From 3b7c72f326609892372baed5fd4a765269138849 Mon Sep 17 00:00:00 2001 
From: Pim Kunis Date: Sat, 13 Apr 2024 15:43:01 +0200 Subject: [PATCH] cleanup --- README.md | 2 +- flake.nix | 3 +- nix/default.nix | 77 ++++++++++++------ nix/flake/deploy.nix | 4 +- nix/flake/nixos.nix | 4 +- nix/machines/atlas.nix | 9 -- .../certificates/atlas/host_ed25519.crt | 1 - .../certificates/atlas/user_ed25519.crt | 1 - .../certificates/jefke/host_ed25519.crt | 1 - .../certificates/jefke/user_ed25519.crt | 1 - .../certificates/lewis/host_ed25519.crt | 1 - .../certificates/lewis/user_ed25519.crt | 1 - nix/machines/default.nix | 32 -------- nix/machines/jefke.nix | 8 -- nix/machines/lewis.nix | 8 -- nix/machines/warwick.nix | 1 - nix/modules/default.nix | 1 - nix/modules/monitoring/default.nix | 17 ++-- nix/modules/monitoring/gatus-endpoints.nix | 14 ++-- nix/modules/networking/default.nix | 2 +- nix/modules/ssh-certificates.nix | 70 ---------------- nix/modules/storage.nix | 4 +- .../terraform-database/postgresql_server.crt | 67 --------------- nix/physical.nix | 55 ------------- nix/secrets/atlas_host_ed25519.age | Bin 1161 -> 0 bytes nix/secrets/atlas_user_ed25519.age | Bin 1161 -> 0 bytes nix/secrets/jefke_host_ed25519.age | Bin 1161 -> 0 bytes nix/secrets/jefke_user_ed25519.age | Bin 1161 -> 0 bytes nix/secrets/lewis_host_ed25519.age | Bin 1161 -> 0 bytes nix/secrets/lewis_user_ed25519.age | Bin 1161 -> 0 bytes nix/secrets/secrets.nix | 12 +-- 31 files changed, 77 insertions(+), 319 deletions(-) delete mode 100644 nix/machines/certificates/atlas/host_ed25519.crt delete mode 100644 nix/machines/certificates/atlas/user_ed25519.crt delete mode 100644 nix/machines/certificates/jefke/host_ed25519.crt delete mode 100644 nix/machines/certificates/jefke/user_ed25519.crt delete mode 100644 nix/machines/certificates/lewis/host_ed25519.crt delete mode 100644 nix/machines/certificates/lewis/user_ed25519.crt delete mode 100644 nix/modules/ssh-certificates.nix delete mode 100644 nix/modules/terraform-database/postgresql_server.crt delete mode 100644 
nix/physical.nix delete mode 100644 nix/secrets/atlas_host_ed25519.age delete mode 100644 nix/secrets/atlas_user_ed25519.age delete mode 100644 nix/secrets/jefke_host_ed25519.age delete mode 100644 nix/secrets/jefke_user_ed25519.age delete mode 100644 nix/secrets/lewis_host_ed25519.age delete mode 100644 nix/secrets/lewis_user_ed25519.age diff --git a/README.md b/README.md index 7985e4f..be0645d 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Nix definitions to configure our servers at home. ### Bootstrapping -We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). +We bootstrap our servers using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets. diff --git a/flake.nix b/flake.nix index b641f01..6c31cf0 100644 --- a/flake.nix +++ b/flake.nix @@ -40,9 +40,8 @@ hostSystem = "x86_64-linux"; hostPkgs = import nixpkgs { system = hostSystem; }; machines = (hostPkgs.lib.modules.evalModules { modules = [ (import ./nix/machines) ]; }).config.machines; - physicalMachines = hostPkgs.lib.filterAttrs (n: v: v.isPhysical) machines; in - flake-utils.lib.meld (inputs // { inherit hostPkgs machines physicalMachines; }) [ + flake-utils.lib.meld (inputs // { inherit hostPkgs machines; }) [ ./nix/flake/scripts ./nix/flake/checks.nix ./nix/flake/deploy.nix diff --git a/nix/default.nix b/nix/default.nix index 976d457..1b11de3 100644 --- a/nix/default.nix +++ b/nix/default.nix 
@@ -1,15 +1,16 @@ -{ pkgs, lib, machine, disko, agenix, ... }: { +{ pkgs, config, lib, machine, disko, agenix, nixos-hardware, ... }: { imports = [ ./modules ./globals.nix machine.nixosModule disko.nixosModules.disko agenix.nixosModules.default - ./physical.nix - ]; + ] ++ lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4; config = { time.timeZone = "Europe/Amsterdam"; + hardware.cpu.intel.updateMicrocode = lib.mkIf (! machine.isRaspberryPi) config.hardware.enableRedistributableFirmware; + age.identityPaths = [ "/etc/age_ed25519" ]; i18n = { defaultLocale = "en_US.UTF-8"; @@ -49,23 +50,10 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" ]; - programs = { - ssh = { - knownHosts = { - dmz = { - hostNames = [ "*.dmz" ]; - publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; - certAuthority = true; - }; - }; - }; - - neovim = { - enable = true; - vimAlias = true; - viAlias = true; - }; + programs.neovim = { + enable = true; + vimAlias = true; + viAlias = true; }; environment.systemPackages = with pkgs; [ 
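Review bot: Dropping the `programs.ssh.knownHosts.dmz` CA entry in the second hunk (together with the deleted nix/modules/ssh-certificates.nix and the per-machine `ssh.useCertificates` blocks) leaves host-to-host SSH toward `*.dmz` with no declarative host-key verification at all, so anything that relied on the CA — the backups module enabled on lewis, if it uses ssh, is the obvious candidate — now either fails non-interactively or falls back to first-use trust. If certificates are being retired, replace the entry with explicit per-machine entries, e.g. `programs.ssh.knownHosts.atlas = { hostNames = [ "atlas.dmz" ]; publicKey = "<atlas host key>"; };`, rather than removing verification outright. Removing the CA from known_hosts here also does not revoke the certificates themselves: the deleted host certificates appear to carry no expiry (the validity fields look like zero/all-ones), so any client that still trusts the old CA key, such as a laptop's known_hosts, would keep accepting them until that CA key is removed there as well. The `age.identityPaths` move and the flattened `programs.neovim` block in these hunks look fine.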
@@ -91,8 +79,51 @@ rsync ]; - nixpkgs.overlays = [ - (final: prev: { lib = prev.lib // (import ./net.nix prev); }) - ]; + nixpkgs = { + config.allowUnfree = true; + overlays = [ (final: prev: { lib = prev.lib // (import ./net.nix prev); }) ]; + }; + + boot = lib.mkIf (! machine.isRaspberryPi) { + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + + initrd = { + kernelModules = [ ]; + + availableKernelModules = [ + "ahci" + "xhci_pci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + }; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + nix = { + package = pkgs.nixFlakes; + + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; + + system = { + stateVersion = "23.05"; + + activationScripts.diff = '' + if [[ -e /run/current-system ]]; then + ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig" + fi + ''; + }; }; } diff --git a/nix/flake/deploy.nix b/nix/flake/deploy.nix index 0977958..17405df 100644 --- a/nix/flake/deploy.nix +++ b/nix/flake/deploy.nix @@ -1,9 +1,9 @@ -{ self, hostPkgs, physicalMachines, deploy-rs, ... }: +{ self, hostPkgs, machines, deploy-rs, ... }: let mkDeployNodes = nodeDef: builtins.mapAttrs (name: machine: nodeDef name machine) - physicalMachines; + machines; in { deploy = { diff --git a/nix/flake/nixos.nix b/nix/flake/nixos.nix index 16efe15..6e1fbec 100644 --- a/nix/flake/nixos.nix +++ b/nix/flake/nixos.nix @@ -1,11 +1,11 @@ -{ nixpkgs, nixpkgs-unstable, machines, physicalMachines, dns, agenix, nixos-hardware, kubenix, disko, ... }: +{ nixpkgs, nixpkgs-unstable, machines, dns, agenix, nixos-hardware, kubenix, disko, ... }: let mkNixosSystems = systemDef: builtins.mapAttrs (name: machine: nixpkgs.lib.nixosSystem (systemDef name machine) ) - physicalMachines; + machines; in { nixosConfigurations = mkNixosSystems (name: machine: { diff --git a/nix/machines/atlas.nix b/nix/machines/atlas.nix index 1d61c19..dfcfd1b 100644 
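Review bot: `lib.mkIf (! machine.isRaspberryPi)` is now the only switch selecting the whole `boot` block in the third nix/default.nix hunk — `kvm-intel`, systemd-boot with `efi.canTouchEfiVariables`, the NVMe/AHCI initrd modules — and the same negation also drives the Intel microcode line in the first hunk, nix/modules/networking/default.nix and both nix/modules/storage.nix hunks, so "not a Pi" has silently become "Intel EFI hypervisor with a separate data partition". That holds for the three x86_64 machines on this page today, but the next AMD box or VM added to `machines` would inherit this configuration with no evaluation-time error, since the `kind`/`isHypervisor` options that used to state the intent are removed in nix/machines/default.nix. Consider keeping one explicit per-machine flag for this role, or at least checking `machine.arch` as in `lib.mkIf (machine.arch == "x86_64-linux")` where the Intel-specific lines are, so the assumption is declared where the machine is defined rather than inferred from a negation. Since every node now deploys through nix/flake/deploy.nix's `machines`, the same applies to deploy-rs targets.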
--- a/nix/machines/atlas.nix +++ b/nix/machines/atlas.nix @@ -1,21 +1,12 @@ { machines.atlas = { - kind = "physical"; arch = "x86_64-linux"; - isHypervisor = true; nixosModule.lab = { storage = { osDisk = "/dev/sda"; dataPartition = "/dev/nvme0n1p1"; }; - - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./certificates/atlas/host_ed25519.crt; - userCert = builtins.readFile ./certificates/atlas/user_ed25519.crt; - }; }; }; - } diff --git a/nix/machines/certificates/atlas/host_ed25519.crt b/nix/machines/certificates/atlas/host_ed25519.crt deleted file mode 100644 index 44e70c7..0000000 --- a/nix/machines/certificates/atlas/host_ed25519.crt +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIH4CQGHwWytKnkn7lYjT6G1NyPzINvfroZgwCLoOLO74AAAAIOMoSSEqM4VUBWUeFweJbqK9z7Ygp7fkX22hyWmgCNg8AAAAAAAAAAAAAAACAAAACWF0bGFzLmh5cAAAAA0AAAAJYXRsYXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQAYModSEVNG06xvAcRn8XFeCp/iXFeqVcbtfT1NmmMkyIgybkXhJyHjp89BPg0zeAaoScFx8Xpsdd8CsxTeP+QU= root@atlas diff --git a/nix/machines/certificates/atlas/user_ed25519.crt b/nix/machines/certificates/atlas/user_ed25519.crt deleted file mode 100644 index 660f82a..0000000 --- a/nix/machines/certificates/atlas/user_ed25519.crt +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519-cert-v01@openssh.com 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 root@atlas diff --git a/nix/machines/certificates/jefke/host_ed25519.crt b/nix/machines/certificates/jefke/host_ed25519.crt deleted file mode 100644 index 5243924..0000000 --- a/nix/machines/certificates/jefke/host_ed25519.crt +++ /dev/null 
@@ -1 +0,0 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHzQMMRr2vNtTW3joxPzQYjFFu3iI/WyIRVD18YKY61CAAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9uAAAAAAAAAAAAAAACAAAACWplZmtlLmh5cAAAAA0AAAAJamVma2UuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQPNDgNAOmp5Gl//mjEHF2H5Yi8GIFfyiRm8nJ2UkGXzpNr3+bQvQhPigziuXO0+8910yY9QzXTfvc4mgAT1gpgU= root@jefke diff --git a/nix/machines/certificates/jefke/user_ed25519.crt b/nix/machines/certificates/jefke/user_ed25519.crt deleted file mode 100644 index 522a1de..0000000 --- a/nix/machines/certificates/jefke/user_ed25519.crt +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519-cert-v01@openssh.com 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 root@jefke diff --git a/nix/machines/certificates/lewis/host_ed25519.crt b/nix/machines/certificates/lewis/host_ed25519.crt deleted file mode 100644 index a430a63..0000000 --- a/nix/machines/certificates/lewis/host_ed25519.crt +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAP9Xu3G75HcVIVhrgiCKSM+YTkaCbTqI18NBdWikIlHAAAAIKfbZauF+7q3s7VxhvxdPT7XDapch0P3tD//U4/70D6cAAAAAAAAAAAAAAACAAAACWxld2lzLmh5cAAAAA0AAAAJbGV3aXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGHtz4FNkj0LuplU+12A/sx0bE4QeHLYhctXag9DSMGJz9yOpyMpK3PPKkm6leLdGYs7RUjxwXvcj+f4k16VXA0= root@atlas diff --git a/nix/machines/certificates/lewis/user_ed25519.crt b/nix/machines/certificates/lewis/user_ed25519.crt deleted file mode 100644 index 027e49d..0000000 --- a/nix/machines/certificates/lewis/user_ed25519.crt +++ /dev/null 
@@ -1 +0,0 @@ -ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGqYC+tRPZ24WMroezrFgxtm8YObweMCTpz/y+dbGrzKAAAAIEuhHYB6zdSsfvLm4zXfuUbUCkUgPRu6rdt1rninA7PwAAAAAAAAAAAAAAABAAAACWxld2lzLmh5cAAAABsAAAAJbGV3aXMuaHlwAAAACmh5cGVydmlzb3IAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgdmt4SFL+swd8kHsh6cQR+TfzMKObJx75fYBbHNT83zUAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGV0nCPl4HDo1Q24NnFcPc1/FPYxwkWg864eUp5hdbttL4f8h7YLtZw6k8hHIn50wVdHEJkUwYrXgR1dwYhfEwA= root@atlas diff --git a/nix/machines/default.nix b/nix/machines/default.nix index b01597a..484e80c 100644 --- a/nix/machines/default.nix +++ b/nix/machines/default.nix @@ -2,21 +2,6 @@ let machineOpts = { config, ... }: { options = { - kind = lib.mkOption { - type = lib.types.enum [ "physical" "virtual" ]; - description = '' - Whether this machine is physical or virtual. - ''; - }; - - hypervisorName = lib.mkOption { - default = null; - type = with lib.types; nullOr str; - description = '' - The host name of the hypervisor hosting this virtual machine. - ''; - }; - arch = lib.mkOption { default = null; type = with lib.types; nullOr str; @@ -30,23 +15,6 @@ let type = lib.types.bool; }; - isHypervisor = lib.mkOption { - default = false; - type = lib.types.bool; - }; - - # Derived value - isPhysical = lib.mkOption { - default = config.kind == "physical"; - type = lib.types.bool; - }; - - # Derived value - isVirtual = lib.mkOption { - default = config.kind == "virtual"; - type = lib.types.bool; - }; - nixosModule = lib.mkOption { default = { ... }: { }; type = lib.types.anything; diff --git a/nix/machines/jefke.nix b/nix/machines/jefke.nix index 81ba3ed..b5c194b 100644 --- a/nix/machines/jefke.nix +++ b/nix/machines/jefke.nix 
@@ -1,8 +1,6 @@ { machines.jefke = { - kind = "physical"; arch = "x86_64-linux"; - isHypervisor = true; nixosModule.lab = { storage = { @@ -10,12 +8,6 @@ dataPartition = "/dev/nvme0n1p1"; }; - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./certificates/jefke/host_ed25519.crt; - userCert = builtins.readFile ./certificates/jefke/user_ed25519.crt; - }; - k3s.enable = true; }; }; diff --git a/nix/machines/lewis.nix b/nix/machines/lewis.nix index d7fbfd5..9e1314c 100644 --- a/nix/machines/lewis.nix +++ b/nix/machines/lewis.nix @@ -1,8 +1,6 @@ { machines.lewis = { - kind = "physical"; arch = "x86_64-linux"; - isHypervisor = true; nixosModule.lab = { backups.enable = true; @@ -13,12 +11,6 @@ osDisk = "/dev/sda"; dataPartition = "/dev/nvme0n1p1"; }; - - ssh = { - useCertificates = true; - hostCert = builtins.readFile ./certificates/lewis/host_ed25519.crt; - userCert = builtins.readFile ./certificates/lewis/user_ed25519.crt; - }; }; }; } diff --git a/nix/machines/warwick.nix b/nix/machines/warwick.nix index 174a001..c0bebf0 100644 --- a/nix/machines/warwick.nix +++ b/nix/machines/warwick.nix @@ -1,6 +1,5 @@ { machines.warwick = { - kind = "physical"; arch = "aarch64-linux"; isRaspberryPi = true; diff --git a/nix/modules/default.nix b/nix/modules/default.nix index 4303f06..b35e378 100644 --- a/nix/modules/default.nix +++ b/nix/modules/default.nix @@ -1,7 +1,6 @@ { imports = [ ./storage.nix - ./ssh-certificates.nix ./backups.nix ./networking ./data-sharing.nix diff --git a/nix/modules/monitoring/default.nix b/nix/modules/monitoring/default.nix index 7fc634e..1e46165 100644 --- a/nix/modules/monitoring/default.nix +++ b/nix/modules/monitoring/default.nix 
@@ -38,17 +38,12 @@ in scrapeConfigs = lib.mkIf cfg.server.enable ( lib.attrsets.mapAttrsToList - (name: machine: - let - # TODO: should finally create my own lib... - domain = if machine.isPhysical then "hyp" else "dmz"; - in - { - job_name = name; - static_configs = [{ - targets = [ "${name}.${domain}:${toString config.services.prometheus.exporters.node.port}" ]; - }]; - }) + (name: machine: { + job_name = name; + static_configs = [{ + targets = [ "${name}.dmz:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + }) machines ); }; diff --git a/nix/modules/monitoring/gatus-endpoints.nix b/nix/modules/monitoring/gatus-endpoints.nix index 02ce74e..b5893cd 100644 --- a/nix/modules/monitoring/gatus-endpoints.nix +++ b/nix/modules/monitoring/gatus-endpoints.nix @@ -7,15 +7,11 @@ let maxResponseTime = ms: "[RESPONSE_TIME] < ${toString ms}"; machineEndpoints = lib.attrsets.mapAttrsToList - (name: machine: - let - domain = if machine.isPhysical then "hyp" else "dmz"; - in - { - name = "Host ${name}"; - url = "icmp://${name}.${domain}"; - conditions = [ "[RESPONSE_TIME] < 10" ]; - }) + (name: machine: { + name = "Host ${name}"; + url = "icmp://${name}.dmz"; + conditions = [ "[RESPONSE_TIME] < 10" ]; + }) machines; otherEndpoints = [ diff --git a/nix/modules/networking/default.nix b/nix/modules/networking/default.nix index ab07f12..bf8e0c8 100644 --- a/nix/modules/networking/default.nix +++ b/nix/modules/networking/default.nix @@ -60,7 +60,7 @@ in { enable = true; networks = lib.attrsets.mergeAttrsList [ - (lib.optionalAttrs machine.isHypervisor { + (lib.optionalAttrs (! machine.isRaspberryPi) { "30-main-nic" = { matchConfig.Name = "en*"; diff --git a/nix/modules/ssh-certificates.nix b/nix/modules/ssh-certificates.nix deleted file mode 100644 index a145f9d..0000000 --- a/nix/modules/ssh-certificates.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ lib, config, ... }: -let - cfg = config.lab.ssh; - hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert; - userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert; -in -{ - options.lab.ssh = { - useCertificates = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - Whether to use certificates at all. - ''; - }; - - hostCert = lib.mkOption { - type = lib.types.str; - description = '' - SSH host certificate - ''; - }; - - userCert = lib.mkOption { - type = lib.types.str; - description = '' - SSH user certificate - ''; - }; - - hostKey = lib.mkOption { - default = - ../secrets/${config.networking.hostName}_host_ed25519.age; - type = lib.types.path; - description = '' - SSH host key - ''; - }; - - userKey = lib.mkOption { - default = - ../secrets/${config.networking.hostName}_user_ed25519.age; - type = lib.types.path; - description = '' - SSH user key - ''; - }; - }; - - config = lib.mkIf cfg.useCertificates { - services.openssh = { - extraConfig = '' - HostCertificate ${hostCert} - HostKey ${config.age.secrets.host_ed25519.path} - ''; - }; - - programs.ssh = { - extraConfig = '' - CertificateFile ${userCert} - IdentityFile ${config.age.secrets.user_ed25519.path} - ''; - }; - - age.secrets = { - "host_ed25519".file = cfg.hostKey; - "user_ed25519".file = cfg.userKey; - }; - }; -} diff --git a/nix/modules/storage.nix b/nix/modules/storage.nix index 46018bf..0f12355 100644 --- a/nix/modules/storage.nix +++ b/nix/modules/storage.nix @@ -28,7 +28,7 @@ in { config = { fileSystems = lib.attrsets.mergeAttrsList [ - (lib.optionalAttrs machine.isHypervisor { + (lib.optionalAttrs (! machine.isRaspberryPi) { "${cfg.dataMountPoint}".device = cfg.dataPartition; }) (lib.optionalAttrs machine.isRaspberryPi { 
@@ -40,7 +40,7 @@ in { }) ]; - disko = lib.mkIf machine.isHypervisor { + disko = lib.mkIf (! machine.isRaspberryPi) { # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. devices.disk.vdb = { device = cfg.osDisk; diff --git a/nix/modules/terraform-database/postgresql_server.crt b/nix/modules/terraform-database/postgresql_server.crt deleted file mode 100644 index e6bb806..0000000 --- a/nix/modules/terraform-database/postgresql_server.crt +++ /dev/null 
@@ -1,67 +0,0 @@ -Certificate: - Data: - Version: 1 (0x0) - Serial Number: - ef:2f:4d:d4:26:7e:33:1b - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=jefke.hyp - Validity - Not Before: Nov 22 19:12:03 2023 GMT - Not After : Oct 29 19:12:03 2123 GMT - Subject: CN=jefke.hyp - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:c7:ab:eb:9c:d0:7f:4f:f1:ba:65:0a:8b:07:7b: - 2e:5b:f0:26:82:33:c9:73:e6:91:cc:11:94:05:1c: - 8d:67:29:cb:5e:67:35:02:80:54:af:99:4b:aa:ce: - e8:56:62:be:63:cb:b2:4a:b0:a9:28:12:e2:77:50: - 7d:d5:d2:3b:48:d8:32:59:25:26:ff:a6:5c:f6:eb: - ae:5b:3d:7a:14:10:ba:90:9c:6f:1f:b9:d8:99:0e: - b7:09:5e:62:69:c4:c0:c6:27:b0:d3:60:0d:47:4c: - a5:11:53:f2:f1:4a:f9:a6:bc:d6:a3:35:a2:e8:e5: - a9:d1:60:e8:e5:18:ce:d2:60:80:4e:dc:48:ae:7f: - b7:ea:76:51:28:39:a4:b0:95:82:95:93:98:b2:9f: - 23:c9:81:69:59:a3:e4:f7:5a:1c:01:31:96:c1:4b: - 59:21:f8:a2:e6:9e:21:78:0e:6b:c1:68:c7:5c:16: - 9a:06:54:df:b6:77:1d:2d:89:d0:c8:9e:db:b5:d4: - 8c:fb:b9:4f:b7:6e:39:5f:39:8e:48:73:76:7d:46: - 6e:1f:8d:14:cb:40:b5:ff:c6:f0:c0:44:3c:ed:52: - 3f:4f:7b:69:63:93:c6:41:e6:5e:ed:33:50:20:46: - db:93:bf:e8:52:51:95:f1:81:73:58:da:67:21:7b: - 12:bd - Exponent: 65537 (0x10001) - Signature Algorithm: sha256WithRSAEncryption - aa:5c:89:41:a6:b7:3d:65:87:ca:50:c4:f3:58:aa:d3:b4:55: - b1:a7:8d:18:26:17:e5:8a:21:24:a1:49:53:77:31:5b:55:63: - be:01:d8:fe:b7:06:7c:da:07:1f:94:6a:de:96:ad:ca:3b:20: - 2a:e1:35:90:19:83:6d:37:d1:15:12:de:3c:0e:46:be:66:a1: - 6a:1d:ec:72:dc:46:79:69:e4:af:77:c8:ff:cd:d6:7d:16:88: - ab:44:fd:70:fc:40:47:ff:43:95:11:5a:9a:56:0c:d2:dd:7c: - 3b:87:aa:10:26:fa:25:a3:a0:43:8a:1b:ec:54:11:7e:65:67: - d2:06:e1:3e:3b:e1:0e:b0:80:ef:4b:35:3f:fc:34:1d:95:2e: - ee:c1:67:38:da:b3:74:86:4b:95:8c:0c:1d:51:28:c1:42:e9: - 77:68:d7:ec:3b:66:30:c6:e5:2a:62:ea:15:fb:24:56:cf:02: - d0:25:54:a7:58:15:b5:2a:71:93:56:c0:69:7a:36:18:6c:31: - b1:8e:3c:77:d7:77:ac:fc:e1:94:c5:08:bb:35:ac:48:5f:6b: - 
8b:c8:c8:78:f4:a9:ca:4f:9d:51:54:89:97:c9:af:a1:fa:71: - df:58:f6:ff:04:7c:c8:1c:95:6b:1a:e3:a7:f6:43:1c:27:94: - 10:03:ce:ec ------BEGIN CERTIFICATE----- -MIICpjCCAY4CCQDvL03UJn4zGzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlq -ZWZrZS5oeXAwIBcNMjMxMTIyMTkxMjAzWhgPMjEyMzEwMjkxOTEyMDNaMBQxEjAQ -BgNVBAMMCWplZmtlLmh5cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AMer65zQf0/xumUKiwd7LlvwJoIzyXPmkcwRlAUcjWcpy15nNQKAVK+ZS6rO6FZi -vmPLskqwqSgS4ndQfdXSO0jYMlklJv+mXPbrrls9ehQQupCcbx+52JkOtwleYmnE -wMYnsNNgDUdMpRFT8vFK+aa81qM1oujlqdFg6OUYztJggE7cSK5/t+p2USg5pLCV -gpWTmLKfI8mBaVmj5PdaHAExlsFLWSH4ouaeIXgOa8Fox1wWmgZU37Z3HS2J0Mie -27XUjPu5T7duOV85jkhzdn1Gbh+NFMtAtf/G8MBEPO1SP097aWOTxkHmXu0zUCBG -25O/6FJRlfGBc1jaZyF7Er0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAqlyJQaa3 -PWWHylDE81iq07RVsaeNGCYX5YohJKFJU3cxW1VjvgHY/rcGfNoHH5Rq3patyjsg -KuE1kBmDbTfRFRLePA5Gvmahah3sctxGeWnkr3fI/83WfRaIq0T9cPxAR/9DlRFa -mlYM0t18O4eqECb6JaOgQ4ob7FQRfmVn0gbhPjvhDrCA70s1P/w0HZUu7sFnONqz -dIZLlYwMHVEowULpd2jX7DtmMMblKmLqFfskVs8C0CVUp1gVtSpxk1bAaXo2GGwx -sY48d9d3rPzhlMUIuzWsSF9ri8jIePSpyk+dUVSJl8mvofpx31j2/wR8yByVaxrj -p/ZDHCeUEAPO7A== ------END CERTIFICATE----- diff --git a/nix/physical.nix b/nix/physical.nix deleted file mode 100644 index 85a9b11..0000000 --- a/nix/physical.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ pkgs, config, lib, machine, nixos-hardware, ... }: { - imports = lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4; - - config = { - boot = lib.mkIf (machine.isHypervisor) { - kernelModules = [ "kvm-intel" ]; - extraModulePackages = [ ]; - - initrd = { - availableKernelModules = [ - "ahci" - "xhci_pci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - "sdhci_pci" - ]; - kernelModules = [ ]; - }; - - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - }; - - nixpkgs = { - config.allowUnfree = true; - # TODO: do we need this? - # hostPlatform = machine.arch; - }; - - hardware.cpu.intel.updateMicrocode = lib.mkIf (machine.isHypervisor) config.hardware.enableRedistributableFirmware; - - age.identityPaths = [ "/etc/age_ed25519" ]; - - nix = { - package = pkgs.nixFlakes; - extraOptions = '' - experimental-features = nix-command flakes - ''; - }; - - system = { - stateVersion = "23.05"; - - activationScripts.diff = '' - if [[ -e /run/current-system ]]; then - ${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig" - fi - ''; - }; - }; -} 
diff --git a/nix/secrets/atlas_host_ed25519.age b/nix/secrets/atlas_host_ed25519.age deleted file mode 100644 index e2681144550d155e721fae7f9f80890229ef08ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1161 zcmZ9_`-{^C007{Lpfd>S+;DO-<9RYhcBbhgNqx6X-$|1+ucqFZy|zjEO4BBNx?^)F zQ%`Uz2;11H2yzp=b2?GP8#-{4ZF+MK@j1D}`Plh5VS?@f`~ALu;7h65?yR1!whSv* z)|Z#7DqKf^?lqukYTen4-Q_~upwNhMaTa7?9l;3_3R^e{rB z0s5VyABqPmoIp{YRxRL(CK1hNnsnY$GI>{#4_3@3#!9?|196F$p}K|>P!V;Ty_{iG zV$DJ_VEL&WnW)4_NN0U=-Yyk{saxHf%)3;OG8`(5#`77(G@4_osSugt#Abu<6(wDW<3M+JH|Q~0mBm0=ISEbvmiXeymRUDXzqn7`4MF>8F?9L-@Y9h?KW)E# z`q{(+-rD%a#Q5w5%7JxP@8u-xb-8cp*(>hx$pg@m>ExmYCd^zjJQfLePF@_nc6|Hp zM|-}0GAO#fH-Wc~-cfoUR{T3a+1S?eaNESphPh<=^lOc<8#W zYPq6p=*x|Q1eRfo?QN@RW^AHhcRFFOHC_obG1@8;B<@38zI-X*^*hQbm1=EG=1eZ( zMz}&zH*@ujZEcwn*JHjgEke^Dl z=6D#8lUnsD779zAPSaj8i+Vgnt8oG`XKH1vBkPo`pel=4dmycKFu`iTDcSWvN<`ES zzejb#hAzirEIS-mNs6{`h6jIFWJSc>9f1xAqt*nwa; zryHDR1_MG6PemZg^5DZ)^T&P~d^C2=qD?-oetlzT_eU8EaD2RL;>Fq%0s6D$*@$C% z|B{;*uKu|9W-akEzk6=W$F7T)cb?kw`EQf^;bHyn>Aj8LZnf>{UgIyQmxo7Qi3WkY zT^q-I>sl5kcTDW2d%R!HUb((`^3cK8v5r$)SHF-QdgI{^gSo2WOyA_=^Q!aieOlGL(JT@F;R`Zs%0r+NQvw zEh`@18NK~iKU!pNDBJt`7HYqzr*0=WIkjPQ(Upe7jZIB=29_-Il_#%cS0<>NufgLR zU*6fh51ShF?pSWc)m_5)zVw?Hlodek;H_=w$gbAdJKpB=tIof)3cs|>e`Z3ZyXx1)tXM?TPIfc-{0`ZMSShR=DnMcZ|3$k z&gpsZUZMe=JkS^%&TT=7vzLyj59W~#3yq1E?C&rQ$z rMLcXBS+nTsy(2dAxnrA;-tupM{0#klFM9XrKMm8z7kJ+N^Z@oBlVidA 
diff --git a/nix/secrets/jefke_host_ed25519.age b/nix/secrets/jefke_host_ed25519.age deleted file mode 100644 index 562718dd9bece88d853f46b68daba95956e7293b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1161 zcmZ9_`)?Bk003aXL9}E-G!O?&D;9cb7PG#5=Fg0V#4ctD7AVI!B0CP^HPqfS}Y@Fl*IFFA0=8Hk4? zeq;0+WVDX?&qPy_Vr zEnq{UvaGd>RGi@|QjsOi1}9DMSUQuC8hMyi38yKIKpDJIgjsJkn$YCfD6a>6xguGT z5QAb-U6@(K)l4>?;6YHz~HoR9;d`?lKV6RQU&Wm(T4vroaAfc7FS!TML^v+-oadJhjX7{?enjvv-U2 z52r>N+Ru)ZA3wis+aX~u5OImHa?L4xcB92Upo6f7cMVf`vyDH zw<+JZoMZbtx|fCy;~OTMh7WH2G1NZQp+9}(ujImwE1uN1JmTglSA~&3XSSamz1UuV zU9;1D{QTpIt+$W$Tsyf}=uV@yUw5yWuCZU*e!lbmP5Hw`8`sNiU-gdM@tjUR{mv89 zN3PBt^shQut-E!=zHI$Rj})n^@@8$z?<*gUgCg@=&eitWduLAlabjwJ&$fo|jQXAW zXXX_*Ej&0ix@yk+`>kCALq89$E@Auig;k5@j%gP(RTmd?NdlPY*!jcQnW%AkdCTq< zwbt4z_M0OEyXsrieXSGE4eJlB<_^_0$4CGEhnw@_C*Q-H$6hit_jkW=D}Io;so=&~j230?aIDE;q_%lMKV zhktpU9)4v=nLbd{U)jvG^^f0t>cMNr_t#AKwxW5@_=RtW4!&)gnR{i;mgfHfupi28 
diff --git a/nix/secrets/jefke_user_ed25519.age b/nix/secrets/jefke_user_ed25519.age deleted file mode 100644 index 177a74ade228ea69f58c141cb581150dda516bd2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1161 zcmZY2>u(bU003}7gRv4~G-KJq*g=fAUAFexyK5_k(Ccg0$MxE+?OHXi*K6;tz4qF> z-lNUj*nB`h2p|z7iA)$zhjA>^gzy0d=!9sZL=d(aBN53K$ee?WJ$!tgzklGDU{Xz~ zd{QhIN}P~y7DPs`K)R+afF!X^DcXo2kQE54L~AGr2tqq#4VYn$FT%X$q&;}B9g~e* z)?I<@Y)q|yegV_x%XA3WrH!RbvaJM40S07bj73qz30hz(t9Q~)KA5raNID=V6*MeUfLYwKAr?}L9xPY(AvSgSmMBUpX#>KHp^}ufsAiE`LDma9bN>Hw z7!QC77pf?P+7e5I9K6AcIdw%@h?`M!+ANBiJ)hDlnPkqYT1_?qOqEGF>Y{TzQxQ>t z@-N?fHZrWLK!WsoJrRzfD3FLLglKgL2BB;dV=%3!;T9Oow?kTsFF-|9of*SYf;s9) zwUpX4xu~cl6wSwTS*NRw(9#5x^;+!-J?EPkpadksMq zRG=_bHn#c9C{!@SQejaa&e=6pr+{`B-$t=|!DJKNw3_FH2}o4nV$;h*2v|M2&hm+(3DiN~uhT&b!hdKUysGsJwsEcN4gqFi4$9KQmRgYhLde4kt%G9w7<9N+yj~+G>si%r-KdtQ>Xjp4qJU_ZK%Uv?%Gn&#N3&E7)PLvlnyVudo3_b4_r6X~L>rq|E>!zYb>2N|?%02Q z-|UgwTY(h=uaFIghQ7ME%QWs7y11(9O??~JQ}&X&#A(N?9d$4KZTLlPMBlpBwfXpJSM2RSx7R&rsDcj&%E8ud z*N#VvJwG1VwDjFrXXp5&W&Y=dhqbp>_sfCb+MOMR_UU2dH4+UOfL`F8fm2KF`ReCN z;buG#?B9I;uWv6*p6NTmk2N^Pos+YJp0ic8cQaR@+jGXt5&U|6&91{GX5y1?h!=aO sci)UwmU{LcT(R+|*^TF3|6nHSf3SY)CD+ut&povZYeFZbj^>;H0uK|vzW@LL 
diff --git a/nix/secrets/lewis_host_ed25519.age b/nix/secrets/lewis_host_ed25519.age deleted file mode 100644 index 437d298727e36e192e7a53472eae1c2b97eff442..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1161 zcmZ9{>u(bU003|wfTTR!RDudhg@gdJ^mUIO%Nsuo+lzQ8p1Kh-Qv4A|jGa=N4swKxQQJd4It#KUNeBg2FXd za)ne@S)XkdjU}_ruvxFFl0o1tAZSMPA~V$Rpc+&BCKK%OX0m2!lF{bO9sTa zHGr9YS+tt17_CqQ6N*w!$cSMzN%1@pnys;URio_sro2ZDq#{+D1!=I9XjA}84lY_u z(onuk6%@&3p`qpw;)XDbU~Vka1e<1SB{ZG}MZG;nIlUZb7c`il3X)X9plDjn zWBy`5a5@-Egwc!|%m$nlSyx7Z9K|*(erJ;A*^)_C{PBo4i2`J$=mvv86D8+}1jk@m zdbUPWCQ7vHlPPzzXe;9?Zm)}&K^iGI0ut@w8{}dxhy+|93E)g3ZRK6GE|nC#MlMRI znA3r441`CGU=AkGCeDw084yd8F0`a|-T?xp`W5@Aeywx#z|%K7L}ooIWu9%Ib6ex8*+u#tn}Cyt{7(6z)FzW!r=K9Y^#d zCl~Lk-8j*{?S98m^_d&TSL{9&fAt0OQdix|*9_~nPQck^cUpjuv)@Qzh3det z^}92>r=LPbYCqY_jIUkr@wO%YpSQ0$c5Bg@>-(-5+P?|apFMQk^84cNt?J4DkPUx& z8x4lV}w>&`{Xe0xV#T9p^bMACzXU%W_%xr>c2HWr6 zyghvQ=_76ZEeFkXs`JJmdvnhIc|DU)29EXqz2V}@AFdLE{c{@*DCG6yOIoZG-S3{B vd=NRjLhfGiMR2XHkEtDbWJj&=ITP+W+xI-Vbnp8}=a$j>)&-sS_tpFlSme2U 
diff --git a/nix/secrets/lewis_user_ed25519.age b/nix/secrets/lewis_user_ed25519.age deleted file mode 100644 index 1af0f9caee1efd943cdb0f88d0ec74245422dc9c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1161 zcmZY6`)?Bk0Kjn&6f7|2G(KXK24j?za=o_K_Si%2)?TmI>-BnV*R^D2yY_m$w!3zB z*WR@QfrJPI;-Z@mHiIbR9UmApk>P_^!X5;H3`hVmCR0JD3mP$OWBT*_2fm*lzHK~b z1mpLq zfkD@;TN+LIuT=_h*~Kx}b-##PC!&n2J!*kjCN|!kPmtiwDG<4NsWcD^^$( zqG?a&f8PSMiRKYK*I41A5?*k7Rcka#DX~}{G*uF8$W%fKW>C{8f-rHEY!<@00`BzN znWCxew~}}`q)1L1o02&fnLq&+_OeKaIp@ndN)a`xGa8Nh0!c7V91Eo)teSKQm7r8e zhGK${$skzRC)iPeA`$`FP5WHBzOL4Vk%{W@(I;v$%QC^{Gne+AXnS(Up#jTlXBBwx zv91H5-nS?3*Bwa%*IxW$?YHio+%wRME7$H7zIiD=b+Bi0WdG>>p84~Bomir7y7T4q zM91#V_|WCv{oQ@bQ(JGTe~rBH)ro~$2kQrx9YmOiU0w6uwS4qhZSm`V!2S2y8uaY3 zs;!sL#s9F@>sx0QEm^skzdM%8yP^+m82_|ttq3V6Mss(@Upz2#jpF{5wn}@0{Zu0`aFZg8= zzqxC0dgtnw&pFQ!dmmZ9eO=2DP0h>yyncFvb^ZA*ub%wyhwt~^yEx~kzU5e4SVSFL zHGQEr);X2Q&pCRpUyiQmpL@KC-!sOC>sxO&fcX<~Te*r~)-b@Ht@ z=UN8#0?yxd6>Ew;W$eJ_kv&uD{E>mnwejxnHe++wFm==L#PFe&7X}~X)@U^|&@D3F z&)x2Pe0e{#;kMMf