commit 4cd1dd736ddcb95fdaa916f7e2043eee8786f317
parent 3f33854e6982810a66b8025ec2fdd4e78d0752bb
Author: Vincent Demeester <vincent@sbr.pm>
Date: Thu, 22 Feb 2024 12:26:37 +0100
systems: add "officially" athena and demeter
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
7 files changed, 147 insertions(+), 16 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -134,11 +134,17 @@
# athena
athena = inputs.nixpkgs-23_11.lib.nixosSystem {
system = "aarch64-linux";
- modules = stableModules ++ [
+ modules = commonModules ++ stableModules ++ [
./systems/hosts/athena.nix
];
};
# demeter
+ demeter = inputs.nixpkgs-23_11.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = commonModules ++ stableModules ++ [
+ ./systems/hosts/demeter.nix
+ ];
+ };
};
# TODO: expose some packages ?
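Review bot: The new `demeter` entry repeats the `athena` body verbatim except for the host file, so the two will drift the moment one of them gains an extra module; a small helper such as `mkStableArm = host: inputs.nixpkgs-23_11.lib.nixosSystem { system = "aarch64-linux"; modules = commonModules ++ stableModules ++ [ host ]; };` used as `athena = mkStableArm ./systems/hosts/athena.nix;` keeps them in lockstep. Whether `commonModules` is suitable for these aarch64 hosts depends on its contents, which are outside this hunk. The enclosing attribute set starts and ends outside the hunk.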
diff --git a/ops/hosts.toml b/ops/hosts.toml
@@ -64,6 +64,12 @@ ssh = { pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtEnw+3WMa9ESRyKdBUp/OHd8
addrs = { v4 = "10.100.0.1" }
port = 51820
+[hosts.athena]
+addrs = { v4 = "192.168.1.183" }
+
+[hosts.demeter]
+addrs = { v4 = "192.168.1.182" }
+
[hosts.k8sn1]
addrs = { v4 = "192.168.1.130" }
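Review bot: The new `[hosts.athena]` and `[hosts.demeter]` tables carry only `addrs`, whereas the context line at the top of this hunk shows the preceding host also recording `ssh = { pubkey = "ssh-ed25519 …" }`; if that field is what pins host keys for the fleet, SSH to the two new machines will fall back to trust-on-first-use until their keys are added here. Consider adding an `ssh = { pubkey = "…" }` line to each table once the hosts are provisioned, or a short comment stating that the host key is still pending so the gap is visible. The host table that begins before `addrs = { v4 = "10.100.0.1" }` starts outside the hunk.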
@@ -76,4 +82,4 @@ addrs = { v4 = "192.168.1.132" }
[ssh.keys]
vincent = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICl4uBPx98p0m1ra4nKxaDvCP8TCou5J10gFUpYAuzp9 u0_a103@localhost", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsbGtpU/w7Ff3O7hJ1QoO/5CuCrssBXrT+iHev/+rbf Generated By Termius" ]
houbeb = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUnBCTxRoIDhExcSaiirM5nf2PIcTMDUodYlGNvqfmD Generated By Termius" ]
-root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxstR3xEf87leVVDS3GVPx8Ap9+eP+OfkSvM26V54XP vincent@shikoku" ]-
\ No newline at end of file
+root = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxstR3xEf87leVVDS3GVPx8Ap9+eP+OfkSvM26V54XP vincent@shikoku" ]
diff --git a/secrets/db.192.168.1 b/secrets/db.192.168.1
@@ -22,6 +22,9 @@ $TTL 604800
24 IN PTR ns1.home.
24 IN PTR shikoku.home.
+182 IN PTR demeter.home.
+183 IN PTR athena.home.
+
; OpenShift VM
;; Load Balancer
120 IN PTR vm0.home.
diff --git a/secrets/db.home b/secrets/db.home
@@ -27,6 +27,10 @@ aomi.home. IN A 192.168.1.23
*.aomi.home. IN A 192.168.1.23
shikoku.home. IN A 192.168.1.24
*.shikoku.home. IN A 192.168.1.24
+athena.home IN A 192.168.1.183
+*.athena.home IN A 192.168.1.183
+demeter.home IN A 192.168.1.182
+*.demeter.home IN A 192.168.1.182
; OpenShift VMs
;; Load balancer
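Review bot: The four added records are written without a trailing dot (`athena.home IN A 192.168.1.183`, `*.demeter.home IN A 192.168.1.182`) while every neighbouring record uses an absolute name such as `shikoku.home.`; in a zone file a name without the trailing dot is relative to `$ORIGIN`, so unless `$ORIGIN` is `.` these will be published as `athena.home.home.` rather than `athena.home.`. The `$ORIGIN` directive is outside the hunk, so this is inferred from the surrounding records; if the new hosts are meant to match them, change the lines to `athena.home. IN A 192.168.1.183` and append the dot on the other three likewise.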
diff --git a/secrets/machines.nix b/secrets/machines.nix
@@ -25,6 +25,8 @@ let
shikoku = "192.168.1.24";
synodine = "192.168.1.20";
wakasu = "192.168.1.77";
+ demeter = "192.168.1.182";
+ athena = "192.168.1.183";
};
};
wireguard = {
@@ -208,6 +210,14 @@ in
hostname = "${wireguard.ips.wakasu}";
remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
};
+ "athena.home" = {
+ hostname = "${home.ips.athena}";
+ remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
+ "demeter.home" = {
+ hostname = "${home.ips.demeter}";
+ remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
"dev.home" = {
hostname = "${home.ips.dev}";
};
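Review bot: The new `athena.home` and `demeter.home` entries forward `gpgRemoteForward` and `gpgSSHRemoteForward` exactly as the `wakasu` entry does, which — assuming those names denote the local gpg-agent and its SSH socket — lets root on either Raspberry Pi use your agent-held keys for as long as a session is open. The host files in this commit disable the firewall on both machines and the new hosts.toml entries carry no host public key, so consider leaving the forwards out here until those are in place, or add a comment above each entry stating why these hosts are trusted with the agent. The enclosing attribute set starts and ends outside the hunk.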
diff --git a/systems/hosts/athena.nix b/systems/hosts/athena.nix
@@ -16,10 +16,27 @@ let
in
{
imports = [
- # (import ../../users/vincent)
- # (import ../../users/root)
+ (import ../../users/vincent)
+ (import ../../users/root)
];
+ boot = {
+ kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+ initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+ loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ };
+
networking = {
hostName = hostname;
firewall.enable = false; # we are in safe territory :D
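Review bot: The `boot` and `fileSystems` stanzas added here are byte-for-byte the same as the ones in the new demeter.nix, so they belong in a shared Raspberry Pi 4 hardware module (for example a `rpi4.nix` imported by both host files) rather than being copied per host. Un-commenting `(import ../../users/root)` also activates whatever that module configures for root, which is outside this hunk and worth checking against the agent forwards this commit adds in machines.nix. `firewall.enable = false` is pre-existing context here; the enclosing attribute set starts and ends outside the hunk.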
@@ -30,19 +47,22 @@ in
# };
};
- # core.boot.systemd-boot = lib.mkForce true;
+ profiles.base.systemd-boot = lib.mkForce false;
+ core.boot.systemd-boot = lib.mkForce false;
+ # boot.cleanTmpDir = lib.mkForce false;
+ # boot.loader.systemd-boot.enable = lib.mkForce false;
# profiles.base.systemd-boot = lib.mkForce true;
#
- # modules = {
- # services = {
- # syncthing = {
- # enable = true;
- # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
- # };
- # avahi.enable = true;
- # ssh.enable = true;
- # };
- # };
+ modules = {
+ services = {
+ # syncthing = {
+ # enable = true;
+ # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
+ # };
+ # avahi.enable = true;
+ ssh.enable = true;
+ };
+ };
#
# profiles = {
# bind.enable = true;
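Review bot: `ssh.enable = true` is added while the host keeps `networking.firewall.enable = false` (visible in the previous hunk of this file), so sshd and anything else that listens will be reachable on every interface; if the intent is only SSH, `networking.firewall.allowedTCPPorts = [ 22 ];` with the firewall left on gives the same result with a smaller exposure. The surrounding commented-out lines (`# boot.cleanTmpDir`, `# boot.loader.systemd-boot.enable`, the old `# profiles.base.systemd-boot = lib.mkForce true;`) are now contradicted by the live `mkForce false` settings and should be deleted rather than kept as leftovers. The enclosing attribute set continues past the hunk.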
diff --git a/systems/hosts/demeter.nix b/systems/hosts/demeter.nix
@@ -0,0 +1,83 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "demeter";
+ # secretPath = ../../secrets/machines.nix;
+ # secretCondition = (builtins.pathExists secretPath);
+ #
+ # ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ # ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ # endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ # endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ # endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+
+ metadata = importTOML ../../ops/hosts.toml;
+in
+{
+ imports = [
+ (import ../../users/vincent)
+ (import ../../users/root)
+ ];
+
+ boot = {
+ kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+ initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+ loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ };
+
+ networking = {
+ hostName = hostname;
+ firewall.enable = false; # we are in safe territory :D
+ # bridges.br1.interfaces = [ "enp0s31f6" ];
+ # useDHCP = false;
+ # interfaces.br1 = {
+ # useDHCP = true;
+ # };
+ };
+
+ profiles.base.systemd-boot = lib.mkForce false;
+ core.boot.systemd-boot = lib.mkForce false;
+ # boot.cleanTmpDir = lib.mkForce false;
+ # boot.loader.systemd-boot.enable = lib.mkForce false;
+ # profiles.base.systemd-boot = lib.mkForce true;
+ #
+ modules = {
+ services = {
+ # syncthing = {
+ # enable = true;
+ # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
+ # };
+ # avahi.enable = true;
+ ssh.enable = true;
+ };
+ };
+ #
+ # profiles = {
+ # bind.enable = true;
+ # home = true;
+ # };
+
+ # services = {
+ # wireguard = {
+ # enable = true;
+ # ips = ips;
+ # endpoint = endpointIP;
+ # endpointPort = endpointPort;
+ # endpointPublicKey = endpointPublicKey;
+ # };
+ # };
+ security.apparmor.enable = true;
+ security.pam.enableSSHAgentAuth = true;
+}
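Review bot: `networking.firewall.enable = false` together with `modules.services.ssh.enable = true` exposes sshd and every other listener on this brand-new host, and `security.pam.enableSSHAgentAuth = true` is understood to let a forwarded SSH agent satisfy PAM for sudo — combined with the agent forwards this commit adds for `demeter.home` in machines.nix, root on demeter or anyone who reaches the forwarded socket obtains a credential usable elsewhere. Enable the firewall with `networking.firewall.allowedTCPPorts = [ 22 ];` and either drop `enableSSHAgentAuth` or document in a comment why it is needed on this machine. Separately, `metadata = importTOML ../../ops/hosts.toml` is referenced only from commented-out lines, `with lib;` serves nothing but that `importTOML`, and the `boot`/`fileSystems` stanzas duplicate athena.nix, so a shared rpi4 module plus removal of the dead comments would trim this file to the handful of settings that are actually host-specific.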