Merge branch 'master' of git.bitlab21.com:sam/nixos

2025-01-21 17:20:01 +00:00 · 2025-01-21 17:20:01 +00:00 · b0f9e82700
parent ba170a0ee4 33275e894f
commit b0f9e82700
11 changed files with 139 additions and 72 deletions
--- a/flake.lock
+++ b/flake.lock
@ -539,11 +539,11 @@
    },
    "nix-secrets": {
      "locked": {
-        "lastModified": 1737414957,
+        "lastModified": 1737453096,
-        "narHash": "sha256-vxLWYDP36oqzgkP25ERG2y9K871oI5GnIunKXsxb+Hs=",
+        "narHash": "sha256-vxVmBzoCMsUj8U9WeWM9+6r/fj02Fdi+1h/JVth1e54=",
        "ref": "refs/heads/master",
-        "rev": "833847b2a343b536f29183b9dcac91e871dd3e19",
+        "rev": "0ba083a18deed72f72e52a38413977d19d23d053",
-        "revCount": 245,
+        "revCount": 246,
        "type": "git",
        "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
      },
@ -633,11 +633,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1737404927,
+        "lastModified": 1737452544,
-        "narHash": "sha256-e1WgPJpIYbOuokjgylcsuoEUCB4Jl2rQXa2LUD6XAG8=",
+        "narHash": "sha256-qA5D6Wm9JzrvUvD7zOvK29x5SvemGRyk9oahasLtHXI=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "ae584d90cbd0396a422289ee3efb1f1c9d141dc3",
+        "rev": "eea315cf7d26ae50d3873d56dcf87e8845a23fc5",
        "type": "github"
      },
      "original": {
@ -699,11 +699,11 @@
        "treefmt-nix": "treefmt-nix_3"
      },
      "locked": {
-        "lastModified": 1737439105,
+        "lastModified": 1737446658,
-        "narHash": "sha256-5N2pMCQYz+6aBXHh648if/IIqPZtk/mvaBP3dPnFlmM=",
+        "narHash": "sha256-R0z3fxhP6YZXZ7MCAmx3yhqBgOldZyQMHK4eJJY4gS8=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "ebc0c383da65e99b2b04a616e9911556d09bbc9b",
+        "rev": "34215e55d69fe1292c4fee669444983d79cce53f",
        "type": "github"
      },
      "original": {
--- a/hosts/citadel/default.nix
+++ b/hosts/citadel/default.nix
@ -11,10 +11,7 @@
  fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
  dev = "/dev/nvme0n1"; # depends on target hardware
  encrypted = true; # currrently only applies to btrfs
-  btrfsMountDevice =
+  btrfsMountDevice = "/dev/mapper/crypted";
    if encrypted
    then "/dev/mapper/crypted"
    else "/dev/root_vg/root";
  user = "sam";
  impermanence = true;
  piholeIp = configVars.networking.addresses.pihole.ip;
--- a/hosts/common/disks/basic.nix
+++ b/hosts/common/disks/basic.nix
@ -0,0 +1,36 @@
 {
 device ? throw "Must define a device, e.g. /dev/sda",
 fsModule ? "Must specify submodule"
 }:
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        inherit device;
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              priority = 1;
              name = "ESP";
              start = "1M";
              end = "128M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = ["umask=0077"];
              };
            };
            root = {
              size = "100%";
              content = import "${fsModule}";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/common/disks/default.nix
+++ b/hosts/common/disks/default.nix
@ -1,11 +1,8 @@
 { device, fsType, encrypted, impermanence, ... }:
 let
  fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
-  basic = import ./${fsType}/basic.nix { inherit device; };
+  basic = import ./basic.nix { inherit device; fsModule = fsModule; };
  lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
  luks = import ./luks.nix { inherit device; fsModule = fsModule; };
 in
-if fsType == "ext4" then basic
+if fsType == "btrfs" && encrypted then luks
-else if fsType == "btrfs" && encrypted then luks
+else basic
 else if fsType == "btrfs" then lvm
 else null 
--- a/hosts/common/disks/ext4/basic.nix
+++ b/hosts/common/disks/ext4/basic.nix
--- a/hosts/common/optional/nixos-containers/docker.nix
+++ b/hosts/common/optional/nixos-containers/docker.nix
@ -108,6 +108,7 @@ in {
      secretsFile = "${secretsDirectory}/secrets.yaml";
    in {
      networking = {
        enableIPv6 = false;
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
