podcast.savar.de: init

1systems/podcast.savar.de/config.nix

@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+
+      # hardware
+      ./proxmox-vm
+
+      ../../2configs
+
+
+      # Monitoring
+      ../../2configs/nix-community/supervision.nix
+
+      # users
+      ../../2configs/home-manager
+      ../../2configs/home-manager/cli.nix
+
+
+      # Security
+      ../../2configs/sshd-totp.nix
+
+      # Tools
+      ../../2configs/tools/core.nix
+      ../../2configs/zsh-user.nix
+      ../../2configs/mosh.nix
+      # Networking
+      ../../2configs/tinc/retiolum.nix
+      ../../2configs/wireguard/wiregrill.nix
+
+      # services
+      ../../2configs/bgt/download.binaergewitter.de.nix
+
+      # backup
+      ../../2configs/backup/state.nix
+      # TODO: migration required
+      # ../../2configs/bgt/backup.nix
+
+      # misc
+      ../../2configs/support-nixos.nix
+      ../../2configs/headless.nix
+    ];
+
+  sops.secrets."ssh_host_rsa_key" = {};
+  sops.secrets."ssh_host_ed25519_key" = {};
+  services.openssh.hostKeys = lib.mkForce [
+    { bits = 4096; path = (config.sops.secrets."ssh_host_rsa_key".path); type = "rsa"; }
+    { path = config.sops.secrets."ssh_host_ed25519_key".path; type = "ed25519"; } ];
+
+  krebs.build.host = config.krebs.hosts.podcast.savar.de;
+
+  # Network
+  networking = {
+    firewall = {
+        allowedTCPPorts = [ 80 443 ];
+        allowPing = true;
+        logRefusedConnections = false;
+    };
+    nameservers = [ "8.8.8.8" ];
+  };
+}

1systems/podcast.savar.de/proxmox-vm/default.nix

@@ -0,0 +1,17 @@
+{ pkgs, lib, nixos-hardware, self, ... }:
+# new zfs deployment
+{
+  imports = [
+    ((import  ./disk-setup.nix ) { disks = [ "/dev/sda" "/dev/sdb"]; })
+  ];
+
+  swapDevices = [ ];
+  boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
+  hardware.enableRedistributableFirmware = true;
+
+}
+

1systems/podcast.savar.de/proxmox-vm/disk-setup.nix

@@ -0,0 +1,60 @@
+{ disks ? [ "/dev/sda" "/dev/sdb" ], ... }: {
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = {
+            boot = {
+              name = "boot";
+              size = "1M";
+              type = "EF02";
+            };
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpount = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "xfs";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+      storage = {
+        device = "/dev/sdb";
+        type = "disk";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = {
+            data = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "xfs";
+                mountpoint = "/data";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

