diff --git a/flake.nix b/flake.nix index 329bc9c..f925a36 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,8 @@ ./public-keys ./lib ./overlays + ./modules + ./hosts ]; perSystem = { system, pkgs, config, ... }: { 
@@ -73,88 +75,11 @@ flake = let username = "barkeeper"; - system = "x86_64-linux"; in { - nixosConfigurations = { - nachtigall = self.nixos-flake.lib.mkLinuxSystem { - imports = [ - self.nixosModules.common - ./hosts/nachtigall - self.pub-solar.lib.linux.unlockZFSOnBoot - self.nixosModules.home-manager - self.nixosModules.linux - self.nixosModules.overlays - inputs.agenix.nixosModules.default - { - home-manager.users.${username} = { - imports = [ - self.homeModules.common - ]; - home.stateVersion = "23.05"; - }; - } - ]; - }; - }; + inherit username; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; - nixosModules = { - # Common nixos/nix-darwin configuration shared between Linux and macOS. - common = { pkgs, ... }: { - virtualisation.docker = { - enable = true; - extraOptions = '' - --data-root /var/lib/docker - ''; - storageDriver = "zfs"; - }; - - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - services.openssh.settings.PasswordAuthentication = false; - }; - - # NixOS specific configuration - linux = { pkgs, ... }: { - users.users.${username} = { - name = username; - group = username; - extraGroups = ["wheel"]; - isNormalUser = true; - openssh.authorizedKeys.keys = self.publicKeys.allAdmins; - }; - users.groups.${username} = {}; - - security.sudo.wheelNeedsPassword = false; - nix.settings.trusted-users = [ "root" username ]; - - # TODO: Remove when we stop locking ourselves out. - users.users.root.openssh.authorizedKeys.keys = self.publicKeys.allAdmins; - }; - }; - - # All home-manager configurations are kept here. - homeModules = { - # Common home-manager configuration shared between Linux and macOS. - common = { pkgs, ... 
}: { - programs.git.enable = true; - programs.starship.enable = true; - programs.bash.enable = true; - programs.neovim = { - enable = true; - vimAlias = true; - viAlias = true; - defaultEditor = true; - # configure = { - # packages.myVimPackages = with pkgs.vimPlugins; { - # start = [vim-nix vim-surrund rainbow]; - # }; - # }; - }; - }; - }; - deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations { nachtigall = { sshUser = username; diff --git a/hosts/default.nix b/hosts/default.nix new file mode 100644 index 0000000..8a2913b --- /dev/null +++ b/hosts/default.nix @@ -0,0 +1,18 @@ + { self, ... }: + { + flake = { + nixosConfigurations = { + nachtigall = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./nachtigall + self.nixosModules.overlays + self.nixosModules.unlock-zfs-on-boot + self.nixosModules.core + self.nixosModules.docker + ]; + }; + }; + }; + } diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 0aeb9a1..19b9048 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, flake, ... }: { # Use GRUB2 as the boot loader. # We don't use systemd-boot because Hetzner uses BIOS legacy boot. 
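Review bot: hosts/default.nix appears to be written one indentation level deeper than its sibling modules/default.nix (`+ { self, ... }:` here versus `+{ self, ... }:` there), so the top-level function and its `{` are not at column 0; if that is the file's real layout rather than an artifact of this rendering, dedent it so the two aggregator files read the same way. A one-line header comment such as `# Host definitions; each nixosConfiguration composes self.nixosModules.* with the host's own directory` would also tell a reader why this file exists next to modules/default.nix. The import list puts `./nachtigall` between two `self.nixosModules.*` entries; grouping the shared modules first and the host directory last makes the host-specific override order visible at a glance.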
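Review bot: `flake` is added to this module's argument set, but the only use of `flake.self` visible in configuration.nix (the `age.secrets."nachtigall-root-ssh-key"` block) is removed by the hunk at line 39 of the same file, so the new argument looks dead; if nothing else in the file reads it, `{ config, pkgs, ... }:` can stay as it was. This is inferred from the two hunks shown — the function body continues outside them, so a remaining `flake` reference elsewhere in the file would make the change correct (the old header never bound `flake` at all, so any such reference was previously an undefined-variable error).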
@@ -39,32 +39,9 @@ systemPackages = with pkgs; [ vim ]; }; - users.users.hakkonaut = { - description = "CI and automation user"; - home = "/home/hakkonaut"; - createHome = true; - useDefaultShell = true; - uid = 998; - group = "hakkonaut"; - isSystemUser = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6" - ]; - }; - # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets systemd.services.zfs-mount.enable = false; - users.groups.hakkonaut = {}; - - users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; - age.secrets."nachtigall-root-ssh-key" = { - file = "${flake.self}/secrets/nachtigall-root-ssh-key.age"; - path = "/root/.ssh/id_ed25519"; - mode = "400"; - owner = root; - }; - # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 4780506..9f3aabc 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -7,7 +7,6 @@ ./configuration.nix ./networking.nix - ./nix.nix ./apps/nginx.nix ./apps/collabora.nix diff --git a/hosts/nachtigall/networking.nix b/hosts/nachtigall/networking.nix index 82470b0..5328cc4 100644 --- a/hosts/nachtigall/networking.nix +++ b/hosts/nachtigall/networking.nix 
@@ -21,14 +21,4 @@ ]; networking.defaultGateway = "138.201.80.65"; networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; - - services.resolved = { - enable = true; - extraConfig = '' - DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net - FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net - Domains=~. - DNSOverTLS=yes - ''; - }; } diff --git a/lib/default.nix b/lib/default.nix index 20566ff..d7448e4 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -11,10 +11,6 @@ ## In configs, they can be used under "lib.our" deploy = import ./deploy.nix { inherit inputs lib; }; - - linux = { - unlockZFSOnBoot = import ./unlock-zfs-on-boot.nix {publicKeys = self.publicKeys.allAdmins;}; - }; }; }; } diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..16ac03f --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,26 @@ +{ self, ... }: +{ + flake = { + nixosModules = rec { + nix = import ./nix.nix; + networking = import ./networking.nix; + unlock-zfs-on-boot = import ./unlock-zfs-on-boot.nix; + docker = import ./docker.nix; + terminal-tooling = import ./terminal-tooling.nix; + users = import ./users.nix; + + core = { + imports = [ + nix + networking + terminal-tooling + users + ]; + + home-manager.users.${self.username} = { + home.stateVersion = "23.05"; + }; + }; + }; + }; +} diff --git a/modules/docker.nix b/modules/docker.nix new file mode 100644 index 0000000..8021dad --- /dev/null +++ b/modules/docker.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: { + virtualisation.docker = { + enable = true; + extraOptions = '' + --data-root /var/lib/docker + ''; + storageDriver = "zfs"; + }; +} diff --git a/modules/networking.nix b/modules/networking.nix new file mode 100644 index 0000000..bd27877 --- /dev/null 
+++ b/modules/networking.nix @@ -0,0 +1,15 @@ +{ pkgs, ... }: { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "prohibit-password"; + services.openssh.settings.PasswordAuthentication = false; + + services.resolved = { + enable = true; + extraConfig = '' + DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net + FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net + Domains=~. + DNSOverTLS=yes + ''; + }; +} diff --git a/hosts/nachtigall/nix.nix b/modules/nix.nix similarity index 95% rename from hosts/nachtigall/nix.nix rename to modules/nix.nix index ec0040b..c1e3218 100644 --- a/hosts/nachtigall/nix.nix +++ b/modules/nix.nix @@ -36,7 +36,7 @@ nixPath = [ "nixpkgs=${flake.inputs.nixpkgs}" - "nixos-config=${../../lib/compat/nixos}" + "nixos-config=${../lib/compat/nixos}" "home-manager=${flake.inputs.home-manager}" ]; }; diff --git a/modules/terminal-tooling.nix b/modules/terminal-tooling.nix new file mode 100644 index 0000000..c0d0050 --- /dev/null +++ b/modules/terminal-tooling.nix @@ -0,0 +1,18 @@ +{ flake, ... }: { + home-manager.users.${flake.self.username} = { + programs.git.enable = true; + programs.starship.enable = true; + programs.bash.enable = true; + programs.neovim = { + enable = true; + vimAlias = true; + viAlias = true; + defaultEditor = true; + # configure = { + # packages.myVimPackages = with pkgs.vimPlugins; { + # start = [vim-nix vim-surrund rainbow]; + # }; + # }; + }; + }; +} diff --git a/lib/unlock-zfs-on-boot.nix b/modules/unlock-zfs-on-boot.nix similarity index 92% rename from lib/unlock-zfs-on-boot.nix rename to modules/unlock-zfs-on-boot.nix index 529b272..2e507df 100644 --- a/lib/unlock-zfs-on-boot.nix +++ b/modules/unlock-zfs-on-boot.nix 
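Review bot: `services.openssh.settings.PasswordAuthentication = false;` by itself does not switch off keyboard-interactive authentication, through which PAM can still present a password prompt, so the key-only policy this module intends is not fully enforced; add `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it. The module takes `{ pkgs, ... }` but never uses `pkgs`, so `{ ... }: {` is sufficient. Since the file is named networking.nix yet mostly configures sshd, a header comment such as `# Shared network-facing services for every host: sshd (key-only) and a DNS-over-TLS resolver` would make the grouping explicit for the next host that imports `core`.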
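Review bot: The commented-out `configure = { packages.myVimPackages = with pkgs.vimPlugins; ... }` block is carried over verbatim, including the `vim-surrund` misspelling, and references `pkgs`, which this module does not even take as an argument; delete it, or replace it with a one-line `# TODO(owner): declare neovim plugins via programs.neovim.plugins` so the intent survives without dead code. The `flake.self.username` lookup is the only reason the module needs `flake`; a short comment stating that the home-manager profile is parameterised by the flake-level `username` would help readers coming from the old inline `homeModules.common` in flake.nix.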
@@ -1,4 +1,4 @@ -{publicKeys}: { +{ flake, ... }: { # From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot boot.initrd.network = { enable = true; @@ -10,7 +10,7 @@ # Please create this manually the first time. hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - authorizedKeys = publicKeys; + authorizedKeys = flake.self.publicKeys.admins; }; # this will automatically load the zfs password prompt on login # and kill the other prompt so boot can continue diff --git a/modules/users.nix b/modules/users.nix new file mode 100644 index 0000000..e08a2c7 --- /dev/null +++ b/modules/users.nix @@ -0,0 +1,36 @@ +{ flake, pkgs, ... }: { + users.users.${flake.self.username} = { + name = flake.self.username; + group = flake.self.username; + extraGroups = ["wheel"]; + isNormalUser = true; + openssh.authorizedKeys.keys = flake.self.publicKeys.admins; + }; + users.groups.${flake.self.username} = {}; + + # TODO: Remove when we stop locking ourselves out. + users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins; + + users.users.hakkonaut = { + description = "CI and automation user"; + home = "/home/hakkonaut"; + createHome = true; + useDefaultShell = true; + uid = 998; + group = "hakkonaut"; + isSystemUser = true; + openssh.authorizedKeys.keys = flake.self.publicKeys.robots; + }; + + users.groups.hakkonaut = {}; + + users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; + age.secrets."nachtigall-root-ssh-key" = { + file = "${flake.self}/secrets/nachtigall-root-ssh-key.age"; + path = "/root/.ssh/id_ed25519"; + mode = "400"; + owner = root; + }; + + security.sudo.wheelNeedsPassword = false; +} diff --git a/public-keys/default.nix b/public-keys/default.nix index a5fdaa3..f7f05ee 100644 --- a/public-keys/default.nix +++ b/public-keys/default.nix 
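Review bot: `openssh.authorizedKeys.keys = flake.self.publicKeys.robots;` widens hakkonaut's access: the old inline list in hosts/nachtigall/configuration.nix held only the `hakkonaut@flora-6` key, whereas `robots` (public-keys/robots.nix) also contains `root@droppie`, described there as a backup key, so droppie's root can now log in as the CI user on every host that imports `core`. Authorize only the key meant for this account — for example also expose the robot keys as an attrset from public-keys/default.nix and reference the single `hakkonaut@flora-6` entry here, keeping the flat `robots` list for places that really mean "all robots". The nachtigall-bound items — `age.secrets."nachtigall-root-ssh-key"` (presumably encrypted only to nachtigall's host key) and `users.users.root.initialHashedPassword` — now live in a module that `core` in modules/default.nix hands to every host, so a second host would fail to decrypt that secret and would share nachtigall's root password; they belong back under hosts/nachtigall. Separately, `owner = root;` is an unquoted identifier that is undefined unless `root` is bound somewhere I cannot see; it should read `owner = "root";`, and the unused `pkgs` argument can be dropped.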
@@ -2,7 +2,8 @@
 {
 flake = {
 publicKeys = {
- allAdmins = lib.attrsets.attrValues (import ./admins.nix);
+ admins = lib.attrsets.attrValues (import ./admins.nix);
+ robots = lib.attrsets.attrValues (import ./robots.nix);
 };
 };
 }
diff --git a/public-keys/robots.nix b/public-keys/robots.nix
new file mode 100644
index 0000000..83b6cb8
--- /dev/null
+++ b/public-keys/robots.nix
@@ -0,0 +1,7 @@
+{
+ # Used for restic backups to droppie, a server run by @b12f
+ "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
+
+ # robot user on flora-6
+ "hakkonaut@flora-6" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6";
+}
diff --git a/secrets/restic-password-droppie.age b/secrets/restic-password-droppie.age
new file mode 100644
index 0000000..3fdc90b
--- /dev/null
+++ b/secrets/restic-password-droppie.age
@@ -0,0 +1,29 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg tSrbeVPpTxjeuCg6JiOdeIcaGWq/PUOyXrt+ZNIWmzI +fz4B2nMu36G1DYPyNiu30Txx4cOLGyUreuBLqktORhY +-> ssh-ed25519 uYcDNw zySKp8qUnCKOCbIP17bWYvJ/TsKxLl/v/AEsfVQpHTc +SYqaUEXJ7mSA2wY6I3i/hirEiqvXVnWH1NYtXbaMzbw +-> ssh-rsa kFDS0A +MiyJjq7nn9B+PF9Lf6vD496FZUnUy5zI9H2kunJLhmYnr+7ZJaPGI+MW0cuPjsmM +1XhmUC72zA9WTiuReGijl9GhIyU0D6vPx+ezQrx18dUGRJEqnvk5C75SCUuPGtUi +DamPxJc781mnDSyW91MgRrqlBVwhfJ9Zmws3+/j8LODWb0T9Jvy0ywmFX4ilapr9 +6dqbNmwBZkfh2CKB9LtMG/DuSNicgHscpt4Mt7EogJRdgBrGIcA1u8BXUOwf+R8G +Ya8VzoQV0iVhGtbff3g/6/0+UX9KEZBQc/aiT2ItrgUmgMyjAZo13Dj3pD2wPdfa +t346symp7bcYxRea/U0hfmPdnixIKgBLTUZkzrMFza26QOvnSwiMxWY+//Vmbp3z +0YCsyOQTQJVB+Q0pYE0+9EVI9bInP0LxHhM7mIdJroscRtY1YphjZUlFmcUXk0iC +5g3/wdLr8KdT4aZ93m4WVgkBUzg8chhfMHb9uFvpHT9xeZHrV3u30TuJpmmuqMXK +JD3+9xRzNVHwvfZuhD8B3vkK2tYO7pTxJytkJtdolx/uSju8SCm9F4lwt5y8rQd4 +7676QS0IWS1WItcpLrsgk9nWZUNzy78gBc39jtJUOsFDqJSdAWACq/jgYpnx6Bja +5aZonRAp3fyCEavUpS4AQUJZGVx9EFp9LqXeUiIkCJU +-> ssh-ed25519 YFSOsg vJ7xw4zDSKBFuv8FT6ZnB83uGwHDnDsEwsvQ6urZkEk +gOkuwjOX8U/qmPuGrPPb+FYy6PuJjrgCNFYrukkaIPA +-> ssh-ed25519 iHV63A FzZRHQB39iDTLm4y1QLWtfDi3jZn6i59nuSlf0d5mww +5kiyKN7KFTv8pJgRAZTUMgR2+TInByFotDhAw307P6g +-> ssh-ed25519 BVsyTA rTjBaEI6AwwmpK9Q8elVJaSN60deXOMEmZPrsH9O1nY +HikNbHzx3BEJ3hn4YPFr2p/cnSu3qr9cvgdKCxN6xY8 +-> h|2u%UF\-grease Gcp2NG +y6OjgzrOYEVgrY2+fv8a1xrVuoHQIPncGuGeLI0zHh4xf1qbzD2vKYp+W1fRBE8d +/yPEGUe/T/ZjO+F4oF266HUR23wancFeFoGpfJgWQVS2oc0Z4aMuNebf/+Kw087W + +--- GJBLNxBoH7vI1mkcCmfbm9UiG4xuwIOWS7IaJKuO6cc +C3=,{-T -]̷q= =~}1l߄f_[U_AG.dra`UyPt+̽!< \ No newline at end of file