makefu/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

init secrets

Browse source
This commit is contained in:
makefu 2023-06-10 20:53:47 +02:00
parent 00ae5602b3
commit f0c524a6ac
13 changed files with 399 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
.sops.yaml Normal file
View file

@ -0,0 +1,17 @@
keys:
- &makefu F7B8DCE46BC6B0A8F95477C8563B8DFE2A0E2029
- &x_host age1hqe5hs2jz2fk5zvw346ajhwlagkheunacahpu42uruxu0nlnwy7qn9q5k6
creation_rules:
- path_regex: secrets/common.yaml$
key_groups:
- pgp:
- *makefu
- age:
- *x_host
# host secrets
- path_regex: 1systems/x/[^/]+\.yaml$
key_groups:
- pgp:
- *makefu
- age:
- *x_host

41
1systems/flake-x/config.nix
View file

@ -1,13 +1,14 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, self, ... }:
{
imports =
[
# ./x13
# ./x230
./x13
(self + "/2configs/default.nix")
## Common Hardware Components
#<nix-ld/modules/nix-ld.nix>
## <stockholm/makefu/2configs/hw/mceusb.nix>
## <stockholm/makefu/2configs/hw/rtl8812au.nix>
#<stockholm/makefu/2configs/hw/network-manager.nix>
@ -222,34 +223,32 @@
nixpkgs.config.allowUnfree = true;
nixpkgs.config.oraclejdk.accept_license = true;
environment.systemPackages = [ xxx ];
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
networking.firewall.allowedUDPPorts = [ 665 26061 1514 ];
networking.firewall.trustedInterfaces = [ "vboxnet0" "enp0s25" ];
# krebs.build.host = config.krebs.hosts.x;
krebs.build.host = config.krebs.hosts.x;
#krebs.tinc.retiolum.connectTo = lib.mkForce [ "gum" ];
#krebs.tinc.retiolum.extraConfig = "AutoConnect = no";
# environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; };
#state = [
# "/home/makefu/stockholm"
# "/home/makefu/.ssh/"
# "/home/makefu/.zsh_history"
# "/home/makefu/.bash_history"
# "/home/makefu/bin"
# "/home/makefu/.gnupg"
# "/home/makefu/.imapfilter"
# "/home/makefu/.mutt"
# "/home/makefu/docs"
# "/home/makefu/notes"
# "/home/makefu/.password-store"
# "/home/makefu/.secrets-pass"
# "/home/makefu/.config/syncthing"
#];
state = [
"/home/makefu/stockholm"
"/home/makefu/.ssh/"
"/home/makefu/.zsh_history"
"/home/makefu/.bash_history"
"/home/makefu/bin"
"/home/makefu/.gnupg"
"/home/makefu/.imapfilter"
"/home/makefu/.mutt"
"/home/makefu/docs"
"/home/makefu/notes"
"/home/makefu/.password-store"
"/home/makefu/.secrets-pass"
"/home/makefu/.config/syncthing"
];
# services.syncthing.user = lib.mkForce "makefu";
# services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";

1
1systems/flake-x/result Symbolic link
View file

@ -0,0 +1 @@
/nix/store/svjw1v86maxhw6l7wy6s1p7rsxm7582i-nixos-vm

21
1systems/flake-x/x13/default.nix
View file

@ -1,15 +1,18 @@
{ pkgs, lib, ... }:
{ pkgs, lib, nixos-hardware, self, ... }:
# new zfs deployment
{
imports = [
./zfs.nix
./input.nix
./disk.nix
./battery.nix
<stockholm/makefu/2configs/hw/bluetooth.nix>
<nixos-hardware/lenovo/thinkpad/l14/amd> # close enough
# <stockholm/makefu/2configs/hw/tpm.nix>
<stockholm/makefu/2configs/hw/ssd.nix>
# <stockholm/makefu/2configs/hw/xmm7360.nix>
(self + "/2configs/hw/bluetooth.nix")
(self + "/2configs/hw/tpm.nix")
(self + "/2configs/hw/ssd.nix")
# (self + "/2configs/hw/xmm7360.nix")
nixos-hardware.nixosModules.lenovo-thinkpad-l14-amd
];
boot.zfs.requestEncryptionCredentials = true;
networking.hostId = "f8b8e0a2";
@ -24,9 +27,7 @@
hardware.opengl.extraPackages = [ pkgs.amdvlk pkgs.rocm-opencl-icd pkgs.rocm-opencl-runtime ];
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
hardware.opengl.extraPackages32 = with pkgs; [ driversi686Linux.amdvlk ];
# is required for amd graphics support ( xorg wont boot otherwise )
#boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = lib.mkForce pkgs.linuxPackages;

