home/nixos-servers
home/nixos-servers
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

cleanup

Browse source
This commit is contained in:
Pim Kunis 2024-04-13 15:43:01 +02:00
parent 145cf2e72f
commit 3b7c72f326
31 changed files with 77 additions and 319 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -20,7 +20,7 @@ Nix definitions to configure our servers at home.
### Bootstrapping ### Bootstrapping
We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). We bootstrap our servers using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
This reformats the hard disk of the server and installs a fresh NixOS. This reformats the hard disk of the server and installs a fresh NixOS.
Additionally, it deploys an age identity, which is later used for decrypting secrets. Additionally, it deploys an age identity, which is later used for decrypting secrets.

3
flake.nix
View file

@ -40,9 +40,8 @@
hostSystem = "x86_64-linux"; hostSystem = "x86_64-linux";
hostPkgs = import nixpkgs { system = hostSystem; }; hostPkgs = import nixpkgs { system = hostSystem; };
machines = (hostPkgs.lib.modules.evalModules { modules = [ (import ./nix/machines) ]; }).config.machines; machines = (hostPkgs.lib.modules.evalModules { modules = [ (import ./nix/machines) ]; }).config.machines;
physicalMachines = hostPkgs.lib.filterAttrs (n: v: v.isPhysical) machines;
in in
flake-utils.lib.meld (inputs // { inherit hostPkgs machines physicalMachines; }) [ flake-utils.lib.meld (inputs // { inherit hostPkgs machines; }) [
./nix/flake/scripts ./nix/flake/scripts
./nix/flake/checks.nix ./nix/flake/checks.nix
./nix/flake/deploy.nix ./nix/flake/deploy.nix

69
nix/default.nix
View file

@ -1,15 +1,16 @@
{ pkgs, lib, machine, disko, agenix, ... }: { { pkgs, config, lib, machine, disko, agenix, nixos-hardware, ... }: {
imports = [ imports = [
./modules ./modules
./globals.nix ./globals.nix
machine.nixosModule machine.nixosModule
disko.nixosModules.disko disko.nixosModules.disko
agenix.nixosModules.default agenix.nixosModules.default
./physical.nix ] ++ lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4;
];
config = { config = {
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
hardware.cpu.intel.updateMicrocode = lib.mkIf (! machine.isRaspberryPi) config.hardware.enableRedistributableFirmware;
age.identityPaths = [ "/etc/age_ed25519" ];
i18n = { i18n = {
defaultLocale = "en_US.UTF-8"; defaultLocale = "en_US.UTF-8";
@ -49,24 +50,11 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
]; ];
programs = { programs.neovim = {
ssh = {
knownHosts = {
dmz = {
hostNames = [ "*.dmz" ];
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x";
certAuthority = true;
};
};
};
neovim = {
enable = true; enable = true;
vimAlias = true; vimAlias = true;
viAlias = true; viAlias = true;
}; };
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
neofetch neofetch
@ -91,8 +79,51 @@
rsync rsync
]; ];
nixpkgs.overlays = [ nixpkgs = {
(final: prev: { lib = prev.lib // (import ./net.nix prev); }) config.allowUnfree = true;
overlays = [ (final: prev: { lib = prev.lib // (import ./net.nix prev); }) ];
};
boot = lib.mkIf (! machine.isRaspberryPi) {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
initrd = {
kernelModules = [ ];
availableKernelModules = [
"ahci"
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
]; ];
}; };
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
system = {
stateVersion = "23.05";
activationScripts.diff = ''
if [[ -e /run/current-system ]]; then
${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
fi
'';
};
};
} }

4
nix/flake/deploy.nix
View file

@ -1,9 +1,9 @@
{ self, hostPkgs, physicalMachines, deploy-rs, ... }: { self, hostPkgs, machines, deploy-rs, ... }:
let let
mkDeployNodes = nodeDef: mkDeployNodes = nodeDef:
builtins.mapAttrs builtins.mapAttrs
(name: machine: nodeDef name machine) (name: machine: nodeDef name machine)
physicalMachines; machines;
in in
{ {
deploy = { deploy = {

