
My NixOS systems configurations.

commit 4cd1dd736ddcb95fdaa916f7e2043eee8786f317
parent 3f33854e6982810a66b8025ec2fdd4e78d0752bb
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Thu, 22 Feb 2024 12:26:37 +0100

systems: add "officially" athena and demeter

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Mflake.nix | 8+++++++-
Mops/hosts.toml | 9+++++++--
Msecrets/db.192.168.1 | 3+++
Msecrets/db.home | 4++++
Msecrets/machines.nix | 10++++++++++
Msystems/hosts/athena.nix | 46+++++++++++++++++++++++++++++++++-------------
Asystems/hosts/demeter.nix | 83+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
7 files changed, 147 insertions(+), 16 deletions(-)

diff --git a/flake.nix b/flake.nix @@ -134,11 +134,17 @@ # athena athena = inputs.nixpkgs-23_11.lib.nixosSystem { system = "aarch64-linux"; - modules = stableModules ++ [ + modules = commonModules ++ stableModules ++ [ ./systems/hosts/athena.nix ]; }; # demeter + demeter = inputs.nixpkgs-23_11.lib.nixosSystem { + system = "aarch64-linux"; + modules = commonModules ++ stableModules ++ [ + ./systems/hosts/demeter.nix + ]; + }; }; # TODO: expose some packages ? diff --git a/ops/hosts.toml b/ops/hosts.toml @@ -64,6 +64,12 @@ ssh = { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtEnw+3WMa9ESRyKdBUp/OHd8 addrs = { v4 = "10.100.0.1" } port = 51820 +[hosts.athena] +addrs = { v4 = "192.168.1.183" } + +[hosts.demeter] +addrs = { v4 = "192.168.1.182" } + [hosts.k8sn1] addrs = { v4 = "192.168.1.130" } 
@@ -76,4 +82,4 @@ addrs = { v4 = "192.168.1.132" } [ssh.keys] vincent = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICl4uBPx98p0m1ra4nKxaDvCP8TCou5J10gFUpYAuzp9 u0_a103@localhost", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsbGtpU/w7Ff3O7hJ1QoO/5CuCrssBXrT+iHev/+rbf Generated By Termius" ] houbeb = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUnBCTxRoIDhExcSaiirM5nf2PIcTMDUodYlGNvqfmD Generated By Termius" ] -root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxstR3xEf87leVVDS3GVPx8Ap9+eP+OfkSvM26V54XP vincent@shikoku" ]- \ No newline at end of file +root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxstR3xEf87leVVDS3GVPx8Ap9+eP+OfkSvM26V54XP vincent@shikoku" ] diff --git a/secrets/db.192.168.1 b/secrets/db.192.168.1 @@ -22,6 +22,9 @@ $TTL 604800 24 IN PTR ns1.home. 24 IN PTR shikoku.home. +182 IN PTR demeter.home. +183 IN PTR athena.home. + ; OpenShift VM ;; Load Balancer 120 IN PTR vm0.home. diff --git a/secrets/db.home b/secrets/db.home @@ -27,6 +27,10 @@ aomi.home. IN A 192.168.1.23 *.aomi.home. IN A 192.168.1.23 shikoku.home. IN A 192.168.1.24 *.shikoku.home. IN A 192.168.1.24 +athena.home IN A 192.168.1.183 +*.athena.home IN A 192.168.1.183 +demeter.home IN A 192.168.1.182 +*.demeter.home IN A 192.168.1.182 ; OpenShift VMs ;; Load balancer diff --git a/secrets/machines.nix b/secrets/machines.nix @@ -25,6 +25,8 @@ let shikoku = "192.168.1.24"; synodine = "192.168.1.20"; wakasu = "192.168.1.77"; + demeter = "192.168.1.182"; + athena = "192.168.1.183"; }; }; wireguard = { @@ -208,6 +210,14 @@ in hostname = "${wireguard.ips.wakasu}"; remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; }; + "athena.home" = { + hostname = "${home.ips.athena}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "demeter.home" = { + hostname = "${home.ips.demeter}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; "dev.home" = { hostname = "${home.ips.dev}"; }; diff --git a/systems/hosts/athena.nix b/systems/hosts/athena.nix 
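Review bot: The four new A records in secrets/db.home are written without a trailing dot (`athena.home IN A 192.168.1.183`, `*.athena.home IN A 192.168.1.183`, and the two demeter lines), while every neighbouring record in the hunk (`aomi.home.`, `shikoku.home.`) and the new PTR targets in secrets/db.192.168.1 use the fully-qualified form. In a zone whose origin is `home.` a relative name is expanded to `athena.home.home.`, so the names this commit is adding would not resolve as intended; the `$ORIGIN`/SOA header is outside the hunk, so please confirm. Suggested lines: `athena.home. IN A 192.168.1.183`, `*.athena.home. IN A 192.168.1.183`, and likewise with a trailing dot for the two `demeter.home` records. The hunk also does not show whether the SOA serial was bumped, which any secondary needs in order to pick up the new records.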
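Review bot: The new `"athena.home"` and `"demeter.home"` ssh entries in secrets/machines.nix copy `remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];` from the `wakasu` entry above them; if those names forward the local gpg-agent sockets as they suggest, anyone with root on the Pi can use the local signing and authentication keys for as long as a session is open. Both hosts are configured in this same commit with the firewall disabled and only `ssh.enable = true`, so unless GPG is actually needed on them, the safer shape is the one `"dev.home"` already uses in the context lines: `"athena.home" = { hostname = "${home.ips.athena}"; };` and the same for demeter. If the forward is wanted, a one-line comment on each entry saying why would help the next reader.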
@@ -16,10 +16,27 @@ let in { imports = [ - # (import ../../users/vincent) - # (import ../../users/root) + (import ../../users/vincent) + (import ../../users/root) ]; + boot = { + kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; + initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; + loader = { + grub.enable = false; + generic-extlinux-compatible.enable = true; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + }; + networking = { hostName = hostname; firewall.enable = false; # we are in safe territory :D @@ -30,19 +47,22 @@ in # }; }; - # core.boot.systemd-boot = lib.mkForce true; + profiles.base.systemd-boot = lib.mkForce false; + core.boot.systemd-boot = lib.mkForce false; + # boot.cleanTmpDir = lib.mkForce false; + # boot.loader.systemd-boot.enable = lib.mkForce false; # profiles.base.systemd-boot = lib.mkForce true; # - # modules = { - # services = { - # syncthing = { - # enable = true; - # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384"; - # }; - # avahi.enable = true; - # ssh.enable = true; - # }; - # }; + modules = { + services = { + # syncthing = { + # enable = true; + # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384"; + # }; + # avahi.enable = true; + ssh.enable = true; + }; + }; # # profiles = { # bind.enable = true; diff --git a/systems/hosts/demeter.nix b/systems/hosts/demeter.nix 
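Review bot: The `boot`, `fileSystems`, `profiles.base.systemd-boot`/`core.boot.systemd-boot` and `modules.services` blocks added to systems/hosts/athena.nix are repeated line for line in the new systems/hosts/demeter.nix, so the two Raspberry Pi hosts will drift the next time one of them is touched. Moving the shared Pi 4 boot and root-filesystem settings into one module (e.g. `<shared-rpi4-module>.nix`) that both host files import, leaving only the host-specific values in each, would keep them in step; the flake already carries `commonModules`/`stableModules` lists that such a module could be appended to. The second hunk also keeps dead lines (`# boot.cleanTmpDir = lib.mkForce false;`, `# boot.loader.systemd-boot.enable = lib.mkForce false;`, `# profiles.base.systemd-boot = lib.mkForce true;`) right next to the two live `lib.mkForce false` overrides; dropping them, or replacing them with one comment explaining why both systemd-boot options have to be forced off on an extlinux-booted board, would make the intent clearer. The enclosing attribute set starts before the first hunk and ends after the second.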
@@ -0,0 +1,83 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+  hostname = "demeter";
+  # secretPath = ../../secrets/machines.nix;
+  # secretCondition = (builtins.pathExists secretPath);
+  #
+  # ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+  # ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+  # endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+  # endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+  # endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+
+  metadata = importTOML ../../ops/hosts.toml;
+in
+{
+  imports = [
+    (import ../../users/vincent)
+    (import ../../users/root)
+  ];
+
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+
+  networking = {
+    hostName = hostname;
+    firewall.enable = false; # we are in safe territory :D
+    # bridges.br1.interfaces = [ "enp0s31f6" ];
+    # useDHCP = false;
+    # interfaces.br1 = {
+    #   useDHCP = true;
+    # };
+  };
+
+  profiles.base.systemd-boot = lib.mkForce false;
+  core.boot.systemd-boot = lib.mkForce false;
+  # boot.cleanTmpDir = lib.mkForce false;
+  # boot.loader.systemd-boot.enable = lib.mkForce false;
+  # profiles.base.systemd-boot = lib.mkForce true;
+  #
+  modules = {
+    services = {
+      # syncthing = {
+      #   enable = true;
+      #   guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
+      # };
+      # avahi.enable = true;
+      ssh.enable = true;
+    };
+  };
+  #
+  # profiles = {
+  #   bind.enable = true;
+  #   home = true;
+  # };
+
+  # services = {
+  #   wireguard = {
+  #     enable = true;
+  #     ips = ips;
+  #     endpoint = endpointIP;
+  #     endpointPort = endpointPort;
+ # endpointPublicKey = endpointPublicKey;
+ # };
+ # };
+ security.apparmor.enable = true;
+ security.pam.enableSSHAgentAuth = true;
+}
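Review bot: systems/hosts/demeter.nix enables SSH (`ssh.enable = true;`) and `security.pam.enableSSHAgentAuth = true;` while switching the host firewall off (`firewall.enable = false; # we are in safe territory :D`), so anything the Pi happens to listen on is reachable from the whole home LAN, not just port 22. Keeping the firewall enabled and opening only what is needed, e.g. `networking.firewall.allowedTCPPorts = [ 22 ];`, costs nothing on a single-purpose board and limits the blast radius if another device on the LAN is compromised; the same applies to athena.nix, which keeps the same setting as context. Separately, `metadata = importTOML ../../ops/hosts.toml;` is only referenced from the commented-out syncthing block, so either that block should be brought back on purpose or the binding dropped, with a short comment such as `# kept for the syncthing guiAddress below` if it is meant to stay.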