

7 commits

18 changed files with 281 additions and 55 deletions


@ -78,7 +78,7 @@ jobs:
- boreal - boreal
- hades - hades
- hephaestus - hephaestus
- poseidon - thanatos
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4


@ -3,6 +3,7 @@
fish.enable = true; fish.enable = true;
less.enable = true; less.enable = true;
mosh.enable = true; mosh.enable = true;
tmux.enable = true;
# setcap wrapper for network permissions # setcap wrapper for network permissions
bandwhich.enable = true; bandwhich.enable = true;
@ -21,11 +22,11 @@
(pkgs) (pkgs)
# shell usage # shell usage
bat
fd fd
file file
ripgrep ripgrep
sd sd
tmux
tokei tokei
tree tree
wget wget
@ -34,37 +35,24 @@
usbutils usbutils
# development # development
agenix
alejandra alejandra
git git
git-crypt git-crypt
git-lfs git-lfs
gnumake gnumake
gnupg gnupg
kakoune
pinentry-qt pinentry-qt
python3 python3
vim vim
# terminal utilities # terminal utilities
bottom
dogdns dogdns
du-dust du-dust
htop htop
ldns # drill ldns # drill
tealdeer
unzip unzip
zip zip
# nix pkgs lookup
nix-index
agenix
cachix
;
inherit
(pkgs.llvmPackages_16)
bintools
clang
; ;
}; };
} }


@ -41,6 +41,25 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1702479765,
"narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=",
"owner": "nix-community",
"repo": "disko",
"rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "master",
"repo": "disko",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1653893745, "lastModified": 1653893745,
@ -127,6 +146,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1697915759,
"narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1701952659, "lastModified": 1701952659,
"narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=", "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=",
@ -145,10 +180,11 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"disko": "disko",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"nixpkgs-unstable-small": "nixpkgs-unstable-small" "nixpkgs-unstable-small": "nixpkgs-unstable-small"
} }
} }


@ -42,6 +42,13 @@
repo = "nixos-hardware"; repo = "nixos-hardware";
ref = "master"; ref = "master";
}; };
disko = {
type = "github";
owner = "nix-community";
repo = "disko";
ref = "master";
};
}; };
outputs = { outputs = {
@ -49,6 +56,7 @@
nixpkgs, nixpkgs,
home-manager, home-manager,
agenix, agenix,
disko,
... ...
} @ inputs: } @ inputs:
{ {
@ -97,10 +105,9 @@
{ {
nixpkgs = { nixpkgs = {
overlays = shared_overlays; overlays = shared_overlays;
config.permittedInsecurePackages = [ config.permittedInsecurePackages = [];
"zotero-6.0.26"
];
}; };
hardware.enableRedistributableFirmware = true;
} }
] ]
++ (nixpkgs.lib.attrValues self.nixosModules); ++ (nixpkgs.lib.attrValues self.nixosModules);
@ -147,6 +154,16 @@
] ]
++ sharedModules; ++ sharedModules;
}; };
thanatos = nixpkgs.lib.nixosSystem {
inherit system;
modules =
[
disko.nixosModules.default
./thanatos.nix
]
++ sharedModules;
};
}; };
} }
// inputs.flake-utils.lib.eachDefaultSystem (system: { // inputs.flake-utils.lib.eachDefaultSystem (system: {
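Review bot: The new `disko` input at the top of this section is declared without `inputs.nixpkgs.follows = "nixpkgs";`, so the lock on this page now carries a second nixpkgs tree (`nixpkgs_2` for disko next to the root's `nixpkgs_3`): two trees to fetch and audit, and the disko module may be evaluated against a different nixpkgs than the host it partitions. Unless disko genuinely needs its own pin, add `inputs.nixpkgs.follows = "nixpkgs";` inside the `disko = { … };` attribute set. `ref = "master"` is acceptable only because flake.lock pins the revision; every `nix flake update` will move it to whatever master holds at that moment, which is worth a short comment next to the input.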


@ -34,12 +34,19 @@ in {
in { in {
boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";}; boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";};
hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";}; hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";};
poseidon = addGPGAgentForwarding {hostname = "poseidon.alarsyo.net";}; thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";};
pi = addGPGAgentForwarding { pi = addGPGAgentForwarding {
hostname = "pi.alarsyo.net"; hostname = "pi.alarsyo.net";
user = "pi"; user = "pi";
}; };
"thanatos.lrde.epita.fr" =
lib.hm.dag.entryBefore ["*.lrde.epita.fr"]
(addGPGAgentForwarding {
hostname = "lee.lrde.epita.fr";
user = "alarsyo";
});
"*.lrde.epita.fr" = { "*.lrde.epita.fr" = {
user = "amartin"; user = "amartin";
}; };
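Review bot: The new `"thanatos.lrde.epita.fr"` entry points at `hostname = "lee.lrde.epita.fr"`, and nothing in the hunk explains why the alias and the real host name differ, so the next reader will read it as a typo. If thanatos is the machine behind lee.lrde.epita.fr, state that in a one-line comment above the entry (e.g. `# thanatos is the box reachable as lee.lrde.epita.fr`); I cannot confirm the relationship from this page. The `lib.hm.dag.entryBefore ["*.lrde.epita.fr"]` wrapper is required because ssh takes the first matching `Host` block, and that reason deserves a comment too since the other entries in this attribute set do not need it.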


@ -75,7 +75,10 @@
pipewire.enable = true; pipewire.enable = true;
tailscale.enable = true; tailscale = {
enable = true;
useRoutingFeatures = "both";
};
}; };
services = { services = {


@ -133,7 +133,7 @@ in {
tailscale = { tailscale = {
enable = true; enable = true;
exitNode = true; useRoutingFeatures = "server";
}; };
transmission = { transmission = {


@ -49,7 +49,11 @@
# List services that you want to enable: # List services that you want to enable:
my.services = { my.services = {
tailscale.enable = true; tailscale = {
enable = true;
useRoutingFeatures = "client";
};
pipewire.enable = true; pipewire.enable = true;
restic-backup = { restic-backup = {


@ -0,0 +1,46 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
lib,
pkgs,
...
}: let
secrets = config.my.secrets;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./disko-configuration.nix
./home.nix
./secrets.nix
];
boot.loader.grub.enable = true;
boot.tmp.useTmpfs = true;
networking.hostName = "thanatos"; # Define your hostname.
networking.domain = "lrde.epita.fr";
# Set your time zone.
time.timeZone = "Europe/Paris";
# List services that you want to enable:
my.services = {
tailscale = {
enable = true;
useRoutingFeatures = "both";
};
};
services = {
openssh.enable = true;
};
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
docker-compose
];
}
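Review bot: `boot.loader.grub.enable = true;` in this new host file sets no `boot.loader.grub.devices`, so booting relies on the disko module deriving the device from the EF02 partition declared in ./disko-configuration.nix; that is presumably what happens, but a comment such as `# grub device comes from disko (EF02 partition), do not set devices here` would stop someone from adding a conflicting value later. Docker and `useRoutingFeatures = "both"` are enabled on the same host: "both" turns on IP forwarding for the whole machine, Docker installs its own iptables chains for published ports, and the tailscale module on this page trusts the tailscale interface, so containers' published ports become reachable from the tailnet and may be forwarded onward — document which of these is intended. The ESP is mounted at /boot while grub runs without `efiSupport`, which works but reads as accidental without a comment.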


@ -0,0 +1,52 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "btrfs";
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = ["compress=zstd" "noatime"];
};
"/home" = {
mountpoint = "/home";
mountOptions = ["compress=zstd" "noatime"];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["compress=zstd" "noatime"];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "8G";
};
};
};
};
};
};
};
};
};
}
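Review bot: This layout has no encryption layer under the btrfs content, so root, /home, the 8G swapfile and the host's own SSH key sit in clear on the SSD; that key is the agenix identity which, per the secrets changes on this page, unlocks `users/root-hashed-password` and `users/alarsyo-hashed-password`, so physical access to the machine yields every secret this host is a recipient of plus whatever lands in swap. If that trade-off is accepted for an unattended-boot host, record it here, e.g. `# no LUKS by choice: <reason>; host key and decrypted secrets are at rest in clear`; otherwise a LUKS container around the btrfs content is the usual disko answer. The `device` is pinned by stable by-id path, which is the right choice, but the serial is hardware-specific and will need editing if the SSD is ever replaced.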


@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

5
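--- /dev/null
+++ b/hosts/thanatos/home.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+home-manager.users.alarsyo = {
+my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+};
+}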


@ -0,0 +1,20 @@
{
config,
lib,
options,
...
}: {
config.age = {
secrets = let
toSecret = name: {...} @ attrs:
{
file = ./../../modules/secrets + "/${name}.age";
}
// attrs;
in
lib.mapAttrs toSecret {
"users/alarsyo-hashed-password" = {};
"users/root-hashed-password" = {};
};
};
}
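Review bot: `options` is bound in the argument set at the top of this new file but never used in the body; only `config` and `lib` are referenced, so the parameter should be dropped to keep the module header honest. The `toSecret` helper leaves the age defaults (owner, mode) untouched for both hashed-password secrets, which is appropriate for files only read by the login machinery, but a one-line comment saying so (`# defaults: root-owned, mode 0400 — only the user/password module reads these`) would make that intent explicit; how the files are consumed is not visible on this page.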


@ -5,8 +5,9 @@ let
boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades"; hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus"; hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
machines = [boreal hades hephaestus]; machines = [boreal hades hephaestus thanatos];
all = users ++ machines; all = users ++ machines;
in { in {
@ -34,6 +35,6 @@ in {
"restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus]; "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
"restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus]; "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
"users/root-hashed-password.age".publicKeys = machines; "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
"users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo]; "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
} }
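Review bot: The second hunk changes the recipients of `users/root-hashed-password.age` from `machines` to `machines ++ [alarsyo]`, which is unrelated to adding the thanatos host key and widens who can decrypt the root password hash to the user's personal key. Presumably this mirrors the alarsyo entry below so the file can be edited from the workstation; if so, a comment on that line would keep the next reader from reverting it as an accident, and the commit message should mention the recipient change separately from the new host. Every file that lists `machines` also needs re-keying for the new key, which the re-encrypted .age blob on this page suggests was done for at least one of them.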


@ -1,17 +1,16 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY
XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs
-> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4
OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc
-> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg
41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA
-> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA
8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk 9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ
-> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY
1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE
-> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -> >)/-grease VfMC'D<: eQJ #XT
r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi
-> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H
wAOK28XvNSpz --- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q
--- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 þXÑb;\hJù Ô#ÖȾ§>3Pzý˜QÈèÏÖ{¿Jž ÒXÝe²ë3Q!ó¥¸5Å$ü»€|MÆD;Kú³Z”S.»¸ëXè<58>S?­À œÐ·1j)«¬H[ËhkÆ«­©¤¶|g=
{gh1ÕßÃ…±ž\Py<50>ðЯ@s™ªý¹H„§q8—JxèÔw<žüç¿•k»öÕVħ© T†¿“¥õ¬<C3B5><EFBFBD> <EFBFBD>”N¼ô.;™/)ÞD¯Wz{uÞNlÆ%±ávöÞ†50K0ÂóÍ©nn±8°ï£\kJ¬OüCª7oáÙ4ÿcÑ—


@ -8,34 +8,30 @@
(lib) (lib)
mkEnableOption mkEnableOption
mkIf mkIf
mkOption
types
; ;
cfg = config.my.services.tailscale; cfg = config.my.services.tailscale;
in { in {
options.my.services.tailscale = { options.my.services.tailscale = {
enable = mkEnableOption "Tailscale"; enable = mkEnableOption "Tailscale";
useRoutingFeatures = mkOption {
# NOTE: still have to do `tailscale up --advertise-exit-node` type = types.enum ["none" "client" "server" "both"];
exitNode = mkEnableOption "Use as exit node"; default = "none";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.tailscale = { services.tailscale = {
enable = true; enable = true;
package = pkgs.tailscale; package = pkgs.tailscale;
openFirewall = true;
useRoutingFeatures = cfg.useRoutingFeatures;
}; };
networking.firewall = { networking.firewall = {
trustedInterfaces = ["tailscale0"]; trustedInterfaces = [config.services.tailscale.interfaceName];
allowedUDPPorts = [config.services.tailscale.port];
# needed for exit node usage
checkReversePath = mkIf (!cfg.exitNode) "loose";
};
# enable IP forwarding to use as exit node
boot.kernel.sysctl = mkIf cfg.exitNode {
"net.ipv6.conf.all.forwarding" = true;
"net.ipv4.ip_forward" = true;
}; };
}; };
} }
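Review bot: The new `useRoutingFeatures` option in the options block has no `description`, and the removed `# NOTE: still have to do tailscale up --advertise-exit-node` comment is still true: `services.tailscale.useRoutingFeatures` only adjusts sysctl and reverse-path filtering, while advertising routes or exit-node status remains a `tailscale up` step on the host. Add `description = "Routing role handed to services.tailscale.useRoutingFeatures; advertising routes or an exit node still requires tailscale up";` and keep the note. Since "server" and "both" enable IP forwarding for the whole host, `openFirewall = true` now opens the tailscale port, and the interface is trusted, a comment in the config block stating those three effects would let callers in the host files pick a value knowingly.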

23
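--- /dev/null
+++ b/thanatos.nix
@@ -0,0 +1,23 @@
+{...}: {
+imports = [
+# Default configuration
+./base
+# Module definitions
+./modules
+# Service definitions
+./services
+# Host-specific config
+./hosts/thanatos
+];
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. Its perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "23.11"; # Did you read the comment?
+}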