diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index 6563e90..9b4646b 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -78,7 +78,7 @@ jobs: - boreal - hades - hephaestus - - poseidon + - thanatos steps: - uses: actions/checkout@v4 diff --git a/base/programs.nix b/base/programs.nix index 5d69fe2..f5667b0 100644 --- a/base/programs.nix +++ b/base/programs.nix @@ -3,6 +3,7 @@ fish.enable = true; less.enable = true; mosh.enable = true; + tmux.enable = true; # setcap wrapper for network permissions bandwhich.enable = true; @@ -20,12 +21,12 @@ inherit (pkgs) # shell usage - + + bat fd file ripgrep sd - tmux tokei tree wget @@ -33,38 +34,25 @@ pciutils usbutils # development - + + agenix alejandra git git-crypt git-lfs gnumake gnupg - kakoune pinentry-qt python3 vim # terminal utilities - bottom dogdns du-dust htop ldns # drill - tealdeer unzip zip - # nix pkgs lookup - - nix-index - agenix - cachix - ; - - inherit - (pkgs.llvmPackages_16) - bintools - clang ; }; } diff --git a/flake.lock b/flake.lock index fcdce90..38be2d0 100644 --- a/flake.lock +++ b/flake.lock @@ -41,6 +41,25 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1702479765, + "narHash": "sha256-wjNYsFhciYoJkZ/FBKvFj55k+vkLbu6C2qYQ7K+s8pI=", + "owner": "nix-community", + "repo": "disko", + "rev": "bd8fbc3f274288ac905bcea66bc2a5428abde458", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1653893745, @@ -127,6 +146,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1697915759, + "narHash": "sha256-WyMj5jGcecD+KC8gEs+wFth1J1wjisZf8kVZH13f1Zo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "51d906d2341c9e866e48c2efcaac0f2d70bfd43e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1701952659, "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=", @@ -145,10 +180,11 @@ "root": { "inputs": { "agenix": "agenix", + "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 9c829c1..54c4d61 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,13 @@ repo = "nixos-hardware"; ref = "master"; }; + + disko = { + type = "github"; + owner = "nix-community"; + repo = "disko"; + ref = "master"; + }; }; outputs = { @@ -49,6 +56,7 @@ nixpkgs, home-manager, agenix, + disko, ... } @ inputs: { @@ -97,10 +105,9 @@ { nixpkgs = { overlays = shared_overlays; - config.permittedInsecurePackages = [ - "zotero-6.0.26" - ]; + config.permittedInsecurePackages = []; }; + hardware.enableRedistributableFirmware = true; } ] ++ (nixpkgs.lib.attrValues self.nixosModules); @@ -147,6 +154,16 @@ ] ++ sharedModules; }; + + thanatos = nixpkgs.lib.nixosSystem { + inherit system; + modules = + [ + disko.nixosModules.default + ./thanatos.nix + ] + ++ sharedModules; + }; }; } // inputs.flake-utils.lib.eachDefaultSystem (system: { diff --git a/home/ssh.nix b/home/ssh.nix index 0959bef..2c1f9a6 100644 --- a/home/ssh.nix +++ b/home/ssh.nix @@ -34,12 +34,19 @@ in { in { boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";}; hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";}; - poseidon = addGPGAgentForwarding {hostname = "poseidon.alarsyo.net";}; + thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";}; pi = addGPGAgentForwarding { hostname = "pi.alarsyo.net"; user = "pi"; }; + "thanatos.lrde.epita.fr" = + lib.hm.dag.entryBefore ["*.lrde.epita.fr"] + (addGPGAgentForwarding { + hostname = "lee.lrde.epita.fr"; + user = "alarsyo"; + }); + "*.lrde.epita.fr" = { user = "amartin"; }; diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix index c6d9c3f..f820f69 100644 --- a/hosts/boreal/default.nix +++ b/hosts/boreal/default.nix @@ -75,7 +75,10 @@ pipewire.enable = true; - tailscale.