4
nix/flake/nixos.nix
View file

@ -1,11 +1,11 @@
{ nixpkgs, nixpkgs-unstable, machines, physicalMachines, dns, agenix, nixos-hardware, kubenix, disko, ... }: { nixpkgs, nixpkgs-unstable, machines, dns, agenix, nixos-hardware, kubenix, disko, ... }:
let let
mkNixosSystems = systemDef: mkNixosSystems = systemDef:
builtins.mapAttrs builtins.mapAttrs
(name: machine: (name: machine:
nixpkgs.lib.nixosSystem (systemDef name machine) nixpkgs.lib.nixosSystem (systemDef name machine)
) )
physicalMachines; machines;
in in
{ {
nixosConfigurations = mkNixosSystems (name: machine: { nixosConfigurations = mkNixosSystems (name: machine: {

9
nix/machines/atlas.nix
View file

@ -1,21 +1,12 @@
{ {
machines.atlas = { machines.atlas = {
kind = "physical";
arch = "x86_64-linux"; arch = "x86_64-linux";
isHypervisor = true;
nixosModule.lab = { nixosModule.lab = {
storage = { storage = {
osDisk = "/dev/sda"; osDisk = "/dev/sda";
dataPartition = "/dev/nvme0n1p1"; dataPartition = "/dev/nvme0n1p1";
}; };
ssh = {
useCertificates = true;
hostCert = builtins.readFile ./certificates/atlas/host_ed25519.crt;
userCert = builtins.readFile ./certificates/atlas/user_ed25519.crt;
}; };
}; };
};
} }

1
nix/machines/certificates/atlas/host_ed25519.crt
View file

@ -1 +0,0 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIH4CQGHwWytKnkn7lYjT6G1NyPzINvfroZgwCLoOLO74AAAAIOMoSSEqM4VUBWUeFweJbqK9z7Ygp7fkX22hyWmgCNg8AAAAAAAAAAAAAAACAAAACWF0bGFzLmh5cAAAAA0AAAAJYXRsYXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQAYModSEVNG06xvAcRn8XFeCp/iXFeqVcbtfT1NmmMkyIgybkXhJyHjp89BPg0zeAaoScFx8Xpsdd8CsxTeP+QU= root@atlas

1
nix/machines/certificates/atlas/user_ed25519.crt
View file

@ -1 +0,0 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIItpNkjaH8o51VKydwHYbbLxXMtf4euzojFKPxz+XqdwAAAAIG1vJNH1p8l8HlmYMT/vHGTjEnIul7ORQhutNnKiXlgqAAAAAAAAAAAAAAABAAAACWF0bGFzLmh5cAAAABsAAAAJYXRsYXMuaHlwAAAACmh5cGVydmlzb3IAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgdmt4SFL+swd8kHsh6cQR+TfzMKObJx75fYBbHNT83zUAAABTAAAAC3NzaC1lZDI1NTE5AAAAQIW4tC+FJA6bKFUfRVcHLWz1u3ZL/GRTWD2WCW4ApHq7no6ODeMwE10noNt/42mwYjFmjwR+cd9EuMyUErXmaw8= root@atlas

1
nix/machines/certificates/jefke/host_ed25519.crt
View file

@ -1 +0,0 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHzQMMRr2vNtTW3joxPzQYjFFu3iI/WyIRVD18YKY61CAAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9uAAAAAAAAAAAAAAACAAAACWplZmtlLmh5cAAAAA0AAAAJamVma2UuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQPNDgNAOmp5Gl//mjEHF2H5Yi8GIFfyiRm8nJ2UkGXzpNr3+bQvQhPigziuXO0+8910yY9QzXTfvc4mgAT1gpgU= root@jefke

1
nix/machines/certificates/jefke/user_ed25519.crt
View file

@ -1 +0,0 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIKdTRygvLfapNY6umK+TdoqWDIq4ZzXLZlUJ/lVvkuqtAAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69AAAAAAAAAAAAAAABAAAACWplZmtlLmh5cAAAABsAAAAJamVma2UuaHlwAAAACmh5cGVydmlzb3IAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgdmt4SFL+swd8kHsh6cQR+TfzMKObJx75fYBbHNT83zUAAABTAAAAC3NzaC1lZDI1NTE5AAAAQI36zBw4Epr1ijXBk7T5JENgisn4SbVTLkhYBWCquHcAv3nFFJOEZ1kdC/SfYaDwmXb/rNybpr3942wF0xD3/ws= root@jefke

