-rw-r--r-- | systems/.sops.yaml | 6 | ||||
-rw-r--r-- | systems/v-conoha1/default.nix | 91 | ||||
-rw-r--r-- | systems/v-conoha1/hardware-configuration.nix | 29 | ||||
-rw-r--r-- | systems/v-conoha1/secrets/secrets.yaml | 30 |
4 files changed, 156 insertions, 0 deletions
diff --git a/systems/.sops.yaml b/systems/.sops.yaml
index c6319cf..673fb87 100644
--- a/systems/.sops.yaml
+++ b/systems/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &host_cobalt age14a2amn7memzvctf2nnrt6uj458x3g4jpcvs04tlkww2z02p05syqawxrwh
 - &host_v_coord1 age15d6jezemfjt9g7snmw6pgwyw99nld4jhlqfrnfhc8lym9qw7cu2s0av95t
 - &host_v_nanode1 age1qqkh0r2k4fztl29wmhfq6ayhy9fe3t508tf2qcllf29vdkm235xq7x6frr
+ - &host_v_conoha1 age1trapu56vpu4rq9eh87dqv4hs0hxnntevy3xr3qv8pfxujyzvj3csf6dfxg
 creation_rules:
 - path_regex: cobalt/secrets/[^/]+\.yaml$
 key_groups:
@@ -20,3 +21,8 @@ creation_rules:
 - age:
 - *sefidel
 - *host_v_nanode1
+ - path_regex: v-conoha1/secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *sefidel
+ - *host_v_conoha1
diff --git a/systems/v-conoha1/default.nix b/systems/v-conoha1/default.nix
new file mode 100644
index 0000000..c07da7a
--- /dev/null
+++ b/systems/v-conoha1/default.nix
@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ ipv4 = {
+ address = "157.7.86.101";
+ gateway = "157.7.86.1";
+ netmask = "255.255.254.0";
+ prefixLength = 23; # https://www.pawprint.net/designresources/netmask-converter.php
+ };
+ ipv6 = {
+ address = "2400:8500:1302:3157:157:7:86:101";
+ gateway = "2400:8500:1302:3157::1";
+ prefixLength = 64;
+ };
+ networkInterface = "ens3";
+ hostName = "v-conoha1";
+ hostId = "586eb5d0";
+ hostAddr = "v-conoha1.sefidel.net";
+
+ sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+ maintainerKeys = [ ] ++ sefidelKeys;
+in
+{
+ deployment = {
+ targetHost = hostAddr;
+ targetPort = 22;
+ targetUser = "root";
+ };
+
+ imports = [ ./hardware-configuration.nix ];
+
+ networking.hostId = hostId;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+
+ boot.kernelParams = [
+ # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
+ # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
+ # The server ip refers to the NFS server -- not needed in this case.
+ "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
+ ];
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+
+ networking.hostName = hostName;
+
+ networking.useDHCP = false;
+ networking.interfaces.${networkInterface} = {
+ ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
+ ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
+ };
+ networking.defaultGateway = ipv4.gateway;
+ networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
+ networking.nameservers = [ "8.8.8.8" ];
+
+ networking.firewall.enable = true;
+
+ time.timeZone = "UTC";
+
+ sops.secrets.root-password.neededForUsers = true;
+
+ users.users.root.hashedPasswordFile = config.sops.secrets.root-password.path;
+ users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+
+ nix.flakes.enable = true;
+
+ modules = {
+ security.enable = true;
+ persistence.enable = false;
+ cachix.enable = true;
+
+ sops.enable = true;
+
+ services.tailscale.enable = true;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
+
diff --git a/systems/v-conoha1/hardware-configuration.nix b/systems/v-conoha1/hardware-configuration.nix
new file mode 100644
index 0000000..260d354
--- /dev/null
+++ b/systems/v-conoha1/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/vda2";
+ fsType = "ext4";
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/v-conoha1/secrets/secrets.yaml b/systems/v-conoha1/secrets/secrets.yaml
new file mode 100644
index 0000000..3ed1445
--- /dev/null
+++ b/systems/v-conoha1/secrets/secrets.yaml
@@ -0,0 +1,30 @@
+root-password: ENC[AES256_GCM,data:ISLJfLoJPr+sf0VI6mwOGCSaojjGg5DldLIEvvpUXwZMpxQO7ihxqZQ30ldfCJAc/Uek7WgMd7BXrky+4lVr70DId/TUls37AQ==,iv:kkI6J9ZRtkqynz+mANjspXebvm9Wwdx6y9o0ndSnXGs=,tag:h2TV8UaHywzKUn5ki4CbqA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jt8xg0lvzj5q4f7fn7nw670qsszm3kv3caa654eh62azra4x44zss4fad8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybGh0VWgwRVNkdnptSHND
+ WUl0TmMxSTJNRXpoSHlOQUJKOVZhVE9KbFFZCllXeGZ2bXJ5WmMxejFmdE9xQkhx
+ WVBuZVRBSVhRQkxGd0JTVVZGcXJvdU0KLS0tIFN6SVRsMjIxY0RJVTloTzMzcVd1
+ SGFUV3lMa1dGdEorWDh5S0NkNG5ZMDgK9+3DusNE/DirwSaneuHKeqbVy0zFl1XK
+ sUXtpeFw0uyJsNuPXYav97fOlTpwDPE5GtSzV4NQvWDUPquQ4e5BFQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1trapu56vpu4rq9eh87dqv4hs0hxnntevy3xr3qv8pfxujyzvj3csf6dfxg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVHVaWG5US1FTNnV2WTQz
+ Y0ZUMXhMcTBhckQ3bVRxcnRVWSs1cTdOYVdJClRnNmtQWVJ5M0lzbzh6T2U2TXMw
+ TjBpU3l0OEt2TjNzazYybHlFSExJaUEKLS0tIGF0K3Bkd05LWUxsb2NERU1QQldH
+ WU44b2JNbThKMkVNWWYvUHQxMVBPTUkKPmbcKu6acm9hA1SAqoDX8gx+2jYNrhUx
+ Ge+QeWTQPhVouIbO5tZmc5HLJXOW1rho2h6FdmPJQB2W4/2Y8AFerA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-11T15:13:23Z"
+ mac: ENC[AES256_GCM,data:JEyCm6qvybpX9q3UBxTsaI/YcPp8k1At+a1LVR0te8FDzTMVMHB3n31S1+RWiXqrX7lkTwrUK/1OV9ZMjcdt7ZJEIxI6ajKqRiUE9vPH7OSRDmioh5blrg3OGaeO0kXFflGkiUS0t/SJKJ+rhJhCJun6Q3l1xd42IwxfAGlVXmk=,iv:j8OYhbLkynbFp/C5Djc7/Ir9fy8nEQAqz6w1wUzWJ5U=,tag:itM6lm89IDhmKtqO5CA37Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1 |
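Review bot: The second `recipient` (`age1trapu56…csf6dfxg`) matches the `host_v_conoha1` key added to `systems/.sops.yaml` in this same commit, but the first (`age1jt8xg0…zss4fad8`) cannot be checked against the `*sefidel` anchor from this diff, because that anchor's value sits outside every hunk. Confirm it is the current `sefidel` key; if it is not, the new creation rule and the recipients actually holding the data key disagree, and `sops updatekeys` on this file is needed before the host can be expected to decrypt `root-password` with the intended key set. Editing the `age:` list by hand does not re-wrap the data key, so any later recipient change should go through sops as well.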