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; }; services = { diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix index 0cb891b..0e4191b 100644 --- a/hosts/hades/default.nix +++ b/hosts/hades/default.nix @@ -133,7 +133,7 @@ in { tailscale = { enable = true; - exitNode = true; + useRoutingFeatures = "server"; }; transmission = { diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix index f5cf2e4..5d4cced 100644 --- a/hosts/hephaestus/default.nix +++ b/hosts/hephaestus/default.nix @@ -49,7 +49,11 @@ # List services that you want to enable: my.services = { - tailscale.enable = true; + tailscale = { + enable = true; + useRoutingFeatures = "client"; + }; + pipewire.enable = true; restic-backup = { diff --git a/hosts/thanatos/default.nix b/hosts/thanatos/default.nix new file mode 100644 index 0000000..15cf5ce --- /dev/null +++ b/hosts/thanatos/default.nix @@ -0,0 +1,46 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). +{ + config, + lib, + pkgs, + ... +}: let + secrets = config.my.secrets; +in { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./disko-configuration.nix + ./home.nix + ./secrets.nix + ]; + + boot.loader.grub.enable = true; + boot.tmp.useTmpfs = true; + + networking.hostName = "thanatos"; # Define your hostname. + networking.domain = "lrde.epita.fr"; + + # Set your time zone. + time.timeZone = "Europe/Paris"; + + # List services that you want to enable: + my.services = { + tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; + }; + + services = { + openssh.enable = true; + }; + + virtualisation.docker.enable = true; + + environment.systemPackages = with pkgs; [ + docker-compose + ]; +} diff --git a/hosts/thanatos/disko-configuration.nix b/hosts/thanatos/disko-configuration.nix new file mode 100644 index 0000000..81e9c36 --- /dev/null +++ b/hosts/thanatos/disko-configuration.nix @@ -0,0 +1,52 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "8G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/thanatos/hardware-configuration.nix b/hosts/thanatos/hardware-configuration.nix new file mode 100644 index 0000000..2ff30b0 --- /dev/null +++ b/hosts/thanatos/hardware-configuration.nix @@ -0,0 +1,25 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/thanatos/home.nix b/hosts/thanatos/home.nix new file mode 100644 index 0000000..3bb7dab --- /dev/null +++ b/hosts/thanatos/home.nix @@ -0,0 +1,5 @@ +{config, ...}: { + home-manager.users.alarsyo = { + my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight; + }; +} diff --git a/hosts/thanatos/secrets.nix b/hosts/thanatos/secrets.nix new file mode 100644 index 0000000..3fbc379 --- /dev/null +++ b/hosts/thanatos/secrets.nix @@ -0,0 +1,20 @@ +{ + config, + lib, + options, + ... +}: { + config.age = { + secrets = let + toSecret = name: {...} @ attrs: + { + file = ./../../modules/secrets + "/${name}.age"; + } + // attrs; + in + lib.mapAttrs toSecret { + "users/alarsyo-hashed-password" = {}; + "users/root-hashed-password" = {}; + }; + }; +} diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 28760e7..9c042d0 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -5,8 +5,9 @@ let boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; hades = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxw8CtKUPAiPdKDEnuS7UyRrZN5BkUwsy5UPVF8V+lt root@hades"; hephaestus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7Cp+n5+huof68QlAoJV8bVf5h5p9kEZFAVpltWopdL root@hephaestus"; + thanatos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8JEAWk/8iSl8fN6/f76JkmVFwtyixTpLol4zSVsnVw root@thanatos"; - machines = [boreal hades hephaestus]; + machines = [boreal hades hephaestus thanatos]; all = users ++ machines; in { @@ -34,6 +35,6 @@ in { "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus]; "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus]; - "users/root-hashed-password.age".publicKeys = machines; + "users/root-hashed-password.age".publicKeys = machines ++ [alarsyo]; "users/alarsyo-hashed-password.age".publicKeys = machines ++ [alarsyo]; } diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age index 1e7abbe..38b12ac 100644 --- a/modules/secrets/users/alarsyo-hashed-password.age +++ b/modules/secrets/users/alarsyo-hashed-password.age @@ -1,17 +1,16 @@ age-encryption.org/v1 --> ssh-ed25519 YWMQkg edb6vOJgAg7qUtsk3wot1lDT0guqrhkVO4q647At/Xo -XlX07p/2byuBzWeR3khI/B255/4IwjiWEiOEgO6Jmzo --> ssh-ed25519 pX8y2g yn4fQ1E54ReKViSKMjyIQWfbHlqwXmAn225hRUt2sVU -OVciEEE58TS7gkJV2kS75hL0z+mzn/I9cFYZQ9m4fCg --> ssh-ed25519 SYm+hA 3hLgW/LWQ6ilt1hYdHsA6M4YvSkrQauES77Mk0elkG4 -41l9uzYv/6raDNSBGrbH7hULv0cYFY65SlhpuSburHs --> ssh-ed25519 z6Eu8Q GE324833mb5ff9C+TN3SqazvwW0ZZiqBb56cs8bKjho -8Aogd9tN2sN8DSmKJUfuCifiRMKpD7Cn6CLLazQ2qjk --> ssh-ed25519 ZQuVNA 2plMxBUBbv3ScEdXBnkvtt/qlP+dG/8+O8gHBChL8lI -1GpPm9oFARwDQfTT25isUZlGKn6BaanIQoiLDzlxzww --> ssh-ed25519 k2gHjw JlNEYLQixP7LEb0FJu5O54pu1B72WWsml5ELNcFESEc -r8QUuLhEEFyst0JeWd1jahkrcMV/b9KGHj8PSZUZJ10 --> _a@Yy?HU-grease /wJ2a` WIyE6 ewMVR h,D)T -wAOK28XvNSpz ---- hlIXSQ9X6OM5/uPv+3PMfkuIfiKWpkbdWNHed+q/Hr8 -{gh1Å\PyЯ@sHq8Jxw<翕kVħ T(N.;/)DWz{uNl%vކ50K0ͩnn8\kJOC7oً4cї \ No newline at end of file +-> ssh-ed25519 YWMQkg nA65XHF5xsaW5JPGfWYLDtCq0DQQpN6FBbbnDKL23BY +JyzLfx9QXRV4jXQWvsXMEO7Y9Maf6VAQZU0QiEyA0rs +-> ssh-ed25519 pX8y2g 0AuwR4Dv6bulcow+LOd6XsF/U+Ly8fQDIuHcksijCk4 +TXyxasso2OmK8RswWOk6oP7+q6iS2WTwYsy0CF07gtc +-> ssh-ed25519 SYm+hA coVEtWHcu5Zc17TuVLTzWe7RiXjJ53wjjRfLidwjUgg +fx5hl1hPiRxQLHIN2mrvB9tc+xMTwqHM1DXZY75s/MA +-> ssh-ed25519 6UUuZw 2bfWgdMEj+POlLejgzl3GZN1M3xt5Qoif9M2BwGV4QA +9pLL7KegernUFqbNklKDho5IRgw9VVZGaphgmcfnohQ +-> ssh-ed25519 k2gHjw yxVoANLjqXRU97oymWtIEr4ZQ9OVvlRsC2Y2jsvkJWY +Q37kBzgMyWkpcLO/3FFMtmDO16/17+i57DmALUDL/kE +-> >)/-grease VfMC'D<: eQJ #XT +OcrPfgaTtzKItA7HfjeBUc68U7ol1sewRCFKg0iAeSVT1jiv3/O7hkz5MbMAsuoi +D8hkNjdXn3TDBVc1OcIS2iX5xOdpvP3ePs6TgX9H +--- mAY7j62sU6rXvZu84PkvkMqZ5M139fV/RlJidRYCo9Q +Xb;\hJ #Ⱦ>3PzQ{J Xe3Q!5$|MD;KZS.XS?з1j)H[hkƫ|g= \ No newline at end of file diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age index b373fa4..0988a49 100644 Binary files a/modules/secrets/users/root-hashed-password.age and b/modules/secrets/users/root-hashed-password.age differ diff --git a/services/tailscale.nix b/services/tailscale.nix index 41fe9f8..6de7cc0 100644 --- a/services/tailscale.nix +++ b/services/tailscale.nix @@ -8,34 +8,30 @@ (lib) mkEnableOption mkIf + mkOption + types ; cfg = config.my.services.tailscale; in { options.my.services.tailscale = { enable = mkEnableOption "Tailscale"; - - # NOTE: still have to do `tailscale up --advertise-exit-node` - exitNode = mkEnableOption "Use as exit node"; + useRoutingFeatures = mkOption { + type = types.enum [ "none" "client" "server" "both" ]; + default = "none"; + }; }; config = mkIf cfg.enable { services.tailscale = { enable = true; package = pkgs.tailscale; + openFirewall = true; + useRoutingFeatures = cfg.useRoutingFeatures; }; networking.firewall = { - trustedInterfaces = ["tailscale0"]; - allowedUDPPorts = [config.services.tailscale.port]; - # needed for exit node usage - checkReversePath = mkIf (!cfg.exitNode) "loose"; - }; - - # enable IP forwarding to use as exit node - boot.kernel.sysctl = mkIf cfg.exitNode { - "net.ipv6.conf.all.forwarding" = true; - "net.ipv4.ip_forward" = true; + trustedInterfaces = [config.services.tailscale.interfaceName]; }; }; } diff --git a/thanatos.nix b/thanatos.nix new file mode 100644 index 0000000..e0c2c2d --- /dev/null +++ b/thanatos.nix @@ -0,0 +1,23 @@ +{...}: { + imports = [ + # Default configuration + ./base + + # Module definitions + ./modules + + # Service definitions + ./services + + # Host-specific config + ./hosts/thanatos + ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.11"; # Did you read the comment? +}