1
nix/machines/certificates/lewis/host_ed25519.crt
View file

@ -1 +0,0 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAP9Xu3G75HcVIVhrgiCKSM+YTkaCbTqI18NBdWikIlHAAAAIKfbZauF+7q3s7VxhvxdPT7XDapch0P3tD//U4/70D6cAAAAAAAAAAAAAAACAAAACWxld2lzLmh5cAAAAA0AAAAJbGV3aXMuaHlwAAAAAAAAAAD//////////wAAAAAAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgXNGQfd38pUlCi6zBj8Myl6dZsMVU6cjdW63TFHR7W1sAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGHtz4FNkj0LuplU+12A/sx0bE4QeHLYhctXag9DSMGJz9yOpyMpK3PPKkm6leLdGYs7RUjxwXvcj+f4k16VXA0= root@atlas

1
nix/machines/certificates/lewis/user_ed25519.crt
View file

@ -1 +0,0 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGqYC+tRPZ24WMroezrFgxtm8YObweMCTpz/y+dbGrzKAAAAIEuhHYB6zdSsfvLm4zXfuUbUCkUgPRu6rdt1rninA7PwAAAAAAAAAAAAAAABAAAACWxld2lzLmh5cAAAABsAAAAJbGV3aXMuaHlwAAAACmh5cGVydmlzb3IAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgdmt4SFL+swd8kHsh6cQR+TfzMKObJx75fYBbHNT83zUAAABTAAAAC3NzaC1lZDI1NTE5AAAAQGV0nCPl4HDo1Q24NnFcPc1/FPYxwkWg864eUp5hdbttL4f8h7YLtZw6k8hHIn50wVdHEJkUwYrXgR1dwYhfEwA= root@atlas

32
nix/machines/default.nix
View file

@ -2,21 +2,6 @@
let let
machineOpts = { config, ... }: { machineOpts = { config, ... }: {
options = { options = {
kind = lib.mkOption {
type = lib.types.enum [ "physical" "virtual" ];
description = ''
Whether this machine is physical or virtual.
'';
};
hypervisorName = lib.mkOption {
default = null;
type = with lib.types; nullOr str;
description = ''
The host name of the hypervisor hosting this virtual machine.
'';
};
arch = lib.mkOption { arch = lib.mkOption {
default = null; default = null;
type = with lib.types; nullOr str; type = with lib.types; nullOr str;
@ -30,23 +15,6 @@ let
type = lib.types.bool; type = lib.types.bool;
}; };
isHypervisor = lib.mkOption {
default = false;
type = lib.types.bool;
};
# Derived value
isPhysical = lib.mkOption {
default = config.kind == "physical";
type = lib.types.bool;
};
# Derived value
isVirtual = lib.mkOption {
default = config.kind == "virtual";
type = lib.types.bool;
};
nixosModule = lib.mkOption { nixosModule = lib.mkOption {
default = { ... }: { }; default = { ... }: { };
type = lib.types.anything; type = lib.types.anything;

8
nix/machines/jefke.nix
View file

@ -1,8 +1,6 @@
{ {
machines.jefke = { machines.jefke = {
kind = "physical";
arch = "x86_64-linux"; arch = "x86_64-linux";
isHypervisor = true;
nixosModule.lab = { nixosModule.lab = {
storage = { storage = {
@ -10,12 +8,6 @@
dataPartition = "/dev/nvme0n1p1"; dataPartition = "/dev/nvme0n1p1";
}; };
ssh = {
useCertificates = true;
hostCert = builtins.readFile ./certificates/jefke/host_ed25519.crt;
userCert = builtins.readFile ./certificates/jefke/user_ed25519.crt;
};
k3s.enable = true; k3s.enable = true;
}; };
}; };

8
nix/machines/lewis.nix
View file

@ -1,8 +1,6 @@
{ {
machines.lewis = { machines.lewis = {
kind = "physical";
arch = "x86_64-linux"; arch = "x86_64-linux";
isHypervisor = true;
nixosModule.lab = { nixosModule.lab = {
backups.enable = true; backups.enable = true;
@ -13,12 +11,6 @@
osDisk = "/dev/sda"; osDisk = "/dev/sda";
dataPartition = "/dev/nvme0n1p1"; dataPartition = "/dev/nvme0n1p1";
}; };
ssh = {
useCertificates = true;
hostCert = builtins.readFile ./certificates/lewis/host_ed25519.crt;
userCert = builtins.readFile ./certificates/lewis/user_ed25519.crt;
};
}; };
}; };
} }

