diff --git a/.sops.yaml b/.sops.yaml
index f7514fa..b4dd603 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
 - &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
 - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+ - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
 creation_rules:
 - path_regex: machines/Lilim/[^/]+.yaml$
 key_groups:
@@ -22,3 +23,9 @@ creation_rules:
 - *admins
 age:
 - *ophanim
+ - path_regex: machines/Sheol/[^/]+.yaml$
+ key_groups:
+ - pgp:
+ - *admins
+ age:
+ - *sheol
diff --git a/flake.nix b/flake.nix
index c9d4eb7..cb90528 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,8 @@
 nixpkgs-stable.url = "github:/NixOS/nixpkgs/nixos-24.05";
 nixpkgs-unstable.url = "github:/NixOS/nixpkgs/nixos-unstable";
 nixpkgs.url = "github:/NixOS/nixpkgs/nixos-unstable";
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ impermanence.url = "github:nix-community/impermanence";
 alejandra = {
 url = "github:kamadorueda/alejandra/3.0.0";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/machines/Sheol/august.nix b/machines/Sheol/august.nix
new file mode 100644
index 0000000..710a169
--- /dev/null
+++ b/machines/Sheol/august.nix
@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+ users.users.august = {
+ isNormalUser = true;
+ createHome = false;
+ };
+ services.openssh.extraConfig = ''
+ Match User august
+ AllowUsers august
+ PermitEmptyPasswords yes
+ ChrootDirectory /home/august
+ ForceCommand internal-sftp
+ '';
+ sops.secrets."users/august/publicKey" = {
+ path = "/etc/ssh/authorized_keys.d/august";
+ mode = "444";
+ };
+ fileSystems."/home/august/Videos" = {
+ device = "/mnt/WD/Videos/Movies/";
+ options = [ "nofail" "bind" "x-systemd.automount" ];
+ neededForBoot = false;
+ };
+}
diff --git a/machines/Sheol/configuration.nix b/machines/Sheol/configuration.nix
new file mode 100644
index 0000000..10468dc
--- /dev/null
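Review bot: `PermitEmptyPasswords yes` in the `Match User august` block makes an empty-password login possible for this account, and the new secrets.yaml in the same commit carries `users.august.password: ""`; if the module that consumes that secret applies it to the user, anyone who can reach sshd gets into the SFTP chroot with no credential at all, because NixOS leaves `PasswordAuthentication` enabled unless it is switched off elsewhere in the config. The key installed at `/etc/ssh/authorized_keys.d/august` already gives this user a credential, so replace `PermitEmptyPasswords yes` with `PasswordAuthentication no` inside the Match block. `AllowUsers august` inside `Match User august` only ever applies to connections already identified as august and so does nothing; it can be dropped. `ChrootDirectory /home/august` also requires that directory to exist, be root-owned and not be writable by group or others, which nothing here creates (`createHome = false`) — a comment such as `# /home/august must exist, be owned by root and be non-writable by others or sshd rejects the chroot` would record that dependency.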
+++ b/machines/Sheol/configuration.nix
@@ -0,0 +1,28 @@
+{...}: {
+ services = {
+ avahi = {
+ enable = true;
+ openFirewall = true;
+ publish = {
+ enable = true;
+ workstation = true;
+ userServices = true;
+ };
+ };
+ cron.enable = false;
+ };
+ # udp5353 1024-65535
+
+ networking.firewall = let
+ range = {
+ from = 1024;
+ to = 65535;
+ };
+ in {
+ allowedUDPPorts = [ 5353 ];
+ allowedUDPPortRanges = [ range ];
+ allowedTCPPortRanges = [ range ];
+ };
+ networking.dhcpcd.extraConfig = "noarp";
+ system.stateVersion = "24.05";
+}
diff --git a/machines/Sheol/hardware-configuration.nix b/machines/Sheol/hardware-configuration.nix
new file mode 100644
index 0000000..c91ae2b
--- /dev/null
+++ b/machines/Sheol/hardware-configuration.nix
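Review bot: `allowedTCPPortRanges = [ range ]` and `allowedUDPPortRanges = [ range ]` open every port from 1024 to 65535 on both protocols, so the firewall enabled in options.nix only guards the privileged ports and any other listener on this host is reachable from the network. mDNS is already handled twice over by `avahi.openFirewall = true` and `allowedUDPPorts = [ 5353 ]`, and the comment `# udp5353 1024-65535` does not say which service needs the wide range. Remove `allowedTCPPortRanges = [ range ];` and narrow the UDP range to the service that actually needs it, naming it in the comment, e.g. `# mDNS on 5353/udp; <service> needs UDP <from>-<to>` with the placeholders filled in from that service's documentation; if no service is known to need it, drop the range entries entirely.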
@@ -0,0 +1,66 @@
+{nixos-hardware, ...}: {
+ imports = [
+ nixos-hardware.nixosModules.raspberry-pi-5
+ ];
+
+ boot = {
+ kernelParams = [ "8250.nr_uarts=11" "console=ttyAMA10,9600" "console=tty0" ];
+ supportedFilesystems = ["btrfs"];
+ initrd.systemd.enableTpm2 = false;
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = false;
+ };
+ fileSystems = {
+ "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = ["defaults" "size=2G" "mode=755" "noexec"];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/F8BB-8019";
+ fsType = "vfat";
+ };
+ "/nix" = {
+ device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409";
+ fsType = "btrfs";
+ options = ["subvol=nix" "compress=zstd" "noatime"];
+ neededForBoot = true;
+ };
+ "/persist" = {
+ device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409";
+ fsType = "btrfs";
+ options = ["subvol=persist" "compress=zstd" "noexec"];
+ neededForBoot = true;
+ };
+ "/snapshots" = {
+ device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409";
+ fsType = "btrfs";
+ options = ["subvol=snapshots" "compress=zstd" "noexec"];
+ neededForBoot = false;
+ };
+ "/mnt/WD" = {
+ device = "/dev/disk/by-uuid/EA2866C92866947B";
+ fsType = "ntfs";
+ options = ["nofail" "x-systemd.automount"];
+ neededForBoot = false;
+ };
+ };
+
+ hardware = {
+ bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+ };
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = "powersave";
+ };
+
+ services = {
+ upower.enable = true;
+ };
+
+ time.timeZone = "Europe/Berlin";
+}
diff --git a/machines/Sheol/impermanence.nix b/machines/Sheol/impermanence.nix
new file mode 100644
index 0000000..e6d0f5a
--- /dev/null
+++ b/machines/Sheol/impermanence.nix
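Review bot: `/mnt/WD` is the only data mount here without `noexec`, and it also has no `nosuid`/`nodev`, while `/`, `/persist` and `/snapshots` all carry `noexec`; this NTFS disk is also the one that august.nix bind-mounts into the `august` sftp chroot, so files written through sftp land on a mount that permits execution. Suggest `options = ["nofail" "x-systemd.automount" "nosuid" "nodev" "noexec"];` to bring it in line with the other mounts. A short comment on the `/` entry, `# root is a throwaway tmpfs; everything that must survive a reboot lives under /persist`, would also make the impermanence layout visible to someone reading only this file.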
@@ -0,0 +1,24 @@
+{impermanence, ...}: {
+ imports = [
+ impermanence.nixosModules.impermanence
+ ];
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/etc/nixos"
+ # Stores auto assigned user/group ids
+ "/var/lib/nixos"
+ "/var/log"
+ # User directories
+ "/home/derped/.config/home-manager"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/var/lib/sops-nix/key.txt"
+ ];
+ };
+}
diff --git a/machines/Sheol/options.nix b/machines/Sheol/options.nix
new file mode 100644
index 0000000..73f1e32
--- /dev/null
+++ b/machines/Sheol/options.nix
@@ -0,0 +1,43 @@
+{...}: {
+ imports = [
+ ../../options/copySysConf.nix
+ ];
+ config.machine = {
+ allowUnfree = true;
+ hostName = "Sheol";
+ networkD = {
+ enable = true;
+ waitOnline = false;
+ };
+ administrators = [
+ {
+ name = "derped";
+ id = 1337;
+ }
+ ];
+ conffiles = [
+ "etcfiles"
+ "etcvars"
+ "zsh"
+ ];
+ pkgs = [
+ "base"
+ ];
+ services = [
+ "desktop"
+ "desktop::sway"
+ # "kodi"
+ "openssh"
+ "mullvad"
+ ];
+ firewall = {
+ enable = true;
+ allowPing = true;
+ };
+ };
+
+ config.system.copySysConf = {
+ enable = false;
+ addToNixPath = false;
+ };
+}
diff --git a/machines/Sheol/secrets.yaml b/machines/Sheol/secrets.yaml
new file mode 100644
index 0000000..a98f959
--- /dev/null
+++ b/machines/Sheol/secrets.yaml
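Review bot: `"/var/lib/sops-nix/key.txt"` in `files` duplicates what sops.nix in this commit already does — that module reads the age key directly from `/persist/var/lib/sops-nix/key.txt`, so the impermanence bind at `/var/lib/sops-nix/key.txt` only creates a second path to the private key that nothing in the diff uses. Unless something outside the diff reads the `/var/lib` path, drop that entry so the key is exposed in one place. The ssh host key entries deserve a why-comment in the same style as the one on `/var/lib/nixos`, e.g. `# Host keys must survive reboots or every client sees a changed key`.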
@@ -0,0 +1,39 @@
+users:
+ derped:
+ password: ENC[AES256_GCM,data:SlJ9Gfjzq/JoZBc0VGKMJxzFM3fyyY/9hbp6bHZthpW8m3l89gkQlGQZQH8OCaWxL4kKwzLw7Ezk+U4Bb2IiR47qHwkHtKFShYqqr1aj25OSlGZTE22estf8ycq0Yj4B4NXI2U7C7NzDNA==,iv:qXuJxumWsICDNIBFvZKXM/fcMXJNtkPGaNJa7qmRgWY=,tag:5kppcClfTj9yKN9vsiwIkA==,type:str]
+ publicKey: ENC[AES256_GCM,data:RyVbnp2zLBxGHZBW2oOEk4q7dUTbjcrF/OCQyBVOgoQFujGJdOVspj/9U/fcT295TMI40CPnVc3diFGp8YuMh1j6GcaHlYCF5ea9YWVI3TEsMlx5bynudddJcMQMRkYztne1cuZnHAk=,iv:lqvhwYo/LSBD0ZtmIh/PS46ucSe/cV//1TmGf3qcv58=,tag:KewGGw20E7UE7eGAYEQ0Dg==,type:str]
+ august:
+ password: ""
+ publicKey: ENC[AES256_GCM,data:wWhmBAtMWLnN+u+PcE4nXrG3/g/nRjx6ROfcuhm2Ro3stNe9h2vsYK2x2ZtNod4rspO6DejUpyuyMo/LRedvZ9VD0Zvi4M5F1isPpaz7WF+PmMxr4w+pkgrHNZW12F+gUue/skSj6ahv,iv:iAyRUDSOVR90PFbsbzKKsBMpLtYZGYniuiwLQVCZg1g=,tag:dBCiRCKnYzqlab2PgqynxA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZDhGV3B6Y0VTYTFwWjM0
+ RDVleHE2c3NEWnBOVnRTZDBIUXBDdU5TNURNCnFucTloWHQ0WUNlbTFxa2NORjdO
+ SW9jb0p3bzN5cStOUU5MQ01rckk0MG8KLS0tIDYvQ25mMFR5bk10Zyt6RDh6aVRK
+ RUhOWHpGNHhFVGUxSnU2TmVvalBrdEUKnrIM8GA1OCGnuHAVgtwDyL5cp/8RrAPF
+ 7Com5KRxlVaROjKODGV0PsrY4IF7q6BqJNjn2+idoeFoyTd+hVrDlg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-04T15:21:04Z"
+ mac: ENC[AES256_GCM,data:fZeinJhhoLJUSQvQ7D0Btmg1m2Mrtx0ekw+GTOh7m5EQpZs2s/+gHaZkT3mRQyl0xXyunlwx4bVjSsW1FgacLWSOwh9u+eRxh8L9MTibwWO+BRfwuaXCJ4bMplz5Sw+k16pBDrqAtoXH5tgM/qztU/A7S/qEuVX2FqW9MqUbTgk=,iv:X67CYrGrOzPZNomO4BSnpj8om3IYi0VKUVPFqBoejHY=,tag:Ct1/QbNzuv7Ig00PWECHpg==,type:str]
+ pgp:
+ - created_at: "2024-07-27T15:31:42Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DVbZwA9DOvl8SAQdA/+yMc8iMH6sTHdUvd8b4woVi++CXmldJmys3XG3KHXQw
+ bClcTd1Tdx+TUMUXdcNF1lRpzRt/7G/paj01Bh+07TQ8dqmYDNN1K33oKep+CG7F
+ 1GgBCQIQylvt/voidkxil0Xp15CZvDq4mdfReucx2qiS8I9ZTJ8qJGA3GFRtajWc
+ vfYj/dVUiTmDwxlAwXCyg/rP23G4TUHSXE5KG9Ub42hHJnA4tAS3rQp/c2cpurKI
+ 19ABYTHyBe/HWg==
+ =AUQD
+ -----END PGP MESSAGE-----
+ fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/machines/Sheol/sops.nix b/machines/Sheol/sops.nix
new file mode 100644
index 0000000..33e5731
--- /dev/null
+++ b/machines/Sheol/sops.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/persist/var/lib/sops-nix/key.txt";
+ generateKey = true;
+ };
+ };
+}
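Review bot: `config` and `lib` are bound as module arguments in sops.nix but never referenced in the body; the other new modules in this commit take only what they use (`{...}: {`, `{impermanence, ...}: {`), so `{...}: {` keeps the style consistent and avoids suggesting a dependency that is not there. The `keyFile` under `/persist` relies on that mount having `neededForBoot = true` in hardware-configuration.nix, which is what appears to make the key readable when secrets are decrypted; a one-line comment, `# /persist is neededForBoot so the age key is present before secrets are decrypted`, would spare the next reader the cross-file check.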