5
1systems/flake-x/x13/disk.nix
View file

@ -1,4 +1,7 @@
{ disk ? "/dev/sda", ... }: {
{ ... }:
let
disk = "/dev/nvme0n1";
in {
disko.devices = {
disk = {
nvme = {

23
2configs/default.nix
View file

@ -1,13 +1,9 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
with lib;
{
imports = [
{
users.users =
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
}
./secrets/user-passwords.nix
./editor/vim.nix
./binary-cache/nixos.nix
./minimal.nix
@ -16,9 +12,7 @@ with import <stockholm/lib>;
# users are super important
users.users = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
makefu = {
uid = 9001;
group = "users";
@ -27,10 +21,10 @@ with import <stockholm/lib>;
isNormalUser = true;
useDefaultShell = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
nix.settings.trusted-users = [ config.krebs.build.user.name ];
# nix.settings.trusted-users = [ config.krebs.build.user.name ];
nix.settings.experimental-features = [ "flakes" "nix-command" ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
@ -39,13 +33,12 @@ with import <stockholm/lib>;
krebs = {
enable = true;
dns.providers.lan = "hosts";
# dns.providers.lan = "hosts";
build.user = config.krebs.users.makefu;
};
boot.tmpOnTmpfs = true;
boot.tmp.useTmpfs = true;
environment.systemPackages = with pkgs; [
jq
@ -91,6 +84,6 @@ with import <stockholm/lib>;
defaults.email = "letsencrypt@syntax-fehler.de";
acceptTerms = true;
};
system.stateVersion = lib.mkDefault "20.03";
system.stateVersion = lib.mkDefault "23.05";
services.postgresql.package = pkgs.postgresql_14;
}

1
2configs/gui/gnome.nix
View file

@ -14,6 +14,7 @@ in
#};
};
programs.dconf.enable = true;
home-manager.users.${mainUser}.dconf = {
enable = true;
settings = {

3
2configs/minimal.nix
View file

@ -7,14 +7,13 @@
# the only true timezone (even after the the removal of DST)
time.timeZone = "Europe/Berlin";
networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
# networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
# we use gpg if necessary (or nothing at all)
programs.ssh.startAgent = false;
# all boxes look the same
nix.settings.sandbox = true;
nix.settings.cores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
# we configure users via nix
users.mutableUsers = false;

14
2configs/secrets/user-passwords.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/common.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"passwd/makefu".neededForUsers = true;
"passwd/root".neededForUsers = true;
};
users.users = {
makefu.passwordFile = config.sops.secrets."passwd/makefu".path;
root.passwordFile = config.sops.secrets."passwd/root".path;
};
}

25
3modules/krebs.nix
View file

@ -1,25 +1,26 @@
{ lib }:
{ lib, ... }:
# krebs emulation layer
{
options = with lib.types;{
krebs.hosts = mkOption {
default = {};
type = attrsOf anything;
};
options = with lib; with types;{
#krebs.enable = mkEnableOption "krebs";
#krebs.hosts = mkOption {
# default = {};
# type = attrsOf anything;
#};
krebs.build = mkOption {
default = {};
type = attrsOf anything;
};
krebs.users = mkOption {
default = {};
type = attrsOf anything;
};
#krebs.users = mkOption {
# default = {};
# type = attrsOf anything;
#};
};
config = {
users.makefu = {
krebs.users.makefu = {
name = "makefu";
mail = "makefu@x.r";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@x";
};
}
};
}

