Lebesque Configuration.

2025-02-03 13:00:31 -06:00 · 2025-02-03 13:00:31 -06:00 · 859556d0e6
commit 859556d0e6
parent b2595f1936
18 changed files with 386 additions and 50 deletions
--- a/machines/lebesgue/.sops.yaml
+++ b/machines/lebesgue/.sops.yaml
@ -0,0 +1,10 @@
+keys:
+  - &admin_foehammer A972C2063F4F2554
+  - &server age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *admin_foehammer
+      age:
+      - *server
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  foehammer = {
+    users.admin = {
+      enable = true;
+      hashedPasswordFile = config.sops.secrets.admin-password.path;
+    };
+  };
+
+  services.tailscale = {
+    enable = true;
+    authKeyFile = config.sops.secrets.tskey.path;
+    openFirewall = true;
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  networking.firewall.allowedTCPPorts = [22];
+  networking.firewall.trustedInterfaces = ["tailscale0"];
+
+  system.stateVersion = "24.11";
+}
--- a/machines/lebesgue/config/hardware-configuration.nix
+++ b/machines/lebesgue/config/hardware-configuration.nix
@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  services.qemuGuest.enable = true;
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+  boot.supportedFilesystems = ["btrfs"];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    options = ["subvol=root" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = ["subvol=nix" "defaults" "noatime" "compress=zstd:3" "discard=async" "nodatacow"];
+  };
+
+  fileSystems."/persist" = {
+    device = "/dev/disk/by-label/NIXROOT";
+    fsType = "btrfs";
+    neededForBoot = true;
+    options = ["subvol=persist" "defaults" "noatime" "compress=zstd:1" "discard=async" "nodatacow"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/NIXBOOT";
+    fsType = "vfat";
+    options = ["fmask=0077" "dmask=0077"];
+  };
+
+  swapDevices = [];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@ -0,0 +1,10 @@
+{...}: {
+  sops = {
+    defaultSopsFile = ../secrets/main.yaml;
+
+    secrets = {
+      admin-password.neededForUsers = true;
+      tskey = {};
+    };
+  };
+}
--- a/machines/lebesgue/deploy
+++ b/machines/lebesgue/deploy
@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+nix flake lock --update-input common
+
+nixos-rebuild switch --flake .#default --target-host admin@lebesgue --use-remote-sudo --build-host localhost --verbose
--- a/machines/lebesgue/flake.lock
+++ b/machines/lebesgue/flake.lock
@ -0,0 +1,125 @@
+{
+  "nodes": {
+    "common": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1,
+        "narHash": "sha256-WEokvgGDzO4WVp5gHu9rZVPyNzMdLuX8dMV/Zhf9OwQ=",
+        "path": "../../nixos",
+        "type": "path"
+      },
+      "original": {
+        "path": "../../nixos",
+        "type": "path"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1736143030,
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1737672001,
+        "narHash": "sha256-YnHJJ19wqmibLQdUeq9xzE6CjrMA568KN/lFPuSVs4I=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "035f8c0853c2977b24ffc4d0a42c74f00b182cd8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1735774519,
+        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1738435198,
+        "narHash": "sha256-5+Hmo4nbqw8FrW85FlNm4IIrRnZ7bn0cmXlScNsNRLo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f6687779bf4c396250831aa5a32cbfeb85bb07a3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1731763621,
+        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "common": "common",
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1738291974,
+        "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/machines/lebesgue/flake.nix
+++ b/machines/lebesgue/flake.nix
@ -0,0 +1,34 @@
+{
+  inputs = {
+    common.url = "path:../../nixos";
+
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+    };
+  };
+  outputs = inputs @ {common, ...}: let
+    supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
+    forAllSystems = inputs.nixpkgs.lib.genAttrs supportedSystems;
+    buildNixpkgs = system:
+      import inputs.nixpkgs {
+        inherit system;
+        overlays = [];
+      };
+  in {
+    nixosConfigurations.default = let
+      config = common.lib.utils.findNixFiles ./config;
+      modules = [inputs.sops-nix.nixosModules.sops inputs.common.nixosModules.default];
+    in
+      common.lib.mkSystem "lebesgue" "x86_64-linux" (config ++ modules);
+
+    devShells = forAllSystems (system: let
+      pkgs = buildNixpkgs system;
+    in {
+      default = pkgs.mkShell {
+        buildInputs = with pkgs; [sops];
+      };
+    });
+  };
+}
--- a/machines/lebesgue/secrets/main.yaml
+++ b/machines/lebesgue/secrets/main.yaml
@ -0,0 +1,33 @@
+admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str]
+tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kjy9wym6cmz6wqmewws4ledsne47c0e4sr0ksmm66rff3u2f6u3qxvnyg9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoc3BBZy82TWZHVENPclF3
+            ZTQ3SGlSWUVmMEYyU29EZFR2QVJIcWFraXhrCjhqWTdzM2N0OHlYeWlpKzg4bks4
+            NFV6S0hPeXF2bS95TGcwZUloajA0NDQKLS0tIHdXSjRIbVdEYzk5RCt1SkZ3aEpz
+            L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
+            8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-03T20:29:36Z"
+    mac: ENC[AES256_GCM,data:mdK+B9R2THvjrKGlghcVVzCSSOnsJe9AqjMkj8H80l+Ij2SLPw/tS+/EgVwD6f87QGdV0o4U482CZc4GzbvrwdZgwYcjd2v2z7qUurDuga4SD/ex3czV43dmfzgePPnhVV60bVVfRebsuUdf48wwnZ8WA5aNtUxcFhoJ9zUaMjs=,iv:sMU3YgIVfynURvN6Jv8ixB7q4IuRYSGxvyRw4KhQwjg=,tag:4sRYLtAwkBBERdPS9qY/+w==,type:str]
+    pgp:
+        - created_at: "2025-02-03T18:58:54Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DAAAAAAAAAAASAQdAV8/dSUlY3Jr6yJhlenXAT92i+tJFSm+ONcz6XZfwO1Mw
+            KfRNkkoGMf8vE+Z4ErTnCwhF5Pl91/MKVrCQS6GRf6MHbkdsYdMjQspwr9nINrks
+            0lwBdtwQh9b0knhD/oL6MHm6NCHgq9E+Si7DuRXvF0X0g4AWlg1sobGmzITTXThd
+            +Y4fQySm4PYCe4fMtrGeTVoL7glhovdxk/DwRKkujhmB57WsGiEPL+Suc/fXYQ==
+            =b0W0
+            -----END PGP MESSAGE-----
+          fp: A972C2063F4F2554
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/nixos/common/caddy.nix
+++ b/nixos/common/caddy.nix
@ -1,6 +1,7 @@
 {
  config,
  lib,
+  ...
 }: let
  inherit (lib) mkIf mkEnableOption;
  cfg = config.foehammer.caddy;
--- a/nixos/common/nixos.nix
+++ b/nixos/common/nixos.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  ...
 }: let
  inherit (lib) mkIf;
 in {
--- a/nixos/common/services/vaultwarden.nix
+++ b/nixos/common/services/vaultwarden.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  ...
 }: let
  inherit (lib) mkEnableOption mkIf mkOption;

