From 7aa5e0ba40cdac4474af0238ce2a91538cfb94bd Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Fri, 10 Jun 2022 16:56:15 +0200 Subject: [PATCH] hades: init --- flake.nix | 9 ++ hades.nix | 23 +++++ hosts/hades/configuration.nix | 84 ++++++++++++++++++ hosts/hades/default.nix | 66 ++++++++++++++ hosts/hades/hardware-configuration.nix | 25 ++++++ hosts/hades/home.nix | 5 ++ hosts/hades/secrets.nix | 20 +++++ modules/secrets/secrets.nix | 3 +- .../secrets/users/root-hashed-password.age | Bin 619 -> 821 bytes 9 files changed, 234 insertions(+), 1 deletion(-) create mode 100644 hades.nix create mode 100644 hosts/hades/configuration.nix create mode 100644 hosts/hades/default.nix create mode 100644 hosts/hades/hardware-configuration.nix create mode 100644 hosts/hades/home.nix create mode 100644 hosts/hades/secrets.nix diff --git a/flake.nix b/flake.nix index bf6fc2c..5ed22ed 100644 --- a/flake.nix +++ b/flake.nix @@ -102,6 +102,15 @@ ++ sharedModules; }; + hades = nixpkgs.lib.nixosSystem rec { + inherit system; + modules = + [ + ./hades.nix + ] + ++ sharedModules; + }; + boreal = nixpkgs.lib.nixosSystem rec { inherit system; modules = diff --git a/hades.nix b/hades.nix new file mode 100644 index 0000000..26018f0 --- /dev/null +++ b/hades.nix @@ -0,0 +1,23 @@ +{...}: { + imports = [ + # Default configuration + ./base + + # Module definitions + ./modules + + # Service definitions + ./services + + # Host-specific config + ./hosts/hades + ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.05"; # Did you read the comment? +} diff --git a/hosts/hades/configuration.nix b/hosts/hades/configuration.nix new file mode 100644 index 0000000..28590e3 --- /dev/null +++ b/hosts/hades/configuration.nix @@ -0,0 +1,84 @@ +{ config, pkgs, ... }: +{ + imports = [ + ./hardware-configuration.nix + ]; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + # Replace with your public key + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad" + ]; + users.users.root.initialHashedPassword = ""; + services.openssh.permitRootLogin = "prohibit-password"; + users.users.alarsyo = { + password = "toto"; + isNormalUser = true; + extraGroups = [ + "media" + "networkmanager" + "video" # for `light` permissions + "docker" + "wheel" # Enable ‘sudo’ for the user. + ]; + shell = pkgs.fish; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad" + ]; + }; + + + networking.useDHCP = false; + networking.interfaces.enp35s0.ipv4.addresses = [ + { + address = "95.217.121.60"; + prefixLength = 26; + } + ]; + networking.interfaces.enp35s0.ipv6.addresses = [ + { + address = "2a01:4f9:4a:3649::2"; + prefixLength = 64; + } + ]; + networking.defaultGateway = "95.217.121.1"; + networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; + networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; + networking.hostName = "hades"; + + boot.loader.systemd-boot.enable = false; + boot.loader.grub = { + enable = true; + efiSupport = false; + devices = [ "/dev/sda" "/dev/sdb" ]; + }; + + system.stateVersion = "22.05"; + + environment.systemPackages = with pkgs; [ + vim + tmux + git + (pkgs.callPackage "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/pkgs/agenix.nix" {}) + ]; + + nixpkgs.config.allowUnfree = true; + + nix = { + package = pkgs.nixStable; + + settings = { + experimental-features = ["nix-command" "flakes"]; + trusted-users = ["@wheel"]; + substituters = [ + "https://alarsyo.cachix.org" + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; + }; + +} diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix new file mode 100644 index 0000000..82d2fcb --- /dev/null +++ b/hosts/hades/default.nix @@ -0,0 +1,66 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + lib, + pkgs, + ... +}: let + secrets = config.my.secrets; +in { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + + ./home.nix + ./secrets.nix + ]; + + boot.loader.systemd-boot.enable = false; + boot.loader.grub = { + enable = true; + efiSupport = false; + devices = [ "/dev/sda" "/dev/sdb" ]; + }; + + networking.hostName = "hades"; # Define