1
nix/machines/warwick.nix
View file

@ -1,6 +1,5 @@
{ {
machines.warwick = { machines.warwick = {
kind = "physical";
arch = "aarch64-linux"; arch = "aarch64-linux";
isRaspberryPi = true; isRaspberryPi = true;

1
nix/modules/default.nix
View file

@ -1,7 +1,6 @@
{ {
imports = [ imports = [
./storage.nix ./storage.nix
./ssh-certificates.nix
./backups.nix ./backups.nix
./networking ./networking
./data-sharing.nix ./data-sharing.nix

9
nix/modules/monitoring/default.nix
View file

@ -38,15 +38,10 @@ in
scrapeConfigs = lib.mkIf cfg.server.enable ( scrapeConfigs = lib.mkIf cfg.server.enable (
lib.attrsets.mapAttrsToList lib.attrsets.mapAttrsToList
(name: machine: (name: machine: {
let
# TODO: should finally create my own lib...
domain = if machine.isPhysical then "hyp" else "dmz";
in
{
job_name = name; job_name = name;
static_configs = [{ static_configs = [{
targets = [ "${name}.${domain}:${toString config.services.prometheus.exporters.node.port}" ]; targets = [ "${name}.dmz:${toString config.services.prometheus.exporters.node.port}" ];
}]; }];
}) })
machines machines

8
nix/modules/monitoring/gatus-endpoints.nix
View file

@ -7,13 +7,9 @@ let
maxResponseTime = ms: "[RESPONSE_TIME] < ${toString ms}"; maxResponseTime = ms: "[RESPONSE_TIME] < ${toString ms}";
machineEndpoints = lib.attrsets.mapAttrsToList machineEndpoints = lib.attrsets.mapAttrsToList
(name: machine: (name: machine: {
let
domain = if machine.isPhysical then "hyp" else "dmz";
in
{
name = "Host ${name}"; name = "Host ${name}";
url = "icmp://${name}.${domain}"; url = "icmp://${name}.dmz";
conditions = [ "[RESPONSE_TIME] < 10" ]; conditions = [ "[RESPONSE_TIME] < 10" ];
}) })
machines; machines;

2
nix/modules/networking/default.nix
View file

@ -60,7 +60,7 @@ in {
enable = true; enable = true;
networks = lib.attrsets.mergeAttrsList [ networks = lib.attrsets.mergeAttrsList [
(lib.optionalAttrs machine.isHypervisor { (lib.optionalAttrs (! machine.isRaspberryPi) {
"30-main-nic" = { "30-main-nic" = {
matchConfig.Name = "en*"; matchConfig.Name = "en*";

70
nix/modules/ssh-certificates.nix
View file

@ -1,70 +0,0 @@
{ lib, config, ... }:
let
cfg = config.lab.ssh;
hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert;
userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert;
in
{
options.lab.ssh = {
useCertificates = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to use certificates at all.
'';
};
hostCert = lib.mkOption {
type = lib.types.str;
description = ''
SSH host certificate
'';
};
userCert = lib.mkOption {
type = lib.types.str;
description = ''
SSH user certificate
'';
};
hostKey = lib.mkOption {
default =
../secrets/${config.networking.hostName}_host_ed25519.age;
type = lib.types.path;
description = ''
SSH host key
'';
};
userKey = lib.mkOption {
default =
../secrets/${config.networking.hostName}_user_ed25519.age;
type = lib.types.path;
description = ''
SSH user key
'';
};
};
config = lib.mkIf cfg.useCertificates {
services.openssh = {
extraConfig = ''
HostCertificate ${hostCert}
HostKey ${config.age.secrets.host_ed25519.path}
'';
};
programs.ssh = {
extraConfig = ''
CertificateFile ${userCert}
IdentityFile ${config.age.secrets.user_ed25519.path}
'';
};
age.secrets = {
"host_ed25519".file = cfg.hostKey;
"user_ed25519".file = cfg.userKey;
};
};
}