secrets/podcast.savar.de.yaml

@@ -0,0 +1,36 @@
+wiregrill.priv: ENC[AES256_GCM,data:U83dDn8q+KZ8QZh69Z/8eHmOHYugXMeRtkTMpv/4x0qkqz9ku9dsZxCFOcA=,iv:aJskz6nYgi82XwjsQcUkluYLNQ/tb0zQG53Rtvts3js=,tag:74JTYUtQY9qcIjaD9NCTOg==,type:str]
+retiolum.priv: ENC[AES256_GCM,data:yG1CvrFYy40gzKxoDUDWxCdOTR0G4WYFWygWpf1igOfjeJmCQKbwt46ydimPU1+GhyIxy1J8UjwRp18/OkydgXjNE3Whj3l0ZUCRH2k+iBJ0/CFrwE0hEvVZfcACxpw6IMKadR0biucBZ0nCAy9nQv9lzYgddXJD4Kji3Ksp6tK4leV02iFmeEZP5qweCX5Of4bGGJovM9QffRobC9uNRHKktxTKdtNeh06SS8ybyDVnmUQTuw0u8GlC0CoUlqnrTxXqAzdFWDThs7V+hAHYXrDOpRvd+79R4k2N6rdFuZZiyfoyZw0ww37q25V09PKIaDhK+T791lOE0SqQBSWI0cfSmGOw183vHeVRhppnrnx5aGsb/vxdIqF7Bzr++7dq4rw2Mx8jvS7WaoisMicINPBxXfp6Kw8uByQOWcwiEI+C8u+QkmQwxuwj0Xv0Xp/HeXAZIkgzcD9eFsg/Zz1s1i148lyt8ist9hCplK06fnroeq3xnRMnegsND/lDIfr64xcmQPMH4fUaNrZZ7x35/cNMk1NSqpXiLpJa7BS04iNUau4XGgLa/D4nHgJP8XvOoHg+tMxYAPyjsikAt7Lu0Isgn8zMMjZvB88NLgz0QoY4MSxc/hgMtMDbh7eoAxltSTNnJksZ7+mSzSkLdGI57RClErZWaYyw7YA71lyj35QP98X/00hVjMJ9Jc93L3LqaM3dgmgyL2UW+fWJUsTb9EbKbsfLULnKjRe0yFRgzmPJiC/JeoqLV+z33+SMH30JeXCLZIu4UZOZfXxxkVWMZlFLQfLoQ9dDKYPROyM+7bCIIYfBGZpqVcPfv/GdGcbXXccqTAB+D0udi9cHJzRpNpaw96YQjRB8Qf886etu9sLESuj9MmVPJqvz+QS4DDxJi4eDhSt/SNWQ4nUnsMI/6MYv5vkvkg+yQfbSSD1dtpmC85wNLGzIr4B2evYfeF4ghOjjz6CqnsH5ikekhIO7bDJtRKkZJ5RSe5N+ij3Y3ulWFB3emGDrcre+rVhFgxRrAFy9R7KY5/iysawChmBK3xe1tNJVkmv2JnK4A6Sr2iaTvB0XkRk7SwPHLcbFkSj2eFP77Kq52nAQjTQApm32YGazd+QkATjm+dQGtHJT+V+VS74SlndIhJG0Q02ggB/F2RK2ToBCPl5PZtF1Nd4ZLTjS0FcHsOKAn/hu/LuRnlroC/XwR28KlnPWJ8+d8lKaFq4yMjqI+9gPtBa8rnUIrpakHLkn36TNCssPEKSqYHe+SJ5TaGZpdVKuKf63gHhkekGptFXp08XoMUgFy6zXiO1CcKz9gItUjf9a/w79BlWL+AJR+i/0g21Mv4CrSQUT5zVJBowVr+TV43UUVb7kzuQPOaPwW2NDSPDsn43UTASoDX4Xn4bkQX1k52L3ET0tb9X7zS/GmHExj9ks5DX/T0wjR7pt0nuWO7r+MD4IB96Y3Qo80DL38TV7jKK7HSfZydc/ZyVFBj5dhzzpZVnQZt3spOTaZIrXpyiKhOxdNVNtzqJ3ohDQHXClTNCreZTAnjFoFLhhNSytpYncjgIGCaJD235Ykx9/jjtQLGf8ZvHZoHvKiPxo5DoH+fcR0XGysO1rukRbfxfoCRlWHHCGMqlyL5yz+OPBaPe58tNtMGck8/vF/sHUyuawuNWPoyUpVW0eDVv2fr3x6iKq7xmcOuphJC8lfa5MHikYSogrOQSE4jSPd/kklGxh01QWG4+4criyFacdqNyfv6DphVMZvT08/qFByDRAS7fSc3hbEbnkvIES6rvuuXOGj+rYcb25aS55NqJ6mYgqLtOiyGJHV9Ei2cVHGhfF203eLTEBBcneqcp/74qm+Hc/DSZBrT4QrM06omV0VeBwG1g5qdC8HhxwwLCwAXn18DFh5cnbULQmMBhuOv441WKzZQrp9qUsKg6XHe2/kGkFYT32hscoENeIt7w892KwEdd1FgVkDC8zFx/wTCAioH5i+t5VkU6NwI/0+2RX2VxMBLhb/fTvkokKlD+Ms/rktVvyrm48A04V03JWxuk4GaDzxcBKrSxBKMz5C9nHKbjVMcjL06+rUHcCNCS1XTohYsw6I09FMl5SR18ca+Rw5vugMSGtODbffeAr9ffZrdgP0H6emiNFs5anVmhwMZwr1LqFMUm/TILoa+HmsQzuJujZJVSdk7eRW+O7NC87DYB0t1wa3Q32KQXjlf2bkY3vZ7eMYuuAiI3B48Z/PKwgsrR5sA==,iv:yX3OY3pZcRElJj9bx15iy+WtjtEmq0B00gOZGVIp9vw=,tag:ebboL0eotEsMYZRrz3L5Jg==,type:str]