your hostname. + networking.domain = "alarsyo.net"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + networking.useDHCP = false; + networking.interfaces.enp35s0.ipv4.addresses = [ + { + address = "95.217.121.60"; + prefixLength = 26; + } + ]; + networking.interfaces.enp35s0.ipv6.addresses = [ + { + address = "2a01:4f9:4a:3649::2"; + prefixLength = 64; + } + ]; + networking.defaultGateway = "95.217.121.1"; + networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; + networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; + my.networking.externalInterface = "enp35s0"; + + # List services that you want to enable: + my.services = { + tailscale = { + enable = true; + exitNode = true; + }; + }; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.openssh.permitRootLogin = "no"; + services.openssh.passwordAuthentication = false; + + # Takes a long while to build + documentation.nixos.enable = false; +} diff --git a/hosts/hades/hardware-configuration.nix b/hosts/hades/hardware-configuration.nix new file mode 100644 index 0000000..e15d951 --- /dev/null +++ b/hosts/hades/hardware-configuration.nix @@ -0,0 +1,25 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/2a24010c-14bd-439b-b30b-d0e18db69952"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/hades/home.nix b/hosts/hades/home.nix new file mode 100644 index 0000000..3bb7dab --- /dev/null +++ b/hosts/hades/home.nix @@ -0,0 +1,5 @@ +{config, ...}: { + home-manager.users.alarsyo = { + my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight; + }; +} diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix new file mode 100644 index 0000000..3fbc379 --- /dev/null +++ b/hosts/hades/secrets.nix @@ -0,0 +1,20 @@ +{ + config, + lib, + options, + ... +}: { + config.age = { + secrets = let + toSecret = name: {...} @ attrs: + { + file = ./../../modules/secrets + "/${name}.age"; + } + // attrs; + in + lib.mapAttrs toSecret { + "users/alarsyo-hashed-password" = {}; + "users/root-hashed-password" = {}; + }; + }; +} diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 7e1ce4b..68137cc 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -3,10 +3,11 @@ let users = [alarsyo]; boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; + hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades"; poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon"; zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus"; - machines = [boreal poseidon zephyrus]; + machines = [boreal hades poseidon zephyrus]; all = users ++ machines; in { diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b0ef183c39e301610cb269a98de8f0305c4535d5..0eff2bd9fdc3617698476bd5896a0828f2e51559 100644 GIT binary patch literal 821 zcmZ9~%j?^8003|pxI<;T$qv7R5r;ZM&7(=$;1H5Dk6+tw+ayiX<}#Az-8N10P7hNY zLv|T#WA5O|!Mu3c&x?*tR5lm`@iq|gvdQq^5M>@j96qkUzucNbdZ>NZ7l%OEo9!mP=TwCL}bEUA_aOmYWRL~RFXofp~4og{%5k}5Ea{y2yy z$W~ov?lgDHj(1qwQGDK!At$6g!BaG4(`Je>A>%BErM3#^num!?ttI%n05+XAiOCIh z0xwG5a%R(fjN0-fLEuVn<$R!3Ylf!`-(nm-2I&4MJ**jWJ{>Yp!NnrWWA56p@jlxc z(rn1r3S}7ksNgU=#R?-lQ00UQ&_;hdSd|9N_|sDNoFUsML}KT7Sjx2Kd_k2lVZn|d z_9mHpSX<(r6qXPIXVbhDgl*HxnIIW$LM>f~lr5VCK#~16+?z}@3yvKhG*~cgOEobA zIH~BlTFz=ewDzE!!P;AU~X6~+IOHJi|ca)(HWbn>dQ3C?K8+IrLDoWk2y*#O>x zcDfCyuE>uB&`7HX^q=bKm#+L)Jc&Q)-1+D#_c9~>dgbVm(YwD~`&>MGp65Yryri*I3E7^+TNG*&#rS{9DMrZ?KdCoePBI&tv*{p;50=XcNf-Td3v&mRmP?-}=&%~$`p`SkYJCk`&% GzxFRdvmvbj delta 570 zcmV-A0>%Bc2I~ZnC6jLf2Ukr(WokDwZh3K8a%WRYX>Vp&d2>ZJV@YawV^vLNa8go9 zR91CRYQ3`5tQfx|aRY*-#H(6CpH)ClrL0B_pVlPiZMr311ZZt|TVpud!G)F;3 zFp=>We|Bh8baQe;cvDkBO)xKLG)Qw(bWdbrcWY=)H)c;)Vl+!pSu}P{Lup5I3Nv(T zb8dM|V{$i0P)RXPN@R0XR#jF?Fj^~4GI>QVw3N1b$b8~1dWn?ln zH8D9LSyxR_YiA%-IC?T`X-IZTMo)1~Sa4@^e@tsgZgX`qFluB_YHV>&Mmb7DaYi+B zdTL_|WMpVCQCE05VsA5UHb`nWVop&;L}4*jGc|WgH)wiPYBXzfGeSXhQ%ZLVEj}Pj zG$wUoUrK8&XL4m>b7de}I%6+6Uw0riMr}nyAX;!cbTvsvMQ1T@a%5UVc{Wy7aSAOhEg*C^bxTA-Zgz4(IWur@NLErSctUJi zcQ;vBQgU};LUe6!c5HexL`_#UGztJF)AQF7-@sxQSU!O@jjkyKh-tJhdR82If&5ot2z2`!ZDq7GAa(aAbYDki}O|RJE z*t6;V^(2iiXv0cYXI&{EhPV@m7s#_(3qxQWuaK=3p}IE(;rr7mR_3{@z6q-qQQW6o IUI{Bh58Cj~!~g&Q