diff --git a/flake.lock b/flake.lock index 6b3fe35..b46eaaf 100644 --- a/flake.lock +++ b/flake.lock @@ -539,11 +539,11 @@ }, "nix-secrets": { "locked": { - "lastModified": 1737414957, - "narHash": "sha256-vxLWYDP36oqzgkP25ERG2y9K871oI5GnIunKXsxb+Hs=", + "lastModified": 1737453096, + "narHash": "sha256-vxVmBzoCMsUj8U9WeWM9+6r/fj02Fdi+1h/JVth1e54=", "ref": "refs/heads/master", - "rev": "833847b2a343b536f29183b9dcac91e871dd3e19", - "revCount": 245, + "rev": "0ba083a18deed72f72e52a38413977d19d23d053", + "revCount": 246, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, @@ -633,11 +633,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1737404927, - "narHash": "sha256-e1WgPJpIYbOuokjgylcsuoEUCB4Jl2rQXa2LUD6XAG8=", + "lastModified": 1737452544, + "narHash": "sha256-qA5D6Wm9JzrvUvD7zOvK29x5SvemGRyk9oahasLtHXI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ae584d90cbd0396a422289ee3efb1f1c9d141dc3", + "rev": "eea315cf7d26ae50d3873d56dcf87e8845a23fc5", "type": "github" }, "original": { @@ -699,11 +699,11 @@ "treefmt-nix": "treefmt-nix_3" }, "locked": { - "lastModified": 1737439105, - "narHash": "sha256-5N2pMCQYz+6aBXHh648if/IIqPZtk/mvaBP3dPnFlmM=", + "lastModified": 1737446658, + "narHash": "sha256-R0z3fxhP6YZXZ7MCAmx3yhqBgOldZyQMHK4eJJY4gS8=", "owner": "nix-community", "repo": "NUR", - "rev": "ebc0c383da65e99b2b04a616e9911556d09bbc9b", + "rev": "34215e55d69fe1292c4fee669444983d79cce53f", "type": "github" }, "original": { diff --git a/hosts/citadel/default.nix b/hosts/citadel/default.nix index 4872b72..b10b81e 100644 --- a/hosts/citadel/default.nix +++ b/hosts/citadel/default.nix 
@@ -11,10 +11,7 @@ fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence dev = "/dev/nvme0n1"; # depends on target hardware encrypted = true; # currrently only applies to btrfs - btrfsMountDevice = - if encrypted - then "/dev/mapper/crypted" - else "/dev/root_vg/root"; + btrfsMountDevice = "/dev/mapper/crypted"; user = "sam"; impermanence = true; piholeIp = configVars.networking.addresses.pihole.ip; diff --git a/hosts/common/disks/basic.nix b/hosts/common/disks/basic.nix new file mode 100644 index 0000000..a05b8ce --- /dev/null +++ b/hosts/common/disks/basic.nix @@ -0,0 +1,36 @@ +{ +device ? throw "Must define a device, e.g. /dev/sda", +fsModule ? "Must specify submodule" +}: +{ + disko.devices = { + disk = { + main = { + type = "disk"; + inherit device; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + start = "1M"; + end = "128M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = ["umask=0077"]; + }; + }; + root = { + size = "100%"; + content = import "${fsModule}"; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/common/disks/default.nix b/hosts/common/disks/default.nix index 45c392d..29d903a 100644 --- a/hosts/common/disks/default.nix +++ b/hosts/common/disks/default.nix @@ -1,11 +1,8 @@ { device, fsType, encrypted, impermanence, ... }: let fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix; - basic = import ./${fsType}/basic.nix { inherit device; }; - lvm = import ./lvm.nix { inherit device; fsModule = fsModule; }; + basic = import ./basic.nix { inherit device; fsModule = fsModule; }; luks = import ./luks.nix { inherit device; fsModule = fsModule; }; in -if fsType == "ext4" then basic -else if fsType == "btrfs" && encrypted then luks -else if fsType == "btrfs" then lvm -else null +if fsType == "btrfs" && encrypted then luks +else basic 
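Review bot: `encrypted = true` two lines above no longer influences `btrfsMountDevice` once it is hard-coded to `/dev/mapper/crypted`, so flipping `encrypted` later would leave the disko selection in hosts/common/disks/default.nix (which keys on `encrypted`) and the mount device pointing at different things. Tie the two together rather than trusting them to be edited in lockstep, e.g. `btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "${dev}-part2";`, which is the form merlin's non-encrypted layout now uses. The enclosing `let` block starts outside the hunk.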
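Review bot: The default `fsModule ? "Must specify submodule"` is a plain string, unlike `device ? throw "..."` on the line above, so a caller that omits `fsModule` does not see that message; it gets an obscure failure from `import "Must specify submodule"` instead. Make the two arguments consistent: `fsModule ? throw "Must specify a filesystem submodule, e.g. ./btrfs/standard.nix",`. Separately, `content = import "${fsModule}";` coerces the path to a string (copying the file to the store first); when callers pass a path value, as hosts/common/disks/default.nix does, plain `import fsModule;` is enough and avoids the extra store copy.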
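Review bot: The new `else basic` branch ignores `encrypted` for every non-btrfs layout, so `fsType = "ext4"` with `encrypted = true` now silently provisions an unencrypted disk. The host files do say encryption currently only applies to btrfs, but a requested encryption flag that is dropped should fail evaluation rather than produce plaintext storage; e.g. `else if encrypted then throw "encrypted = true is only supported for fsType = \"btrfs\"" else basic`. That keeps the simplification this hunk makes while making the unsupported combination loud.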
diff --git a/hosts/common/disks/ext4/basic.nix b/hosts/common/disks/ext4/ext4.nix similarity index 100% rename from hosts/common/disks/ext4/basic.nix rename to hosts/common/disks/ext4/ext4.nix diff --git a/hosts/common/optional/nixos-containers/docker.nix b/hosts/common/optional/nixos-containers/docker.nix index 1b4a228..af4e4a2 100644 --- a/hosts/common/optional/nixos-containers/docker.nix +++ b/hosts/common/optional/nixos-containers/docker.nix @@ -108,6 +108,7 @@ in { secretsFile = "${secretsDirectory}/secrets.yaml"; in { networking = { + enableIPv6 = false; defaultGateway = "${gatewayIp}"; interfaces.eth0.ipv4.addresses = [ { diff --git a/hosts/common/optional/nixos-containers/pihole.nix b/hosts/common/optional/nixos-containers/pihole.nix index 6d9fcc2..781a4e9 100644 --- a/hosts/common/optional/nixos-containers/pihole.nix +++ b/hosts/common/optional/nixos-containers/pihole.nix @@ -90,6 +90,7 @@ in { pkgs.git pkgs.arion pkgs.lsof + pkgs.podman-compose ]; virtualisation = { diff --git a/hosts/common/optional/nixos-containers/semitamaps-worker.nix b/hosts/common/optional/nixos-containers/semitamaps-worker.nix index 0800157..7e24e52 100644 --- a/hosts/common/optional/nixos-containers/semitamaps-worker.nix +++ b/hosts/common/optional/nixos-containers/semitamaps-worker.nix @@ -100,6 +100,7 @@ in { pkgs.vim pkgs.git pkgs.arion + pkgs.podman-compose pkgs.jdk ]; diff --git a/hosts/merlin/default.nix b/hosts/merlin/default.nix index e6f4621..9442dea 100644 --- a/hosts/merlin/default.nix +++ b/hosts/merlin/default.nix 
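Review bot: The new `enableIPv6 = false;` inside the container's `networking` block carries no comment, and the same setting is added to merlin's host config in this commit, so a reader cannot tell whether this works around a container-specific problem or is a deliberate policy of reaching the container only on the static IPv4 address assigned just below. Add a one-line why-comment, e.g. `# IPv6 off: the container is addressed only via its static IPv4 below`, adjusted to the real reason. The enclosing container definition starts and ends outside the hunk.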
@@ -9,8 +9,9 @@ fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f"; encrypted = false; # currrently only applies to btrfs - btrfsMountDevice = "/dev/root_vg/root"; + btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2"; impermanence = true; + piholeIp = configVars.networking.addresses.pihole.ip; gatewayIp = configVars.networking.addresses.gateway.ip; merlinIp = configVars.networking.addresses.merlin.ip; @@ -41,6 +42,21 @@ in { # Import optional options ../common/optional/openssh.nix + ../common/optional/restic-backup.nix + ../common/optional/docker.nix + ../common/optional/nix-ld.nix + ../common/optional/fileserver/nfs-server/homeshare.nix + + # Nixos containers + ../common/optional/nixos-containers/docker.nix + ../common/optional/nixos-containers/baseddata-worker.nix + ../common/optional/nixos-containers/pihole.nix + ../common/optional/nixos-containers/semitamaps-worker.nix + ../common/optional/nixos-containers/nix-bitcoin.nix + ../common/optional/nixos-containers/postgres.nix + ../common/optional/nixos-containers/baseddata-worker.nix + ../common/optional/nixos-containers/backup-server.nix + ../common/optional/nixos-containers/metrics-server.nix # This machine is used for remote building ../common/optional/distributed-builds/remote-builder-machine.nix @@ -56,11 +72,22 @@ in { }; }; + fileSystems."/mnt/main-ssd" = { + device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59"; + fsType = "ext4"; + }; + + fileSystems."/mnt/btcnode" = { + device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93"; + fsType = "btrfs"; + }; + networking = { hostName = "merlin"; nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"]; defaultGateway = "${gatewayIp}"; useDHCP = false; + enableIPv6 = false; bridges = { br0 = { interfaces = ["eth0"]; @@ -79,6 +106,7 @@ in { environment.persistence."/persist" = { directories = [ "/etc/zpool" + "/var/lib/tailscale" ]; }; 
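Review bot: `btrfsMountDevice` repeats the full `wwn-0x5001b448b5f7cc7f` disk id that `dev` already holds on the line above, so the two literals can drift apart if the drive is ever replaced; derive one from the other: `btrfsMountDevice = "${dev}-part2";`. A short comment that `-part2` is the root partition because hosts/common/disks/basic.nix lays out the ESP first and root second would also make the coupling explicit. The `let` block begins outside the hunk.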
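Review bot: `../common/optional/nixos-containers/baseddata-worker.nix` appears twice in the added nixos-containers imports (second and seventh entries); drop one. Even if the module system deduplicates identical paths, the duplicate misleads anyone editing the list. This hunk also moves the nix-bitcoin, postgres, backup-server and metrics-server containers plus the NFS home share onto the host that is already the remote builder and, later in this file, becomes a Tailscale routing server; if that consolidation is intended, a comment saying so above the container imports would save the next reader from wondering whether it was temporary. The imports list continues outside the hunk.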
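Review bot: The `fileSystems."/mnt/main-ssd"` and `fileSystems."/mnt/btcnode"` entries added here set no `options`, so if either by-uuid device is missing at boot the generated mount unit will normally fail the boot and leave this headless host in emergency mode instead of coming up without the data disk. If the root filesystem and services can tolerate their absence, add `options = ["nofail"];` to each (optionally with `x-systemd.device-timeout=` to bound the wait). The `networking` block this hunk also touches continues outside it.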
@@ -87,6 +115,10 @@ in { enable = true; }; + # enable tailscale + services.tailscale.useRoutingFeatures = "server"; + services.tailscale.enable = true; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" @@ -114,11 +146,6 @@ in { user = "admin"; }; - fileSystems."/mnt/btcnode" = { - device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93"; - fsType = "btrfs"; - }; - boot.supportedFilesystems = ["zfs"]; boot.zfs.forceImportRoot = false; networking.hostId = "18aec5d7"; diff --git a/hosts/semita/default.nix b/hosts/semita/default.nix index 7c237ac..726fe8d 100644 --- a/hosts/semita/default.nix +++ b/hosts/semita/default.nix @@ -57,17 +57,17 @@ in { # # bind mounts # ../common/optional/fileserver/bind-mounts/homeshare.nix - ../common/optional/fileserver/nfs-server/homeshare.nix + # ../common/optional/fileserver/nfs-server/homeshare.nix # nixos-containers - ../common/optional/nixos-containers/nix-bitcoin.nix - ../common/optional/nixos-containers/postgres.nix - ../common/optional/nixos-containers/baseddata-worker.nix - ../common/optional/nixos-containers/semitamaps-worker.nix - ../common/optional/nixos-containers/backup-server.nix - ../common/optional/nixos-containers/docker.nix - ../common/optional/nixos-containers/pihole.nix - ../common/optional/nixos-containers/metrics-server.nix + # ../common/optional/nixos-containers/nix-bitcoin.nix + # ../common/optional/nixos-containers/postgres.nix + # ../common/optional/nixos-containers/baseddata-worker.nix + # ../common/optional/nixos-containers/semitamaps-worker.nix + # ../common/optional/nixos-containers/backup-server.nix + # ../common/optional/nixos-containers/docker.nix + # ../common/optional/nixos-containers/pihole.nix + # ../common/optional/nixos-containers/metrics-server.nix # # Build nix derivations on remote machine # ../common/optional/distributed-builds/local-machine.nix 
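Review bot: `services.tailscale.useRoutingFeatures = "server"` turns on kernel IP forwarding host-wide, not only for tailscale0, on a machine that already bridges `eth0` into `br0` for its containers, so the firewall's FORWARD handling should be confirmed before any subnet route or exit node is advertised. The `# enable tailscale` comment says nothing about what is meant to be routed; replace it with the intent, e.g. `# Tailscale subnet router for the LAN behind br0; forwarding is enabled host-wide by useRoutingFeatures = "server"`. If I recall the module defaults correctly it also does not open the Tailscale UDP port, so add `services.tailscale.openFirewall = true;` if direct connections rather than DERP relaying are expected. Persisting `/var/lib/tailscale` in the previous hunk is the right companion so the node identity survives the impermanence wipe.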
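Review bot: The container and NFS imports are commented out rather than deleted, leaving nine dead lines that will rot as the referenced modules change; since this commit moves the same imports to merlin and git history records what semita used to run, delete them, or if the move is temporary say so in a comment above the block, e.g. `# containers moved to merlin on 2025-01; re-enable here if the migration is rolled back`. The imports list starts and ends outside the hunk.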
@@ -75,11 +75,11 @@ in { outputs.nixosModules.nixosAutoUpgrade ]; - fileSystems."/mnt/main-ssd" = { - device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59"; - fsType = "ext4"; - }; - + # fileSystems."/mnt/main-ssd" = { + # device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59"; + # fsType = "ext4"; + # }; + # services.tailscale.useRoutingFeatures = "server"; boot = { @@ -104,15 +104,15 @@ in { }; }; - services.prometheus = { - exporters = { - node = { - enable = true; - enabledCollectors = ["systemd"]; - openFirewall = true; - }; - }; - }; + # services.prometheus = { + # exporters = { + # node = { + # enable = true; + # enabledCollectors = ["systemd"]; + # openFirewall = true; + # }; + # }; + # }; # system.services.nixosAutoUpgrade = { # enable = true; diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 98b07ba..ad53ed8 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
@@ -40,33 +40,40 @@ trap cleanup EXIT # Create the directory for target host keys install -d -m755 "$temp$persist/etc/ssh" -# Create ssh keys -echo "Creating '$hostname' ssh keys" -ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" +# Extract ssh keys from secrets +echo "Extracting ssh keys" +ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") +echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key +ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") +echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub -# Extract luks key from secrets -luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") -echo "$luks_secret" > /tmp/luks_secret.key +# # Extract luks key from secrets +# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") +# echo "$luks_secret" > /tmp/luks_secret.key -# Generate age key from target host and user public ssh key -echo "Generating age key from target host and user ssh key" -HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") -echo -e "Host age key:\n$HOST_AGE_KEY\n" +# # Create ssh keys +# echo "Creating '$hostname' ssh keys" +# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" -# Update .sops.yaml with new age key: -SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" -sed 
-i "{ -# Remove any * and & entries for this host -/[*&]$hostname/ d; -# Inject a new age: entry -# n matches the first line following age: and p prints it, then we transform it while reusing the spacing -/age:/{n; p; s/\(.*- \*\).*/\1$hostname/}; -# Inject a new hosts: entry -/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} -}" "$SOPS_FILE" +# # Generate age key from target host and user public ssh key +# echo "Generating age key from target host and user ssh key" +# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +# echo -e "Host age key:\n$HOST_AGE_KEY\n" -# Commit and push changes to sops file -just update-sops-secrets && just update-flake-secrets && just update-flake +# # Update .sops.yaml with new age key: +# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" +# sed -i "{ +# # Remove any * and & entries for this host +# /[*&]$hostname/ d; +# # Inject a new age: entry +# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing +# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/}; +# # Inject a new hosts: entry +# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} +# }" "$SOPS_FILE" + +# # Commit and push changes to sops file +# just update-sops-secrets && just update-flake-secrets && just update-flake # Copy current nix config over to target echo "copying current nix config to host"
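Review bot: The host private key is now written with a bare `echo ... >` redirection, so it is created with the caller's umask (commonly 0644, world-readable) instead of the 0600 that `ssh-keygen` produced before, and that mode is what ends up under the target's /etc/ssh. Create it restrictively and quote the path, since `$temp$persist` is unquoted on both redirections: `(umask 077; printf '%s\n' "$ssh_private_key" > "$temp$persist/etc/ssh/ssh_host_ed25519_key")`. Unless the script runs with `set -e`, a failed `sops -d` leaves `ssh_private_key` empty and the script carries on installing an empty key file, so also guard with `[ -n "$ssh_private_key" ] || { echo "no host key for $hostname in secrets" >&2; exit 1; }`. The LUKS passphrase extraction is commented out as well; if disko's luks layout still expects /tmp/luks_secret.key (outside this hunk), bootstrapping an `encrypted = true` host such as citadel will no longer work.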