@ -32,21 +33,23 @@ in {
    };
  };

-  config.services.vaultwarden = mkIf cfg.enable {
-    enable = true;
+  config = mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;

-    config = {
-      ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = cfg.port;
-      DOMAIN = cfg.domain;
-      ROCKET_LOG = "critical";
-      SIGNUPS_ALLOWED = cfg.signups;
+      config = {
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = cfg.port;
+        DOMAIN = cfg.domain;
+        ROCKET_LOG = "critical";
+        SIGNUPS_ALLOWED = cfg.signups;
+      };
+
+      environmentFile = cfg.envPath;
    };

    foehammer.backups.paths = [
      "/var/lib/bitwarden_rs"
    ];
-
-    environmentFile = cfg.envPath;
  };
 }
--- a/nixos/common/sudo.nix
+++ b/nixos/common/sudo.nix
@ -0,0 +1,7 @@
+{...}: {
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    wheelNeedsPassword = false;
+  };
+}
--- a/nixos/common/users/admin.nix
+++ b/nixos/common/users/admin.nix
@ -4,10 +4,16 @@
  foelib,
  ...
 }: let
-  inherit (lib) mkIf mkEnableOption optionals;
+  inherit (lib) mkIf mkOption mkEnableOption optionals types;
  cfg = config.foehammer.users.admin;
 in {
-  options.foehammer.users.admin.enable = mkEnableOption "Enable a wheel admin user.";
+  options.foehammer.users.admin = {
+    enable = mkEnableOption "Enable a wheel admin user.";
+    hashedPasswordFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+    };
+  };
  config = mkIf cfg.enable {
    users.users.admin = {
      createHome = true;
@ -19,6 +25,8 @@ in {
      uid = 9999;

