Add new machine Sheol.

This commit is contained in:
Kevin Baensch 2024-11-15 21:58:10 +01:00
parent 4da68279f4
commit 0b1b8b6acb
Signed by: derped
GPG key ID: C0F1D326C7626543
9 changed files with 246 additions and 0 deletions


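--- a/PATH_NOT_SHOWN_sops_config
+++ b/PATH_NOT_SHOWN_sops_config
@@ -3,6 +3,7 @@ keys:
 - &lilim age1w3uhx6han0frfvg2t3t3wnwnzpkplzeyhun0dmqpkqwscmzlz4ms3elug4
 - &marid age10vw4q40dq0tk9xzexeyn7cl6qka0hz7mfkmhv9g322k0u4dacd5sq8gg67
 - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+- &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
 creation_rules:
 - path_regex: machines/Lilim/[^/]+.yaml$
 key_groups:
@@ -22,3 +23,9 @@ creation_rules:
 - *admins
 age:
 - *ophanim
+- path_regex: machines/Sheol/[^/]+.yaml$
+key_groups:
+- pgp:
+- *admins
+age:
+- *sheol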
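Review bot: The new `path_regex: machines/Sheol/[^/]+.yaml$` leaves the `.` before `yaml` unescaped, so the rule also matches names such as `machines/Sheol/secretsXyaml`; `path_regex: machines/Sheol/[^/]+\.yaml$` is what is meant. The existing rules share the pattern (the Lilim one visible in the first hunk), so they are worth fixing together rather than leaving the new rule as the only escaped one.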


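--- a/PATH_NOT_SHOWN_flake_inputs
+++ b/PATH_NOT_SHOWN_flake_inputs
@@ -5,6 +5,8 @@
 nixpkgs-stable.url = "github:/NixOS/nixpkgs/nixos-24.05";
 nixpkgs-unstable.url = "github:/NixOS/nixpkgs/nixos-unstable";
 nixpkgs.url = "github:/NixOS/nixpkgs/nixos-unstable";
+nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+impermanence.url = "github:nix-community/impermanence";
 alejandra = {
 url = "github:kamadorueda/alejandra/3.0.0";
 inputs.nixpkgs.follows = "nixpkgs";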

machines/Sheol/august.nix Normal file

@ -0,0 +1,24 @@
{ ... }:
{
users.users.august = {
isNormalUser = true;
createHome = false;
};
services.openssh.extraConfig = ''
Match User august
AllowUsers august
PermitEmptyPasswords yes
ChrootDirectory /home/august
ForceCommand internal-sftp
'';
sops.secrets."users/august/publicKey" = {
path = "/etc/ssh/authorized_keys.d/august";
mode = "444";
};
fileSystems."/home/august/Videos" = {
device = "/mnt/WD/Videos/Movies/";
options = [ "nofail" "bind" "x-systemd.automount" ];
neededForBoot = false;
};
}
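Review bot: `PermitEmptyPasswords yes` in the `Match User august` block, taken together with the plaintext `password: ""` stored for august in machines/Sheol/secrets.yaml, opens a passwordless login path, while the deployed `users/august/publicKey` secret suggests key-based access was the intent; if that password secret is what populates the account's password, anyone who can reach sshd can log in as august with no credentials. For a key-only chrooted SFTP account replace it with `PasswordAuthentication no` inside the Match block, and since the chroot only serves a media directory, make the session read-only with `ForceCommand internal-sftp -R` unless uploads are wanted. `AllowUsers august` inside a `Match User august` block only takes effect after the match has already selected august, so it restricts nobody else; drop it, or put it in the global section if a global allow-list is intended. sshd also refuses a ChrootDirectory that is not root-owned and non-writable by group/other, and with `createHome = false` nothing here creates `/home/august` with those modes — the bind mount will create `/home/august/Videos`, but the ownership and mode of `/home/august` itself should be verified.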


@ -0,0 +1,28 @@
{...}: {
services = {
avahi = {
enable = true;
openFirewall = true;
publish = {
enable = true;
workstation = true;
userServices = true;
};
};
cron.enable = false;
};
# udp5353 1024-65535
networking.firewall = let
range = {
from = 1024;
to = 65535;
};
in {
allowedUDPPorts = [ 5353 ];
allowedUDPPortRanges = [ range ];
allowedTCPPortRanges = [ range ];
};
networking.dhcpcd.extraConfig = "noarp";
system.stateVersion = "24.05";
}
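Review bot: `allowedUDPPortRanges`/`allowedTCPPortRanges` covering 1024-65535 open every unprivileged port on every interface, so anything that binds above 1024 (the desktop services, mullvad, whatever a future "kodi" entry adds) is reachable from the network regardless of `firewall.enable` in the machine config. The comment `# udp5353 1024-65535` suggests this is for mDNS, but `avahi.openFirewall = true` already opens 5353/udp (which also makes `allowedUDPPorts = [ 5353 ];` redundant) and the NixOS firewall is stateful, so replies to local mDNS queries do not need the high range opened inbound. If one specific service needs the range, scope it with `networking.firewall.interfaces.<name>.allowedTCPPortRanges` on the LAN interface and name that service in the comment; otherwise drop both range lines.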


@ -0,0 +1,66 @@
{nixos-hardware, ...}: {
imports = [
nixos-hardware.nixosModules.raspberry-pi-5
];
boot = {
kernelParams = [ "8250.nr_uarts=11" "console=ttyAMA10,9600" "console=tty0" ];
supportedFilesystems = ["btrfs"];
initrd.systemd.enableTpm2 = false;
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = false;
};
fileSystems = {
"/" = {
device = "none";
fsType = "tmpfs";
options = ["defaults" "size=2G" "mode=755" "noexec"];
};
"/boot" = {
device = "/dev/disk/by-uuid/F8BB-8019";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
neededForBoot = true;
};
"/persist" = {
device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409";
fsType = "btrfs";
options = ["subvol=persist" "compress=zstd" "noexec"];
neededForBoot = true;
};
"/snapshots" = {
device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409";
fsType = "btrfs";
options = ["subvol=snapshots" "compress=zstd" "noexec"];
neededForBoot = false;
};
"/mnt/WD" = {
device = "/dev/disk/by-uuid/EA2866C92866947B";
fsType = "ntfs";
options = ["nofail" "x-systemd.automount"];
neededForBoot = false;
};
};
hardware = {
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
powerManagement = {
enable = true;
cpuFreqGovernor = "powersave";
};
services = {
upower.enable = true;
};
time.timeZone = "Europe/Berlin";
}
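Review bot: The `/mnt/WD` NTFS entry at the end of `fileSystems` carries only `nofail` and `x-systemd.automount`, whereas every btrfs data subvolume above it gets `noexec`; a disk that is presumably also written from other systems is where `nosuid`/`nodev`/`noexec` matter most, and this volume is what the august SFTP chroot bind-mounts from. Suggest `options = ["nofail" "x-systemd.automount" "nosuid" "nodev" "noexec"];`. Whether the driver already implies some of these for a root mount depends on whether `fsType = "ntfs"` ends up on ntfs-3g (FUSE) or the in-kernel ntfs3 driver, which the config does not pin down, so stating them explicitly is the safe choice.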


@ -0,0 +1,24 @@
{impermanence, ...}: {
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/etc/nixos"
# Stores auto assigned user/group ids
"/var/lib/nixos"
"/var/log"
# User directories
"/home/derped/.config/home-manager"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/var/lib/sops-nix/key.txt"
];
};
}
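Review bot: `/var/lib/sops-nix/key.txt` in `files` overlaps with machines/Sheol/sops.nix, which points `sops.age.keyFile` directly at `/persist/var/lib/sops-nix/key.txt`; one of the two is enough. Keeping both may be more than redundant: as far as I can tell impermanence creates an empty file on the persist side before bind-mounting a missing source, and sops-nix's `generateKey` only generates when the key file is absent, so on a fresh install the ordering could leave an empty key and no generation — worth verifying on a first boot. Either drop the `files` entry, since sops.nix already reads the persistent path, or keep it and set `keyFile` back to the default `/var/lib/sops-nix/key.txt`.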


@ -0,0 +1,43 @@
{...}: {
imports = [
../../options/copySysConf.nix
];
config.machine = {
allowUnfree = true;
hostName = "Sheol";
networkD = {
enable = true;
waitOnline = false;
};
administrators = [
{
name = "derped";
id = 1337;
}
];
conffiles = [
"etcfiles"
"etcvars"
"zsh"
];
pkgs = [
"base"
];
services = [
"desktop"
"desktop::sway"
# "kodi"
"openssh"
"mullvad"
];
firewall = {
enable = true;
allowPing = true;
};
};
config.system.copySysConf = {
enable = false;
addToNixPath = false;
};
}


@ -0,0 +1,39 @@
users:
derped:
password: ENC[AES256_GCM,data:SlJ9Gfjzq/JoZBc0VGKMJxzFM3fyyY/9hbp6bHZthpW8m3l89gkQlGQZQH8OCaWxL4kKwzLw7Ezk+U4Bb2IiR47qHwkHtKFShYqqr1aj25OSlGZTE22estf8ycq0Yj4B4NXI2U7C7NzDNA==,iv:qXuJxumWsICDNIBFvZKXM/fcMXJNtkPGaNJa7qmRgWY=,tag:5kppcClfTj9yKN9vsiwIkA==,type:str]
publicKey: ENC[AES256_GCM,data:RyVbnp2zLBxGHZBW2oOEk4q7dUTbjcrF/OCQyBVOgoQFujGJdOVspj/9U/fcT295TMI40CPnVc3diFGp8YuMh1j6GcaHlYCF5ea9YWVI3TEsMlx5bynudddJcMQMRkYztne1cuZnHAk=,iv:lqvhwYo/LSBD0ZtmIh/PS46ucSe/cV//1TmGf3qcv58=,tag:KewGGw20E7UE7eGAYEQ0Dg==,type:str]
august:
password: ""
publicKey: ENC[AES256_GCM,data:wWhmBAtMWLnN+u+PcE4nXrG3/g/nRjx6ROfcuhm2Ro3stNe9h2vsYK2x2ZtNod4rspO6DejUpyuyMo/LRedvZ9VD0Zvi4M5F1isPpaz7WF+PmMxr4w+pkgrHNZW12F+gUue/skSj6ahv,iv:iAyRUDSOVR90PFbsbzKKsBMpLtYZGYniuiwLQVCZg1g=,tag:dBCiRCKnYzqlab2PgqynxA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZDhGV3B6Y0VTYTFwWjM0
RDVleHE2c3NEWnBOVnRTZDBIUXBDdU5TNURNCnFucTloWHQ0WUNlbTFxa2NORjdO
SW9jb0p3bzN5cStOUU5MQ01rckk0MG8KLS0tIDYvQ25mMFR5bk10Zyt6RDh6aVRK
RUhOWHpGNHhFVGUxSnU2TmVvalBrdEUKnrIM8GA1OCGnuHAVgtwDyL5cp/8RrAPF
7Com5KRxlVaROjKODGV0PsrY4IF7q6BqJNjn2+idoeFoyTd+hVrDlg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-04T15:21:04Z"
mac: ENC[AES256_GCM,data:fZeinJhhoLJUSQvQ7D0Btmg1m2Mrtx0ekw+GTOh7m5EQpZs2s/+gHaZkT3mRQyl0xXyunlwx4bVjSsW1FgacLWSOwh9u+eRxh8L9MTibwWO+BRfwuaXCJ4bMplz5Sw+k16pBDrqAtoXH5tgM/qztU/A7S/qEuVX2FqW9MqUbTgk=,iv:X67CYrGrOzPZNomO4BSnpj8om3IYi0VKUVPFqBoejHY=,tag:Ct1/QbNzuv7Ig00PWECHpg==,type:str]
pgp:
- created_at: "2024-07-27T15:31:42Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DVbZwA9DOvl8SAQdA/+yMc8iMH6sTHdUvd8b4woVi++CXmldJmys3XG3KHXQw
bClcTd1Tdx+TUMUXdcNF1lRpzRt/7G/paj01Bh+07TQ8dqmYDNN1K33oKep+CG7F
1GgBCQIQylvt/voidkxil0Xp15CZvDq4mdfReucx2qiS8I9ZTJ8qJGA3GFRtajWc
vfYj/dVUiTmDwxlAwXCyg/rP23G4TUHSXE5KG9Ub42hHJnA4tAS3rQp/c2cpurKI
19ABYTHyBe/HWg==
=AUQD
-----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted
version: 3.9.1

machines/Sheol/sops.nix Normal file

@ -0,0 +1,13 @@
{
config,
lib,
...
}: {
sops = {
defaultSopsFile = ./secrets.yaml;
age = {
keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}
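Review bot: `generateKey = true` next to `defaultSopsFile = ./secrets.yaml` only works if the file at `keyFile` already exists and is the `sheol` key that machines/Sheol/secrets.yaml is encrypted to; on a host where it is missing, sops-nix generates a fresh key whose public half is not among the recipients, decryption fails at activation, and secrets such as `users/august/publicKey` are never installed while the rest of the boot proceeds. Either set `generateKey = false;` and provision the key out of band, or document the dependency with a comment such as `# key.txt must be placed under /persist before first boot; its public key is the sheol recipient in the sops config`. Because `keyFile` lives under `/persist`, this also relies on that mount being `neededForBoot`, which the hardware config does set.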