From a21e0fb568f99483665fabe63557d54fc470c079 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Wed, 13 Dec 2023 17:29:54 +0100 Subject: [PATCH 01/14] hosts: add thanatos --- .github/workflows/cachix.yaml | 2 +- flake.lock | 38 ++++++++++++- flake.nix | 18 ++++++ hosts/thanatos/default.nix | 43 +++++++++++++++ hosts/thanatos/disko-configuration.nix | 52 ++++++++++++++++++ hosts/thanatos/hardware-configuration.nix | 25 +++++++++ hosts/thanatos/home.nix | 5 ++ hosts/thanatos/secrets.nix | 20 +++++++ modules/secrets/secrets.nix | 5 +- .../secrets/users/alarsyo-hashed-password.age | 31 +++++------ .../secrets/users/root-hashed-password.age | Bin 909 -> 792 bytes thanatos.nix | 23 ++++++++ 12 files changed, 242 insertions(+), 20 deletions(-) create mode 100644 hosts/thanatos/default.nix create mode 100644 hosts/thanatos/disko-configuration.nix create mode 100644 hosts/thanatos/hardware-configuration.nix create mode 100644 hosts/thanatos/home.nix create mode 100644 hosts/thanatos/secrets.nix create mode 100644 thanatos.nix diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index 6563e90..9b4646b 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -78,7 +78,7 @@ jobs: - boreal - hades - hephaestus - - poseidon + - thanatos steps: - uses: actions/checkout@v4 diff --git a/flake.lock b/flake.lock index fcdce90..38be2d0 100644 --- a/flake.lock +++ b/flake.lock @@ -41,6 +41,25 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1702479765, + "narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=", + "owner": "nix-community", + "repo": "disko", + "rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1653893745, 
@@ -127,6 +146,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1697915759, + "narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1701952659, "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=", @@ -145,10 +180,11 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 9c829c1..6675c5f 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,13 @@ repo = "nixos-hardware"; ref = "master"; }; + + disko = { + type = "github"; + owner = "nix-community"; + repo = "disko"; + ref = "master"; + }; }; outputs = { @@ -49,6 +56,7 @@ nixpkgs, home-manager, agenix, + disko, ... } @ inputs: { @@ -147,6 +155,16 @@ ] ++ sharedModules; }; + + thanatos = nixpkgs.lib.nixosSystem { + inherit system; + modules = + [ + disko.nixosModules.default + ./thanatos.nix + ] + ++ sharedModules; + }; }; } // inputs.flake-utils.lib.eachDefaultSystem (system: { diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix new file mode 100644 index 0000000..5a6711d --- /dev/null +++ b/hosts/thanatos/default.nix 
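Review bot: The new `disko` input in flake.nix does not follow the flake's own nixpkgs, so the flake.lock hunk above now records `"disko": {"inputs": {"nixpkgs": "nixpkgs_2"}}` with a second `nixpkgs_2` tree pinned to `nixpkgs-unstable` (lastModified 1697915759) that the lock file tracks and CI fetches separately. Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `disko = { ... }` attrset keeps disko built against the same nixpkgs as everything else and removes the extra lock entry. The `outputs` attrset that the `thanatos = nixpkgs.lib.nixosSystem { ... }` hunk lives in starts and ends outside these hunks. The same flake.nix and flake.lock hunks are re-sent unchanged in PATCH 08/14.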
@@ -0,0 +1,43 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + lib, + pkgs, + ... +}: let + secrets = config.my.secrets; +in { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./disko-configuration.nix + ./home.nix + ./secrets.nix + ]; + + boot.loader.grub.enable = true; + boot.tmp.useTmpfs = true; + + networking.hostName = "thanatos"; # Define your hostname. + networking.domain = "lrde.epita.fr"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # List services that you want to enable: + my.services = { + tailscale.enable = true; + }; + + services = { + openssh.enable = true; + }; + + virtualisation.docker.enable = true; + + environment.systemPackages = with pkgs; [ + docker-compose + ]; +} diff --git a/hosts/thanatos/disko-configuration.nix b/hosts/thanatos/disko-configuration.nix new file mode 100644 index 0000000..81e9c36 --- /dev/null +++ b/hosts/thanatos/disko-configuration.nix @@ -0,0 +1,52 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "8G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} 
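Review bot: `services.openssh.enable = true;` is set with no `settings` block, while this same commit provisions hashed passwords for both `root` and `alarsyo` on the host (hosts/thanatos/secrets.nix), so unless `./base` (imported from thanatos.nix, outside this diff) already does it, password-based SSH login stays at the module defaults on a machine given a public `networking.domain`. Consider `openssh.settings.PasswordAuthentication = false;` and `openssh.settings.KbdInteractiveAuthentication = false;` inside the `services = { ... }` block, or a comment pointing at where the base module sets them. `secrets = config.my.secrets;` in the `let` is bound but never referenced in the file. `virtualisation.docker.enable = true;` makes `docker` group membership root-equivalent, which deserves a comment next to it if `alarsyo` is added to that group elsewhere. The same file is re-added unchanged in PATCH 08/14.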
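Review bot: The `boot` partition is typed `EF02` with only `# for grub MBR` as explanation, and hosts/thanatos/default.nix sets `boot.loader.grub.enable = true;` without a `boot.loader.grub.device`; presumably this relies on disko deriving the GRUB device from the EF02 partition, which should be stated on the partition, e.g. `# EF02 BIOS boot partition; disko is expected to register this disk as the GRUB device`. The `/swap` subvolume is the only one without `mountOptions` while its siblings use `compress=zstd` and `noatime`; if that is deliberate because a btrfs swapfile must stay uncompressed and CoW-free, a comment saying so prevents someone "fixing" it later. The same hunk appears in PATCH 08/14, differing only in list spacing.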
diff --git a/hosts/thanatos/hardware-configuration.nix b/hosts/thanatos/hardware-configuration.nix new file mode 100644 index 0000000..2ff30b0 --- /dev/null +++ b/hosts/thanatos/hardware-configuration.nix @@ -0,0 +1,25 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/thanatos/home.nix b/hosts/thanatos/home.nix new file mode 100644 index 0000000..3bb7dab --- /dev/null +++ b/hosts/thanatos/home.nix @@ -0,0 +1,5 @@ +{config, ...}: { + home-manager.users.alarsyo = { + my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight; + }; +} diff --git a/hosts/thanatos/secrets.nix b/hosts/thanatos/secrets.nix new file mode 100644 index 0000000..3fbc379 --- /dev/null +++ b/hosts/thanatos/secrets.nix 
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 28760e7..9c042d0 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -5,8 +5,9 @@ let
 boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
 hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
 hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
+ thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
- machines = [boreal hades hephaestus];
+ machines = [boreal hades hephaestus thanatos];
 all = users ++ machines;
 in {
@@ -34,6 +35,6 @@ in {
 "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
- "users/root-hashed-password.age".publicKeys = machines;
+ "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
index 1e7abbe..38b12ac 100644
--- a/modules/secrets/users/alarsyo-hashed-password.age
+++ b/modules/secrets/users/alarsyo-hashed-password.age
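Review bot: Neither `config` nor `options` from the module argument set is used in the body: `config.age = { ... }` on the return side is the module's `config` attribute, not the argument, and only `lib` is referenced, so the header can be reduced to `{lib, ...}: {`. A one-line comment above `toSecret` saying that every entry resolves to `modules/secrets/<name>.age` and relies on agenix's default ownership and mode for the hashed-password files would help the next host that copies this file. The same file is re-added unchanged in PATCH 08/14.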
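Review bot: `"users/root-hashed-password.age".publicKeys` changes from `machines` to `machines ++ [alarsyo]`, so the user key can now decrypt the root password hash of every host; presumably this is to allow re-keying from a workstation, and the line should carry that reason, e.g. `# alarsyo is a recipient so the secret can be re-keyed without a host key`. The re-encrypted alarsyo-hashed-password.age in this commit goes from six `ssh-ed25519` recipient stanzas to five, dropping `z6Eu8Q` and `ZQuVNA` and adding `6UUuZw`, which matches the new `machines ++ [alarsyo]` count and the removal of poseidon from the CI matrix, but nothing in secrets.nix names the dropped keys, so confirm both belong to decommissioned hosts. The `let` block this hunk edits starts before it. The same hunks are re-sent in PATCH 08/14.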
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo --> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg --> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs --> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk --> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww --> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 --> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T -wAOK28XvNSpz ---- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 -{gh1Å\PyЯ@sHq8Jxw<翕kVħ T(N.;/)DWz{uNl%vކ50K0ͩnn8\kJOC7oً4cї \ No newline at end of file +-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY +JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs +-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4 +TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc +-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg +fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA +-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA +9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ +-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY +Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE +-> >)/-grease VfMC'D<: eQJ #XT +OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi +D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H +--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q +Xb;\hJ #Ⱦ>3PzQ{J Xe3Q!5$|MD;KZS.XS?з1j)H[hkƫ|g= \ No newline at end of file 
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b373fa4646a546a93df31bcc1316b51dd34535cc..0988a496e8a79da8fb6e050550452c058ffe7668 100644 GIT binary patch delta 741 zcmeBWpTRakr#@3#-y+gI*f+z#*Eq_cuq-MyDbF!Cs;bD`A~~mf$HS>C-6g#^C^988Dm=Y1xzx}*9LB`MNk z;z#lNfTREy%Zv=~5XVA)xAI7XAit7AgA%`}yxekUb0-6*aOY�ux^+*FXcV!u*KH zqTo{ZlJLL?Gq)T+&-5_o?DC*WQ;$^r;IK^NFpr|70FS`3f;0nkpO}S)mPVB;m=sjH zX6L#F2St`U8YhPadDo|emv~v0n|hlYRhkw075YU4C28lUR^+=oa)ml2np!&N1SFOi z7Uh@}={q@vdt{_08b&(#IAvBQ=6jUoM;4{$Wk+RXqg$74ll~zAmgQ_vmQiLN9tg6|sJ2))y(l%YIF-x8FgHD=(lsO3*P=W% zP}|EpAl0YLBPhuvqS!^dDm^FCG|1D$$fCF~C?hmD-#@}Qz=BIxS69JJ-=p5tvZT<= zv?wJf$eR#TGTB)&!WRk{~U(BMz5 z&kfYIYSUJ45M3JLotRx&akuj9;aA^8_2Q56nO>@UA8FS1s>MOl`_em>mqMo|Wqn;F w{gP#!#iVC9TRwX(P*-kPchNGu-A3fbPsVv9BF~_;GFyBJo-9IhG$Su+$EVU}ssmR&W#iSy_ zfGfi}G1%D5*(tNYH@PggINLcW-`LqBRXfZ-wcIFQ+b1{2HNV8TLf^;4l}p!7p}06h zH#Nn`)YQ;Yp&-Jd(kNXaDxlKM(!@B>BcRkdKiJzM)Gfc#KPn_SC8gLs$0yx5s3Ii9 zD9WS4%stD5D>%`@*(}t^_a>s0RpH!K-mRbZVgz7s7 zo8)`>mgSoI7Ni6k1k^`5SLWqerZ`6B8B}Q}yPBHkN8}Zn_!tF+a=CbECznNfCWaV0 z=lD5>Tl%I3Bu9ihdRn+wl_YArS5~@udW3kTT823mqgxjhSQ_T%s9An3Zg9n9k*zmtt&~Vq)yAofwp55fN0X z9~hXQRu%5#?CX(S<`?GTXA)eHq@Prn4fb8FZhBE_VsWZMjBip*fI_sYxo=@mzJi8A zx^X}*SCDURQdm`?vtzPFNP$J3QDv5+n?Z=Fg|mmLVOWK>TcBBKM6PMNOMSR;M0jR? zl~1ydQ;A!tueo1vre&r@uql^mO1WiNUanbCc7?f@Us{NlbEIjQU!HeHg>Pb*aejz% zQL?k4V^CS1Sz3@;T8@ilKwc7;uCA^^WrTKlaAZzUu&JMKsCHVmV|a$Yc}96qZe?PT zlc%qNWmQOWg`<9IVx})wX}#Sx=JM{BhEFXPeq>BxQ!7}g|8(v#!|uuFf|%6!PHw>{cN7XU)h?>y>9u+O?r~j>`L7WB_5yfe0A*Eyz&>*b4^9o)l?nb zaEx6_=iHLBEQiI_j5DkQuCW#`*NIf!)V;Px{%fKA1j~H_KbKcL`eCD7Tohlxm6!T> LhVPzdUo1la_%SAT diff --git a/thanatos.nix b/thanatos.nix new file mode 100644 index 0000000..e0c2c2d --- /dev/null +++ b/thanatos.nix 
@@ -0,0 +1,23 @@ +{...}: { + imports = [ + # Default configuration + ./base + + # Module definitions + ./modules + + # Service definitions + ./services + + # Host-specific config + ./hosts/thanatos + ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.11"; # Did you read the comment? +} From 693e44a8fec72a65dd24c1e6ce1043fd81cd1edc Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Wed, 13 Dec 2023 17:39:14 +0100 Subject: [PATCH 02/14] base: programs: enable tmux globally --- base/programs.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/base/programs.nix b/base/programs.nix index 5d69fe2..60b9f8a 100644 --- a/base/programs.nix +++ b/base/programs.nix @@ -3,6 +3,7 @@ fish.enable = true; less.enable = true; mosh.enable = true; + tmux.enable = true; # setcap wrapper for network permissions bandwhich.enable = true; From b5e1c6c608b780f2fb11fb5f6c786500b24150cd Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Wed, 13 Dec 2023 17:39:30 +0100 Subject: [PATCH 03/14] base: programs: cleanup path --- base/programs.nix | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/base/programs.nix b/base/programs.nix index 60b9f8a..f5667b0 100644 --- a/base/programs.nix +++ b/base/programs.nix @@ -21,12 +21,12 @@ inherit (pkgs) # shell usage - + + bat fd file ripgrep sd - tmux tokei tree wget 
@@ -34,38 +34,25 @@ pciutils usbutils # development - + + agenix alejandra git git-crypt git-lfs gnumake gnupg - kakoune pinentry-qt python3 vim # terminal utilities - bottom dogdns du-dust htop ldns # drill - tealdeer unzip zip - # nix pkgs lookup - - nix-index - agenix - cachix - ; - - inherit - (pkgs.llvmPackages_16) - bintools - clang ; }; } From 73cb52915fa76ff0af3e22bd363774fd3ce4dcf7 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Wed, 13 Dec 2023 17:43:53 +0100 Subject: [PATCH 04/14] services: tailscale: refacto --- hosts/boreal/default.nix | 5 ++++- hosts/hades/default.nix | 2 +- hosts/hephaestus/default.nix | 6 +++++- hosts/thanatos/default.nix | 5 ++++- services/tailscale.nix | 22 +++++++++------------- 5 files changed, 23 insertions(+), 17 deletions(-) diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix index c6d9c3f..f820f69 100644 --- a/hosts/boreal/default.nix +++ b/hosts/boreal/default.nix @@ -75,7 +75,10 @@ pipewire.enable = true; - tailscale.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; }; services = { diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix index 0cb891b..0e4191b 100644 --- a/hosts/hades/default.nix +++ b/hosts/hades/default.nix @@ -133,7 +133,7 @@ in { tailscale = { enable = true; - exitNode = true; + useRoutingFeatures = "server"; }; transmission = { diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix index f5cf2e4..5d4cced 100644 --- a/hosts/hephaestus/default.nix +++ b/hosts/hephaestus/default.nix @@ -49,7 +49,11 @@ # List services that you want to enable: my.services = { - tailscale.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "client"; + }; + pipewire.enable = true; restic-backup = { diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix index 5a6711d..15cf5ce 100644 --- a/hosts/thanatos/default.nix +++ b/hosts/thanatos/default.nix 
@@ -28,7 +28,10 @@ in { # List services that you want to enable: my.services = { - tailscale.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; }; services = { diff --git a/services/tailscale.nix b/services/tailscale.nix index 41fe9f8..6de7cc0 100644 --- a/services/tailscale.nix +++ b/services/tailscale.nix @@ -8,34 +8,30 @@ (lib) mkEnableOption mkIf + mkOption + types ; cfg = config.my.services.tailscale; in { options.my.services.tailscale = { enable = mkEnableOption "Tailscale"; - - # NOTE: still have to do `tailscale up --advertise-exit-node` - exitNode = mkEnableOption "Use as exit node"; + useRoutingFeatures = mkOption { + type = types.enum [ "none" "client" "server" "both" ]; + default = "none"; + }; }; config = mkIf cfg.enable { services.tailscale = { enable = true; package = pkgs.tailscale; + openFirewall = true; + useRoutingFeatures = cfg.useRoutingFeatures; }; networking.firewall = { - trustedInterfaces = ["tailscale0"]; - allowedUDPPorts = [config.services.tailscale.port]; - # needed for exit node usage - checkReversePath = mkIf (!cfg.exitNode) "loose"; - }; - - # enable IP forwarding to use as exit node - boot.kernel.sysctl = mkIf cfg.exitNode { - "net.ipv6.conf.all.forwarding" = true; - "net.ipv4.ip_forward" = true; + trustedInterfaces = [config.services.tailscale.interfaceName]; }; }; } From 5271b38a6a095ddffd112a2e48a0f0f8336f745f Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Wed, 13 Dec 2023 17:44:22 +0100 Subject: [PATCH 05/14] flake: enable redistributable firmware --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index 6675c5f..a9b8ed6 100644 --- a/flake.nix +++ b/flake.nix @@ -109,6 +109,7 @@ "zotero-6.0.26" ]; }; + hardware.enableRedistributableFirmware = true; } ] ++ (nixpkgs.lib.attrValues self.nixosModules); From c67d73920a5a1c017bcd9a05c78d26049b8ac0fe Mon Sep 17 00:00:00 2001 
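Review bot: The new `useRoutingFeatures` option in services/tailscale.nix has no `description`, and the reminder deleted together with `exitNode` (`# NOTE: still have to do \`tailscale up --advertise-exit-node\``) is not carried over, so it is now undocumented that `"server"`/`"both"` only prepare the host (IP forwarding) and that the exit-node or subnet-router flags still have to be passed to `tailscale up`. Suggest adding `description = "Passed through to services.tailscale.useRoutingFeatures: client/both relax reverse-path filtering, server/both enable IP forwarding; advertising routes still needs the matching tailscale up flags.";` to the `mkOption`. Note that boreal and thanatos now get `"both"`, i.e. forwarding is enabled on hosts that previously were not exit nodes, so a one-line comment at those call sites recording the intent would help. The host hunks of this commit are re-sent in PATCH 11/14.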
From: Antoine Martin Date: Wed, 13 Dec 2023 17:44:58 +0100 Subject: [PATCH 06/14] flake: remove zotero from insecure packages --- flake.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index a9b8ed6..54c4d61 100644 --- a/flake.nix +++ b/flake.nix @@ -105,9 +105,7 @@ { nixpkgs = { overlays = shared_overlays; - config.permittedInsecurePackages = [ - "zotero-6.0.26" - ]; + config.permittedInsecurePackages = []; }; hardware.enableRedistributableFirmware = true; } From 3d1ecf239379bdfae85e7396d1220468a2048b16 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Thu, 14 Dec 2023 13:45:10 +0100 Subject: [PATCH 07/14] home: ssh: thanatos config --- home/ssh.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/home/ssh.nix b/home/ssh.nix index 0959bef..2c1f9a6 100644 --- a/home/ssh.nix +++ b/home/ssh.nix @@ -34,12 +34,19 @@ in { in { boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";}; hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";}; - poseidon = addGPGAgentForwarding {hostname = "poseidon.alarsyo.net";}; + thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";}; pi = addGPGAgentForwarding { hostname = "pi.alarsyo.net"; user = "pi"; }; + "thanatos.lrde.epita.fr" = + lib.hm.dag.entryBefore ["*.lrde.epita.fr"] + (addGPGAgentForwarding { + hostname = "lee.lrde.epita.fr"; + user = "alarsyo"; + }); + "*.lrde.epita.fr" = { user = "amartin"; }; From c3fd5af18f2f92f39599cfe11339ba934c00705c Mon Sep 17 00:00:00 2001 
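Review bot: The new `"thanatos.lrde.epita.fr"` host block sets `hostname = "lee.lrde.epita.fr"`, a different name from the alias, and enables GPG agent forwarding to it through `addGPGAgentForwarding` (defined above the hunk); nothing says why thanatos is reached under lee's name, so either add a comment such as `# thanatos answers on lee's address inside the LRDE network` if that is the case, or correct the hostname if it is a copy-paste slip. The `lib.hm.dag.entryBefore ["*.lrde.epita.fr"]` wrapper is presumably there so this block is emitted before the wildcard and wins over its `user = "amartin"`, which is worth stating in the same comment. The enclosing `let ... in` attrset begins before the hunk.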
From: Antoine Martin Date: Wed, 13 Dec 2023 17:29:54 +0100 Subject: [PATCH 08/14] hosts: add thanatos --- .github/workflows/cachix.yaml | 2 +- flake.lock | 38 ++++++++++++- flake.nix | 18 ++++++ hosts/thanatos/default.nix | 43 +++++++++++++++ hosts/thanatos/disko-configuration.nix | 52 ++++++++++++++++++ hosts/thanatos/hardware-configuration.nix | 29 ++++++++++ hosts/thanatos/home.nix | 5 ++ hosts/thanatos/secrets.nix | 20 +++++++ modules/secrets/secrets.nix | 5 +- .../secrets/users/alarsyo-hashed-password.age | 31 +++++------ .../secrets/users/root-hashed-password.age | Bin 909 -> 792 bytes thanatos.nix | 23 ++++++++ 12 files changed, 246 insertions(+), 20 deletions(-) create mode 100644 hosts/thanatos/default.nix create mode 100644 hosts/thanatos/disko-configuration.nix create mode 100644 hosts/thanatos/hardware-configuration.nix create mode 100644 hosts/thanatos/home.nix create mode 100644 hosts/thanatos/secrets.nix create mode 100644 thanatos.nix diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index 6563e90..9b4646b 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -78,7 +78,7 @@ jobs: - boreal - hades - hephaestus - - poseidon + - thanatos steps: - uses: actions/checkout@v4 diff --git a/flake.lock b/flake.lock index fcdce90..38be2d0 100644 --- a/flake.lock +++ b/flake.lock @@ -41,6 +41,25 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1702479765, + "narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=", + "owner": "nix-community", + "repo": "disko", + "rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1653893745, 
@@ -127,6 +146,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1697915759, + "narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1701952659, "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=", @@ -145,10 +180,11 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 9c829c1..6675c5f 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,13 @@ repo = "nixos-hardware"; ref = "master"; }; + + disko = { + type = "github"; + owner = "nix-community"; + repo = "disko"; + ref = "master"; + }; }; outputs = { @@ -49,6 +56,7 @@ nixpkgs, home-manager, agenix, + disko, ... } @ inputs: { @@ -147,6 +155,16 @@ ] ++ sharedModules; }; + + thanatos = nixpkgs.lib.nixosSystem { + inherit system; + modules = + [ + disko.nixosModules.default + ./thanatos.nix + ] + ++ sharedModules; + }; }; } // inputs.flake-utils.lib.eachDefaultSystem (system: { diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix new file mode 100644 index 0000000..5a6711d --- /dev/null +++ b/hosts/thanatos/default.nix 
@@ -0,0 +1,43 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + lib, + pkgs, + ... +}: let + secrets = config.my.secrets; +in { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./disko-configuration.nix + ./home.nix + ./secrets.nix + ]; + + boot.loader.grub.enable = true; + boot.tmp.useTmpfs = true; + + networking.hostName = "thanatos"; # Define your hostname. + networking.domain = "lrde.epita.fr"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # List services that you want to enable: + my.services = { + tailscale.enable = true; + }; + + services = { + openssh.enable = true; + }; + + virtualisation.docker.enable = true; + + environment.systemPackages = with pkgs; [ + docker-compose + ]; +} diff --git a/hosts/thanatos/disko-configuration.nix b/hosts/thanatos/disko-configuration.nix new file mode 100644 index 0000000..23357cd --- /dev/null +++ b/hosts/thanatos/disko-configuration.nix @@ -0,0 +1,52 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "8G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} 
diff --git a/hosts/thanatos/hardware-configuration.nix b/hosts/thanatos/hardware-configuration.nix new file mode 100644 index 0000000..f9e41a6 --- /dev/null +++ b/hosts/thanatos/hardware-configuration.nix @@ -0,0 +1,29 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/thanatos/home.nix b/hosts/thanatos/home.nix new file mode 100644 index 0000000..3bb7dab --- /dev/null +++ b/hosts/thanatos/home.nix @@ -0,0 +1,5 @@ +{config, ...}: { + home-manager.users.alarsyo = { + my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight; + }; +} diff --git a/hosts/thanatos/secrets.nix b/hosts/thanatos/secrets.nix new file mode 100644 index 0000000..3fbc379 --- /dev/null +++ b/hosts/thanatos/secrets.nix 
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ options,
+ ...
+}: {
+ config.age = {
+ secrets = let
+ toSecret = name: {...} @ attrs:
+ {
+ file = ./../../modules/secrets + "/${name}.age";
+ }
+ // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 28760e7..9c042d0 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -5,8 +5,9 @@ let
 boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
 hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
 hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
+ thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
- machines = [boreal hades hephaestus];
+ machines = [boreal hades hephaestus thanatos];
 all = users ++ machines;
 in {
@@ -34,6 +35,6 @@ in {
 "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
- "users/root-hashed-password.age".publicKeys = machines;
+ "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
 "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
 }
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
index 1e7abbe..38b12ac 100644
--- a/modules/secrets/users/alarsyo-hashed-password.age
+++ b/modules/secrets/users/alarsyo-hashed-password.age
@@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo --> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg --> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs --> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk --> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww --> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 --> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T -wAOK28XvNSpz ---- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 -{gh1Å\PyЯ@sHq8Jxw<翕kVħ T(N.;/)DWz{uNl%vކ50K0ͩnn8\kJOC7oً4cї \ No newline at end of file +-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY +JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs +-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4 +TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc +-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg +fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA +-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA +9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ +-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY +Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE +-> >)/-grease VfMC'D<: eQJ #XT +OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi +D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H +--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q +Xb;\hJ #Ⱦ>3PzQ{J Xe3Q!5$|MD;KZS.XS?з1j)H[hkƫ|g= \ No newline at end of file 
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b373fa4646a546a93df31bcc1316b51dd34535cc..0988a496e8a79da8fb6e050550452c058ffe7668 100644 GIT binary patch delta 741 zcmeBWpTRakr#@3#-y+gI*f+z#*Eq_cuq-MyDbF!Cs;bD`A~~mf$HS>C-6g#^C^988Dm=Y1xzx}*9LB`MNk z;z#lNfTREy%Zv=~5XVA)xAI7XAit7AgA%`}yxekUb0-6*aOY�ux^+*FXcV!u*KH zqTo{ZlJLL?Gq)T+&-5_o?DC*WQ;$^r;IK^NFpr|70FS`3f;0nkpO}S)mPVB;m=sjH zX6L#F2St`U8YhPadDo|emv~v0n|hlYRhkw075YU4C28lUR^+=oa)ml2np!&N1SFOi z7Uh@}={q@vdt{_08b&(#IAvBQ=6jUoM;4{$Wk+RXqg$74ll~zAmgQ_vmQiLN9tg6|sJ2))y(l%YIF-x8FgHD=(lsO3*P=W% zP}|EpAl0YLBPhuvqS!^dDm^FCG|1D$$fCF~C?hmD-#@}Qz=BIxS69JJ-=p5tvZT<= zv?wJf$eR#TGTB)&!WRk{~U(BMz5 z&kfYIYSUJ45M3JLotRx&akuj9;aA^8_2Q56nO>@UA8FS1s>MOl`_em>mqMo|Wqn;F w{gP#!#iVC9TRwX(P*-kPchNGu-A3fbPsVv9BF~_;GFyBJo-9IhG$Su+$EVU}ssmR&W#iSy_ zfGfi}G1%D5*(tNYH@PggINLcW-`LqBRXfZ-wcIFQ+b1{2HNV8TLf^;4l}p!7p}06h zH#Nn`)YQ;Yp&-Jd(kNXaDxlKM(!@B>BcRkdKiJzM)Gfc#KPn_SC8gLs$0yx5s3Ii9 zD9WS4%stD5D>%`@*(}t^_a>s0RpH!K-mRbZVgz7s7 zo8)`>mgSoI7Ni6k1k^`5SLWqerZ`6B8B}Q}yPBHkN8}Zn_!tF+a=CbECznNfCWaV0 z=lD5>Tl%I3Bu9ihdRn+wl_YArS5~@udW3kTT823mqgxjhSQ_T%s9An3Zg9n9k*zmtt&~Vq)yAofwp55fN0X z9~hXQRu%5#?CX(S<`?GTXA)eHq@Prn4fb8FZhBE_VsWZMjBip*fI_sYxo=@mzJi8A zx^X}*SCDURQdm`?vtzPFNP$J3QDv5+n?Z=Fg|mmLVOWK>TcBBKM6PMNOMSR;M0jR? zl~1ydQ;A!tueo1vre&r@uql^mO1WiNUanbCc7?f@Us{NlbEIjQU!HeHg>Pb*aejz% zQL?k4V^CS1Sz3@;T8@ilKwc7;uCA^^WrTKlaAZzUu&JMKsCHVmV|a$Yc}96qZe?PT zlc%qNWmQOWg`<9IVx})wX}#Sx=JM{BhEFXPeq>BxQ!7}g|8(v#!|uuFf|%6!PHw>{cN7XU)h?>y>9u+O?r~j>`L7WB_5yfe0A*Eyz&>*b4^9o)l?nb zaEx6_=iHLBEQiI_j5DkQuCW#`*NIf!)V;Px{%fKA1j~H_KbKcL`eCD7Tohlxm6!T> LhVPzdUo1la_%SAT diff --git a/thanatos.nix b/thanatos.nix new file mode 100644 index 0000000..e0c2c2d --- /dev/null +++ b/thanatos.nix 
@@ -0,0 +1,23 @@
+{...}: {
+ imports = [
+ # Default configuration
+ ./base
+
+ # Module definitions
+ ./modules
+
+ # Service definitions
+ ./services
+
+ # Host-specific config
+ ./hosts/thanatos
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}

From f9c3ebc5c2a06204f3ce47e4ff4d3b0fe3fec3c9 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:39:14 +0100
Subject: [PATCH 09/14] base: programs: enable tmux globally

---
 base/programs.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/base/programs.nix b/base/programs.nix
index 5d69fe2..60b9f8a 100644
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -3,6 +3,7 @@
 fish.enable = true;
 less.enable = true;
 mosh.enable = true;
+ tmux.enable = true;

 # setcap wrapper for network permissions
 bandwhich.enable = true;

From 2a49eea1bfa9f59b7543e9ff2e176ae1df2e6580 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:39:30 +0100
Subject: [PATCH 10/14] base: programs: cleanup path

---
 base/programs.nix | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/base/programs.nix b/base/programs.nix
index 60b9f8a..0f82f19 100644
--- a/base/programs.nix
+++ b/base/programs.nix
@@ -22,11 +22,11 @@
 (pkgs)

 # shell usage
+ bat
 fd
 file
 ripgrep
 sd
- tmux
 tokei
 tree
 wget
@@ -35,37 +35,24 @@
 usbutils

 # development
+ agenix
 alejandra
 git
 git-crypt
 git-lfs
 gnumake
 gnupg
- kakoune
 pinentry-qt
 python3
 vim

 # terminal utilities
- bottom
 dogdns
 du-dust
 htop
 ldns # drill
- tealdeer
 unzip
 zip
- # nix pkgs lookup
-
- nix-index
- agenix
- cachix
- ;
-
- inherit
- (pkgs.llvmPackages_16)
- bintools
- clang
 ;
 };
 }

From 89c861c9742ae70d09d13b6b2eaa27f40573efe6 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:43:53 +0100
Subject: [PATCH 11/14] services: tailscale: refacto

---
 hosts/boreal/default.nix | 5 ++++-
 hosts/hades/default.nix | 2 +-
 hosts/hephaestus/default.nix | 6 +++++-
 hosts/thanatos/default.nix | 5 ++++-
 services/tailscale.nix | 22 +++++++++-------------
 5 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index c6d9c3f..f820f69 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -75,7 +75,10 @@

 pipewire.enable = true;

- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
 };

 services = {
diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
index 0cb891b..0e4191b 100644
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -133,7 +133,7 @@ in {

 tailscale = {
 enable = true;
- exitNode = true;
+ useRoutingFeatures = "server";
 };

 transmission = {
diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix
index f5cf2e4..5d4cced 100644
--- a/hosts/hephaestus/default.nix
+++ b/hosts/hephaestus/default.nix
@@ -49,7 +49,11 @@

 # List services that you want to enable:
 my.services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
 pipewire.enable = true;

 restic-backup = {
diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix
index 5a6711d..15cf5ce 100644
--- a/hosts/thanatos/default.nix
+++ b/hosts/thanatos/default.nix
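Review bot: `useRoutingFeatures = "both"` on boreal asks for the server-side routing features as well, whereas the removed `tailscale.enable = true` left the old module's `exitNode` flag at its default, so boreal previously got no exit-node configuration at all. If the upstream option behaves as its name suggests, "server"/"both" turns on IP forwarding on this host, which is a behaviour change hidden inside a commit labelled as a refactoring; `useRoutingFeatures = "client";` would keep boreal's previous role. The thanatos hunk in the next file makes the same "both" choice, while hades keeps its exit-node role with "server", which looks intended. The enclosing `my.services` attribute set starts outside the hunk.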
@@ -28,7 +28,10 @@ in {

 # List services that you want to enable:
 my.services = {
- tailscale.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ };
 };

 services = {
diff --git a/services/tailscale.nix b/services/tailscale.nix
index 41fe9f8..b963b94 100644
--- a/services/tailscale.nix
+++ b/services/tailscale.nix
@@ -8,34 +8,30 @@
 (lib)
 mkEnableOption
 mkIf
+ mkOption
+ types
 ;

 cfg = config.my.services.tailscale;
 in {
 options.my.services.tailscale = {
 enable = mkEnableOption "Tailscale";
-
- # NOTE: still have to do `tailscale up --advertise-exit-node`
- exitNode = mkEnableOption "Use as exit node";
+ useRoutingFeatures = mkOption {
+ type = types.enum ["none" "client" "server" "both"];
+ default = "none";
+ };
 };

 config = mkIf cfg.enable {
 services.tailscale = {
 enable = true;
 package = pkgs.tailscale;
+ openFirewall = true;
+ useRoutingFeatures = cfg.useRoutingFeatures;
 };

 networking.firewall = {
- trustedInterfaces = ["tailscale0"];
- allowedUDPPorts = [config.services.tailscale.port];
- # needed for exit node usage
- checkReversePath = mkIf (!cfg.exitNode) "loose";
- };
-
- # enable IP forwarding to use as exit node
- boot.kernel.sysctl = mkIf cfg.exitNode {
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv4.ip_forward" = true;
+ trustedInterfaces = [config.services.tailscale.interfaceName];
 };
 };
 }

From de09c23a639c7d214da426c105e47b5e513276e7 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:44:22 +0100
Subject: [PATCH 12/14] flake: enable redistributable firmware

---
 flake.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/flake.nix b/flake.nix
index 6675c5f..a9b8ed6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -109,6 +109,7 @@
 "zotero-6.0.26"
 ];
 };
+ hardware.enableRedistributableFirmware = true;
 }
 ]
 ++ (nixpkgs.lib.attrValues self.nixosModules);

From eeb2f7fadfaad56e1b1c72aa7a728876a0dc919c Mon Sep 17 00:00:00 2001
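Review bot: The new `useRoutingFeatures` option in services/tailscale.nix declares a type and a default but no `description`, and the removed NOTE about still having to run `tailscale up --advertise-exit-node` was the only place that operational caveat was recorded. Suggest `description = "Tailscale routing features to enable on this host; advertising routes or an exit node still has to be done with tailscale up --advertise-exit-node.";` inside the mkOption. The hunk also drops the local `checkReversePath = "loose"` and the IP-forwarding sysctls; a one-line comment next to `useRoutingFeatures = cfg.useRoutingFeatures;` saying that reverse-path and forwarding settings are now expected from the upstream `services.tailscale` module would tell the next reader where they went. The `trustedInterfaces` entry keeps the pre-existing behaviour of letting all tailnet traffic bypass the host firewall, so nothing new to raise there.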
From: Antoine Martin
Date: Wed, 13 Dec 2023 17:44:58 +0100
Subject: [PATCH 13/14] flake: remove zotero from insecure packages

---
 flake.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/flake.nix b/flake.nix
index a9b8ed6..54c4d61 100644
--- a/flake.nix
+++ b/flake.nix
@@ -105,9 +105,7 @@
 {
 nixpkgs = {
 overlays = shared_overlays;
- config.permittedInsecurePackages = [
- "zotero-6.0.26"
- ];
+ config.permittedInsecurePackages = [];
 };
 hardware.enableRedistributableFirmware = true;
 }

From 5b5612390d2ac9d79e24ba089f274690166846cd Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 14 Dec 2023 13:45:10 +0100
Subject: [PATCH 14/14] home: ssh: thanatos config

---
 home/ssh.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/home/ssh.nix b/home/ssh.nix
index 0959bef..2c1f9a6 100644
--- a/home/ssh.nix
+++ b/home/ssh.nix
@@ -34,12 +34,19 @@ in {
 in {
 boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";};
 hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";};
- poseidon = addGPGAgentForwarding {hostname = "poseidon.alarsyo.net";};
+ thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";};
 pi = addGPGAgentForwarding {
 hostname = "pi.alarsyo.net";
 user = "pi";
 };

+ "thanatos.lrde.epita.fr" =
+ lib.hm.dag.entryBefore ["*.lrde.epita.fr"]
+ (addGPGAgentForwarding {
+ hostname = "lee.lrde.epita.fr";
+ user = "alarsyo";
+ });
+
 "*.lrde.epita.fr" = {
 user = "amartin";
 };
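Review bot: The new `"thanatos.lrde.epita.fr"` match block in home/ssh.nix sets `hostname = "lee.lrde.epita.fr"`, so the alias and the real host differ; if that is intentional rather than a copy-paste leftover, a one-line comment such as `# "thanatos" is the alias; the actual LRDE host is lee.lrde.epita.fr` would stop the next reader from "fixing" it. The `lib.hm.dag.entryBefore ["*.lrde.epita.fr"]` ordering is presumably what lets `user = "alarsyo"` win over the wildcard block's `user = "amartin"` (ssh keeps the first value it finds), and deserves the same comment. The enclosing `in {` attribute set continues outside the hunk.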