--- a/hosts/common/optional/nixos-containers/pihole.nix
+++ b/hosts/common/optional/nixos-containers/pihole.nix
@ -90,6 +90,7 @@ in {
        pkgs.git
        pkgs.arion
        pkgs.lsof
        pkgs.podman-compose
      ];
      virtualisation = {
--- a/hosts/common/optional/nixos-containers/semitamaps-worker.nix
+++ b/hosts/common/optional/nixos-containers/semitamaps-worker.nix
@ -100,6 +100,7 @@ in {
        pkgs.vim
        pkgs.git
        pkgs.arion
        pkgs.podman-compose
        pkgs.jdk
      ];
--- a/hosts/merlin/default.nix
+++ b/hosts/merlin/default.nix
@ -9,8 +9,9 @@
  fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
  dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f";
  encrypted = false; # currrently only applies to btrfs
-  btrfsMountDevice = "/dev/root_vg/root";
+  btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2";
  impermanence = true;
  piholeIp = configVars.networking.addresses.pihole.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
  merlinIp = configVars.networking.addresses.merlin.ip;
@ -41,6 +42,21 @@ in {
    # Import optional options
    ../common/optional/openssh.nix
    ../common/optional/restic-backup.nix
    ../common/optional/docker.nix
    ../common/optional/nix-ld.nix
    ../common/optional/fileserver/nfs-server/homeshare.nix
    # Nixos containers
    ../common/optional/nixos-containers/docker.nix
    ../common/optional/nixos-containers/baseddata-worker.nix
    ../common/optional/nixos-containers/pihole.nix
    ../common/optional/nixos-containers/semitamaps-worker.nix
    ../common/optional/nixos-containers/nix-bitcoin.nix
    ../common/optional/nixos-containers/postgres.nix
    ../common/optional/nixos-containers/baseddata-worker.nix
    ../common/optional/nixos-containers/backup-server.nix
    ../common/optional/nixos-containers/metrics-server.nix
    # This machine is used for remote building
    ../common/optional/distributed-builds/remote-builder-machine.nix
@ -56,11 +72,22 @@ in {
    };
  };
  fileSystems."/mnt/main-ssd" = {
    device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
    fsType = "ext4";
  };
  fileSystems."/mnt/btcnode" = {
    device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
    fsType = "btrfs";
  };
  networking = {
    hostName = "merlin";
    nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
    defaultGateway = "${gatewayIp}";
    useDHCP = false;
    enableIPv6 = false;
    bridges = {
      br0 = {
        interfaces = ["eth0"];
@ -79,6 +106,7 @@ in {
  environment.persistence."/persist" = {
    directories = [
      "/etc/zpool"
      "/var/lib/tailscale"
    ];
  };
@ -87,6 +115,10 @@ in {
    enable = true;
  };
  # enable tailscale
  services.tailscale.useRoutingFeatures = "server";
  services.tailscale.enable = true;
  nixpkgs.config.allowUnfreePredicate = pkg:
    builtins.elem (lib.getName pkg) [
      "nvidia-x11"
@ -114,11 +146,6 @@ in {
    user = "admin";
  };
  fileSystems."/mnt/btcnode" = {
    device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
    fsType = "btrfs";
  };
  boot.supportedFilesystems = ["zfs"];
  boot.zfs.forceImportRoot = false;
  networking.hostId = "18aec5d7";
--- a/hosts/semita/default.nix
+++ b/hosts/semita/default.nix
@ -57,17 +57,17 @@ in {
    # # bind mounts
    # ../common/optional/fileserver/bind-mounts/homeshare.nix
-    ../common/optional/fileserver/nfs-server/homeshare.nix
+    # ../common/optional/fileserver/nfs-server/homeshare.nix
    # nixos-containers
-    ../common/optional/nixos-containers/nix-bitcoin.nix
+    # ../common/optional/nixos-containers/nix-bitcoin.nix
-    ../common/optional/nixos-containers/postgres.nix
+    # ../common/optional/nixos-containers/postgres.nix
-    ../common/optional/nixos-containers/baseddata-worker.nix
+    # ../common/optional/nixos-containers/baseddata-worker.nix
-    ../common/optional/nixos-containers/semitamaps-worker.nix
+    # ../common/optional/nixos-containers/semitamaps-worker.nix