+retiolum.pub: ENC[AES256_GCM,data:ulsH7ux2jJ+SuhbazYYpup/mZiS17LgTK8Et25FDky617UHtVrnwU+oeoVEIMVSnTNgLWMf0LIxVh9ZvE5SJrog44EmK4qb0DcsEbi3h0uBv3u3aOD9sqbZ8mXf3WrspQYxiPo/vdo21wXzRd8RuZ2DtD4c9gVIURgrmiIaJmoMY0w/33lFU7Ql/4a3aj4ZhSyRdCo+slHzC4V4XmaSycRSBk+97moWv3QbtKZ1mhmajygMOrIywlgktF7+5Ly41YQ+5gCZG2sUa7DYOR37gTfGWAT9ejKtXoPDByaQlIPssXGY7o2v8QGSprYtq/lztgaticqddv6H2vx+paDXvC5doo+N8StyPJDb447nGD7UVxm8pAxio31PNiHS9sFkxscWxdvg1TW8QssWpDLT0GgciVtMCliEO+z7ld354/Or6QQwCRTxeB9rTsL16K5CnfDM8nS/oJDz1R0kk1M6ylQGLyUcoFlu11WlJPj1s238orfyU4Ow8p2rQC6vBO3iIo8wSPVr//7unnZ8EBQDQcHV7g75LpzBXuk2oZWjVkUn+mhBU90OwI2kj,iv:N1mLdBI0nn+okxN7MQQQpbl9IEvqsWIFS/Jlsq1Qc8E=,tag:ZJLPPdV+UBYl/ERetYJzaA==,type:str]
+retiolum_ed25519.priv: ENC[AES256_GCM,data:Ur+poq8KhYv9nXecqBUf+FiCnfnMmMtyZFq66GMzx+XfRneQN2T5ml8dL4ZotZvFEfI9O2ktvvq9lBuBVIORoh0vLLkat6A2W1r/Ik1Ay6YrXQY+RBZ9wgJhK+5bjZCvxHnXMRsyFV2bDCn+qdskwwoOwN8gOSdbIEqb1JwRDRItimP09Dzqlp4sWEA38ss+KvRClKkGkmtZLv84J/sqFU5/VJulUR0o7VOA3EOYws74HHvNTwAk1WKhCF6+DkBwDUfcD+/rO3w=,iv:7H+gPCoAihQKHPGUQNDseR2oNXhnZTlrj72T7Nw/1H8=,tag:Ylc85mC9JwNgzEZFK532+g==,type:str]
+retiolum_ed25519.pub: ENC[AES256_GCM,data:YfCvNpctdVayKJCHO+7l7IcetN97AYjepmylE3/8hImIuQGKrjdcyK75KsROqBL1CYsLx/5z2zbPMT9mzk+9,iv:T5D2izRKjOZ/fl9NfQI9CsEl3/lTg+ZMrEG6yZXY/P0=,tag:TQdR5Na9yqUd5z0QPRrx/w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-08-17T18:06:56Z"
+    mac: ENC[AES256_GCM,data:7pB3ob8vSSWNJXvPnxbtuJ8zxJbJguSHyGtX2JxZy6G4eY3d2NJGKP2iMs271fNggb9J8h/+WoqLGGgteUCfcWp0ZmvYwtNusNJlKkiiT2gDf2Y6OSSBHaWs8aqo4wkKC+4aqfculHpqkS5PLSRrmJjWzsABjC0o5y5rh1a1KG0=,iv:l4vnC6lc2THwiLVprUDeCpaiS+hj1YdgdgXJzGtrz7s=,tag:YOT6R4NP8VMHNS6mw29qwA==,type:str]
+    pgp:
+        - created_at: "2023-08-17T17:56:29Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA9JutVRDNegnAQ//Q2T6b8ZkNqWkMydWZMHLkN2L64x1U5mgqqCyAsfsUrcR
+            EW6OU17S/QW+Wldrbf/5iwu1cSfC/EyEpG4PPZb0Rk96bdka/dVYPFWEBgsM1bsZ
+            QBTPDzdN+HVVK0oPmaIqydvk8NKAFSxxVJvBaFQRSJntQQXIpH0NRwT8VVpZl4d3
+            rvy64kLnKHKqB8u/dzznlu+NKPEietwqfjO/xDimwrNNMZIW4kWGk26+OpyJxpV8
+            mWunx/0wcWd/G/GmSKkWgxMMI59HwHUeDhzqzbaebmvuD4aEiNhkgRxZHDLk9hmu
+            izPOcpzgHETDXgb9Z+0u+eb4zt1/8AtY/FEqD3LrpgeTgJH69lOpqlWiTqo4nVOM
+            1Vq1NgUJErFpsuk//sbnviQNXqJC39hz9q9sYGOt/O9x6jZQlioSbp17Bs0UAiQN
+            L+6UOsOacMrJTyvQBMLnFilrPK1bFZRerpzW2hNF2TLBLBjhWyVN6FjJgMc9aHIn
+            OzTcS4BEs6rgCkQ12l3iFApSE7/Si0a+2556bdS3Q7GLSGFuWJyT85A3+9jm91id
+            Kq12WbkLH3QWoVkoxYmGB6K748Zfz802zXmsmvCTYuVV/3PeZO2pa4QnKJCtHqgh
+            taeelDEGGGzLRjglEGGbJBl6tIikdqsWs+rvRGYiexIkr+XzbnzMJqztYdg+Wm7S
+            UQE9lt/9soRywdcTGp0196WB37U5KoqcdXgHg+Q6wFGttaaUv0+CM5KPQ4O1EWSH
+            5t2HNE1/a0IpdJb+l+ZBT47r6ZV83O6jLF7nwsTtR1V+2A==
+            =0MWG
+            -----END PGP MESSAGE-----
+          fp: F7B8DCE46BC6B0A8F95477C8563B8DFE2A0E2029
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3