4
nix/modules/storage.nix
View file

@ -28,7 +28,7 @@ in {
config = { config = {
fileSystems = lib.attrsets.mergeAttrsList [ fileSystems = lib.attrsets.mergeAttrsList [
(lib.optionalAttrs machine.isHypervisor { (lib.optionalAttrs (! machine.isRaspberryPi) {
"${cfg.dataMountPoint}".device = cfg.dataPartition; "${cfg.dataMountPoint}".device = cfg.dataPartition;
}) })
(lib.optionalAttrs machine.isRaspberryPi { (lib.optionalAttrs machine.isRaspberryPi {
@ -40,7 +40,7 @@ in {
}) })
]; ];
disko = lib.mkIf machine.isHypervisor { disko = lib.mkIf (! machine.isRaspberryPi) {
# TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then. # TODO: Rename this to 'osDisk'. Unfortunately, we would need to run nixos-anywhere again then.
devices.disk.vdb = { devices.disk.vdb = {
device = cfg.osDisk; device = cfg.osDisk;

67
nix/modules/terraform-database/postgresql_server.crt
View file

@ -1,67 +0,0 @@
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
ef:2f:4d:d4:26:7e:33:1b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=jefke.hyp
Validity
Not Before: Nov 22 19:12:03 2023 GMT
Not After : Oct 29 19:12:03 2123 GMT
Subject: CN=jefke.hyp
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c7:ab:eb:9c:d0:7f:4f:f1:ba:65:0a:8b:07:7b:
2e:5b:f0:26:82:33:c9:73:e6:91:cc:11:94:05:1c:
8d:67:29:cb:5e:67:35:02:80:54:af:99:4b:aa:ce:
e8:56:62:be:63:cb:b2:4a:b0:a9:28:12:e2:77:50:
7d:d5:d2:3b:48:d8:32:59:25:26:ff:a6:5c:f6:eb:
ae:5b:3d:7a:14:10:ba:90:9c:6f:1f:b9:d8:99:0e:
b7:09:5e:62:69:c4:c0:c6:27:b0:d3:60:0d:47:4c:
a5:11:53:f2:f1:4a:f9:a6:bc:d6:a3:35:a2:e8:e5:
a9:d1:60:e8:e5:18:ce:d2:60:80:4e:dc:48:ae:7f:
b7:ea:76:51:28:39:a4:b0:95:82:95:93:98:b2:9f:
23:c9:81:69:59:a3:e4:f7:5a:1c:01:31:96:c1:4b:
59:21:f8:a2:e6:9e:21:78:0e:6b:c1:68:c7:5c:16:
9a:06:54:df:b6:77:1d:2d:89:d0:c8:9e:db:b5:d4:
8c:fb:b9:4f:b7:6e:39:5f:39:8e:48:73:76:7d:46:
6e:1f:8d:14:cb:40:b5:ff:c6:f0:c0:44:3c:ed:52:
3f:4f:7b:69:63:93:c6:41:e6:5e:ed:33:50:20:46:
db:93:bf:e8:52:51:95:f1:81:73:58:da:67:21:7b:
12:bd
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
aa:5c:89:41:a6:b7:3d:65:87:ca:50:c4:f3:58:aa:d3:b4:55:
b1:a7:8d:18:26:17:e5:8a:21:24:a1:49:53:77:31:5b:55:63:
be:01:d8:fe:b7:06:7c:da:07:1f:94:6a:de:96:ad:ca:3b:20:
2a:e1:35:90:19:83:6d:37:d1:15:12:de:3c:0e:46:be:66:a1:
6a:1d:ec:72:dc:46:79:69:e4:af:77:c8:ff:cd:d6:7d:16:88:
ab:44:fd:70:fc:40:47:ff:43:95:11:5a:9a:56:0c:d2:dd:7c:
3b:87:aa:10:26:fa:25:a3:a0:43:8a:1b:ec:54:11:7e:65:67:
d2:06:e1:3e:3b:e1:0e:b0:80:ef:4b:35:3f:fc:34:1d:95:2e:
ee:c1:67:38:da:b3:74:86:4b:95:8c:0c:1d:51:28:c1:42:e9:
77:68:d7:ec:3b:66:30:c6:e5:2a:62:ea:15:fb:24:56:cf:02:
d0:25:54:a7:58:15:b5:2a:71:93:56:c0:69:7a:36:18:6c:31:
b1:8e:3c:77:d7:77:ac:fc:e1:94:c5:08:bb:35:ac:48:5f:6b:
8b:c8:c8:78:f4:a9:ca:4f:9d:51:54:89:97:c9:af:a1:fa:71:
df:58:f6:ff:04:7c:c8:1c:95:6b:1a:e3:a7:f6:43:1c:27:94:
10:03:ce:ec
-----BEGIN CERTIFICATE-----
MIICpjCCAY4CCQDvL03UJn4zGzANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlq
ZWZrZS5oeXAwIBcNMjMxMTIyMTkxMjAzWhgPMjEyMzEwMjkxOTEyMDNaMBQxEjAQ
BgNVBAMMCWplZmtlLmh5cDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AMer65zQf0/xumUKiwd7LlvwJoIzyXPmkcwRlAUcjWcpy15nNQKAVK+ZS6rO6FZi
vmPLskqwqSgS4ndQfdXSO0jYMlklJv+mXPbrrls9ehQQupCcbx+52JkOtwleYmnE
wMYnsNNgDUdMpRFT8vFK+aa81qM1oujlqdFg6OUYztJggE7cSK5/t+p2USg5pLCV
gpWTmLKfI8mBaVmj5PdaHAExlsFLWSH4ouaeIXgOa8Fox1wWmgZU37Z3HS2J0Mie
27XUjPu5T7duOV85jkhzdn1Gbh+NFMtAtf/G8MBEPO1SP097aWOTxkHmXu0zUCBG
25O/6FJRlfGBc1jaZyF7Er0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAqlyJQaa3
PWWHylDE81iq07RVsaeNGCYX5YohJKFJU3cxW1VjvgHY/rcGfNoHH5Rq3patyjsg
KuE1kBmDbTfRFRLePA5Gvmahah3sctxGeWnkr3fI/83WfRaIq0T9cPxAR/9DlRFa
mlYM0t18O4eqECb6JaOgQ4ob7FQRfmVn0gbhPjvhDrCA70s1P/w0HZUu7sFnONqz
dIZLlYwMHVEowULpd2jX7DtmMMblKmLqFfskVs8C0CVUp1gVtSpxk1bAaXo2GGwx
sY48d9d3rPzhlMUIuzWsSF9ri8jIePSpyk+dUVSJl8mvofpx31j2/wR8yByVaxrj
p/ZDHCeUEAPO7A==
-----END CERTIFICATE-----

