Compare commits
7 commits
5b5612390d
...
3d1ecf2393
Author | SHA1 | Date | |
---|---|---|---|
Antoine Martin | 3d1ecf2393 | ||
Antoine Martin | c67d73920a | ||
Antoine Martin | 5271b38a6a | ||
Antoine Martin | 73cb52915f | ||
Antoine Martin | b5e1c6c608 | ||
Antoine Martin | 693e44a8fe | ||
Antoine Martin | a21e0fb568 |
2
.github/workflows/cachix.yaml
vendored
2
.github/workflows/cachix.yaml
vendored
|
@ -78,7 +78,7 @@ jobs:
|
|||
- boreal
|
||||
- hades
|
||||
- hephaestus
|
||||
- poseidon
|
||||
- thanatos
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
fish.enable = true;
|
||||
less.enable = true;
|
||||
mosh.enable = true;
|
||||
tmux.enable = true;
|
||||
|
||||
# setcap wrapper for network permissions
|
||||
bandwhich.enable = true;
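Review bot: The comment above `bandwhich.enable = true;` should state what the wrapper grants and to whom, because (these look like `programs.*` entries, and as far as I recall the NixOS `programs.bandwhich` module) enabling it installs a capability wrapper that any local account can run, not just the administrator. Suggest `# setcap wrapper: hands the binary raw-socket/net-admin style capabilities to every local user who runs it` — confirm the exact capability set against the module in the nixpkgs revision pinned in flake.lock. The enclosing attribute set starts before this hunk.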
|
||||
|
@ -20,12 +21,12 @@
|
|||
inherit
|
||||
(pkgs)
|
||||
# shell usage
|
||||
|
||||
|
||||
bat
|
||||
fd
|
||||
file
|
||||
ripgrep
|
||||
sd
|
||||
tmux
|
||||
tokei
|
||||
tree
|
||||
wget
|
||||
|
@ -33,38 +34,25 @@
|
|||
pciutils
|
||||
usbutils
|
||||
# development
|
||||
|
||||
|
||||
agenix
|
||||
alejandra
|
||||
git
|
||||
git-crypt
|
||||
git-lfs
|
||||
gnumake
|
||||
gnupg
|
||||
kakoune
|
||||
pinentry-qt
|
||||
python3
|
||||
vim
|
||||
# terminal utilities
|
||||
|
||||
bottom
|
||||
dogdns
|
||||
du-dust
|
||||
htop
|
||||
ldns # drill
|
||||
tealdeer
|
||||
unzip
|
||||
zip
|
||||
# nix pkgs lookup
|
||||
|
||||
nix-index
|
||||
agenix
|
||||
cachix
|
||||
;
|
||||
|
||||
inherit
|
||||
(pkgs.llvmPackages_16)
|
||||
bintools
|
||||
clang
|
||||
;
|
||||
};
|
||||
}
|
||||
|
|
38
flake.lock
38
flake.lock
|
@ -41,6 +41,25 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"disko": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1702479765,
|
||||
"narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "master",
|
||||
"repo": "disko",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1653893745,
|
||||
|
@ -127,6 +146,22 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1697915759,
|
||||
"narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1701952659,
|
||||
"narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=",
|
||||
|
@ -145,10 +180,11 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"disko": "disko",
|
||||
"flake-utils": "flake-utils",
|
||||
"home-manager": "home-manager",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-unstable-small": "nixpkgs-unstable-small"
|
||||
}
|
||||
}
|
||||
|
|
23
flake.nix
23
flake.nix
|
@ -42,6 +42,13 @@
|
|||
repo = "nixos-hardware";
|
||||
ref = "master";
|
||||
};
|
||||
|
||||
disko = {
|
||||
type = "github";
|
||||
owner = "nix-community";
|
||||
repo = "disko";
|
||||
ref = "master";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = {
|
||||
|
@ -49,6 +56,7 @@
|
|||
nixpkgs,
|
||||
home-manager,
|
||||
agenix,
|
||||
disko,
|
||||
...
|
||||
} @ inputs:
|
||||
{
|
||||
|
@ -97,10 +105,9 @@
|
|||
{
|
||||
nixpkgs = {
|
||||
overlays = shared_overlays;
|
||||
config.permittedInsecurePackages = [
|
||||
"zotero-6.0.26"
|
||||
];
|
||||
config.permittedInsecurePackages = [];
|
||||
};
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
}
|
||||
]
|
||||
++ (nixpkgs.lib.attrValues self.nixosModules);
|
||||
|
@ -147,6 +154,16 @@
|
|||
]
|
||||
++ sharedModules;
|
||||
};
|
||||
|
||||
thanatos = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules =
|
||||
[
|
||||
disko.nixosModules.default
|
||||
./thanatos.nix
|
||||
]
|
||||
++ sharedModules;
|
||||
};
|
||||
};
|
||||
}
|
||||
// inputs.flake-utils.lib.eachDefaultSystem (system: {
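Review bot: `ref = "master";` on the new `disko` input means every `nix flake update` pulls whatever that branch holds at the moment, and disko is imported as a NixOS module that partitions and formats disks, so an unreviewed upstream change there is high-impact. flake.lock pins `rev` bd8fbc3f274288ac905bcea66bc2a5428abde458, so today's build is reproducible, but consider tracking a release tag or at least reviewing the diff on each update. This mirrors the `nixos-hardware` input just above, so it may be a deliberate trade-off — a one-line comment saying so above `disko = {` would settle it.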
|
||||
|
|
|
@ -34,12 +34,19 @@ in {
|
|||
in {
|
||||
boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";};
|
||||
hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";};
|
||||
poseidon = addGPGAgentForwarding {hostname = "poseidon.alarsyo.net";};
|
||||
thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";};
|
||||
pi = addGPGAgentForwarding {
|
||||
hostname = "pi.alarsyo.net";
|
||||
user = "pi";
|
||||
};
|
||||
|
||||
"thanatos.lrde.epita.fr" =
|
||||
lib.hm.dag.entryBefore ["*.lrde.epita.fr"]
|
||||
(addGPGAgentForwarding {
|
||||
hostname = "lee.lrde.epita.fr";
|
||||
user = "alarsyo";
|
||||
});
|
||||
|
||||
"*.lrde.epita.fr" = {
|
||||
user = "amartin";
|
||||
};
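Review bot: The new `"thanatos.lrde.epita.fr"` entry is keyed on thanatos but points at `hostname = "lee.lrde.epita.fr"`, which reads like a mistake unless thanatos is the NixOS name for that physical lab machine; a comment such as `# thanatos is the NixOS install on lee.lrde.epita.fr` would keep someone from "fixing" it later. Both that entry and `thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";};` forward the local gpg-agent, which lets root on the remote side use the local private keys for the length of the session, so it is only appropriate for hosts where the author is the sole administrator — presumably true for thanatos, but worth stating next to the entry since the surrounding `*.lrde.epita.fr` hosts are a shared lab. The enclosing `let … in` starts before this hunk.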
|
||||
|
|
|
@ -75,7 +75,10 @@
|
|||
|
||||
pipewire.enable = true;
|
||||
|
||||
tailscale.enable = true;
|
||||
tailscale = {
|
||||
enable = true;
|
||||
useRoutingFeatures = "both";
|
||||
};
|
||||
};
|
||||
|
||||
services = {
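Review bot: `useRoutingFeatures = "both";` enables IP forwarding on this host in addition to the relaxed reverse-path filtering that `"client"` already gives (per the upstream `services.tailscale` module as I recall it — verify against the pinned nixpkgs); if this machine only consumes exit nodes or subnet routes advertised by others — it looks like a desktop, `pipewire.enable` sits right above — `"client"` is the least-privilege value. If it is genuinely meant to advertise routes or serve as an exit node, a short comment saying which (`# both: this host also advertises <routes> — see tailscale up`) keeps the choice from being narrowed by mistake. The same `"both"` appears in hosts/thanatos/default.nix; the enclosing `my.services` set starts before this hunk.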
|
||||
|
|
|
@ -133,7 +133,7 @@ in {
|
|||
|
||||
tailscale = {
|
||||
enable = true;
|
||||
exitNode = true;
|
||||
useRoutingFeatures = "server";
|
||||
};
|
||||
|
||||
transmission = {
|
||||
|
|
|
@ -49,7 +49,11 @@
|
|||
|
||||
# List services that you want to enable:
|
||||
my.services = {
|
||||
tailscale.enable = true;
|
||||
tailscale = {
|
||||
enable = true;
|
||||
useRoutingFeatures = "client";
|
||||
};
|
||||
|
||||
pipewire.enable = true;
|
||||
|
||||
restic-backup = {
|
||||
|
|
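--- a/hosts/thanatos/default.nix
+++ b/hosts/thanatos/default.nix
@@ -0,0 +1,46 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+config,
+lib,
+pkgs,
+...
+}: let
+secrets = config.my.secrets;
+in {
+imports = [
+# Include the results of the hardware scan.
+./hardware-configuration.nix
+./disko-configuration.nix
+./home.nix
+./secrets.nix
+];
+
+boot.loader.grub.enable = true;
+boot.tmp.useTmpfs = true;
+
+networking.hostName = "thanatos"; # Define your hostname.
+networking.domain = "lrde.epita.fr";
+
+# Set your time zone.
+time.timeZone = "Europe/Paris";
+
+# List services that you want to enable:
+my.services = {
+tailscale = {
+enable = true;
+useRoutingFeatures = "both";
+};
+};
+
+services = {
+openssh.enable = true;
+};
+
+virtualisation.docker.enable = true;
+
+environment.systemPackages = with pkgs; [
+docker-compose
+];
+}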
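Review bot: `openssh.enable = true;` with no `settings` leaves the NixOS default of password authentication enabled unless `./base` (not visible here) turns it off, and this host ships password hashes for both `alarsyo` and `root` via `./secrets.nix` while sitting on a university network (`networking.domain = "lrde.epita.fr"`), so online password guessing over SSH is a real exposure; suggest `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` next to the enable if base does not already set them. `virtualisation.docker.enable = true;` deserves a why-comment noting that docker-group membership is root-equivalent, so whoever is added to that group elsewhere must be chosen with that in mind. The `# Define your hostname.` and `# Set your time zone.` generator boilerplate adds nothing and can go.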
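--- a/hosts/thanatos/disko-configuration.nix
+++ b/hosts/thanatos/disko-configuration.nix
@@ -0,0 +1,52 @@
+{
+disko.devices = {
+disk = {
+main = {
+type = "disk";
+device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4";
+content = {
+type = "gpt";
+partitions = {
+boot = {
+size = "1M";
+type = "EF02"; # for grub MBR
+};
+ESP = {
+size = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+size = "100%";
+content = {
+type = "btrfs";
+subvolumes = {
+"/root" = {
+mountpoint = "/";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/home" = {
+mountpoint = "/home";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/nix" = {
+mountpoint = "/nix";
+mountOptions = [ "compress=zstd" "noatime" ];
+};
+"/swap" = {
+mountpoint = "/.swapvol";
+swap.swapfile.size = "8G";
+};
+};
+};
+};
+};
+};
+};
+};
+}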
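Review bot: The layout has no encryption layer — `root` is a plain btrfs partition and the `"/swap"` subvolume's 8G swapfile will carry whatever the kernel pages out, including in-memory secrets, to disk in clear — which matters for a box that apparently lives in a shared lab (`lrde.epita.fr`). If physical access by others is in the threat model, wrapping the btrfs volume in a `luks` content is the usual disko answer; if it is deliberately unencrypted (headless, no remote unlock), a comment above `root = {` saying so saves the next reader the question. Also worth a one-line comment on `swap.swapfile.size = "8G";` that a swapfile on btrfs only works with copy-on-write disabled on it, which disko presumably handles — confirm for the pinned disko rev.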
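--- a/hosts/thanatos/hardware-configuration.nix
+++ b/hosts/thanatos/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}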
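--- a/hosts/thanatos/home.nix
+++ b/hosts/thanatos/home.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+home-manager.users.alarsyo = {
+my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
+};
+}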
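--- a/hosts/thanatos/secrets.nix
+++ b/hosts/thanatos/secrets.nix
@@ -0,0 +1,20 @@
+{
+config,
+lib,
+options,
+...
+}: {
+config.age = {
+secrets = let
+toSecret = name: {...} @ attrs:
+{
+file = ./../../modules/secrets + "/${name}.age";
+}
+// attrs;
+in
+lib.mapAttrs toSecret {
+"users/alarsyo-hashed-password" = {};
+"users/root-hashed-password" = {};
+};
+};
+}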
|
@ -5,8 +5,9 @@ let
|
|||
boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
|
||||
hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades";
|
||||
hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus";
|
||||
thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos";
|
||||
|
||||
machines = [boreal hades hephaestus];
|
||||
machines = [boreal hades hephaestus thanatos];
|
||||
|
||||
all = users ++ machines;
|
||||
in {
|
||||
|
@ -34,6 +35,6 @@ in {
|
|||
"restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
|
||||
"restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
|
||||
|
||||
"users/root-hashed-password.age".publicKeys = machines;
|
||||
"users/root-hashed-password.age".publicKeys = machines ++ [alarsyo];
|
||||
"users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo];
|
||||
}
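Review bot: The rules in this file only add recipients — thanatos joins `machines`, and `alarsyo` is added to `"users/root-hashed-password.age"` — yet the re-encrypted `.age` file in the following hunk goes from six `-> ssh-ed25519` recipient stanzas to five, with one new tag (`6UUuZw`) and two old ones (`z6Eu8Q`, `ZQuVNA`) gone. That may simply reflect the `users` list, which is defined above this hunk, but it is worth confirming the rekey was run against the updated rules and that no host or user lost access. A comment on `machines = [boreal hades hephaestus thanatos];` stating that every member can decrypt the shared root and user password hashes would make that trust boundary explicit.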
|
||||
|
|
|
@ -1,17 +1,16 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo
|
||||
XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo
|
||||
-> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU
|
||||
OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg
|
||||
-> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4
|
||||
41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs
|
||||
-> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho
|
||||
8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk
|
||||
-> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI
|
||||
1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww
|
||||
-> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc
|
||||
r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10
|
||||
-> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T
|
||||
wAOK28XvNSpz
|
||||
--- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8
|
||||
{gh1ÕßÃ…±ž\Py<50>ðЯ@s™ªý¹H„§q8—JxèÔw<žüç¿•k»öÕVħ©
T‹†¿“¥õ¬<C3B5>…<EFBFBD> <EFBFBD>(«”N¼ô.;™/)ÞD¯Wz{uÞNlÆ%±ávöÞ†50K0ÂóÍ©n”n±8°ï£\kJ¬OüCª7oáÙ‹4ÿcÑ—
|
||||
-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY
|
||||
JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs
|
||||
-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4
|
||||
TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc
|
||||
-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg
|
||||
fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA
|
||||
-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA
|
||||
9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ
|
||||
-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY
|
||||
Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE
|
||||
-> >)/-grease VfMC'D<: eQJ #XT
|
||||
OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi
|
||||
D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H
|
||||
--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q
|
||||
þXÑb;\hJù Ô#ÖȾ§>3Pzý˜QÈèÏÖ{¿Jž
ÒXÝe²ë3Q!ó¥¸5Å$ü»€|MÆD;Kú³Z”S.»¸ëXè<58>S?À œÐ·1j)«¬H[ËhkÆ«©¤¶|g=
|
Binary file not shown.
|
@ -8,34 +8,30 @@
|
|||
(lib)
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
types
|
||||
;
|
||||
|
||||
cfg = config.my.services.tailscale;
|
||||
in {
|
||||
options.my.services.tailscale = {
|
||||
enable = mkEnableOption "Tailscale";
|
||||
|
||||
# NOTE: still have to do `tailscale up --advertise-exit-node`
|
||||
exitNode = mkEnableOption "Use as exit node";
|
||||
useRoutingFeatures = mkOption {
|
||||
type = types.enum [ "none" "client" "server" "both" ];
|
||||
default = "none";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
package = pkgs.tailscale;
|
||||
openFirewall = true;
|
||||
useRoutingFeatures = cfg.useRoutingFeatures;
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
trustedInterfaces = ["tailscale0"];
|
||||
allowedUDPPorts = [config.services.tailscale.port];
|
||||
# needed for exit node usage
|
||||
checkReversePath = mkIf (!cfg.exitNode) "loose";
|
||||
};
|
||||
|
||||
# enable IP forwarding to use as exit node
|
||||
boot.kernel.sysctl = mkIf cfg.exitNode {
|
||||
"net.ipv6.conf.all.forwarding" = true;
|
||||
"net.ipv4.ip_forward" = true;
|
||||
trustedInterfaces = [config.services.tailscale.interfaceName];
|
||||
};
|
||||
};
|
||||
}
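Review bot: The new `useRoutingFeatures = mkOption { … }` has no `description`, and the removed reminder `# NOTE: still have to do \`tailscale up --advertise-exit-node\`` is not carried over, so a reader no longer learns that `"server"`/`"both"` only prepare the host while routes are still advertised or accepted at `tailscale up` time. Suggest `description = "Forwarded to services.tailscale.useRoutingFeatures: server/both enable IP forwarding, client/both relax reverse-path filtering; routes still have to be advertised/accepted with tailscale up.";` — this is the upstream module's behaviour as I recall it for the nixpkgs generation this repo targets, verify against the pinned revision. `trustedInterfaces = [config.services.tailscale.interfaceName];` keeps the pre-existing policy of letting every tailnet peer reach every local port, which is fine if intended but deserves a one-line why-comment. The enclosing `let` starts before this hunk.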
|
||||
|
|
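--- a/thanatos.nix
+++ b/thanatos.nix
@@ -0,0 +1,23 @@
+{...}: {
+imports = [
+# Default configuration
+./base
+
+# Module definitions
+./modules
+
+# Service definitions
+./services
+
+# Host-specific config
+./hosts/thanatos
+];
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It‘s perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "23.11"; # Did you read the comment?
+}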