Merge branch 'master' of git.bitlab21.com:sam/nixos
This commit is contained in:
commit
b0f9e82700
20
flake.lock
20
flake.lock
|
|
@ -539,11 +539,11 @@
|
|||
},
|
||||
"nix-secrets": {
|
||||
"locked": {
|
||||
"lastModified": 1737414957,
|
||||
"narHash": "sha256-vxLWYDP36oqzgkP25ERG2y9K871oI5GnIunKXsxb+Hs=",
|
||||
"lastModified": 1737453096,
|
||||
"narHash": "sha256-vxVmBzoCMsUj8U9WeWM9+6r/fj02Fdi+1h/JVth1e54=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "833847b2a343b536f29183b9dcac91e871dd3e19",
|
||||
"revCount": 245,
|
||||
"rev": "0ba083a18deed72f72e52a38413977d19d23d053",
|
||||
"revCount": 246,
|
||||
"type": "git",
|
||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||
},
|
||||
|
|
@ -633,11 +633,11 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1737404927,
|
||||
"narHash": "sha256-e1WgPJpIYbOuokjgylcsuoEUCB4Jl2rQXa2LUD6XAG8=",
|
||||
"lastModified": 1737452544,
|
||||
"narHash": "sha256-qA5D6Wm9JzrvUvD7zOvK29x5SvemGRyk9oahasLtHXI=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ae584d90cbd0396a422289ee3efb1f1c9d141dc3",
|
||||
"rev": "eea315cf7d26ae50d3873d56dcf87e8845a23fc5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -699,11 +699,11 @@
|
|||
"treefmt-nix": "treefmt-nix_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1737439105,
|
||||
"narHash": "sha256-5N2pMCQYz+6aBXHh648if/IIqPZtk/mvaBP3dPnFlmM=",
|
||||
"lastModified": 1737446658,
|
||||
"narHash": "sha256-R0z3fxhP6YZXZ7MCAmx3yhqBgOldZyQMHK4eJJY4gS8=",
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"rev": "ebc0c383da65e99b2b04a616e9911556d09bbc9b",
|
||||
"rev": "34215e55d69fe1292c4fee669444983d79cce53f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
|
|
@ -11,10 +11,7 @@
|
|||
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
|
||||
dev = "/dev/nvme0n1"; # depends on target hardware
|
||||
encrypted = true; # currrently only applies to btrfs
|
||||
btrfsMountDevice =
|
||||
if encrypted
|
||||
then "/dev/mapper/crypted"
|
||||
else "/dev/root_vg/root";
|
||||
btrfsMountDevice = "/dev/mapper/crypted";
|
||||
user = "sam";
|
||||
impermanence = true;
|
||||
piholeIp = configVars.networking.addresses.pihole.ip;
|
||||
|
|
|
|||
|
|
@ -0,0 +1,36 @@
|
|||
{
|
||||
device ? throw "Must define a device, e.g. /dev/sda",
|
||||
fsModule ? "Must specify submodule"
|
||||
}:
|
||||
{
|
||||
disko.devices = {
|
||||
disk = {
|
||||
main = {
|
||||
type = "disk";
|
||||
inherit device;
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
priority = 1;
|
||||
name = "ESP";
|
||||
start = "1M";
|
||||
end = "128M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = ["umask=0077"];
|
||||
};
|
||||
};
|
||||
root = {
|
||||
size = "100%";
|
||||
content = import "${fsModule}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,11 +1,8 @@
|
|||
{ device, fsType, encrypted, impermanence, ... }:
|
||||
let
|
||||
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
|
||||
basic = import ./${fsType}/basic.nix { inherit device; };
|
||||
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
|
||||
basic = import ./basic.nix { inherit device; fsModule = fsModule; };
|
||||
luks = import ./luks.nix { inherit device; fsModule = fsModule; };
|
||||
in
|
||||
if fsType == "ext4" then basic
|
||||
else if fsType == "btrfs" && encrypted then luks
|
||||
else if fsType == "btrfs" then lvm
|
||||
else null
|
||||
if fsType == "btrfs" && encrypted then luks
|
||||
else basic
|
||||
|
|
|
|||
|
|
@ -108,6 +108,7 @@ in {
|
|||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
in {
|
||||
networking = {
|
||||
enableIPv6 = false;
|
||||
defaultGateway = "${gatewayIp}";
|
||||
interfaces.eth0.ipv4.addresses = [
|
||||
{
|
||||
|
|
|
|||
|
|
@ -90,6 +90,7 @@ in {
|
|||
pkgs.git
|
||||
pkgs.arion
|
||||
pkgs.lsof
|
||||
pkgs.podman-compose
|
||||
];
|
||||
|
||||
virtualisation = {
|
||||
|
|
|
|||
|
|
@ -100,6 +100,7 @@ in {
|
|||
pkgs.vim
|
||||
pkgs.git
|
||||
pkgs.arion
|
||||
pkgs.podman-compose
|
||||
pkgs.jdk
|
||||
];
|
||||
|
||||
|
|
|
|||
|
|
@ -9,8 +9,9 @@