      openssh.authorizedKeys.keys = foelib.getSSHKeys "foehammer";
+
+      hashedPasswordFile = cfg.hashedPasswordFile;
    };

    users.groups.admin.gid = config.users.users.admin.uid;
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@ -30,11 +30,11 @@
      };

      flake = {
-        lib = import ./lib;
+        lib = import ./lib inputs.nixpkgs withSystem;
        overlays.default = final: prev: (import ./lib/packages.nix prev);

        nixosModules.default = {...}: {
-          imports = self.lib.utils.findNixFiles ./nixos;
+          imports = self.lib.utils.findNixFiles ./common;
        };
      };
    });
--- a/nixos/lib/default.nix
+++ b/nixos/lib/default.nix
@ -1,5 +1,5 @@
-{
+nixpkgs: withSystem: {
  utils = import ./utils.nix;
  getSSHKeys = (import ./keys.nix).getSSHKeys;
-  mkSystem = (import ./nixos.nix).mkSystem;
+  mkSystem = (import ./nixos.nix nixpkgs withSystem).mkSystem;
 }
--- a/nixos/lib/keys.nix
+++ b/nixos/lib/keys.nix
@ -1,4 +1,6 @@
-rec {
+let
+  utils = import ./utils.nix;
+in rec {
  getSSHKeys = name: (getKeySets ../keys)."${name}";

  getKeySets = dir: let
@ -10,19 +12,11 @@ rec {
      if type == "regular"
      then [
        {
-          name = getName name;
+          name = utils.getName name;
          value = builtins.attrValues (import path);
        }
      ]
      else [];
  in
    builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries)));
-
-  getName = filename: let
-    parts = builtins.split "\\." filename;
-    base = builtins.head (builtins.split "\\." filename);
-  in
-    if builtins.length parts == 1
-    then filename
-    else base;
 }
--- a/nixos/lib/nixos.nix
+++ b/nixos/lib/nixos.nix
@ -1,25 +1,25 @@
-let
-  foelib = import ./default.nix;
+nixpkgs: withSystem: let
+  foelib = import ./default.nix nixpkgs withSystem;
 in {
-  mkSystem = nixpkgs: pkgs: hostname: modules:
-    nixpkgs.lib.nixosSystem {
-      modules =
-        [
-          {
-            nix.registry = {
-              nixpkgs.flake = nixpkgs;
-              p.flake = nixpkgs;
-            };
-            nixpkgs.pkgs = pkgs;
+  mkSystem = hostname: host-platform: modules:
+    withSystem host-platform
+    ({pkgs, ...}:
+      nixpkgs.lib.nixosSystem {
+        modules =
+          [
+            {
+              nix.registry = {
+                nixpkgs.flake = nixpkgs;
+                p.flake = nixpkgs;
+              };
+              nixpkgs.pkgs = pkgs;

-            networking.hostname = hostname;
-          }
-        ]
-        ++ modules
-        ++ foelib.utils.findNixFiles ../nixos;
-
-      specialArgs = {
-        inherit hostname foelib;
-      };
-    };
+              networking.hostName = hostname;
+            }
+          ]
+          ++ modules;
+        specialArgs = {
+          inherit hostname foelib;
+        };
+      });
 }
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@ -1,6 +1,6 @@
 rec {
  findNixFiles = dir: let
-    inherit (builtins) attrNames readDir pathExists concatMap hasSuffix;
+    inherit (builtins) attrNames readDir pathExists concatMap;

    # Helper function to build full paths
    fullPath = name: dir + "/${name}";
@ -16,11 +16,32 @@ rec {
      path = fullPath name;
      type = contents.${name};
    in
-      if type == "regular" && hasSuffix ".nix" name
+      if type == "regular" && hasSuffix "nix" name
      then [path]
      else if type == "directory" && pathExists path
      then findNixFiles path
      else [];
  in
    concatMap processItem names;
+
+  getName = filename: let
+    parts = builtins.split "\\." filename;
+    base = builtins.head (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else base;
+
+  getSuffix = filename: let
+    parts = builtins.split "\\." filename;
+    end = builtins.tail (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else builtins.elemAt end (builtins.length end - 1);
+
+  hasSuffix = suffix: filename:
+    if (getSuffix filename) == suffix
+    then true
+    else false;
 }