200
flake.lock Normal file
View file

@ -0,0 +1,200 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686222354,
"narHash": "sha256-dtqnAwzucKZv54dTrLetIXhOavUrCsdqOe+JtFH9riE=",
"owner": "nix-community",
"repo": "disko",
"rev": "5d9f362aecd7a4c2e8a3bf2afddb49051988cab9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1685662779,
"narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686391840,
"narHash": "sha256-5S0APl6Mfm6a37taHwvuf11UHnAX0+PnoWQbsYbMUnc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0144ac418ef633bfc9dbd89b8c199ad3a617c59f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix-ld": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1682533818,
"narHash": "sha256-2Fzjk3jL7rlyLjPKWy05zU8SGm04M3mbzohk51vkw3Y=",
"owner": "Mic92",
"repo": "nix-ld",
"rev": "29f15b1f7e37810689974ef169496c51f6403a1b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "nix-ld",
"type": "github"
}
},
"nix-writers": {
"flake": false,
"locked": {
"lastModified": 1677612737,
"narHash": "sha256-UaCKZ4PbMZU6UZH7XNFcjRtd5jheswl66rjZDBfQgp8=",
"ref": "refs/heads/master",
"rev": "66a1f6833464bbb121b6d94247ad769f277351f8",
"revCount": 39,
"type": "git",
"url": "https://cgit.krebsco.de/nix-writers"
},
"original": {
"type": "git",
"url": "https://cgit.krebsco.de/nix-writers"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1686217350,
"narHash": "sha256-Nb9b3m/GEK8jyFsYfUkXGsqj6rH05GgJ2QWcNNbK7dw=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "e4b34b90f27696ec3965fa15dcbacc351293dc67",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1686331006,
"narHash": "sha256-hElRDWUNG655aqF0awu+h5cmDN+I/dQcChRt2tGuGGU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85bcb95aa83be667e562e781e9d186c57a07d757",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"nix-ld": "nix-ld",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix",
"stockholm": "stockholm"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1685848844,
"narHash": "sha256-Iury+/SVbAwLES76QJSiKFiQDzmf/8Hsq8j54WF2qyw=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "a522e12ee35e50fa7d902a164a9796e420e6e75b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stockholm": {
"inputs": {
"nix-writers": "nix-writers",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1686400260,
"narHash": "sha256-nW2GqH3yYZl5XRYHN4MpaaO4r01GNEMSPjklJmdIUic=",
"path": "/home/makefu/stockholm-flakes",
"type": "path"
},
"original": {
"path": "/home/makefu/stockholm-flakes",
"type": "path"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

75
flake.nix Normal file
View file

@ -0,0 +1,75 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.inputs.nixpkgs-stable.follows = "";
nixos-hardware.url = "github:NixOS/nixos-hardware";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
nix-ld.url = "github:Mic92/nix-ld";
nix-ld.inputs.nixpkgs.follows = "nixpkgs";
# stockholm.url = "git+https://cgit.lassul.us/stockholm?ref=flakeify";
stockholm.url = "path:///home/makefu/stockholm-flakes";
stockholm.inputs.nixpkgs.follows = "nixpkgs";
};
description = "Flakes of makefu";
outputs = { self, nixpkgs, disko, nixos-hardware, nix-ld, sops-nix, stockholm, ...}@inputs: let
in {
nixosModules =
let
inherit (nixpkgs) lib;
in builtins.listToAttrs
(map
(name: {name = lib.removeSuffix ".nix" name; value = import (./3modules + "/${name}");})
(lib.filter
(name: name != "default.nix" && !lib.hasPrefix "." name)
(lib.attrNames (builtins.readDir ./3modules))));
nixosConfigurations.x = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit (inputs) nixos-hardware self stockholm;
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
overlays = [(self: super: { stockholm.lib = stockholm.lib; })] ;
};
};
modules = [
disko.nixosModules.disko
nix-ld.nixosModules.nix-ld
sops-nix.nixosModules.sops
stockholm.nixosModules.krebs
stockholm.nixosModules.hosts
stockholm.nixosModules.users
stockholm.nixosModules.build
stockholm.nixosModules.dns
stockholm.nixosModules.kartei
stockholm.nixosModules.sitemap
self.nixosModules.state
#self.nixosModules.krebs
./1systems/flake-x/config.nix
];
};
};
}