|
|||
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
|
||||
dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f";
|
||||
encrypted = false; # currrently only applies to btrfs
|
||||
btrfsMountDevice = "/dev/root_vg/root";
|
||||
btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2";
|
||||
impermanence = true;
|
||||
|
||||
piholeIp = configVars.networking.addresses.pihole.ip;
|
||||
gatewayIp = configVars.networking.addresses.gateway.ip;
|
||||
merlinIp = configVars.networking.addresses.merlin.ip;
|
||||
|
|
@ -41,6 +42,21 @@ in {
|
|||
|
||||
# Import optional options
|
||||
../common/optional/openssh.nix
|
||||
../common/optional/restic-backup.nix
|
||||
../common/optional/docker.nix
|
||||
../common/optional/nix-ld.nix
|
||||
../common/optional/fileserver/nfs-server/homeshare.nix
|
||||
|
||||
# Nixos containers
|
||||
../common/optional/nixos-containers/docker.nix
|
||||
../common/optional/nixos-containers/baseddata-worker.nix
|
||||
../common/optional/nixos-containers/pihole.nix
|
||||
../common/optional/nixos-containers/semitamaps-worker.nix
|
||||
../common/optional/nixos-containers/nix-bitcoin.nix
|
||||
../common/optional/nixos-containers/postgres.nix
|
||||
../common/optional/nixos-containers/baseddata-worker.nix
|
||||
../common/optional/nixos-containers/backup-server.nix
|
||||
../common/optional/nixos-containers/metrics-server.nix
|
||||
|
||||
# This machine is used for remote building
|
||||
../common/optional/distributed-builds/remote-builder-machine.nix
|
||||
|
|
@ -56,11 +72,22 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
fileSystems."/mnt/main-ssd" = {
|
||||
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/btcnode" = {
|
||||
device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "merlin";
|
||||
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
|
||||
defaultGateway = "${gatewayIp}";
|
||||
useDHCP = false;
|
||||
enableIPv6 = false;
|
||||
bridges = {
|
||||
br0 = {
|
||||
interfaces = ["eth0"];
|
||||
|
|
@ -79,6 +106,7 @@ in {
|
|||
environment.persistence."/persist" = {
|
||||
directories = [
|
||||
"/etc/zpool"
|
||||
"/var/lib/tailscale"
|
||||
];
|
||||
};
|
||||
|
||||
|
|
@ -87,6 +115,10 @@ in {
|
|||
enable = true;
|
||||
};
|
||||
|
||||
# enable tailscale
|
||||
services.tailscale.useRoutingFeatures = "server";
|
||||
services.tailscale.enable = true;
|
||||
|
||||
nixpkgs.config.allowUnfreePredicate = pkg:
|
||||
builtins.elem (lib.getName pkg) [
|
||||
"nvidia-x11"
|
||||
|
|
@ -114,11 +146,6 @@ in {
|
|||
user = "admin";
|
||||
};
|
||||
|
||||
fileSystems."/mnt/btcnode" = {
|
||||
device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
boot.supportedFilesystems = ["zfs"];
|
||||
boot.zfs.forceImportRoot = false;
|
||||
networking.hostId = "18aec5d7";
|
||||
|
|
|
|||
|
|
@ -57,17 +57,17 @@ in {
|
|||
# # bind mounts
|
||||
# ../common/optional/fileserver/bind-mounts/homeshare.nix
|
||||
|
||||
../common/optional/fileserver/nfs-server/homeshare.nix
|
||||
# ../common/optional/fileserver/nfs-server/homeshare.nix
|
||||
|
||||
# nixos-containers
|
||||
../common/optional/nixos-containers/nix-bitcoin.nix
|
||||
../common/optional/nixos-containers/postgres.nix
|
||||
../common/optional/nixos-containers/baseddata-worker.nix
|
||||
../common/optional/nixos-containers/semitamaps-worker.nix
|
||||
../common/optional/nixos-containers/backup-server.nix
|
||||
../common/optional/nixos-containers/docker.nix
|
||||
../common/optional/nixos-containers/pihole.nix
|
||||
../common/optional/nixos-containers/metrics-server.nix
|
||||
# ../common/optional/nixos-containers/nix-bitcoin.nix
|
||||
# ../common/optional/nixos-containers/postgres.nix
|
||||
# ../common/optional/nixos-containers/baseddata-worker.nix
|
||||
# ../common/optional/nixos-containers/semitamaps-worker.nix
|
||||
# ../common/optional/nixos-containers/backup-server.nix
|
||||
# ../common/optional/nixos-containers/docker.nix
|
||||
# ../common/optional/nixos-containers/pihole.nix
|
||||
# ../common/optional/nixos-containers/metrics-server.nix
|
