machines/Ophanim: migrate to new server

This commit is contained in:
Kevin Baensch 2025-03-21 23:18:32 +01:00
parent af81fb7b47
commit 80926102f4
Signed by: derped
GPG key ID: C0F1D326C7626543
5 changed files with 161 additions and 64 deletions


@ -2,7 +2,7 @@ keys:
- &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
- &lilim age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
- &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
- &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
- &ophanim age1q49xu8zdt77s6h2gcsf4842k4tzzuhc5svr6f7saqy90muf6c9eqfa9s3e
- &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
creation_rules:
- path_regex: machines/Lilim/[^/]+.yaml$
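Review bot: The new `&ophanim` recipient appears to replace the previous one outright, which re-keys only the files re-encrypted in this commit; every other sops file whose creation_rules reference `&ophanim` also needs `sops updatekeys`, and the Ophanim rule itself is outside this hunk, so please confirm it is covered. Re-encrypting does not change the secret values: ciphertext for the old recipient stays in git history, so if the old server's key was not destroyed the contained credentials should be rotated rather than only re-wrapped. A comment on the new entry such as `# host key of the new Ophanim server; previous key retired on migration` would make the rotation intent visible to the next reader.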


@ -1,36 +1,114 @@
{
nixpkgs,
pkgs,
lib,
modulesPath,
...
}:
{
imports = [
"${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd.availableKernelModules = [
loader.systemd-boot = {
enable = true;
};
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "btrfs" ];
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"sd_mod"
"sr_mod"
"virtio_blk"
];
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
loader.grub = {
enable = true;
device = "/dev/sda"; # or "nodev" for efi only
};
fileSystems =
let
btrfsDev = "13d40c4f-baaa-4a17-9032-b25aad202384";
in
{
"/" = {
device = "none";
fsType = "tmpfs";
neededForBoot = true;
options = [
"defaults"
"size=4G"
"mode=755"
"noexec"
];
};
"/tmp" = {
device = "/dev/disk/by-uuid/${btrfsDev}";
fsType = "btrfs";
options = [
"noexec"
"noatime"
"compress=zstd"
"subvol=tmp"
];
neededForBoot = true;
};
"/snapshots" = {
device = "/dev/disk/by-uuid/${btrfsDev}";
fsType = "btrfs";
options = [
"noexec"
"noatime"
"compress=zstd"
"subvol=snapshots"
];
neededForBoot = false;
};
"/persist" = {
device = "/dev/disk/by-uuid/${btrfsDev}";
fsType = "btrfs";
options = [
"noexec"
"noatime"
"compress=zstd"
"subvol=persist"
];
neededForBoot = true;
};
"/nix" = {
device = "/dev/disk/by-uuid/${btrfsDev}";
fsType = "btrfs";
options = [
"noatime"
"compress=zstd"
"subvol=nix"
];
neededForBoot = true;
};
"/boot" = {
device = "/dev/disk/by-uuid/5491-80AC";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
time.timeZone = "Europe/Berlin";
fileSystems."/" = {
device = "/dev/disk/by-uuid/fa0c2ff3-59f9-4c00-8153-c2c2ef0f0e84";
fsType = "ext4";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
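Review bot: The `"/boot"` ESP entry mounts the vfat partition with `fmask=0022` and `dmask=0022`, which leaves everything on it world-readable, including the random-seed file systemd-boot keeps there; bootctl flags a world-accessible ESP, so prefer `fmask=0077` and `dmask=0077`, which is also what newer nixos-generate-config emits. As rendered, `kernelPackages = pkgs.linuxPackages_latest;` sits inside the `initrd = { … }` block, where `boot.initrd.kernelPackages` is not an option; if that is the real placement it must move one level up under `boot`, though the rendered diff may simply be interleaving lines, so check the file. `/tmp` is mounted `noexec`, which can break Nix builds that execute from their build directory unless the daemon's build dir lives elsewhere; a note such as `# noexec: keep the nix build dir off /tmp` next to that option would record the trade-off.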


@ -25,6 +25,11 @@ in
"baensch"
];
}
{
name = "august";
aliases = [
];
}
];
allowUnfree = true;
conffiles = [
@ -35,19 +40,39 @@ in
pkgs = [
"base"
"server"
"nvim"
"nvim::cmp"
"nvim::fugitive"
"nvim::harpoon"
"nvim::kanagawa-nvim"
"nvim::lsp"
"nvim::lsp::bash"
"nvim::lsp::nix-nil"
"nvim::lsp::python"
"nvim::lualine"
"nvim::nvim-highlight"
"nvim::telescope"
"nvim::tmux-navigate"
"nvim::treesitter"
"nvim::trim"
"nvim::undotree"
];
services = [
"acme"
"btrbk"
"btrfs"
"fail2ban"
"forgejo"
"tandoor"
# "hydra"
"impermanence"
"mailserver"
"mariaDB"
"nextcloud"
"nginx"
"openssh"
"radicale"
"tmux"
"tt-rss"
# TODO: re-add sservices
# "tandoor"
# "tt-rss"
];
vHosts =
let
@ -58,11 +83,9 @@ in
domain = base;
service = "simple";
}
# { domain = "builder.${base}"; service = "hydra"; }
# { domain = "cache.${base}"; service = "cache"; }
{
domain = "storage.${base}";
service = "nextcloud";
domain = "cal.${base}";
service = "radicale";
}
{
domain = "mail.${base}";
@ -72,14 +95,14 @@ in
domain = "git.${base}";
service = "forgejo";
}
{
domain = "food.${base}";
service = "tandoor";
}
{
domain = "feed.${base}";
service = "tt-rss";
}
# {
# domain = "food.${base}";
# service = "tandoor";
# }
# {
# domain = "feed.${base}";
# service = "tt-rss";
# }
];
firewall = {
enable = true;
@ -88,12 +111,10 @@ in
22
80
443
7776
];
allowedTCPPorts = [
80
443
7776
];
};
};
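Review bot: `"nextcloud"` stays in the services list while the `storage.${base}` / `nextcloud` vHost entry appears to be replaced by `cal.${base}` / `radicale`, so unless the project's nextcloud service module derives its hostname elsewhere the service is now enabled without a matching vhost; either drop it from services or keep the vHost entry. The firewall hunk drops two lines (12 old versus 10 new by its header); if `22` is one of them, a one-line comment stating that SSH reachability now relies on the openssh service opening its own port would save the next reader a check. The TODO has a typo: `# TODO: re-add sservices` should read `# TODO: re-add services (tandoor, tt-rss)`. The enclosing attribute set continues outside these hunks.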


@ -3,6 +3,8 @@ users:
password: ENC[AES256_GCM,data:LODa3S3CpToxDcILSXIAwjZKq+KBh2HwnmxM6NLjuGpHWLGG+olvYxYju4vd1bF4c0OFdKfJFzM99JENt+OLp7tR/NQhvpiu6f1IhcxSrjJTBTXHlRHSGm2JD3a7HB3E7DUH,iv:MrhBrInvFbHq086pc9cyvtXVSLBDDuuWFGm1KLnElk8=,tag:VqxDD1PXgZzeTGogtFgbrQ==,type:str]
mail: ENC[AES256_GCM,data:b8/EiGUiUmCsxeOSFLE4lETrdi6Dn6wpWdYyNb22kHo/Ws0PXMLu4FJKeP/lZj0kKigdm4I94eEYyC8UmZKcJtilW/JtUpfmGzDkiGTxY7VxVFZYbamsQ1wq1r3BuWZorn+m,iv:+kyH2h+0++NnR/NPyUOPkEj1HSMI7+gciCXuebdlvkc=,tag:J6ltTqx34sJbkUAaiZJR6g==,type:str]
publicKey: ENC[AES256_GCM,data:n1o+2pBdstnnC7b3Oub8Cen6JYZzR4ouaVlANsqxr2B8apPgY3ZaWoYO7b773MiKlhfPGPDpnL6H+jBGRc+adUjuaLFl2fnWwHCo8bIe/esIMf+bgyMefodg35R6j02bT0BM8dQGRyU/Qw==,iv:zCZdEvdTNvz/pAG6fAlsG5ZTCzOyfpo5OJswFa9n0ws=,tag:efQOpShXKmTJeK3odLt7cw==,type:str]
august:
mail: ENC[AES256_GCM,data:zEeONrOporN+UsMuPmwatyNGp1Iz4UQKKRAQeQB7GDbu4BK4xyr/Q62XoMMsj+UYj0Eq6yIvtWmmzttmcY3WpWiTb3wMtRmvzzpogD51P1aFwA/RJ5k5tcICFvZUOT+DkTTZ0mVlj7QmMA==,iv:4gND1l7sg1TpS9qLqbiJZhbTwR9z2eo1RnaFL7ne78E=,tag:NWFI+oNtTDT/39s1HD0+Cw==,type:str]
services:
forgejo:
dbPass: ENC[AES256_GCM,data:TStfvP4VP9StXzxPU0GKyxZqXCj/+OLc2nE+FZWKbi95yn9BEFAyFQ==,iv:ZmM1+I1ipE5yHXMX4GYh6GqBr3B3Cycym24obHQG59M=,tag:C9kdJlEZUdGTS/N2NtuWdw==,type:str]
@ -19,29 +21,28 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
- recipient: age1q49xu8zdt77s6h2gcsf4842k4tzzuhc5svr6f7saqy90muf6c9eqfa9s3e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbCsvRFhFOC8xdTZ1dEJk
QlNiNE9mTnhHSWpEbG1KdVJZUllFSHUwcWlnCkhhMlFFanUyRjBSNXg2ZDdOVytm
Z2t6L1hoUktXczc2SkErMHU5ZDVIYWMKLS0tIFZQMGhZV0V6bmxLdWswZGg1cE9I
ZUd6NXpIbkRhc0ZIM3BQc3ZRTHZSMFkKlHPJymevA5mrcZ66n4PIcxUtGwiQRUpS
ctRke10aLmPCPe3C+Vy90wXxU8CShNXrCrgn0eaXlr5Pc+U2gvJt4w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-21T11:05:34Z"
mac: ENC[AES256_GCM,data:50Qe5aBO/xT5VFxfyIvB1hB32MlxSsXdIrG2zwDf5lGyk8cYKr8i5LZX7TQfzaREW9CgwPt7K4bxbGqAPG6wOVCgN+GYbVqpWgORfftMRzy0oVFY+zbb+oewmy7lh/Da0z1+6+P+GECoGakduChOcWYfrjxQk7ODEz0RE4aX1Cs=,iv:+DSaPLZTrYHTY0LpUKjBn+NlhO+QKQh2wrVfNNLZoOc=,tag:d1ixNV6w1vJlHJHcjS64ow==,type:str]
lastmodified: "2025-03-01T21:06:52Z"
mac: ENC[AES256_GCM,data:UZrrHrfX5cH0LUp42BeesAzceHmwx4Hbz/Ihgko/hhXZQwhEMezyzXO0w02EPxjiHWCVi2xJpk1BzXzUJOzSJgG8uu7CURF3ku0jg6u5MPjDznJOK3LxUjJCS3aRKdbim4Xxa041o82tV8EYFmV3VqhQsyuAvVhyUlHzmb4pxKg=,iv:6vq6+hOflbHBRS7Lt+4wlWFdnRwRS+5VikwaVk0vPhU=,tag:UA/MF3UkhgM9VaEc9wGYnA==,type:str]
pgp:
- created_at: "2023-09-10T17:32:58Z"
enc: |
- created_at: "2025-02-27T11:57:35Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR
LkjqppMzPP/4OQ==
=+ryG
hF4DVbZwA9DOvl8SAQdAQFSn85CwMlRwwf/UmjERCDCuAD/fZJCjZ5VQunVLHmkw
OtFuf326h6CAid2gchi4eOGt+ezJ79gWjN9JMjfeLm04PM6RtzMZzjPrBKwuTv0b
0l4BRonGkbjvU+Ne47i6n7gmoyMOG7yCQWI2RnIip/+9A39zTUsZDpzBrF1Qp0rn
SS0WC3MxUm2fah8ow/8u9KKRh5m9daFTDSM1otowdoqUnPWtCC8TESjrhfC+wCKu
=R9C3
-----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.9.4


@ -1,13 +1,10 @@
{
config,
lib,
...
}:
_:
{
sops = {
defaultSopsFile = ./secrets.yaml;
age = {
keyFile = "/var/lib/sops-nix/key.txt";
keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
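Review bot: `generateKey = true` is kept alongside the new `/persist/var/lib/sops-nix/key.txt` path, so if `/persist` is absent or not yet mounted when sops-nix runs on a rebuilt host, a fresh key is silently minted and every secret then fails with a recipient mismatch instead of a clear "key file missing" error. The hardware config in this commit marks `/persist` as neededForBoot, which covers the normal case, but now that the key for this recipient exists consider `generateKey = false;`, or add a comment such as `# generateKey only for first boot; key must match the ophanim recipient in .sops.yaml` recording why it stays on. The module's closing brace is outside the hunk.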