From 50d1e4ad9942294825c4c43e55c03993676d7be0 Mon Sep 17 00:00:00 2001
From: surtur
Date: Sun, 5 Nov 2023 00:17:44 +0100
Subject: [PATCH] nix: add nixpi system configuration
---
 nix/.sops.yaml | 9 +-
 nix/flake.nix | 19 +++-
 nix/hosts/nixpi/configuration.nix | 138 ++++++++++++++++++++++++++++++
 nix/hosts/nixpi/secrets.yaml | 39 +++++++++
 nix/modules/dnscrypt.nix | 29 ++++++-
 nix/secrets/dnscrypt-proxy.yaml | 57 ++++++++++++
 6 files changed, 286 insertions(+), 5 deletions(-)
 create mode 100644 nix/hosts/nixpi/configuration.nix
 create mode 100644 nix/hosts/nixpi/secrets.yaml
 create mode 100644 nix/secrets/dnscrypt-proxy.yaml
diff --git a/nix/.sops.yaml b/nix/.sops.yaml
index 862e5c9..0f50faf 100644
--- a/nix/.sops.yaml
+++ b/nix/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &it age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
 - &loki age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
+ - &nixpi age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
 - &backup age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
 - &surtur age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
 creation_rules:
@@ -10,10 +11,16 @@ creation_rules:
 - age:
 - *backup
 - *loki
- - path_regex: ./secrets/*
+ - path_regex: hosts/nixpi/*.*
+ key_groups:
+ - age:
+ - *backup
+ - *nixpi
+ - path_regex: secrets/*.*
 key_groups:
 - age:
 - *backup
 - *surtur
 - *loki
+ - *nixpi
 ...
diff --git a/nix/flake.nix b/nix/flake.nix
index fb8658c..ff92504 100644
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -21,6 +21,7 @@
 ...
 }: let
 projname = "nix-infra";
+ # nix.registry.nixpkgs.flake = nixpkgs;
 system = "x86_64-linux";
 supportedSystems = ["x86_64-linux" "aarch64-linux"];
 # Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
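Review bot: `path_regex` in `.sops.yaml` is a regular expression, not a glob, so the new `hosts/nixpi/*.*` and `secrets/*.*` patterns are unanchored and read as `hosts/nixpi` followed by zero or more slashes then anything, and `secrets` followed by anything; `secrets/*.*` therefore also matches `hosts/nixpi/secrets.yaml`, and that file only lands on the nixpi rule because the nixpi rule is listed first. Anchoring both makes the routing independent of rule order: `- path_regex: ^hosts/nixpi/` and `- path_regex: ^secrets/` (sops matches the path relative to this file). Separately, the `hosts/nixpi/secrets.yaml` added in this patch is encrypted to three recipients (`it`, `backup`, `nixpi`) while the nixpi rule lists only `backup` and `nixpi`, and `secrets/dnscrypt-proxy.yaml` likewise includes `it` although its rule omits it; if `it` is not meant to decrypt these, a `sops updatekeys` pass on both files aligns them with the rules, otherwise add `*it` to the rules so the next re-encryption does not silently drop that recipient.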
@@ -33,8 +34,10 @@
 # no overlay imports atm
 ];
 });
- pkgs = nixpkgs.legacyPackages.${system};
- # pkgs = nixpkgsFor.${system};
+ # pkgs = nixpkgs.legacyPackages.${system};
+ pkgs = nixpkgsFor.${system};
+
+ inherit (nixpkgs.lib) nixosSystem;
 in {
 formatter = forAllSystems (
 system:
@@ -43,7 +46,7 @@
 # formatter.${system} = pkgs.alejandra;
 nixosConfigurations.loki = nixpkgs.lib.nixosSystem {
- inherit pkgs system;
+ # inherit pkgs system;
 modules = [
 disko.nixosModules.disko
 agenix.nixosModules.default
@@ -55,6 +58,16 @@
 ];
 };
+ nixosConfigurations.nixpi = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ # pkgs = nixpkgs.legacyPackages.${system};
+ # pkgs = nixpkgsFor.${system};
+ modules = [
+ sops-nix.nixosModules.sops
+
+ ./hosts/nixpi/configuration.nix
+ ];
+ };
 devShells = forAllSystems (
 system: let
 pkgs = import nixpkgs {
diff --git a/nix/hosts/nixpi/configuration.nix b/nix/hosts/nixpi/configuration.nix
new file mode 100644
index 0000000..bdc2659
--- /dev/null
+++ b/nix/hosts/nixpi/configuration.nix
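Review bot: `inherit (nixpkgs.lib) nixosSystem;` added to the `let` block (which opens in an earlier hunk) is never used — `nixosConfigurations.loki` in the `@@ -43` hunk and the new `nixosConfigurations.nixpi` in the `@@ -55` hunk both still spell out `nixpkgs.lib.nixosSystem`. Either drop the binding or use it consistently, e.g. `nixosConfigurations.nixpi = nixosSystem {`. The same two hunks keep commented-out alternatives (`# inherit pkgs system;` and two `# pkgs = …` lines); git already preserves that history, so deleting them would leave only the live configuration to read. `pkgs = nixpkgsFor.${system};` now resolves against the top-level x86_64-linux `system`, which the aarch64 `nixpi` configuration correctly does not consume; a one-line comment such as `# pkgs is the x86_64-linux set used by formatter/devShells only` would make that split explicit for the next reader.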
@@ -0,0 +1,138 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ../../modules/base.nix
+ ../../modules/dnscrypt.nix
+ # ../loki/modules/coredns.nix
+ ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ age = {
+ keyFile = "/root/.age/nixpi-key";
+ sshKeyPaths = ["/root/.ssh/nixpiage" "/etc/ssh/ssh_host_ed25519_key"];
+ generateKey = false;
+ };
+
+ secrets.rootPassphrase.owner = "root";
+ # secrets.domainName.restartUnits = ["caddy.service" "coredns.service"];
+ # secrets.domainName.restartUnits = ["coredns.service"];
+ };
+
+ nixpkgs = {
+ buildPlatform.system = "x86_64-linux";
+ hostPlatform.system = "aarch64-linux";
+ };
+ boot = {
+ # kernelPackages = pkgs.linuxKernel.packages.linux_rpi3;
+
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ # initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage"];
+ initrd.availableKernelModules = ["usbhid"];
+
+ loader = {
+ grub.enable = false;
+ # systemd-boot = {
+ # enable = true;
+ # configurationLimit = 12; # maximum number of latest NixOS generations to show
+ # };
+ generic-extlinux-compatible.enable = true;
+
+ # raspberryPi.firmwareConfig = lib.mkForce ''
+ # gpu_mem=256
+ # '';
+ # kernelParams = ["cma=256M"];
+ };
+ };
+ powerManagement.cpuFreqGovernor = "ondemand";
+
+ hardware.bluetooth.enable = true;
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = ["noatime"];
+ };
+ };
+
+ networking = {
+ hostName = "nixpi";
+ wireless = {
+ enable = true;
+ # networks."${SSID}".psk = SSIDpassword;
+
+ # interfaces = [ interface ];
+ };
+ };
+
+ documentation.nixos.enable = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ zsh
+ raspberrypifw
+ neofetch
+ ];
+
+ services.openssh.enable = true;
+
+ programs.zsh.enable = true;
+ users.users.root = {
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
+ "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
+ ];
+ hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
+
+ subUidRanges = [
+ {
+ count = 65536;
+ startUid = 65536 * 28; # 1835008, docker
+ }
+ ];
+ };
+
+ services = {
+ #prometheus = {
+ # # WIP.
+ # enable = true;
+ # # openFirewall = true;
+ # port = 9090;
+ # exporters = {
+ # node = {
+ # enable = true;
+ # enabledCollectors = [
+ # "logind"
+ # "systemd"
+ # ];
+ # port = 9100;
+ # };
+ # };
+
+ # scrapeConfigs = [
+ # {
+ # job_name = "node";
+ # static_configs = [
+ # {
+ # targets = [
+ # "nixpi.local:${toString config.services.prometheus.exporters.node.port}"
+ # ];
+ # }
+ # ];
+ # }
+ # ];
+ #};
+ };
+
+ hardware.enableRedistributableFirmware = true;
+
+ # system.stateVersion = "23.11";
+}
diff --git a/nix/hosts/nixpi/secrets.yaml b/nix/hosts/nixpi/secrets.yaml
new file mode 100644
index 0000000..68b3b45
--- /dev/null
+++ b/nix/hosts/nixpi/secrets.yaml
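Review bot: `secrets.rootPassphrase.owner = "root";` backs `users.users.root.hashedPasswordFile`, but the secret is not marked `neededForUsers`, and sops-nix decrypts ordinary secrets only after the NixOS users/groups activation step has already tried to read the password file; the usual fix is `secrets.rootPassphrase = { owner = "root"; neededForUsers = true; };` (sops-nix then places it in its for-users directory and the secret's `.path` follows). `services.openssh.enable = true;` arrives with the NixOS default `PasswordAuthentication = true`; unless `../../modules/base.nix`, which this patch does not show, hardens sshd, make the key-only policy explicit with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "prohibit-password";`. `# system.stateVersion = "23.11";` near the end is commented out, so `system.stateVersion` is unset, NixOS warns on every build, and stateful defaults may drift across upgrades; set it to the release this host was first installed with. The sops block points both `age.keyFile` and `age.sshKeyPaths` at key material under `/root`; a one-line comment stating which of the two is actually provisioned on the SD image would spare the next reader a debugging round.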
@@ -0,0 +1,39 @@ +rootPassphrase: ENC[AES256_GCM,data:+E/xNNHlZdcEEH5cWto8kd1oIAFSkaRsnzANhFL0wF8iaRETEBaKRI8WPZ3mVQGzSiwq7E4EMemoDFAXRkW1OlbD2WqFjCYsAa4=,iv:1yWnn98bspMJm8pbeTOyEo6KQOhBOum1gf9RSKXSopE=,tag:48H3MuDFKWzX+df3qfBx9w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQjk4RlF0WGJyKzZwRmpi + YytSVGgvanJLcHdVaUpTUFJQU09NakJSS2d3CkhiVGdTNUxtcEtKUzQxczVUdG9N + a3lnWktBNWU1WXhXRXI5TXdacnNSeEEKLS0tIFIvZ2tJaUVzbjRDZ0xOU3RoaXVX + UCsvUzZaR0YwUUwvUWZWYzQ5ZndiR1EKUA56vCyXmwASIRMya7k852KHo/MzsZZq + Bn8sN52UGZvj4UThhusvSRhwCRzfXu6dvXFotqJkqf1pZchk6vjoDw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVVpPSmd4c2ZFTzRKWExW + ZnZKNmNRdXNMS0dkUGo1STkwdXM5eS8wY24wCmplWUEyblE0T2F5R1BWM3R0REkw + NDJwWjZGa0gzUSs1NjkyY0pESGQ4L3cKLS0tIDdoRmhyS0dDeHE5WmRDZFNUcFZm + UUUzMVQwek9RUFhJb21hdzJnWHZqbjgKpGleP+KPxB3pINWSHeJXYxNUx5IMK9Oq + hrwpeOD6PWsy8YQYm5u5NbJ6HWdmeMu1X3VRLozM8iVfrg9A00JwAA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaU8weWl4WTlndlZscHZa + bVBSZHpMdCszb3ZqV2hTUWVoQ2Y1dUhZc0gwCkJCWEJCL0duNnVQVTN0dlp4QkRU + Nll4ZXpkS3FqOW5temhDbG5zdER1VGsKLS0tIHRkaC9YaDlGaWhVMXBRT3hGTTVQ + SGJNZHZ4MEtrZnRSRkNvUUk5ODM5cXcKxOeOs0rhypjzZlMH9F/rqzIOFOCIJ9cU + Yg8/j/7f6BxA+weY+FIi+Zjh7ijq9s3BiObim/8xynyR7RJHl8CmBA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-08T22:04:14Z" + mac: 
ENC[AES256_GCM,data:yeyABVTHctQAwkisfl2RzaDdBVzV9EaSM/2LuJzoFORI3ykIEc7u1LZkaJRIood7qGM56CkXtibR7XdbaimPEXW//7W3jEvxbL9pX+L//9dMWpASsAPcRVGUKrqfsNSNS+pRoFKUowSGfkcEJdc5rZxTOuZPGPCvGtRf4wk5djE=,iv:1oiRC+Fajch4id3k/mKFTSJ0QV8o3WRgN19Hwdo7OMg=,tag:2IT52eazgR82yyx9GGKeiA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nix/modules/dnscrypt.nix b/nix/modules/dnscrypt.nix
index 77bf7b5..f0e25eb 100644
--- a/nix/modules/dnscrypt.nix
+++ b/nix/modules/dnscrypt.nix
@@ -1,4 +1,18 @@
-{lib, ...}: {
+{
+ config,
+ lib,
+ ...
+}: let
+ usr = "dnscrypt-proxy";
+in {
+ sops.secrets = {
+ dnscrypt-proxy-forwardingRules = {
+ sopsFile = ../secrets/dnscrypt-proxy.yaml;
+ owner = usr;
+ group = usr;
+ };
+ };
+
 services.dnscrypt-proxy2 = {
 enable = true;
 # don't go from scratch.
@@ -80,6 +94,8 @@
 cache_neg_min_ttl = 60;
 cache_neg_max_ttl = 600;
+ forwarding_rules = config.sops.secrets.dnscrypt-proxy-forwardingRules.path;
+
 sources.opennic = {
 urls = [
 "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/opennic.md"
@@ -114,5 +130,16 @@
 StartLimitBurst = 10;
 Restart = "always";
 RestartSec = 7;
+ User = usr;
+ Group = usr;
 };
+
+ users.users.dnscrypt-proxy = {
+ group = usr;
+ home = "/etc/" + usr;
+ createHome = false;
+ isSystemUser = true;
+ extraGroups = ["users"];
+ };
+ users.groups.dnscrypt-proxy = {};
 }
diff --git a/nix/secrets/dnscrypt-proxy.yaml b/nix/secrets/dnscrypt-proxy.yaml
new file mode 100644
index 0000000..95f9fb3
--- /dev/null
+++ b/nix/secrets/dnscrypt-proxy.yaml
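Review bot: `extraGroups = ["users"];` on the new `dnscrypt-proxy` service account in the `@@ -114` hunk grants it membership in the shared `users` group, which nothing in this patch needs — the forwarding-rules secret is owned by `usr`/`usr` and the unit runs as `User = usr; Group = usr;` — so the least-privilege choice for a system user is to drop that line and keep the empty default. The `serviceConfig` attrset that gains `User`/`Group` opens before this hunk; as far as I recall the upstream `dnscrypt-proxy2` module already runs the unit with `DynamicUser`, and systemd reuses a pre-existing static user of the same name, so this should work, but a comment such as `# static user exists only so the sops secret can be owned by it` would record why the module departs from the upstream dynamic user. A consistency nit spanning the `@@ -1` and `@@ -114` hunks: `usr` is bound for the account name, yet `users.users.dnscrypt-proxy` and `users.groups.dnscrypt-proxy` still hard-code the literal; `users.users.${usr}` and `users.groups.${usr}` keep the account, group and secret ownership from drifting apart.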
@@ -0,0 +1,57 @@ +dnscrypt-proxy-forwardingRules: ENC[AES256_GCM,data:WpW6b333rUPBTjPbSp+RvSvPovgk9DUxD7EfpPuTBrBlzBULh2Z61mML7vbtqnJ0nL6jRH3AEhxQDhJ9IEMc0RvZcH/j3y/f5/dmioVEZG210us5/DWt1i+/U0BLfsUoN6w31F/7mvB13hTEeQ2wZICQjQB5AneiRnNxrCXtgk2axnVae/3jEDLrw+dI5ryC+8uUQQ4GVT7NQjWfQxhM6sSjjN/JxtBlrCsDtZd5YylfvzoCbHZ4F9vAIEUZh3Ac8W6l0B9WKeIgGn3phXkdcLlKQwzMUlF7j9e1tpTTtm2mXc92JW21yVUrr7KyuynriYi+wUPMxXZGUAsALFRZk1G+Lwj7syU4s479S2gLgXWt,iv:BnuBe4xA07hZ7GE/3Lt24I6dMhKnSYfFHvftFBtbI8k=,tag:1TKeJ4KEqaah3QrGDnCYEg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VVNDcEs0RDNuSlJ2OFFy + NkNvdzBoUytWd2pRVEFMYnJ2Z3NHTEJRRG1JCkZYTTdnTGUrdnBFUjFpUDh4UldN + Y0RvRVN0OVFVZGNxaEQ1TjFGWG0rNTgKLS0tIE5EUTRsMUQwR2xHOFF4K2lncW1r + cWU5NFZSUFNrM3dzNENSOW1tOHdzVTQKMfH1pB0gLvvwYlB8GRONPEr5kpoxV0rB + fA/5kTdb1tWBvH1wNpAUomig5bGM4ncHzQjB1Qcqt1Zop5tEvfjlHw== + -----END AGE ENCRYPTED FILE----- + - recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MlljRU1Td2tFSCs5VmFF + dllGaDJKU2dFYUxJdWhEbmwxaUJRM3NadjNjCkxFZTBXb2M4ZjBtVlpTblNjRjhZ + K3NkZWc4bnVwSVNldHZuL3ZDb2FXWVEKLS0tIGRvV1N5cVFrL1hzZ2pQQ3JLNmtM + S01VMm14VUdPY3lqc0pha2pKTGkrTjQKCLW3LwUOFfP1VWK8MgwoHe8Py1HrvVGE + gWeLHFD1pR2NdSn0nDan7CcKL3+P2F1cFyqv8+Ff06ehXWB3gbm3Jw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ3pZNVhMZVBXeGcxeFUx + dElJV2hwM2RuZXVGVUVWMmhDVjNsdlAvb0RvCnFmSk1zRGJ2Ulh3NnJlSFZETUNT + TGJiS1dhOEFPSXZwVzNrNTV0UUpoamsKLS0tIHFLVk5Va2NTK2VlcjM5bnlYajhx + cEE4YjJOaVJ4bDFObXpXU093amhXM3MKHgm8DCwqqj+6yLFoNHFWGA1K45AWXzkp + 
XonJ+vWAQGIM4sVYvzCYSx6QaZk5PVnWq8NcPlzeWSelYtOTPkRiQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMFQ3ZTZtZjFCMnpCUk9R + bHdsZUwrcWZEczVBbFplWnJPVktOdjNJU0Y0CjJPZDlWcGFIQVVMUjJIcTMwSzl5 + V0hESWtZcmZ2S1FmVUNnVnhTKzZaYW8KLS0tIDBnU2VkSHdGZGJlSEhNNE82a3NJ + WFZzSjZqRzFVcjU3SzBLOEQyWFJqcnMKEtXIPnCYJe2+d9MWLWLAxKWQF8uPMoM3 + pPJlfzKarVfYJ+PxmTcH4+xbberEZDdrjikvZL6CluZBQuTHoOrdOA== + -----END AGE ENCRYPTED FILE----- + - recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eFRuOGZPS2tDTElITDRm + UzFDbFVuUXVxbnhjWC9BNXZsNEtPblVXNW5nClNUTGRVVDljNzRjTEUzVUFvRW9a + Q1VOeTNYV2VrY2tLR1NaVG9CbjVrSXcKLS0tIEQ3MjhEQnNwV2RUYUJGL1UzKzln + aXNhWE9iWmdPZlJaWmd5MHVqYUlITkkK+mudBNg2DwXjFNP3RP5Xqw2bksK10B4P + MVDpC9Du2hOljpJlJ0R2AQL0oxixu/ts9eDG5ZtSdtGIJv7JJWJctg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-11T20:43:18Z" + mac: ENC[AES256_GCM,data:lrcjh3u7yUl8tvmMQS8S0SM/OQ8DAv/ctGx9NYWj0UoIHyMpsWDu2qFEO6S7oeK0f8k9mxYEmopDcMUSWprYpeJ4fR8IFFjJXsHqD0QVktVCjivmURPiu24dkGge2yVGSySnL126OwdKd/8LAagd5wj1Tj7VhbgsDS4R6DMB9uo=,iv:bUCt4xLaas0zEYkQGh6MPhnZAx7Zp/0r+xhYyy0YGXs=,tag:CWmGA5smxj4QFqaQRJ+ivQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3