||||
|
||||
# # Build nix derivations on remote machine
|
||||
# ../common/optional/distributed-builds/local-machine.nix
|
||||
|
|
@ -75,11 +75,11 @@ in {
|
|||
outputs.nixosModules.nixosAutoUpgrade
|
||||
];
|
||||
|
||||
fileSystems."/mnt/main-ssd" = {
|
||||
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
# fileSystems."/mnt/main-ssd" = {
|
||||
# device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
|
||||
# fsType = "ext4";
|
||||
# };
|
||||
#
|
||||
services.tailscale.useRoutingFeatures = "server";
|
||||
|
||||
boot = {
|
||||
|
|
@ -104,15 +104,15 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
enabledCollectors = ["systemd"];
|
||||
openFirewall = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
# services.prometheus = {
|
||||
# exporters = {
|
||||
# node = {
|
||||
# enable = true;
|
||||
# enabledCollectors = ["systemd"];
|
||||
# openFirewall = true;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
# system.services.nixosAutoUpgrade = {
|
||||
# enable = true;
|
||||
|
|
|
|||
|
|
@ -40,33 +40,40 @@ trap cleanup EXIT
|
|||
# Create the directory for target host keys
|
||||
install -d -m755 "$temp$persist/etc/ssh"
|
||||
|
||||
# Create ssh keys
|
||||
echo "Creating '$hostname' ssh keys"
|
||||
ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
|
||||
# Extract ssh keys from secrets
|
||||
echo "Extracting ssh keys"
|
||||
ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
|
||||
echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key
|
||||
ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
|
||||
echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
|
||||
|
||||
# Extract luks key from secrets
|
||||
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
|
||||
echo "$luks_secret" > /tmp/luks_secret.key
|
||||
# # Extract luks key from secrets
|
||||
# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
|
||||
# echo "$luks_secret" > /tmp/luks_secret.key
|
||||
|
||||
# Generate age key from target host and user public ssh key
|
||||
echo "Generating age key from target host and user ssh key"
|
||||
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
|
||||
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
||||
# # Create ssh keys
|
||||
# echo "Creating '$hostname' ssh keys"
|
||||
# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
|
||||
|
||||
# Update .sops.yaml with new age key:
|
||||
SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
|
||||
sed -i "{
|
||||
# Remove any * and & entries for this host
|
||||
/[*&]$hostname/ d;
|
||||
# Inject a new age: entry
|
||||
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
|
||||
/age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
|
||||
# Inject a new hosts: entry
|
||||
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
|
||||
}" "$SOPS_FILE"
|
||||
# # Generate age key from target host and user public ssh key
|
||||
# echo "Generating age key from target host and user ssh key"
|
||||
# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
|
||||
# echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
||||
|
||||
# Commit and push changes to sops file
|
||||
just update-sops-secrets && just update-flake-secrets && just update-flake
|
||||
# # Update .sops.yaml with new age key:
|
||||
# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
|
||||
# sed -i "{
|
||||
# # Remove any * and & entries for this host
|
||||
# /[*&]$hostname/ d;
|
||||
# # Inject a new age: entry
|
||||
# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
|
||||
# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
|
||||
# # Inject a new hosts: entry
|
||||
# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
|
||||
# }" "$SOPS_FILE"
|
||||
|
||||
# # Commit and push changes to sops file
|
||||
# just update-sops-secrets && just update-flake-secrets && just update-flake
|
||||
|
||||
# Copy current nix config over to target
|
||||
echo "copying current nix config to host"
|
||||
|
|
|
|||
Loading…
Reference in New Issue