From 859556d0e6b49417924f3edf7a37edabaf2c9ca0 Mon Sep 17 00:00:00 2001
From: foehammer127
Date: Mon, 3 Feb 2025 13:00:31 -0600
Subject: [PATCH] Lebesque Configuration.

---
 machines/lebesgue/.sops.yaml | 10 ++
 machines/lebesgue/config/configuration.nix | 33 +++++
 .../config/hardware-configuration.nix | 51 +++++++
 machines/lebesgue/config/secrets.nix | 10 ++
 machines/lebesgue/deploy | 5 +
 machines/lebesgue/flake.lock | 125 ++++++++++++++++++
 machines/lebesgue/flake.nix | 34 +++++
 machines/lebesgue/secrets/main.yaml | 33 +++++
 nixos/common/caddy.nix | 1 +
 nixos/common/nixos.nix | 1 +
 nixos/common/services/vaultwarden.nix | 23 ++--
 nixos/common/sudo.nix | 7 +
 nixos/common/users/admin.nix | 12 +-
 nixos/flake.nix | 4 +-
 nixos/lib/default.nix | 4 +-
 nixos/lib/keys.nix | 14 +-
 nixos/lib/nixos.nix | 44 +++---
 nixos/lib/utils.nix | 25 +++-
 18 files changed, 386 insertions(+), 50 deletions(-)
 create mode 100644 machines/lebesgue/.sops.yaml
 create mode 100644 machines/lebesgue/config/configuration.nix
 create mode 100644 machines/lebesgue/config/hardware-configuration.nix
 create mode 100644 machines/lebesgue/config/secrets.nix
 create mode 100755 machines/lebesgue/deploy
 create mode 100644 machines/lebesgue/flake.lock
 create mode 100644 machines/lebesgue/flake.nix
 create mode 100644 machines/lebesgue/secrets/main.yaml
 create mode 100644 nixos/common/sudo.nix

diff --git a/machines/lebesgue/.sops.yaml b/machines/lebesgue/.sops.yaml
new file mode 100644
index 0000000..9c631fa
--- /dev/null
+++ b/machines/lebesgue/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+  - &admin_foehammer A972C2063F4F2554
+  - &server age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - pgp:
+          - *admin_foehammer
+        age:
+          - *server
diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix
new file mode 100644
index 0000000..f973d1b
--- /dev/null
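Review bot: The PGP recipient under `keys` is the 16-hex long key ID `A972C2063F4F2554` rather than the full 40-hex fingerprint. sops resolves pgp recipients through gpg's keyring lookup, so any key matching that long ID is accepted; the fingerprint is what sops itself records in the encrypted file (`fp:` in secrets/main.yaml) and is the unambiguous identifier, so `- &admin_foehammer <40-hex fingerprint>` is the safer form. A one-line comment next to the age recipient naming which host key it corresponds to would also help whoever rotates it later; where that age key came from is not visible in this commit.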
+++ b/machines/lebesgue/config/configuration.nix
@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  foehammer = {
+    users.admin = {
+      enable = true;
+      hashedPasswordFile = config.sops.secrets.admin-password.path;
+    };
+  };
+
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets.tskey.path;
+    openFirewall = true;
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  networking.firewall.allowedTCPPorts = [22];
+  networking.firewall.trustedInterfaces = ["tailscale0"];
+
+  system.stateVersion = "24.11";
+}
diff --git a/machines/lebesgue/config/hardware-configuration.nix b/machines/lebesgue/config/hardware-configuration.nix
new file mode 100644
index 0000000..03724ba
--- /dev/null
+++ b/machines/lebesgue/config/hardware-configuration.nix
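Review bot: `networking.firewall.allowedTCPPorts = [22]` exposes SSH on every interface, although the host is reached over Tailscale (`tailscale0` is already in `trustedInterfaces` and `deploy` targets `admin@lebesgue`), and the common `sudo.nix` added in this same commit gives that admin user passwordless root. If nothing outside the tailnet needs SSH, drop the `allowedTCPPorts` line so port 22 is only reachable through the trusted interface. Since a password hash is now set for `admin` via `hashedPasswordFile`, also confirm SSH password login stays off, e.g. `services.openssh.settings.PasswordAuthentication = false;` — the OpenSSH configuration is not visible in this commit, so it may already be handled under `nixos/common`.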
@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  services.qemuGuest.enable = true;
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+  boot.supportedFilesystems = ["btrfs"];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["subvol=root" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = ["subvol=nix" "defaults" "noatime" "compress=zstd:3" "discard=async" "nodatacow"];
+  };
+
+  fileSystems."/persist" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = ["subvol=persist" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXBOOT";
+    fsType = "vfat";
+    options = ["fmask=0077" "dmask=0077"];
+  };
+
+  swapDevices = [];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix
new file mode 100644
index 0000000..d76be8b
--- /dev/null
+++ b/machines/lebesgue/config/secrets.nix
@@ -0,0 +1,10 @@
+{...}: {
+  sops = {
+    defaultSopsFile = ../secrets/main.yaml;
+
+    secrets = {
+      admin-password.neededForUsers = true;
+      tskey = {};
+    };
+  };
+}
diff --git a/machines/lebesgue/deploy b/machines/lebesgue/deploy
new file mode 100755
index 0000000..36101bd
--- /dev/null
+++ b/machines/lebesgue/deploy
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+nix flake lock --update-input common
+
+nixos-rebuild switch --flake .#default --target-host admin@lebesgue --use-remote-sudo --build-host localhost --verbose
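Review bot: All three btrfs subvolumes (`/`, `/nix`, `/persist`) are mounted with `nodatacow` alongside `compress=zstd`; per btrfs(5), `nodatacow` implies `nodatasum` and disables compression, so the `compress=` options have no effect and, more importantly, data blocks carry no checksums, meaning silent corruption of store paths or persisted state is never detected. Unless the flag was chosen for a specific workload (nothing in this config suggests one), remove `"nodatacow"` from the three `options` lists so checksumming and compression are actually in force. If it is intentional, a one-line comment such as `# nodatacow: disables data checksums and compression, chosen because ...` would spare the next reader the same question.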
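Review bot: `deploy` has no `set -euo pipefail`, so if `nix flake lock --update-input common` fails the script still runs `nixos-rebuild switch` against whatever lock is on disk, and `.#default` is resolved relative to the caller's working directory rather than the script's own location. Add `set -euo pipefail` and `cd "$(dirname "$0")"` directly after the shebang so a deploy always targets this machine's flake and stops at the first error. Note that `--update-input` is deprecated in recent Nix releases in favour of `nix flake update common`; which form is accepted depends on the Nix version on the build host, which is not visible here.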
diff --git a/machines/lebesgue/flake.lock b/machines/lebesgue/flake.lock new file mode 100644 index 0000000..c96f0de --- /dev/null +++ b/machines/lebesgue/flake.lock 
@@ -0,0 +1,125 @@ +{ + "nodes": { + "common": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1, + "narHash": "sha256-WEokvgGDzO4WVp5gHu9rZVPyNzMdLuX8dMV/Zhf9OwQ=", + "path": "../../nixos", + "type": "path" + }, + "original": { + "path": "../../nixos", + "type": "path" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1737672001, + "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1738435198, + "narHash": "sha256-5+Hmo4nbqw8FrW85FlNm4IIrRnZ7bn0cmXlScNsNRLo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f6687779bf4c396250831aa5a32cbfeb85bb07a3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1731763621, + "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", + "owner": 
"NixOS", + "repo": "nixpkgs", + "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "common": "common", + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1738291974, + "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/machines/lebesgue/flake.nix b/machines/lebesgue/flake.nix new file mode 100644 index 0000000..1586c78 --- /dev/null +++ b/machines/lebesgue/flake.nix @@ -0,0 +1,34 @@ +{ + inputs = { + common.url = "path:../../nixos"; + + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + + sops-nix = { + url = "github:Mic92/sops-nix"; + }; + }; + outputs = inputs @ {common, ...}: let + supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"]; + forAllSystems = inputs.nixpkgs.lib.genAttrs supportedSystems; + buildNixpkgs = system: + import inputs.nixpkgs { + inherit system; + overlays = []; + }; + in { + nixosConfigurations.default = let + config = common.lib.utils.findNixFiles ./config; + modules = [inputs.sops-nix.nixosModules.sops inputs.common.nixosModules.default]; + in + common.lib.mkSystem "lebesgue" "x86_64-linux" (config ++ modules); + + devShells = forAllSystems (system: let + pkgs = buildNixpkgs system; + in { + default = pkgs.mkShell { + buildInputs = with pkgs; [sops]; + }; + }); + }; +} diff --git a/machines/lebesgue/secrets/main.yaml b/machines/lebesgue/secrets/main.yaml new file mode 100644 index 0000000..d124e34 --- /dev/null +++ b/machines/lebesgue/secrets/main.yaml 
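Review bot: `sops-nix` is declared without `inputs.nixpkgs.follows = "nixpkgs"`, so the lockfile in this commit carries a third nixpkgs (`nixpkgs_3`, tracking `nixpkgs-unstable`) solely for sops-nix's own input — an extra, independently-moving tree in the supply chain and an extra fetch on every deploy. `sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; };` pins it to the same 24.11 tree the system is built from. The `common` input likewise has no `follows`, which is why `nixpkgs` and `nixpkgs_2` appear at two different revisions of `nixos-24.11`; whether that divergence is intended is not clear from this commit.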
@@ -0,0 +1,33 @@ +admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str] +tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc3BBZy82TWZHVENPclF3 + ZTQ3SGlSWUVmMEYyU29EZFR2QVJIcWFraXhrCjhqWTdzM2N0OHlYeWlpKzg4bks4 + NFV6S0hPeXF2bS95TGcwZUloajA0NDQKLS0tIHdXSjRIbVdEYzk5RCt1SkZ3aEpz + L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7 + 8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-02-03T20:29:36Z" + mac: ENC[AES256_GCM,data:mdK+B9R2THvjrKGlghcVVzCSSOnsJe9AqjMkj8H80l+Ij2SLPw/tS+/EgVwD6f87QGdV0o4U482CZc4GzbvrwdZgwYcjd2v2z7qUurDuga4SD/ex3czV43dmfzgePPnhVV60bVVfRebsuUdf48wwnZ8WA5aNtUxcFhoJ9zUaMjs=,iv:sMU3YgIVfynURvN6Jv8ixB7q4IuRYSGxvyRw4KhQwjg=,tag:4sRYLtAwkBBERdPS9qY/+w==,type:str] + pgp: + - created_at: "2025-02-03T18:58:54Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdAV8/dSUlY3Jr6yJhlenXAT92i+tJFSm+ONcz6XZfwO1Mw + KfRNkkoGMf8vE+Z4ErTnCwhF5Pl91/MKVrCQS6GRf6MHbkdsYdMjQspwr9nINrks + 0lwBdtwQh9b0knhD/oL6MHm6NCHgq9E+Si7DuRXvF0X0g4AWlg1sobGmzITTXThd + +Y4fQySm4PYCe4fMtrGeTVoL7glhovdxk/DwRKkujhmB57WsGiEPL+Suc/fXYQ== + =b0W0 + -----END PGP MESSAGE----- + fp: A972C2063F4F2554 + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/nixos/common/caddy.nix b/nixos/common/caddy.nix index 1e7130b..bbb0ccc 100644 --- a/nixos/common/caddy.nix +++ b/nixos/common/caddy.nix 
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  ...
 }: let
   inherit (lib) mkIf mkEnableOption;
   cfg = config.foehammer.caddy;
diff --git a/nixos/common/nixos.nix b/nixos/common/nixos.nix
index 6ee5147..4efd20e 100644
--- a/nixos/common/nixos.nix
+++ b/nixos/common/nixos.nix
@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  ...
 }: let
   inherit (lib) mkIf;
 in {
diff --git a/nixos/common/services/vaultwarden.nix b/nixos/common/services/vaultwarden.nix
index 6d4a092..b945ce2 100644
--- a/nixos/common/services/vaultwarden.nix
+++ b/nixos/common/services/vaultwarden.nix
@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  ...
 }: let
   inherit (lib) mkEnableOption mkIf mkOption;
 
@@ -32,21 +33,23 @@ in {
     };
   };
 
-  config.services.vaultwarden = mkIf cfg.enable {
-    enable = true;
+  config = mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
 
-    config = {
-      ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = cfg.port;
-      DOMAIN = cfg.domain;
-      ROCKET_LOG = "critical";
-      SIGNUPS_ALLOWED = cfg.signups;
+      config = {
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = cfg.port;
+        DOMAIN = cfg.domain;
+        ROCKET_LOG = "critical";
+        SIGNUPS_ALLOWED = cfg.signups;
+      };
+
+      environmentFile = cfg.envPath;
     };
 
     foehammer.backups.paths = [
       "/var/lib/bitwarden_rs"
     ];
-
-    environmentFile = cfg.envPath;
   };
 }
diff --git a/nixos/common/sudo.nix b/nixos/common/sudo.nix
new file mode 100644
index 0000000..fe3c1da
--- /dev/null
+++ b/nixos/common/sudo.nix
@@ -0,0 +1,7 @@
+{...}: {
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    wheelNeedsPassword = false;
+  };
+}
diff --git a/nixos/common/users/admin.nix b/nixos/common/users/admin.nix
index 93580a4..31a3094 100644
--- a/nixos/common/users/admin.nix
+++ b/nixos/common/users/admin.nix
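Review bot: `wheelNeedsPassword = false` grants every wheel member passwordless root, and because `nixos/flake.nix` in this commit now imports everything under `./common` into `nixosModules.default`, it applies to every host using the shared modules, not only lebesgue. Together with the key-only `admin` user from `users/admin.nix` (which this same commit gives a password hash, so a sudo prompt would actually work), a stolen SSH key is root with no further check. If the only consumer is `nixos-rebuild --use-remote-sudo` from `deploy`, prefer keeping `wheelNeedsPassword = true` and granting NOPASSWD through `security.sudo.extraRules` to the `admin` user alone; in any case record the reason, e.g. `# NOPASSWD: needed for non-interactive nixos-rebuild --use-remote-sudo from machines/*/deploy`. Whether other wheel users exist on these hosts is not visible here.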
@@ -4,10 +4,16 @@
   foelib,
   ...
 }: let
-  inherit (lib) mkIf mkEnableOption optionals;
+  inherit (lib) mkIf mkOption mkEnableOption optionals types;
   cfg = config.foehammer.users.admin;
 in {
-  options.foehammer.users.admin.enable = mkEnableOption "Enable a wheel admin user.";
+  options.foehammer.users.admin = {
+    enable = mkEnableOption "Enable a wheel admin user.";
+    hashedPasswordFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+    };
+  };
   config = mkIf cfg.enable {
     users.users.admin = {
       createHome = true;
@@ -19,6 +25,8 @@ in {
       uid = 9999;
 
       openssh.authorizedKeys.keys = foelib.getSSHKeys "foehammer";
+
+      hashedPasswordFile = cfg.hashedPasswordFile;
     };
 
     users.groups.admin.gid = config.users.users.admin.uid;
diff --git a/nixos/flake.nix b/nixos/flake.nix
index a8c6397..76a52e6 100644
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -30,11 +30,11 @@
       };
 
       flake = {
-        lib = import ./lib;
+        lib = import ./lib inputs.nixpkgs withSystem;
 
         overlays.default = final: prev: (import ./lib/packages.nix prev);
         nixosModules.default = {...}: {
-          imports = self.lib.utils.findNixFiles ./nixos;
+          imports = self.lib.utils.findNixFiles ./common;
         };
       };
     });
diff --git a/nixos/lib/default.nix b/nixos/lib/default.nix
index ec2504b..341df42 100644
--- a/nixos/lib/default.nix
+++ b/nixos/lib/default.nix
@@ -1,5 +1,5 @@
-{
+nixpkgs: withSystem: {
   utils = import ./utils.nix;
   getSSHKeys = (import ./keys.nix).getSSHKeys;
-  mkSystem = (import ./nixos.nix).mkSystem;
+  mkSystem = (import ./nixos.nix nixpkgs withSystem).mkSystem;
 }
diff --git a/nixos/lib/keys.nix b/nixos/lib/keys.nix
index 35df1f1..18c993a 100644
--- a/nixos/lib/keys.nix
+++ b/nixos/lib/keys.nix
@@ -1,4 +1,6 @@
-rec {
+let
+  utils = import ./utils.nix;
+in rec {
   getSSHKeys = name: (getKeySets ../keys)."${name}";
 
   getKeySets = dir: let
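Review bot: The new `hashedPasswordFile` option carries no `description`, and nothing records why its type is `nullOr str` rather than `path` — the distinction matters, because a `path`-typed value would be copied into the world-readable Nix store, while a plain string keeps the sops-managed file out of it. Suggest `description = "Path to a file holding the admin user's hashed password; kept out of the store (typically a sops secret).";` on the option and a one-line comment on the `type` line: `# str, not path: a path value would be copied into /nix/store`. The `config` block that consumes the option continues past the first hunk.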
@@ -10,19 +12,11 @@ rec {
       if type == "regular"
       then [
         {
-          name = getName name;
+          name = utils.getName name;
           value = builtins.attrValues (import path);
         }
       ]
       else [];
   in
     builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries)));
-
-  getName = filename: let
-    parts = builtins.split "\\." filename;
-    base = builtins.head (builtins.split "\\." filename);
-  in
-    if builtins.length parts == 1
-    then filename
-    else base;
 }
diff --git a/nixos/lib/nixos.nix b/nixos/lib/nixos.nix
index a361424..b919731 100644
--- a/nixos/lib/nixos.nix
+++ b/nixos/lib/nixos.nix
@@ -1,25 +1,25 @@
-let
-  foelib = import ./default.nix;
+nixpkgs: withSystem: let
+  foelib = import ./default.nix nixpkgs withSystem;
 in {
-  mkSystem = nixpkgs: pkgs: hostname: modules:
-    nixpkgs.lib.nixosSystem {
-      modules =
-        [
-          {
-            nix.registry = {
-              nixpkgs.flake = nixpkgs;
-              p.flake = nixpkgs;
-            };
-            nixpkgs.pkgs = pkgs;
+  mkSystem = hostname: host-platform: modules:
+    withSystem host-platform
+    ({pkgs, ...}:
+      nixpkgs.lib.nixosSystem {
+        modules =
+          [
+            {
+              nix.registry = {
+                nixpkgs.flake = nixpkgs;
+                p.flake = nixpkgs;
+              };
+              nixpkgs.pkgs = pkgs;
 
-            networking.hostname = hostname;
-          }
-        ]
-        ++ modules
-        ++ foelib.utils.findNixFiles ../nixos;
-
-      specialArgs = {
-        inherit hostname foelib;
-      };
-    };
+              networking.hostName = hostname;
+            }
+          ]
+          ++ modules;
+        specialArgs = {
+          inherit hostname foelib;
+        };
+      });
 }
diff --git a/nixos/lib/utils.nix b/nixos/lib/utils.nix
index 100701e..aa06bc0 100644
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -1,6 +1,6 @@
 rec {
   findNixFiles = dir: let
-    inherit (builtins) attrNames readDir pathExists concatMap hasSuffix;
+    inherit (builtins) attrNames readDir pathExists concatMap;
 
     # Helper function to build full paths
     fullPath = name: dir + "/${name}";
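Review bot: `mkSystem` no longer appends `foelib.utils.findNixFiles ../nixos` to `modules`, so the shared modules (admin user, sudo, services) are present only when the caller passes `common.nixosModules.default` itself, as `machines/lebesgue/flake.nix` does; a host flake that omits it evaluates without error but silently ships without the admin user or any of the shared service modules. Add a comment above `mkSystem`, e.g. `# Callers must pass common.nixosModules.default in modules; nothing under ./common is imported here.`, or re-append the common module set here so the invariant cannot be missed. Both hunks of this file are fully in view.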
@@ -16,11 +16,32 @@ rec {
         path = fullPath name;
         type = contents.${name};
       in
-        if type == "regular" && hasSuffix ".nix" name
+        if type == "regular" && hasSuffix "nix" name
         then [path]
         else if type == "directory" && pathExists path
         then findNixFiles path
         else [];
   in
     concatMap processItem names;
+
+  getName = filename: let
+    parts = builtins.split "\\." filename;
+    base = builtins.head (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else base;
+
+  getSuffix = filename: let
+    parts = builtins.split "\\." filename;
+    end = builtins.tail (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else builtins.elemAt end (builtins.length end - 1);
+
+  hasSuffix = suffix: filename:
+    if (getSuffix filename) == suffix
+    then true
+    else false;
 }
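Review bot: `getSuffix` returns the whole filename when it contains no dot, so `hasSuffix "nix" name` is true for a file literally named `nix` and `findNixFiles` would try to import it as a module; the `builtins.hasSuffix ".nix"` this replaces had no such edge case. Return `""` for a dot-less name (`then ""` in `getSuffix`) or keep the builtin. Style-wise, `hasSuffix` wraps a boolean in `if … then true else false` and both helpers split the filename twice; `hasSuffix = suffix: filename: getSuffix filename == suffix;` plus reusing `parts` (`base = builtins.head parts;`, `end = builtins.tail parts;`) say the same thing more directly. The enclosing `findNixFiles` starts above this hunk.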