nix: add nixpi system configuration

surtur 2023-11-05 00:17:44 +01:00
parent 04b877ddb1
commit 50d1e4ad99
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
6 changed files with 286 additions and 5 deletions

@ -2,6 +2,7 @@
keys:
- &it age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
- &loki age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
- &nixpi age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
- &backup age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
- &surtur age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
creation_rules:
@ -10,10 +11,16 @@ creation_rules:
- age:
- *backup
- *loki
- path_regex: ./secrets/*
- path_regex: hosts/nixpi/*.*
key_groups:
- age:
- *backup
- *nixpi
- path_regex: secrets/*.*
key_groups:
- age:
- *backup
- *surtur
- *loki
- *nixpi
...
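Review bot: `path_regex` in `.sops.yaml` is a regular expression, not a shell glob, so the new `hosts/nixpi/*.*` rule and the reworked `secrets/*.*` rule are unanchored and also match paths such as `hosts/nixpi-old/…` or anything containing `secrets`; anchor them, e.g. `path_regex: ^hosts/nixpi/.*`. The `hosts/nixpi/` rule lists only `*backup` and `*nixpi`, yet the `hosts/nixpi/secrets.yaml` added in this commit (the `@ -0,0 +1,39 @@` section) is encrypted to three recipients including `&it`; a later `sops updatekeys` would re-encrypt to the rule set and drop `&it`, so either add `*it` to the rule or confirm the extra recipient is unintended. The same check applies to the `dnscrypt-proxy.yaml` secrets section (`@ -0,0 +1,57 @@`), whose five recipients include `&it` although `&it` appears in neither visible rule — it may be covered by a rule above this hunk.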

@ -21,6 +21,7 @@
...
}: let
projname = "nix-infra";
# nix.registry.nixpkgs.flake = nixpkgs;
system = "x86_64-linux";
supportedSystems = ["x86_64-linux" "aarch64-linux"];
# Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
@ -33,8 +34,10 @@
# no overlay imports atm
];
});
pkgs = nixpkgs.legacyPackages.${system};
# pkgs = nixpkgsFor.${system};
# pkgs = nixpkgs.legacyPackages.${system};
pkgs = nixpkgsFor.${system};
inherit (nixpkgs.lib) nixosSystem;
in {
formatter = forAllSystems (
system:
@ -43,7 +46,7 @@
# formatter.${system} = pkgs.alejandra;
nixosConfigurations.loki = nixpkgs.lib.nixosSystem {
inherit pkgs system;
# inherit pkgs system;
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
@ -55,6 +58,16 @@
];
};
nixosConfigurations.nixpi = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
# pkgs = nixpkgs.legacyPackages.${system};
# pkgs = nixpkgsFor.${system};
modules = [
sops-nix.nixosModules.sops
./hosts/nixpi/configuration.nix
];
};
devShells = forAllSystems (
system: let
pkgs = import nixpkgs {
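Review bot: The new `nixosConfigurations.nixpi` passes `system = "aarch64-linux"` to `nixosSystem` while `hosts/nixpi/configuration.nix` (added in this commit) also sets `nixpkgs.buildPlatform.system` and `nixpkgs.hostPlatform.system`; declaring the platform in two places is redundant, and if I recall correctly recent nixpkgs prefer `nixpkgs.hostPlatform` over the `system` argument, so consider dropping `system` here and keeping the module-level setting. The two commented-out `pkgs = …` alternatives inside the block, and the duplicated pair above `pkgs = nixpkgsFor.${system};`, read as leftover experiments; delete them or replace them with one line such as `# pkgs for nixpi comes from nixpkgs.hostPlatform in its module; do not pass it here`. The `nixosConfigurations.loki` hunk appears to comment out `inherit pkgs system;`, which would leave loki depending on its modules to set `nixpkgs.hostPlatform`; that block's module list continues outside the hunk, so I cannot confirm it does.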

@ -0,0 +1,138 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
../../modules/base.nix
../../modules/dnscrypt.nix
# ../loki/modules/coredns.nix
];
sops = {
defaultSopsFile = ./secrets.yaml;
age = {
keyFile = "/root/.age/nixpi-key";
sshKeyPaths = ["/root/.ssh/nixpiage" "/etc/ssh/ssh_host_ed25519_key"];
generateKey = false;
};
secrets.rootPassphrase.owner = "root";
# secrets.domainName.restartUnits = ["caddy.service" "coredns.service"];
# secrets.domainName.restartUnits = ["coredns.service"];
};
nixpkgs = {
buildPlatform.system = "x86_64-linux";
hostPlatform.system = "aarch64-linux";
};
boot = {
# kernelPackages = pkgs.linuxKernel.packages.linux_rpi3;
kernelPackages = pkgs.linuxPackages_latest;
# initrd.availableKernelModules = ["xhci_pci" "usbhid" "usb_storage"];
initrd.availableKernelModules = ["usbhid"];
loader = {
grub.enable = false;
# systemd-boot = {
# enable = true;
# configurationLimit = 12; # maximum number of latest NixOS generations to show
# };
generic-extlinux-compatible.enable = true;
# raspberryPi.firmwareConfig = lib.mkForce ''
# gpu_mem=256
# '';
# kernelParams = ["cma=256M"];
};
};
powerManagement.cpuFreqGovernor = "ondemand";
hardware.bluetooth.enable = true;
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = ["noatime"];
};
};
networking = {
hostName = "nixpi";
wireless = {
enable = true;
# networks."${SSID}".psk = SSIDpassword;
# interfaces = [ interface ];
};
};
documentation.nixos.enable = false;
environment.systemPackages = with pkgs; [
vim
zsh
raspberrypifw
neofetch
];
services.openssh.enable = true;
programs.zsh.enable = true;
users.users.root = {
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
];
hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
subUidRanges = [
{
count = 65536;
startUid = 65536 * 28; # 1835008, docker
}
];
};
services = {
#prometheus = {
# # WIP.
# enable = true;
# # openFirewall = true;
# port = 9090;
# exporters = {
# node = {
# enable = true;
# enabledCollectors = [
# "logind"
# "systemd"
# ];
# port = 9100;
# };
# };
# scrapeConfigs = [
# {
# job_name = "node";
# static_configs = [
# {
# targets = [
# "nixpi.local:${toString config.services.prometheus.exporters.node.port}"
# ];
# }
# ];
# }
# ];
#};
};
hardware.enableRedistributableFirmware = true;
# system.stateVersion = "23.11";
}
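Review bot: Root is the only account given SSH access here — `users.users.root.openssh.authorizedKeys.keys` lists four keys and `services.openssh.enable = true;` — but sshd's authentication policy is left at defaults; with wireless enabled on this host, pin it explicitly with `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "prohibit-password"; };` so the sops-provisioned root password never becomes a remote login path. The two `nixbldr` keys suggest this Pi also serves as a remote builder; a dedicated builder user listed in `nix.settings.trusted-users` would keep that role off root, though I cannot tell from here whether anything else relies on root. `system.stateVersion` is commented out, which lets stateful defaults track whichever nixpkgs is current; set it to the release this host was first installed with. `networking.wireless.enable = true` is set with no networks and no `environmentFile`, so presumably the SSID/PSK are meant to come from sops as well — `environmentFile` keeps the PSK out of the Nix store, which a plain `networks.<ssid>.psk` would not.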

@ -0,0 +1,39 @@
rootPassphrase: ENC[AES256_GCM,data:+E/xNNHlZdcEEH5cWto8kd1oIAFSkaRsnzANhFL0wF8iaRETEBaKRI8WPZ3mVQGzSiwq7E4EMemoDFAXRkW1OlbD2WqFjCYsAa4=,iv:1yWnn98bspMJm8pbeTOyEo6KQOhBOum1gf9RSKXSopE=,tag:48H3MuDFKWzX+df3qfBx9w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQjk4RlF0WGJyKzZwRmpi
YytSVGgvanJLcHdVaUpTUFJQU09NakJSS2d3CkhiVGdTNUxtcEtKUzQxczVUdG9N
a3lnWktBNWU1WXhXRXI5TXdacnNSeEEKLS0tIFIvZ2tJaUVzbjRDZ0xOU3RoaXVX
UCsvUzZaR0YwUUwvUWZWYzQ5ZndiR1EKUA56vCyXmwASIRMya7k852KHo/MzsZZq
Bn8sN52UGZvj4UThhusvSRhwCRzfXu6dvXFotqJkqf1pZchk6vjoDw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVVpPSmd4c2ZFTzRKWExW
ZnZKNmNRdXNMS0dkUGo1STkwdXM5eS8wY24wCmplWUEyblE0T2F5R1BWM3R0REkw
NDJwWjZGa0gzUSs1NjkyY0pESGQ4L3cKLS0tIDdoRmhyS0dDeHE5WmRDZFNUcFZm
UUUzMVQwek9RUFhJb21hdzJnWHZqbjgKpGleP+KPxB3pINWSHeJXYxNUx5IMK9Oq
hrwpeOD6PWsy8YQYm5u5NbJ6HWdmeMu1X3VRLozM8iVfrg9A00JwAA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaU8weWl4WTlndlZscHZa
bVBSZHpMdCszb3ZqV2hTUWVoQ2Y1dUhZc0gwCkJCWEJCL0duNnVQVTN0dlp4QkRU
Nll4ZXpkS3FqOW5temhDbG5zdER1VGsKLS0tIHRkaC9YaDlGaWhVMXBRT3hGTTVQ
SGJNZHZ4MEtrZnRSRkNvUUk5ODM5cXcKxOeOs0rhypjzZlMH9F/rqzIOFOCIJ9cU
Yg8/j/7f6BxA+weY+FIi+Zjh7ijq9s3BiObim/8xynyR7RJHl8CmBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T22:04:14Z"
mac: ENC[AES256_GCM,data:yeyABVTHctQAwkisfl2RzaDdBVzV9EaSM/2LuJzoFORI3ykIEc7u1LZkaJRIood7qGM56CkXtibR7XdbaimPEXW//7W3jEvxbL9pX+L//9dMWpASsAPcRVGUKrqfsNSNS+pRoFKUowSGfkcEJdc5rZxTOuZPGPCvGtRf4wk5djE=,iv:1oiRC+Fajch4id3k/mKFTSJ0QV8o3WRgN19Hwdo7OMg=,tag:2IT52eazgR82yyx9GGKeiA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

@ -1,4 +1,18 @@
{lib, ...}: {
{
config,
lib,
...
}: let
usr = "dnscrypt-proxy";
in {
sops.secrets = {
dnscrypt-proxy-forwardingRules = {
sopsFile = ../secrets/dnscrypt-proxy.yaml;
owner = usr;
group = usr;
};
};
services.dnscrypt-proxy2 = {
enable = true;
# don't go from scratch.
@ -80,6 +94,8 @@
cache_neg_min_ttl = 60;
cache_neg_max_ttl = 600;
forwarding_rules = config.sops.secrets.dnscrypt-proxy-forwardingRules.path;
sources.opennic = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/opennic.md"
@ -114,5 +130,16 @@
StartLimitBurst = 10;
Restart = "always";
RestartSec = 7;
User = usr;
Group = usr;
};
users.users.dnscrypt-proxy = {
group = usr;
home = "/etc/" + usr;
createHome = false;
isSystemUser = true;
extraGroups = ["users"];
};
users.groups.dnscrypt-proxy = {};
}
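Review bot: `users.users.dnscrypt-proxy` adds the service account to `extraGroups = ["users"];`, which grants a network-facing daemon the group permissions of every interactive user without an evident need — the only files it must read are the sops secret, already owned by `usr`, and its `/etc/dnscrypt-proxy` home; drop the `extraGroups` line unless something depends on it. `User = usr; Group = usr;` at the end of the service block (that block starts outside the hunk) should be checked against the upstream `services.dnscrypt-proxy2` module, which as far as I recall runs the unit with `DynamicUser = true`; a static `User=` combined with `DynamicUser=` is at best redundant and may fail at unit start, so if that is the case add `DynamicUser = false;` beside it and say why in a comment. `home = "/etc/" + usr;` with `createHome = false;` is fine only if the module creates that directory; a one-line comment naming who creates it would save the next reader the lookup.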

@ -0,0 +1,57 @@
dnscrypt-proxy-forwardingRules: ENC[AES256_GCM,data:WpW6b333rUPBTjPbSp+RvSvPovgk9DUxD7EfpPuTBrBlzBULh2Z61mML7vbtqnJ0nL6jRH3AEhxQDhJ9IEMc0RvZcH/j3y/f5/dmioVEZG210us5/DWt1i+/U0BLfsUoN6w31F/7mvB13hTEeQ2wZICQjQB5AneiRnNxrCXtgk2axnVae/3jEDLrw+dI5ryC+8uUQQ4GVT7NQjWfQxhM6sSjjN/JxtBlrCsDtZd5YylfvzoCbHZ4F9vAIEUZh3Ac8W6l0B9WKeIgGn3phXkdcLlKQwzMUlF7j9e1tpTTtm2mXc92JW21yVUrr7KyuynriYi+wUPMxXZGUAsALFRZk1G+Lwj7syU4s479S2gLgXWt,iv:BnuBe4xA07hZ7GE/3Lt24I6dMhKnSYfFHvftFBtbI8k=,tag:1TKeJ4KEqaah3QrGDnCYEg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nt7a9nsgwsf7c9x8yx3qu8w24svz02hpfuwtmk8dazw6j6lh33hsgv8erk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VVNDcEs0RDNuSlJ2OFFy
NkNvdzBoUytWd2pRVEFMYnJ2Z3NHTEJRRG1JCkZYTTdnTGUrdnBFUjFpUDh4UldN
Y0RvRVN0OVFVZGNxaEQ1TjFGWG0rNTgKLS0tIE5EUTRsMUQwR2xHOFF4K2lncW1r
cWU5NFZSUFNrM3dzNENSOW1tOHdzVTQKMfH1pB0gLvvwYlB8GRONPEr5kpoxV0rB
fA/5kTdb1tWBvH1wNpAUomig5bGM4ncHzQjB1Qcqt1Zop5tEvfjlHw==
-----END AGE ENCRYPTED FILE-----
- recipient: age15959gprm59azjflvpj97yt0lj6dj4d2yv0nd6u9jp32lzwp3de7qzhf85y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MlljRU1Td2tFSCs5VmFF
dllGaDJKU2dFYUxJdWhEbmwxaUJRM3NadjNjCkxFZTBXb2M4ZjBtVlpTblNjRjhZ
K3NkZWc4bnVwSVNldHZuL3ZDb2FXWVEKLS0tIGRvV1N5cVFrL1hzZ2pQQ3JLNmtM
S01VMm14VUdPY3lqc0pha2pKTGkrTjQKCLW3LwUOFfP1VWK8MgwoHe8Py1HrvVGE
gWeLHFD1pR2NdSn0nDan7CcKL3+P2F1cFyqv8+Ff06ehXWB3gbm3Jw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1drh8uq93mhzhj3rz9s2gcnht04wc5hukzutlu4l5qc55hxaznd5s9xs2f6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQ3pZNVhMZVBXeGcxeFUx
dElJV2hwM2RuZXVGVUVWMmhDVjNsdlAvb0RvCnFmSk1zRGJ2Ulh3NnJlSFZETUNT
TGJiS1dhOEFPSXZwVzNrNTV0UUpoamsKLS0tIHFLVk5Va2NTK2VlcjM5bnlYajhx
cEE4YjJOaVJ4bDFObXpXU093amhXM3MKHgm8DCwqqj+6yLFoNHFWGA1K45AWXzkp
XonJ+vWAQGIM4sVYvzCYSx6QaZk5PVnWq8NcPlzeWSelYtOTPkRiQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age136558pknq6glx2xftavt7mm3p4jcpu54kej2kxryeu78m5r59e0qvawl5l
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMFQ3ZTZtZjFCMnpCUk9R
bHdsZUwrcWZEczVBbFplWnJPVktOdjNJU0Y0CjJPZDlWcGFIQVVMUjJIcTMwSzl5
V0hESWtZcmZ2S1FmVUNnVnhTKzZaYW8KLS0tIDBnU2VkSHdGZGJlSEhNNE82a3NJ
WFZzSjZqRzFVcjU3SzBLOEQyWFJqcnMKEtXIPnCYJe2+d9MWLWLAxKWQF8uPMoM3
pPJlfzKarVfYJ+PxmTcH4+xbberEZDdrjikvZL6CluZBQuTHoOrdOA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17qvnfr98kxn0yuw6zjsmrl5nqlganzakn77pchnf5cr3an4gdp5s8dn26v
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eFRuOGZPS2tDTElITDRm
UzFDbFVuUXVxbnhjWC9BNXZsNEtPblVXNW5nClNUTGRVVDljNzRjTEUzVUFvRW9a
Q1VOeTNYV2VrY2tLR1NaVG9CbjVrSXcKLS0tIEQ3MjhEQnNwV2RUYUJGL1UzKzln
aXNhWE9iWmdPZlJaWmd5MHVqYUlITkkK+mudBNg2DwXjFNP3RP5Xqw2bksK10B4P
MVDpC9Du2hOljpJlJ0R2AQL0oxixu/ts9eDG5ZtSdtGIJv7JJWJctg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T20:43:18Z"
mac: ENC[AES256_GCM,data:lrcjh3u7yUl8tvmMQS8S0SM/OQ8DAv/ctGx9NYWj0UoIHyMpsWDu2qFEO6S7oeK0f8k9mxYEmopDcMUSWprYpeJ4fR8IFFjJXsHqD0QVktVCjivmURPiu24dkGge2yVGSySnL126OwdKd/8LAagd5wj1Tj7VhbgsDS4R6DMB9uo=,iv:bUCt4xLaas0zEYkQGh6MPhnZAx7Zp/0r+xhYyy0YGXs=,tag:CWmGA5smxj4QFqaQRJ+ivQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3