34
secrets/common.yaml Normal file
View file

@ -0,0 +1,34 @@
passwd:
makefu: ENC[AES256_GCM,data:Z3b+aYQtENF0g/iSpQRSy2lxh2qToT7YfHDVDOPfpVaiSPdoFA0jEyWQ0Vk70AVNMQa7wPrXjbMLKdfTmnS7mKzc9Ivjr8gA9lSfcs3L8MY+Y0fSAtuoPJncIcvt1uL+pLUvSow7hHWg8A==,iv:H9RS2U6WjCIJ2GySw2QdXm4538wvTgVYVU3/hNEUCME=,tag:RT3OK41TZgmOtNEFz19Eug==,type:str]
root: ENC[AES256_GCM,data:nxxIQPFgZu8YyI8HASuO0Tj7ABWxnqcPOztSGEk0R6YZCYMeOeoTgyH2/Wa325ul3iry8vnDsbBa+2S2Y0b+oV/wnPgIoa7LKjHYlIseCArB/LD9+oi8XRkJbsQSISEmoMyobmYc5SysNg==,iv:wkMyMkeL8hrTIG9PUrqwBnrUY92U9OotkP9rz9zKs5A=,tag:xiazIbBkR8505qrOsWn26Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-06-10T17:34:46Z"
mac: ENC[AES256_GCM,data:0Fyw+XASLLE2MhvJJ0mR0zvdu2YiGv2Ud4Fq34/RdRCx0+S+9qhwQbe93M6F7ZN4udeHQj4Nory3dg3nJlABQY2DDS3BXhA9OX7SR8p5SJ9uKWNwhpavBXPBgzU381NJNB+2KX/KByszkGRJ4DS8QQ5ELWn+9guLdvPPitAjbs8=,iv:wTzFPC+I4g3CDU6lqS9GBHHdYmAAqUCf2nTjJDAdSO4=,tag:OnByw19WU0cOx6lHvJcq6Q==,type:str]
pgp:
- created_at: "2023-06-10T17:32:09Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA9JutVRDNegnARAAm0iApGGZ3oT5K1WbIgbTSglPpyOl92GYojEh+0w0AU/1
6+s2uSBO/7/fIRFOObLeK0TojHX2rJhwD6Q6+M7A2Lei3RYURZvwjL0A5IhTCBUd
pYIsGrEURshz7yOVKiqrTnjIWxfmkBjCIeukLbhKyW+mMD2O1WhDloUnCHtviXNa
W8S8TTnRg9r36hUYjnP7tp9PWAmJZpcP8QpGoeYJwxQN9/Yp9czg70X5pcTz9IXO
MIgXMKFgj/ShfMgKdUjI8N80IG+b8DOQWpkVJGduUJd2JT5TpFKIuqLpbMbnKGhz
Jso4s6cV9ZX+ZC/NId46idAlhODBiiEd8lKydq8uYh/W4UcRqz4q7nYtyb541cWz
hNVO4DRDWGW2U7dabhmtHHaNB1OxzbeRh3+xto7pMkxCGXZ9NX5D+ARgDagTEW+6
D7aqqxH6gykoZdDKd8u22iJVEoHdqRcoFUXNtr4ETIpjzzMWvOqhwe8CcdA6ySjF
Pm27TpCKVEJOWTWEz0/AaQhdBz6WLI7W5ldaFDOt3f7/OTxzg8GApGwDyXydWKHl
2/kn9pbGhgvYjTSfK17NwhSQicQznRjXR7XMv1Vh6vs7IeMEZ/eUFJkGSLyxquza
Fa7+2gJL/cA1x2Vh81h3bb0QxELM/RnV+mpdpNAIlxlQxU4uq+lw5iJTJrr58mHS
UQHaIaiBd21CACz79Yb0TgJTSSjoYVgv7bbYk1KMfk6hlegF2FN7txe4RHVs7yVi
Myv/27m1bKuwlrXqbxbzvy8hF845y7WUd6T0UEBkBTxKFw==
=i/3A
-----END PGP MESSAGE-----
fp: F7B8DCE46BC6B0A8F95477C8563B8DFE2A0E2029
unencrypted_suffix: _unencrypted
version: 3.7.3