3
+        ip route add default via ${config.networking.defaultGateway.address} dev ens3 onlink
+        echo 'cryptsetup-askpass' >> /root/.profile
+      '';
+    };
+  };
+
+  networking = {
+    primaryIP    = "2a03:4000:34:23e::1";
+    primaryIP4   = "194.59.205.194";
+
+    resolvconf.enable = false;
+    nameservers       = [ "8.8.8.8" "1.1.1.1" ];
+
+    defaultGateway  = {
+      interface = "ens3";
+      address    = "194.59.204.1";
+    };
+    defaultGateway6 = {
+      interface = "ens3";
+      address   = "fe80::1";
+    };
+
+    interfaces.ens3 = {
+      ipv4.addresses = [{
+        address = config.networking.primaryIP4;
+        prefixLength = 22;
+      }];
+      ipv6.addresses = [{
+        address      = config.networking.primaryIP;
+        prefixLength = 64;
+      }];
+    };
+
+    nftables.enable = true;
+  };
+
+  services.email-notify.enable = true;
+
+  system.stateVersion = "24.11";
+  home-manager.users.katja.home.stateVersion = "24.11";
+
+}
+
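Review bot: The initrd sshd on lines 82-87 is handed the system's real host key, `hostKeys = [ /etc/ssh/ssh_host_rsa_key ];`, which moves that key outside the LUKS volume: the initrd and anything appended to it live on the unencrypted vfat `/boot` declared in hardware-configuration.nix (and if Nix treats the unquoted path as a path literal it may additionally be copied into the world-readable Nix store), so anyone who can read the disk image — on a qemu guest that plausibly includes the hosting provider — obtains the host's primary SSH identity. NixOS documents this option as requiring a dedicated key; generate one with `ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key` and set `hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];`. Since that key will differ from the one the booted sshd presents, also move the unlock listener off port 22 (`port = 2222;`) so clients do not hit a known_hosts mismatch between the two services. The wheel-derived `authorizedKeys` on line 86 gives every wheel user's keys root on the unlock shell, which is presumably intended but deserves a one-line comment saying so.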
diff --git a/machines/hector/hardware-configuration.nix b/machines/hector/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/1986cef8-3b9a-4473-a44f-08f48abd7e6e";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/b99dc901-2104-4193-909c-034d5d46d4bf";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/25F5-CEC1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/secrets/passwords/katja.age b/secrets/passwords/katja.age
@@ -1,23 +1,24 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZU9WaUxOMGs2emlWeHF2
-blo2RStiVlMxZkpjREd0UzdWVFJ5NU9qTXljCmI2VDhvUzg5QkRJS2VsNE5CWGNH
-N2Z6VGFIeUo2OGoweVh1YnhhUE5Wa0EKLT4gc3NoLWVkMjU1MTkgcThvY3pnIDRF
-R0x2L0pQaGdTTXRFdzBpQkx4UDBoSHRvRmVGa3A4ZVJza3ArcDNXeXMKNWQrd0hL
-L1l0ckJ3empIK1YvWTRza3JHVzhnbGQvNVlMZjNNZHJhZVMzUQotPiBzc2gtZWQy
-NTUxOSBPSlFWRFEgcDR0Yjc0ckoySnh2YS9mbUdWejJ2K1Z2ZURJb3JFTUlaL0JQ
-TUdVb25YTQpaMU9TNTg0ZnNVRmJ4bzdadnBiOW94MWdVOUFaUGZLdDB0UUxEemRz
-OGc0Ci0+IHNzaC1lZDI1NTE5IFpjeGI2ZyB0NnQ5VmRqb0x0Tjk2aVZsRjNVeWZs
-RGJHMEtOR1NLY3RYVzBXa2VReG1nCk8rSXNyeWRXbmdMRFJOWWk0RnM5LzE2OEY1
-aU9pVU1FYjVGQWd1bUE1RnMKLT4gc3NoLWVkMjU1MTkgNGhLQ013IDZ0TWJoaXhM
-NGxvWUxWSEFwc284ZXVvVExTWS9kU1V6dHhHbXU1bVJjMHMKbHlybmFKQkVIZ1B1
-Nnk3SDRMdm9qdE8zeUVVOS9aT1BGSlQzRU1acWtMNAotPiBzc2gtZWQyNTUxOSBW
-RVVFQ0EgL0VLRW45VmR0QVIyT3ZWejZtMHVGN0Nld3kyZTJ3Z3RFRWM1SkxhYlNt
-RQpkQ21SS0JQMmlKMThWQzdTL3hXcWdKQUFwa1ArN0IvV3BUekc3bVpxVVFrCi0+
-IHNzaC1lZDI1NTE5IFNZajZJZyBHcVlRSVNmSUMyVkJVeEJSRHBUT0ROMDdEb3dB
-UjFaMmczVExkdkgyTGxzCmNCOHBhekxqam1zYXJsaksrQ3BEUWRSdDNoNUE3UTBC
-cXlrR2ZTQXozbGsKLT4gbnctZ3JlYXNlIDBZXUwndSBkJlgKN1RrCi0tLSB4RkhT
-VXRiS0FwQ3JlYmNqamU5Z0ErSWY5TFZ2TW1PZ1BBSG1JMVVIWWprCoodEQVRfnjZ
-hgnM3A33VpekgtwvymsGlGNot/T4Sm7Q+E4rG4T8bY9BLQZCwcTNLuWlyvZMZzEm
-1tahMYrtM4RTACS4qNk97Y0kqjmkdCPHF+Ai6R3bWGvyV5Huv/HeOeynocc+Hikn
-EgpfWkF8tic/2O6DCtZ1gT5YWN+zRa4UPvUKr9LLe5hh3A==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 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/restic-server/briefkasten.age b/secrets/restic-server/briefkasten.age
@@ -1,15 +1,16 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRzAwL3NhRENPdDNISjZn
-d3lqam5SUm42eG4xTWwzei9rMlhtOFNiOGgwCk8zcnhJQWx2a1FrcG5MNmlqTHN3
-a2E2L2c5VTZxTW16YzdlbVNOK01SbVEKLT4gc3NoLWVkMjU1MTkgcThvY3pnIEJp
-SkY2QU9CWXhzRW1QOFRFVUt3R3Z0eE5qSnlSRVMzc092eWxoSjJuemsKUTZLRURh
-UytlSC9RbVd0WTNwWi9iSENkNzBtTFBHajdNMVQwek9rVGR1bwotPiBzc2gtZWQy
-NTUxOSA0aEtDTXcgWFZ1S3FraGlkM2lORFBkaUNGMXFIZEpqeCtOSThmN0x5OEla
-UXVRUmhrdwpEeW9Nd2lDZ3prRjhJay84bXprWkgzY2lDTG1zdk1tL0F2QU9Ed3g3
-aWpZCi0+IH58UCtbLWdyZWFzZSB2SilXQjYgKGx9My9YJEIKM1ppQXVwWVVEYzY4
-WTZEMzJycjFIeGpmOTlPT2lIeWx2ZlVvTTIxa05LZFc3OXNxWWVycWRydWdpR0Zq
-dldYVQpac3lEaldrS3hFZm5jeEdZWER3ekM2aUM2Y1dpZm5qYVY1aEg1QQotLS0g
-dnJwTW9JUzNJMVRLMmo1b3BtZ2t4a21CUUlacnBKYmQwSmM0TFkrNVF6UQqAVOk/
-rd8UqCUAsKFeCiNp5zX50MFpUrHBkzAJsmS6O8hT94A3czw72dfF19R4ozKFE2TR
-hwfwvVQ=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 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/restic-server/wanderduene.age b/secrets/restic-server/wanderduene.age
@@ -1,15 +1,16 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3em40YlBGSkZHMks0VG03
-QnhaUVc3RFBlRHpIWFZHQTlyQ0M2U0hOZXpBCmdoL2ZydnNWdWxVSldjdGphUHQx
-cU9GVXRmS0tMYnk1QWZvcThyZXprL28KLT4gc3NoLWVkMjU1MTkgcThvY3pnIGFO
-aXZyVzVyczlLRjZQeWNSYnVOaElsMUJmY0xUN3BpL1RvYTVldGZaMUkKdVRoNHlp
-cjJ2YXdJUmg5QkhqMjJ6ZlNMbGp1V2N6WnBSRnMrZTZGc25NZwotPiBzc2gtZWQy
-NTUxOSA0aEtDTXcgOXlyN05GdDRrZ0ZMOUFSTzU5R2Q3NE9xTXRhV3NLYnpXOTh6
-TUVDSXpqcwpFMUZDL3ArdXk0cTc3eHRwR0h1QUZPS1hCTWZrSE1iY1N2LzlVbGEr
-STFBCi0+ID0tZ3JlYXNlIGVCYXl6JyR5IG47LSBMIERoNWswCkwxeWNmZTlOTHNT
-a203d3dOeWhabFNMbzJnK3A2RkxXZ2NwUk1wb0xSWHdkbmpuZGttWFJ1aDVRQjBa
-Yy9paG4KS3lTdQotLS0gZHZjZHZMZW1sVnJBakdhTUJtRTJXU0dFemIxekx6NXQ3
-SGs1V09VMXJocwpEEAO3SlZEJCknBeO/xINWrIsA9Zr/t7i+fJ3aqsFeWjf4gL7O
-K0XbqNmWUGInt4QL7fxQjXs6rrYSZfCS6QZmb4R+8SHsiVvtdpyWRVmlsJFq8cFm
-30uXcrY7ZLVy+EA=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 -----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -8,16 +8,16 @@ let
   #servers
   briefkasten    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8mi9ZKPdhn20g9gyxE7NYBq/vAKemW4lhaQlLw5QVc";
 
+  hector          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILONdCJED/Lmd215tO8KBkJSl1E9ZdMyC+syxSqmo7o";
   trabbi          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBwzDl1dHpDIZxFfRBLQyFn85RVTsg7OgO3Eahdn3FTJ";
-  wanderduene-old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEff3QkAesMYwquc49H5e2CjRH9Dv50/DjzqpCw97lPQ";
   wanderduene     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8uAvUnwhg3pnCdaaoclWDKV275SyNSyrkJON+R5Boi";
 
 in {
-  "passwords/leah-at-f2k1-de.age".publicKeys                        = [ main-key trabbi wanderduene wanderduene-old briefkasten ];
-  "passwords/katja.age".publicKeys                                  = [ main-key trabbi wanderduene wanderduene-old briefkasten coladose seifenkiste ];
+  "passwords/leah-at-f2k1-de.age".publicKeys                        = [ main-key trabbi wanderduene briefkasten ];
+  "passwords/katja.age".publicKeys                                  = [ main-key trabbi wanderduene hector briefkasten coladose seifenkiste ];
 
-  "restic-server/briefkasten.age".publicKeys                        = [ main-key trabbi briefkasten ];
-  "restic-server/wanderduene.age".publicKeys                        = [ main-key trabbi briefkasten ];
+  "restic-server/briefkasten.age".publicKeys                        = [ main-key trabbi hector briefkasten ];
+  "restic-server/wanderduene.age".publicKeys                        = [ main-key trabbi hector briefkasten ];
 
 
   "blechkasten/syncthing/key.age".publicKeys                        = [ main-key blechkasten ];
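Review bot: Dropping `wanderduene-old` from the recipient lists on lines 248-249 re-encrypts only the current contents; every earlier revision of `passwords/leah-at-f2k1-de.age` and `passwords/katja.age` in git history remains decryptable by that presumably retired host key. Unless that key is known to have been destroyed, the password values themselves should be rotated as part of this change rather than merely re-keyed. A short comment on the new recipient entries, e.g. `# hector: receives the restic-server creds for its own backups`, would also record why a host tagged only `dnsServer` is a recipient of both restic-server secrets, since that is currently only implied by machines/hector/default.nix.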