-    ../common/optional/nixos-containers/backup-server.nix
+    # ../common/optional/nixos-containers/backup-server.nix
-    ../common/optional/nixos-containers/docker.nix
+    # ../common/optional/nixos-containers/docker.nix
-    ../common/optional/nixos-containers/pihole.nix
+    # ../common/optional/nixos-containers/pihole.nix
-    ../common/optional/nixos-containers/metrics-server.nix
+    # ../common/optional/nixos-containers/metrics-server.nix
    # # Build nix derivations on remote machine
    # ../common/optional/distributed-builds/local-machine.nix
@ -75,11 +75,11 @@ in {
    outputs.nixosModules.nixosAutoUpgrade
  ];
-  fileSystems."/mnt/main-ssd" = {
+  # fileSystems."/mnt/main-ssd" = {
-    device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
+  #   device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
-    fsType = "ext4";
+  #   fsType = "ext4";
-  };
+  # };
-
+  #
  services.tailscale.useRoutingFeatures = "server";
  boot = {
@ -104,15 +104,15 @@ in {
    };
  };
-  services.prometheus = {
+  # services.prometheus = {
-    exporters = {
+  #   exporters = {
-      node = {
+  #     node = {
-        enable = true;
+  #       enable = true;
-        enabledCollectors = ["systemd"];
+  #       enabledCollectors = ["systemd"];
-        openFirewall = true;
+  #       openFirewall = true;
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
  # system.services.nixosAutoUpgrade = {
  #   enable = true;
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -40,33 +40,40 @@ trap cleanup EXIT
 # Create the directory for target host keys
 install -d -m755 "$temp$persist/etc/ssh"
-# Create ssh keys
+# Extract ssh keys from secrets
-echo "Creating '$hostname' ssh keys"
+echo "Extracting ssh keys"
-ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
+ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
 echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key 
 ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
 echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
-# Extract luks key from secrets
+# # Extract luks key from secrets
-luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
+# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
-echo "$luks_secret" > /tmp/luks_secret.key
+# echo "$luks_secret" > /tmp/luks_secret.key
-# Generate age key from target host and user public ssh key
+# # Create ssh keys
-echo "Generating age key from target host and user ssh key"
+# echo "Creating '$hostname' ssh keys"
-HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
+# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
 echo -e "Host age key:\n$HOST_AGE_KEY\n"
-# Update .sops.yaml with new age key:
+# # Generate age key from target host and user public ssh key
-SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
+# echo "Generating age key from target host and user ssh key"
-sed -i "{
+# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
-# Remove any * and & entries for this host
+# echo -e "Host age key:\n$HOST_AGE_KEY\n"
 /[*&]$hostname/ d;
 # Inject a new age: entry
 # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
 /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
 # Inject a new hosts: entry
 /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
 }" "$SOPS_FILE"
-# Commit and push changes to sops file
+# # Update .sops.yaml with new age key:
-just update-sops-secrets && just update-flake-secrets && just update-flake
+# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
 # sed -i "{
 # # Remove any * and & entries for this host
 # /[*&]$hostname/ d;
 # # Inject a new age: entry
 # # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
 # /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
 # # Inject a new hosts: entry
 # /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
 # }" "$SOPS_FILE"
 # # Commit and push changes to sops file
 # just update-sops-secrets && just update-flake-secrets && just update-flake
 # Copy current nix config over to target
 echo "copying current nix config to host"