diff --git a/flake.lock b/flake.lock
index 4e02f07a..8fe19319 100644
--- a/flake.lock
+++ b/flake.lock
@@ -269,6 +269,21 @@
 "type": "github"
 }
 },
+ "flake-utils_4": {
+ "locked": {
+ "lastModified": 1653893745,
+ "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "home": {
 "inputs": {
 "nixpkgs": [
@@ -486,7 +501,32 @@
 "nixos-generators": "nixos-generators",
 "nixos-hardware": "nixos-hardware",
 "nur": "nur",
- "nvfetcher": "nvfetcher"
+ "nvfetcher": "nvfetcher",
+ "triton-vmtools": "triton-vmtools"
+ }
+ },
+ "triton-vmtools": {
+ "inputs": {
+ "flake-utils": "flake-utils_4",
+ "nixpkgs": [
+ "nixos"
+ ]
+ },
+ "locked": {
+ "dir": "vmtools",
+ "lastModified": 1664803886,
+ "narHash": "sha256-M2mk5H0PTSSQqdMqQWg/IGOARWwiPlaM8lSn3ObRPWU=",
+ "ref": "main",
+ "rev": "d79cc27c907062540594ea8998f17674ece1ca64",
+ "revCount": 23,
+ "type": "git",
+ "url": "https://git.b12f.io/pub-solar/infra?dir=vmtools"
+ },
+ "original": {
+ "dir": "vmtools",
+ "ref": "main",
+ "type": "git",
+ "url": "https://git.b12f.io/pub-solar/infra?dir=vmtools"
 }
 },
 "utils": {
diff --git a/flake.nix b/flake.nix
index 4ac60e8a..1ec91886 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,6 +38,9 @@
 nixos-hardware.url = "github:nixos/nixos-hardware";
 nixos-generators.url = "github:nix-community/nixos-generators";
+
+ triton-vmtools.url = "git+https://git.b12f.io/pub-solar/infra?ref=main&dir=vmtools";
+ triton-vmtools.inputs.nixpkgs.follows = "nixos";
 };
 outputs =
@@ -50,6 +53,7 @@
 , agenix
 , nvfetcher
 , deploy
+ , triton-vmtools
 , ...
 } @ inputs:
 digga.lib.mkFlake
@@ -140,6 +144,7 @@
 };
 users = {
 pub-solar = { suites, ... }: { imports = suites.base; };
+ barkeeper = { suites, ... }: { imports = suites.base; };
 };
 # digga.lib.importers.rakeLeaves ./users/hm;
 };
@@ -147,6 +152,11 @@
 homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
- deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
+ deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
+ flora6 = {
+ sshUser = "barkeeper";
+ hostname = "infra-1.pub.solar";
+ };
+ };
 };
 }
diff --git a/hosts/flora6/default.nix b/hosts/flora6/default.nix
new file mode 100644
index 00000000..96070967
--- /dev/null
+++ b/hosts/flora6/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./flora6.nix
+ ];
+}
diff --git a/hosts/flora6/flora6.nix b/hosts/flora6/flora6.nix
new file mode 100644
index 00000000..1c7c3113
--- /dev/null
+++ b/hosts/flora6/flora6.nix
@@ -0,0 +1,228 @@
+{ config, inputs, lib, pkgs, profiles, latestModulesPath, self, ... }:
+let
+ psCfg = config.pub-solar;
+in
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./triton-vmtools.nix
+
+ profiles.base-user
+ profiles.users.root # make sure to configure ssh keys
+ profiles.users.barkeeper
+
+ "${latestModulesPath}/services/web-apps/keycloak.nix"
+ ];
+ disabledModules = [ "services/web-apps/keycloak.nix" ];
+
+ config = {
+ # # #
+ # # # pub.solar options
+ # # #
+ pub-solar.core ={
+ disk-encryption-active = false;
+ iso-options.enable = true;
+ lite = true;
+ };
+
+ age.secrets.keycloak-database-password = {
+ file = "${self}/secrets/keycloak-database-password.age";
+ mode = "700";
+ #owner = "keycloak";
+ };
+ age.secrets.gitea-database-password = {
+ file = "${self}/secrets/gitea-database-password.age";
+ mode = "700";
+ owner = "gitea";
+ };
+ age.secrets.gitea-mailer-password = {
+ file = "${self}/secrets/gitea-mailer-password.age";
+ mode = "700";
+ owner = "gitea";
+ };
+
+ # # #
+ # # # Host packages and configuration
+ # # #
+
+ # caddy
+ services.caddy = {
+ enable = lib.mkForce true;
+ email = "admins@pub.solar";
+ globalConfig = lib.mkForce "";
+ virtualHosts = {
+ "auth.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :8080
+ '';
+ };
+ "git.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :3000
+ '';
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # keycloak
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-database-password.path;
+ settings = {
+ hostname = "auth.pub.solar";
+ http-host = "127.0.0.1";
+ http-port = 8080;
+ proxy = "edge";
+ };
+ };
+
+ # gitea
+ services.gitea = {
+ enable = true;
+ appName = "pub.solar git server";
+ database = {
+ type = "postgres";
+ passwordFile = config.age.secrets.gitea-database-password.path;
+ };
+ domain = "git.pub.solar";
+ httpAddress = "127.0.0.1";
+ httpPort = 3000;
+ lfs.enable = true;
+ mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
+ rootUrl = "https://git.pub.solar";
+ settings = {
+ mailer = {
+ ENABLED = true;
+ MAILER_TYPE = "smtp";
+ HOST = "mail.greenbaum.cloud:465";
+ FROM = ''"pub.solar git server" '';
+ USER = "admins@pub.solar";
+ };
+ "repository.signing" = {
+ SIGNING_KEY = "default";
+ MERGES = "always";
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
+ # uncomment after initial deployment, first user is admin user
+ # required to setup SSO (oauth openid-connect, keycloak auth provider)
+ service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ session.COOKIE_SECURE = lib.mkForce true;
+ };
+ };
+ # Required for gitea server side gpg signatures
+ # configured / setup manually in
+ # /var/lib/gitea/data/home/.gitconfig and
+ # /var/lib/gitea/data/home/.gnupg/
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryFlavor = "curses";
+ };
+ # Required to make gpg work without a graphical environment?
+ # otherwise generating a new gpg key fails with this error:
+ # gpg: agent_genkey failed: No pinentry
+ # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
+ environment.variables = {
+ GPG_TTY = "$(tty)";
+ };
+
+ # netbird
+
+ # Allow sudo without a password for the barkeeper user
+ security.sudo.extraRules = [
+ {
+ users = [ "${psCfg.user.name}" ];
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ # # #
+ # # # Triton host specific options
+ # # # DO NOT ALTER below this line, changes might render system unbootable
+ # # #
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Force getting the hostname from cloud-init
+ networking.hostName = lib.mkDefault "";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ # Select internationalisation properties.
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "us";
+ };
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ git
+ vim
+ wget
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+ services.cloud-init.enable = true;
+ services.cloud-init.ext4.enable = true;
+ services.cloud-init.network.enable = true;
+ # use the default NixOS cloud-init config, but add some SmartOS customization to it
+ environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
+ datasource_list: [ SmartOS ]
+
+ # Do not create the centos/ubuntu/debian user
+ users: [ ]
+
+ # mount second disk with label ephemeral0, gets formated by cloud-init
+ # this will fail to get added to /etc/fstab as it's read-only, but should
+ # mount at boot anyway
+ mounts:
+ - [ vdb, /data, auto, "defaults,nofail" ]
+ '';
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ };
+
+ # We manage the firewall with nix, too
+ # altough triton can also manage firewall rules via the triton fwrule subcommand
+ networking.firewall.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.05"; # Did you read the comment?
+ };
+}
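Review bot: All three `age.secrets.*` entries in flora6.nix use `mode = "700"`, which also sets the execute bit on decrypted password files that are only ever read; `mode = "400"` is the least-privilege form. For `keycloak-database-password` the `#owner = "keycloak";` line is commented out and the file stays root-owned — presumably deliberate because the keycloak module loads the password as root before the service drops privileges, but that reason should be written down, e.g. `# no owner: the keycloak module reads this file as root`, rather than left as a dead commented-out line. `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` is already active although the comment directly above it says to uncomment it only after the first (admin) user exists, so either the comment or the setting is stale and a fresh deployment may not be able to create its admin account. The `NOPASSWD` sudo rule comment would also be clearer if it named why the rule is needed, presumably because the flake's deploy node logs in as `barkeeper`.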
diff --git a/hosts/flora6/hardware-configuration.nix b/hosts/flora6/hardware-configuration.nix
new file mode 100644
index 00000000..7dbf9542
--- /dev/null
+++ b/hosts/flora6/hardware-configuration.nix
@@ -0,0 +1,39 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/nixos";
+ autoResize = true;
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ };
+
+ fileSystems."/data" =
+ { device = "/dev/disk/by-label/ephemeral0";
+ fsType = "ext4";
+ options = [
+ "defaults"
+ "nofail"
+ ];
+ };
+
+ swapDevices = [ ];
+
+ networking.useDHCP = lib.mkDefault false;
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/flora6/triton-vmtools.nix b/hosts/flora6/triton-vmtools.nix
new file mode 100644
index 00000000..bbceeaab
--- /dev/null
+++ b/hosts/flora6/triton-vmtools.nix
@@ -0,0 +1,6 @@
+{ pkgs, inputs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ inputs.triton-vmtools.packages.${pkgs.system}.default
+ ];
+}
diff --git a/overlays/overrides.nix b/overlays/overrides.nix
index 4159bf32..ef856291 100644
--- a/overlays/overrides.nix
+++ b/overlays/overrides.nix
@@ -19,6 +19,8 @@ channels: final: prev: {
 tdesktop
 arduino
 arduino-cli
+ keycloak
+ gitea
 ;
diff --git a/secrets/gitea-database-password.age b/secrets/gitea-database-password.age
new file mode 100644
index 00000000..80501209
Binary files /dev/null and b/secrets/gitea-database-password.age differ
diff --git a/secrets/gitea-mailer-password.age b/secrets/gitea-mailer-password.age
new file mode 100644
index 00000000..31402acd
--- /dev/null
+++ b/secrets/gitea-mailer-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 Y0ZZaw YmqgCC6jO8dbKdRtOcwMJmFVH5fXvb5aRQbNwhEMCR4
+ZbvRe+jdAmZzsJ719ClYjKOPb2fdM48Q/U+pDb9X69Y
+-> ssh-ed25519 BVsyTA YATHo0THjUnU4xBE/UpW1lvuXlL8x2d8i9K98OGCaxU
+01u0QrGjXiPwTy8eMf0X0o6uv+0DJD7EWejzekLjVbI
+-> e@>+!e-grease ]2Kg}7m u2DZ:
+3GCB1HAwQBuQ81UJGa9XwnNx7+Fqz+939SZ93yTT7c5ri5qXiGvSJ/ILgrAVerkI
+7QzVT5vUiucVCbrVp72ZHAWdOwlVXNQtvFdY
+--- MkgkToekZHF+bxtIJA8vnbyAj1E6VSrqbnJ1rWUFc/E
+.,Kgܾc‘~.LkE525t1u
\ No newline at end of file
diff --git a/secrets/keycloak-database-password.age b/secrets/keycloak-database-password.age
new file mode 100644
index 00000000..3fb2c130
Binary files /dev/null and b/secrets/keycloak-database-password.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bac30e03..ba00b0ac 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,9 +1,12 @@
 let
 # set ssh public keys here for your system and user
- system = "";
- user = "";
- allKeys = [ system user ];
+ teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+ flora6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1";
+ allKeys = [ flora6 teutat3s ];
+ deployKeys = [ flora6 teutat3s ];
 in
 {
- "secret.age".publicKeys = allKeys;
+ "gitea-database-password.age".publicKeys = deployKeys;
+ "gitea-mailer-password.age".publicKeys = deployKeys;
+ "keycloak-database-password.age".publicKeys = deployKeys;
 }
diff --git a/users/barkeeper/default.nix b/users/barkeeper/default.nix
new file mode 100644
index 00000000..58e250e1
--- /dev/null
+++ b/users/barkeeper/default.nix
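Review bot: `allKeys` in secrets.nix is no longer referenced anywhere in the file — every secret now uses `deployKeys`, which holds the same two members — so it is dead code that will silently drift from `deployKeys` the next time a key is added. Either drop `allKeys` or state the intended distinction in a comment, e.g. `# deployKeys: recipients allowed to decrypt secrets on the deploy target` above `deployKeys`. A short comment on `flora6` and `teutat3s` saying which one is the host key and which the admin key would also help, since the comment line above them still reads as template text.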
@@ -0,0 +1,35 @@
+{ config, hmUsers, pkgs, lib, ... }:
+let
+ psCfg = config.pub-solar;
+in
+{
+ config = {
+ home-manager.users = { inherit (hmUsers) barkeeper; };
+
+ pub-solar = {
+ # These are your personal settings
+ # The only required settings are `name` and `password`,
+ # The rest is used for programs like git
+ user = {
+ name = "barkeeper";
+ description = "pub.solar infra user";
+ password = "$6$pHMaL9DfxhvnLGy5$ka9bRU5p1lPTF0YHPZDM9Miq79iXuaXb6GLeALM1eX5djdsHYnpvVWjrmImWmcghGXsrDwpmXZPSJUU.gFpuA1";
+ fullName = "pub.solar infra barkeeper";
+ email = "crew@pub.solar";
+ gpgKeyId = "";
+ publicKeys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
+
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
+
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKa5elEXgBc2luVBOHVWZisJgt0epFQOercPi0tZzPU root@cloud.pub.solar"
+ ];
+ };
+ };
+ };
+}
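Review bot: The `password` line in users/barkeeper/default.nix commits a sha512-crypt hash to the repository, so anyone with read access to the repo (or its history, where it now lives permanently) can run an offline guessing attack against it. As far as this diff shows, the host that uses this user disables SSH password login and grants it passwordless sudo, so the hash only guards interactive console login; that makes it a candidate for an agenix secret (the repo already manages `age.secrets`) fed through a password-file option if the pub-solar user module supports one, or for removal if interactive login is not needed. At minimum a comment should record what this password is for and that it must be rotated if the repository's visibility ever changes.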