55
nix/physical.nix
View file

@ -1,55 +0,0 @@
{ pkgs, config, lib, machine, nixos-hardware, ... }: {
imports = lib.lists.optional (machine.isRaspberryPi) nixos-hardware.nixosModules.raspberry-pi-4;
config = {
boot = lib.mkIf (machine.isHypervisor) {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [
"ahci"
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ ];
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
nixpkgs = {
config.allowUnfree = true;
# TODO: do we need this?
# hostPlatform = machine.arch;
};
hardware.cpu.intel.updateMicrocode = lib.mkIf (machine.isHypervisor) config.hardware.enableRedistributableFirmware;
age.identityPaths = [ "/etc/age_ed25519" ];
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
system = {
stateVersion = "23.05";
activationScripts.diff = ''
if [[ -e /run/current-system ]]; then
${pkgs.nix}/bin/nix store diff-closures /run/current-system "$systemConfig"
fi
'';
};
};
}

BIN
nix/secrets/atlas_host_ed25519.age
View file

Binary file not shown.

BIN
nix/secrets/atlas_user_ed25519.age
View file

Binary file not shown.

BIN
nix/secrets/jefke_host_ed25519.age
View file

Binary file not shown.

BIN
nix/secrets/jefke_user_ed25519.age
View file

Binary file not shown.

BIN
nix/secrets/lewis_host_ed25519.age
View file

Binary file not shown.

BIN
nix/secrets/lewis_user_ed25519.age
View file

Binary file not shown.

12
nix/secrets/secrets.nix
View file

@ -8,21 +8,15 @@ let
]; ];
encryptedFileNames = [ encryptedFileNames = [
"jefke_host_ed25519.age"
"jefke_user_ed25519.age"
"atlas_host_ed25519.age"
"atlas_user_ed25519.age"
"lewis_host_ed25519.age"
"lewis_user_ed25519.age"
"database_passwords.env.age" "database_passwords.env.age"
"borg_passphrase.age" "borg_passphrase.age"
"ec2_borg_server.pem.age" "ec2_borg_server.pem.age"
]; ];
machinePublicKeys = [ machinePublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a root@jefke.hyp" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 root@atlas.hyp" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a root@lewis.hyp" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
]; ];
fetchPublicKeys = url: fetchPublicKeys = url: