zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:kexec_luks2
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client
..
compare: zuckerberg:51a1281c13b32a54f36a90022da179253ca9efe8
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:rpi-hotspot zuckerberg:attic zuckerberg:kexec_luks2 zuckerberg:pia-client

4 Commits
kexec_luks ... 51a1281c13

Author SHA1 Message Date
Zuckerberg
51a1281c13 Rekey secrets 2023-04-19 18:04:39 -06:00
Zuckerberg
6add0cd5e5 add secrets 2023-04-19 18:04:32 -06:00
Zuckerberg
e5c1c99793 try systemd-boot 2023-04-19 17:46:27 -06:00
Zuckerberg
2687cd0462 phil 2023-04-18 23:28:03 -06:00
62 changed files with 498 additions and 1326 deletions
Expand all files Collapse all files

1
README.md
View File

@@ -6,6 +6,7 @@
- `/network` - config for tailscale, and NixOS container with automatic vpn tunneling via PIA
- `/pc` - config that a graphical desktop computer should have. Use `de.enable = true;` to enable everthing.
- `/server` - config that creates new nixos services or extends existing ones to meet my needs
- `/ssh.nix` - all ssh public host and user keys for all `/machines`
- `/machines` - all my NixOS machines along with their machine unique configuration for hardware and services
- `/kexec` - a special machine for generating minimal kexec images. Does not import `/common`
- `/secrets` - encrypted shared secrets unlocked through `/machines` ssh host keys

2
TODO.md
View File

@@ -73,8 +73,6 @@
- offsite backup yubikey, pw db, and ssh key with /secrets access
### Misc
- for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
- https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
- https://github.com/pop-os/system76-scheduler
- improve email a little bit https://helloinbox.email
- remap razer keys https://github.com/sezanzeb/input-remapper

24
common/auto-update.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, lib, ... }:
# Modify auto-update so that it pulls a flake
@@ -6,20 +6,10 @@ let
cfg = config.system.autoUpgrade;
in
{
config = lib.mkIf cfg.enable (lib.mkMerge [
{
system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
# dates = "03:40";
# kexecWindow = lib.mkDefault { lower = "01:00"; upper = "05:00"; };
# randomizedDelaySec = "45min";
};
system.autoUpgrade.allowKexec = lib.mkDefault true;
luks.enableKexec = cfg.allowKexec && builtins.length config.luks.devices > 0;
}
]);
config = lib.mkIf cfg.enable {
system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
};
};
}

2
common/boot/default.nix
View File

@@ -5,8 +5,6 @@
./firmware.nix
./efi.nix
./bios.nix
./kexec-luks.nix
./luks.nix
./remote-luks-unlock.nix
];
}

121
common/boot/kexec-luks.nix
View File

@@ -1,121 +0,0 @@
# Allows kexec'ing as an alternative to rebooting for machines that
# have luks encrypted partitions that need to be mounted at boot.
# These luks partitions will be automatically unlocked, no password,
# or any interaction needed whatsoever.
# This is accomplished by fetching the luks key(s) while the system is running,
# then building a temporary initrd that contains the luks key(s), and kexec'ing.
{ config, lib, pkgs, ... }:
{
options.luks = {
enableKexec = lib.mkEnableOption "Enable support for transparent passwordless kexec while using luks";
};
config = lib.mkIf config.luks.enableKexec {
luks.fallbackToPassword = true;
luks.disableKeyring = true;
boot.initrd.luks.devices = lib.listToAttrs
(builtins.map
(item:
{
name = item;
value = {
masterKeyFile = "/etc/${item}.key";
};
})
config.luks.deviceNames);
systemd.services.prepare-luks-kexec-image = {
description = "Prepare kexec automatic LUKS unlock on kexec reboot without a password";
wantedBy = [ "kexec.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
path = with pkgs; [ file kexec-tools coreutils-full cpio findutils gzip xz zstd lvm2 xxd gawk ];
# based on https://github.com/flowztul/keyexec
script = ''
system=/nix/var/nix/profiles/system
old_initrd=$(readlink -f "$system/initrd")
umask 0077
CRYPTROOT_TMPDIR="$(mktemp -d --tmpdir=/dev/shm)"
cleanup() {
shred -fu "$CRYPTROOT_TMPDIR/initrd_contents/etc/"*.key || true
shred -fu "$CRYPTROOT_TMPDIR/new_initrd" || true
shred -fu "$CRYPTROOT_TMPDIR/secret/"* || true
rm -rf "$CRYPTROOT_TMPDIR"
}
# trap cleanup INT TERM EXIT
mkdir -p "$CRYPTROOT_TMPDIR"
cd "$CRYPTROOT_TMPDIR"
# Determine the compression type of the initrd image
compression=$(file -b --mime-type "$old_initrd" | awk -F'/' '{print $2}')
# Decompress the initrd image based on its compression type
case "$compression" in
gzip)
gunzip -c "$old_initrd" > initrd.cpio
;;
xz)
unxz -c "$old_initrd" > initrd.cpio
;;
zstd)
zstd -d -c "$old_initrd" > initrd.cpio
;;
*)
echo "Unsupported compression type: $compression"
exit 1
;;
esac
# Extract the contents of the cpio archive
mkdir -p initrd_contents
cd initrd_contents
cpio -idv < ../initrd.cpio
# Generate keys and add them to the extracted initrd filesystem
luksDeviceNames=(${builtins.concatStringsSep " " config.luks.deviceNames})
for item in "''${luksDeviceNames[@]}"; do
dmsetup --showkeys table "$item" | cut -d ' ' -f5 | xxd -ps -g1 -r > "./etc/$item.key"
done
# Add normal initrd secrets too
${lib.concatStringsSep "\n" (lib.mapAttrsToList (dest: source:
let source' = if source == null then dest else builtins.toString source; in
''
mkdir -p $(dirname "./${dest}")
cp -a ${source'} "./${dest}"
''
) config.boot.initrd.secrets)
}
# Create a new cpio archive with the modified contents
find . | cpio -o -H newc -v > ../new_initrd.cpio
# Compress the new cpio archive using the original compression type
cd ..
case "$compression" in
gzip)
gunzip -c new_initrd.cpio > new_initrd
;;
xz)
unxz -c new_initrd.cpio > new_initrd
;;
zstd)
zstd -c new_initrd.cpio > new_initrd
;;
esac
kexec --load "$system/kernel" --append "init=$system/init ${builtins.concatStringsSep " " config.boot.kernelParams}" --initrd "$CRYPTROOT_TMPDIR/new_initrd"
'';
};
};
}

74
common/boot/luks.nix
View File

@@ -1,74 +0,0 @@
# Makes it a little easier to configure luks partitions for boot
# Additionally, this solves a circular dependency between kexec luks
# and NixOS's luks module.
{ config, lib, ... }:
let
cfg = config.luks;
deviceCount = builtins.length cfg.devices;
deviceMap = lib.imap
(i: item: {
device = item;
name =
if deviceCount == 1 then "enc-pv"
else "enc-pv${builtins.toString (i + 1)}";
})
cfg.devices;
in
{
options.luks = {
devices = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
allowDiscards = lib.mkOption {
type = lib.types.bool;
default = true;
};
fallbackToPassword = lib.mkEnableOption
"Fallback to interactive passphrase prompt if the cannot be found.";
disableKeyring = lib.mkEnableOption
"When opening LUKS2 devices, don't use the kernel keyring";
# set automatically, don't touch
deviceNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
};
config = lib.mkMerge [
{
assertions = [
{
assertion = deviceCount == builtins.length (builtins.attrNames config.boot.initrd.luks.devices);
message = ''
All luks devices must be specified using `luks.devices` not `boot.initrd.luks.devices`.
'';
}
];
}
(lib.mkIf (deviceCount != 0) {
luks.deviceNames = builtins.map (device: device.name) deviceMap;
boot.initrd.luks.devices = lib.listToAttrs (
builtins.map
(item:
{
name = item.name;
value = {
device = item.device;
allowDiscards = cfg.allowDiscards;
fallbackToPassword = cfg.fallbackToPassword;
disableKeyring = cfg.disableKeyring;
};
})
deviceMap);
})
];
}

5
common/boot/remote-luks-unlock.nix
View File

@@ -33,6 +33,11 @@ in
};
config = lib.mkIf cfg.enable {
# boot.initrd.luks.devices.${cfg.device.name} = {
# device = cfg.device.path;
# allowDiscards = cfg.device.allowDiscards;
# };
# Unlock LUKS disk over ssh
boot.initrd.network.enable = true;
boot.initrd.kernelModules = cfg.kernelModules;

11
common/default.nix
View File

@@ -1,5 +1,10 @@
{ config, pkgs, ... }:
let
ssh = import ./ssh.nix;
sshUserKeys = ssh.users;
sshHigherTrustKeys = ssh.higherTrustUserKeys;
in
{
imports = [
./backups.nix
@@ -10,8 +15,6 @@
./boot
./server
./pc
./machine-info
./ssh.nix
];
nix.flakes.enable = true;
@@ -65,12 +68,12 @@
"dialout" # serial
];
shell = pkgs.fish;
openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
openssh.authorizedKeys.keys = sshUserKeys;
hashedPassword = "$6$TuDO46rILr$gkPUuLKZe3psexhs8WFZMpzgEBGksE.c3Tjh1f8sD0KMC4oV89K2pqAABfl.Lpxu2jVdr5bgvR5cWnZRnji/r/";
uid = 1000;
};
users.users.root = {
openssh.authorizedKeys.keys = config.machines.ssh.deployKeys;
openssh.authorizedKeys.keys = sshHigherTrustKeys;
};
nix.settings = {
trusted-users = [ "root" "googlebot" ];

200
common/machine-info/default.nix
View File

@@ -1,200 +0,0 @@
# Gathers info about each machine to constuct overall configuration
# Ex: Each machine already trusts each others SSH fingerprint already
{ config, lib, pkgs, ... }:
let
machines = config.machines.hosts;
in
{
imports = [
./ssh.nix
./roles.nix
];
options.machines = {
hosts = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
};
};
config = {
assertions = (lib.concatLists (lib.mapAttrsToList
(
name: cfg: [
{
assertion = builtins.length cfg.hostNames > 0;
message = ''
Error with config for ${name}
There must be at least one hostname.
'';
}
{
assertion = builtins.length cfg.systemRoles > 0;
message = ''
Error with config for ${name}
There must be at least one system role.
'';
}
{
assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.hostKey != cfg.hostKey;
message = ''
Error with config for ${name}
Unlock hostkey and hostkey cannot be the same because unlock hostkey is in /boot, unencrypted.
'';
}
{
assertion = cfg.remoteUnlock == null || (cfg.remoteUnlock.clearnetHost != null || cfg.remoteUnlock.onionHost != null);
message = ''
Error with config for ${name}
At least one of clearnet host or onion host must be defined.
'';
}
{
assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.clearnetHost == null || builtins.elem cfg.remoteUnlock.clearnetHost cfg.hostNames == false;
message = ''
Error with config for ${name}
Clearnet unlock hostname cannot be in the list of hostnames for security reasons.
'';
}
{
assertion = cfg.remoteUnlock == null || cfg.remoteUnlock.onionHost == null || lib.strings.hasSuffix ".onion" cfg.remoteUnlock.onionHost;
message = ''
Error with config for ${name}
Tor unlock hostname must be an onion address.
'';
}
{
assertion = builtins.elem "personal" cfg.systemRoles || builtins.length cfg.userKeys == 0;
message = ''
Error with config for ${name}
There must be at least one userkey defined for personal machines.
'';
}
{
assertion = builtins.elem "deploy" cfg.systemRoles || builtins.length cfg.deployKeys == 0;
message = ''
Error with config for ${name}
Only deploy machines are allowed to have deploy keys for security reasons.
'';
}
]
)
machines));
# Set per machine properties automatically using each of their `properties.nix` files respectively
machines.hosts =
let
properties = dir: lib.concatMapAttrs
(name: path: {
${name} =
import path
//
{ configurationPath = builtins.dirOf path; };
})
(propertiesFiles dir);
propertiesFiles = dir:
lib.foldl (lib.mergeAttrs) { } (propertiesFiles' dir);
propertiesFiles' = dir:
let
propFiles = lib.filter (p: baseNameOf p == "properties.nix") (lib.filesystem.listFilesRecursive dir);
dirName = path: builtins.baseNameOf (builtins.dirOf path);
in
builtins.map (p: { "${dirName p}" = p; }) propFiles;
in
properties ../../machines;
};
}

15
common/machine-info/moduleless.nix
View File

@@ -1,15 +0,0 @@
# Allows getting machine-info outside the scope of nixos configuration
{ nixpkgs ? import <nixpkgs> { }
, assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
}:
{
machines =
(nixpkgs.lib.evalModules {
modules = [
./default.nix
assertionsModule
];
}).config.machines;
}

19
common/machine-info/roles.nix
View File

@@ -1,19 +0,0 @@
{ config, lib, ... }:
# Maps roles to their hosts
{
options.machines.roles = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
};
config = {
machines.roles = lib.zipAttrs
(lib.mapAttrsToList
(host: cfg:
lib.foldl (lib.mergeAttrs) { }
(builtins.map (role: { ${role} = host; })
cfg.systemRoles))
config.machines.hosts);
};
}

44
common/machine-info/ssh.nix
View File

@@ -1,44 +0,0 @@
{ config, lib, ... }:
let
machines = config.machines;
sshkeys = keyType: lib.foldl (l: cfg: l ++ cfg.${keyType}) [ ] (builtins.attrValues machines.hosts);
in
{
options.machines.ssh = {
userKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of user keys aggregated from all machines.
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
List of deploy keys aggregated from all machines.
'';
};
hostKeysByRole = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
description = ''
Machine host keys divided into their roles.
'';
};
};
config = {
machines.ssh.userKeys = sshkeys "userKeys";
machines.ssh.deployKeys = sshkeys "deployKeys";
machines.ssh.hostKeysByRole = lib.mapAttrs
(role: hosts:
builtins.map
(host: machines.hosts.${host}.hostKey)
hosts)
machines.roles;
};
}

1
common/network/default.nix
View File

@@ -7,6 +7,7 @@ let
in
{
imports = [
./hosts.nix
./pia-openvpn.nix
./pia-wireguard.nix
./ping.nix

66
common/network/hosts.nix Normal file
View File

@@ -0,0 +1,66 @@
{ config, lib, ... }:
let
system = (import ../ssh.nix).system;
# hostnames that resolve on clearnet for LUKS unlocking
unlock-clearnet-hosts = {
ponyo = "unlock.ponyo.neet.dev";
phil = "unlock.phil.neet.dev";
s0 = "s0";
};
# hostnames that resolve on tor for LUKS unlocking
unlock-onion-hosts = {
liza = "5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion";
router = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
in
{
programs.ssh.knownHosts = {
ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ];
publicKey = system.ponyo;
};
ponyo-unlock = {
hostNames = [ unlock-clearnet-hosts.ponyo unlock-onion-hosts.ponyo ];
publicKey = system.ponyo-unlock;
};
phil = {
hostNames = [ "phil" "phil.neet.dev" ];
publicKey = system.phil;
};
phil-unlock = {
hostNames = [ unlock-clearnet-hosts.phil ];
publicKey = system.phil-unlock;
};
router = {
hostNames = [ "router" "192.168.1.228" ];
publicKey = system.router;
};
router-unlock = {
hostNames = [ unlock-onion-hosts.router ];
publicKey = system.router-unlock;
};
ray = {
hostNames = [ "ray" ];
publicKey = system.ray;
};
s0 = {
hostNames = [ "s0" ];
publicKey = system.s0;
};
s0-unlock = {
hostNames = [ unlock-onion-hosts.s0 ];
publicKey = system.s0-unlock;
};
};
# prebuilt cmds for easy ssh LUKS unlock
environment.shellAliases =
lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) unlock-onion-hosts
//
lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) unlock-clearnet-hosts;
}

2
common/network/pia-openvpn.nix
View File

@@ -108,6 +108,6 @@ in
};
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}

2
common/network/pia-wireguard.nix
View File

@@ -352,6 +352,6 @@ in
};
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.age;
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}

39
common/pc/audio.nix
View File

@@ -17,6 +17,45 @@ in
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
config.pipewire = {
"context.objects" = [
{
# A default dummy driver. This handles nodes marked with the "node.always-driver"
# properyty when no other driver is currently active. JACK clients need this.
factory = "spa-node-factory";
args = {
"factory.name" = "support.node.driver";
"node.name" = "Dummy-Driver";
"priority.driver" = 8000;
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Microphone-Proxy";
"node.description" = "Microphone";
"media.class" = "Audio/Source/Virtual";
"audio.position" = "MONO";
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Main-Output-Proxy";
"node.description" = "Main Output";
"media.class" = "Audio/Sink";
"audio.position" = "FL,FR";
};
}
];
};
};
users.users.googlebot.extraGroups = [ "audio" ];

1
common/server/default.nix
View File

@@ -10,7 +10,6 @@
./matrix.nix
./zerobin.nix
./gitea.nix
./gitea-runner.nix
./privatebin/privatebin.nix
./radio.nix
./samba.nix

98
common/server/gitea-runner.nix
View File

@@ -1,98 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea-runner;
in
{
options.services.gitea-runner = {
enable = lib.mkEnableOption "Enables gitea runner";
dataDir = lib.mkOption {
default = "/var/lib/gitea-runner";
type = lib.types.str;
description = lib.mdDoc "gitea runner data directory.";
};
instanceUrl = lib.mkOption {
type = lib.types.str;
};
registrationTokenFile = lib.mkOption {
type = lib.types.path;
};
};
config = lib.mkIf cfg.enable {
virtualisation.docker.enable = true;
users.users.gitea-runner = {
description = "Gitea Runner Service";
home = cfg.dataDir;
useDefaultShell = true;
group = "gitea-runner";
isSystemUser = true;
createHome = true;
extraGroups = [
"docker" # allow creating docker containers
];
};
users.groups.gitea-runner = { };
# registration token
services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
age.secrets.gitea-runner-registration-token = {
file = ../../secrets/gitea-runner-registration-token.age;
owner = "gitea-runner";
};
systemd.services.gitea-runner = {
description = "Gitea Runner";
serviceConfig = {
WorkingDirectory = cfg.dataDir;
User = "gitea-runner";
Group = "gitea-runner";
};
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ gitea-actions-runner ];
# based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
script = ''
. ${cfg.registrationTokenFile}
if [[ ! -s .runner ]]; then
try=$((try + 1))
success=0
LOGFILE="$(mktemp)"
# The point of this loop is to make it simple, when running both act_runner and gitea in docker,
# for the act_runner to wait a moment for gitea to become available before erroring out. Within
# the context of a single docker-compose, something similar could be done via healthchecks, but
# this is more flexible.
while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
act_runner register \
--instance "${cfg.instanceUrl}" \
--token "$GITEA_RUNNER_REGISTRATION_TOKEN" \
--name "${config.networking.hostName}" \
--no-interactive > $LOGFILE 2>&1
cat $LOGFILE
cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
if [[ $? -eq 0 ]]; then
echo "SUCCESS"
success=1
else
echo "Waiting to retry ..."
sleep 5
fi
done
fi
exec act_runner daemon
'';
};
};
}

3
common/server/gitea.nix
View File

@@ -39,9 +39,6 @@ in
USER = "robot@runyan.org";
FROM = "no-reply@neet.dev";
};
actions = {
ENABLED = true;
};
};
mailerPasswordFile = "/run/agenix/robots-email-pw";
};

4
common/server/mailserver.nix
View File

@@ -33,7 +33,7 @@ in
inherit domains;
loginAccounts = {
"jeremy@runyan.org" = {
hashedPasswordFile = "/run/agenix/hashed-email-pw";
hashedPasswordFile = "/run/agenix/email-pw";
# catchall for all domains
aliases = map (domain: "@${domain}") domains;
};
@@ -54,7 +54,7 @@ in
];
certificateScheme = 3; # use let's encrypt for certs
};
age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
age.secrets.email-pw.file = ../../secrets/email-pw.age;
age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
# sendmail to use xxx@domain instead of xxx@mail.domain

72
common/ssh.nix
View File

@@ -1,38 +1,44 @@
{ config, lib, pkgs, ... }:
{
programs.ssh.knownHosts = lib.filterAttrs (n: v: v != null) (lib.concatMapAttrs
(host: cfg: {
${host} = {
hostNames = cfg.hostNames;
publicKey = cfg.hostKey;
};
"${host}-remote-unlock" =
if cfg.remoteUnlock != null then {
hostNames = builtins.filter (h: h != null) [ cfg.remoteUnlock.clearnetHost cfg.remoteUnlock.onionHost ];
publicKey = cfg.remoteUnlock.hostKey;
} else null;
})
config.machines.hosts);
# prebuilt cmds for easy ssh LUKS unlock
environment.shellAliases =
let
unlockHosts = unlockType: lib.concatMapAttrs
(host: cfg:
if cfg.remoteUnlock != null && cfg.remoteUnlock.${unlockType} != null then {
${host} = cfg.remoteUnlock.${unlockType};
} else { })
config.machines.hosts;
in
lib.concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) (unlockHosts "onionHost")
//
lib.concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) (unlockHosts "clearnetHost");
# TODO: Old ssh keys I will remove some day...
machines.ssh.userKeys = [
rec {
users = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVR/R3ZOsv7TZbICGBCHdjh1NDT8SnswUyINeJOC7QG"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dcqL/FhHmv+a1iz3f9LJ48xubO7MZHy35rW9SZOYM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSkKiRUUmnErOKGx81nyge/9KqjkPh8BfDk0D3oP586" # nat
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP" # ray
];
system = {
ponyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
ponyo-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
ray = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
phil = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
phil-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
router-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
s0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
s0-unlock = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
};
higherTrustUserKeys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo=" # ray fido
];
# groups
systems = with system; [
ponyo
phil
ray
router
s0
];
personal = with system; [
ray
];
servers = with system; [
ponyo
phil
router
s0
];
storage = with system; [
s0
];
}

48
flake.lock generated
View File

@@ -8,11 +8,11 @@
]
},
"locked": {
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"lastModified": 1675176355,
"narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
"type": "github"
},
"original": {
@@ -117,11 +117,11 @@
]
},
"locked": {
"lastModified": 1682063650,
"narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
"lastModified": 1674127017,
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77",
"type": "github"
},
"original": {
@@ -147,15 +147,12 @@
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
@@ -171,11 +168,11 @@
]
},
"locked": {
"lastModified": 1681591833,
"narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
"lastModified": 1677382901,
"narHash": "sha256-2idFWlTVG+qUZkU2/W50amGSIxmN56igIkMAXKbv4S4=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
"rev": "4306fa7c12e098360439faac1a2e6b8e509ec97c",
"type": "github"
},
"original": {
@@ -186,11 +183,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1682133240,
"narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
"lastModified": 1677823547,
"narHash": "sha256-xD2qco8Pw8HAXgjf9OSi2H2N20WaTrtvgcl21525kVE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
"rev": "78c4d33c16092e535bc4ba1284ba49e3e138483a",
"type": "github"
},
"original": {
@@ -307,21 +304,6 @@
"type": "gitlab"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,

174
flake.nix
View File

@@ -44,103 +44,97 @@
nixpkgs-hostapd-pr.flake = false;
};
outputs = { self, nixpkgs, ... }@inputs:
let
machines = (import ./common/machine-info/moduleless.nix
{
inherit nixpkgs;
assertionsModule = "${nixpkgs}/nixos/modules/misc/assertions.nix";
}).machines.hosts;
in
{
nixosConfigurations =
let
modules = system: hostname: with inputs; [
./common
simple-nixos-mailserver.nixosModule
agenix.nixosModules.default
dailybuild_modules.nixosModule
archivebox.nixosModule
nix-index-database.nixosModules.nix-index
({ lib, ... }: {
config = {
environment.systemPackages = [
agenix.packages.${system}.agenix
];
outputs = { self, nixpkgs, ... }@inputs: {
networking.hostName = hostname;
};
nixosConfigurations =
let
modules = system: with inputs; [
./common
simple-nixos-mailserver.nixosModule
agenix.nixosModules.default
dailybuild_modules.nixosModule
archivebox.nixosModule
nix-index-database.nixosModules.nix-index
({ lib, ... }: {
config.environment.systemPackages = [
agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; };
options.currentSystem = lib.mkOption { default = system; };
})
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; };
options.currentSystem = lib.mkOption { default = system; };
})
];
mkSystem = system: nixpkgs: path: hostname:
let
allModules = modules system hostname;
mkSystem = system: nixpkgs: path:
let
allModules = modules system;
# allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
inputs.nixpkgs-hostapd-pr
./patches/kexec-luks.patch
];
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
in
patchedNixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [ path ];
specialArgs = {
inherit allModules;
};
# allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
inputs.nixpkgs-hostapd-pr
];
};
in
nixpkgs.lib.mapAttrs
(hostname: cfg:
mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
machines;
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
packages =
let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in
{
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
in
patchedNixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [ path ];
specialArgs = {
inherit allModules;
};
};
in
{
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
# "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"phil" = mkSystem "aarch64-linux" nixpkgs ./machines/phil/configuration.nix;
"router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
"s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
};
packages =
let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in
{
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
deploy.nodes =
let
mkDeploy = configName: hostname: {
inherit hostname;
magicRollback = false;
sshUser = "root";
profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configName};
};
deploy.nodes =
let
mkDeploy = configName: arch: hostname: {
inherit hostname;
magicRollback = false;
sshUser = "root";
profiles.system.path = inputs.deploy-rs.lib.${arch}.activate.nixos self.nixosConfigurations.${configName};
};
in
nixpkgs.lib.mapAttrs
(hostname: cfg:
mkDeploy hostname cfg.arch (builtins.head cfg.hostNames))
machines;
in
{
s0 = mkDeploy "s0" "s0";
router = mkDeploy "router" "router";
ponyo = mkDeploy "ponyo" "ponyo.neet.dev";
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
};
}

14
machines/ephemeral/minimal.nix
View File

@@ -1,10 +1,8 @@
{ config, pkgs, modulesPath, ... }:
{ pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/channel.nix")
../../common/machine-info
../../common/ssh.nix
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
@@ -18,8 +16,6 @@
boot.kernelPackages = pkgs.linuxPackages_latest;
system.stateVersion = "21.11";
# hardware.enableAllFirmware = true;
# nixpkgs.config.allowUnfree = true;
@@ -42,12 +38,10 @@
services.openssh = {
enable = true;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
};
challengeResponseAuthentication = false;
passwordAuthentication = false;
};
services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = config.machines.ssh.userKeys;
users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users;
}

9
machines/phil/configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
networking.hostName = "phil";
}

14
machines/phil/default.nix
View File

@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
];
services.gitea-runner = {
enable = true;
instanceUrl = "https://git.neet.dev";
};
system.autoUpgrade.enable = true;
}

12
machines/phil/hardware-configuration.nix
View File

@@ -9,7 +9,6 @@
(modulesPath + "/profiles/qemu-guest.nix")
];
# because grub just doesn't work for some reason
boot.loader.systemd-boot.enable = true;
remoteLuksUnlock.enable = true;
@@ -20,22 +19,25 @@
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
luks.devices = [ "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194" ];
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47";
allowDiscards = true;
};
fileSystems."/" =
{
device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
device = "/dev/mapper/vg-root";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/F185-C4E5";
device = "/dev/disk/by-uuid/EC6B-53AA";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
[{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }];
networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;

20
machines/phil/properties.nix
View File

@@ -1,20 +0,0 @@
{
hostNames = [
"phil"
"phil.neet.dev"
];
arch = "aarch64-linux";
systemRoles = [
"server"
"gitea-runner"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
clearnetHost = "unlock.phil.neet.dev";
};
}

5
machines/ponyo/default.nix → machines/ponyo/configuration.nix
View File

@@ -5,10 +5,9 @@
./hardware-configuration.nix
];
networking.hostName = "ponyo";
system.autoUpgrade.enable = true;
# I want to manually trigger kexec updates for now on ponyo
system.autoUpgrade.allowKexec = false;
luks.enableKexec = true;
# p2p mesh network
services.tailscale.exitNode = true;

9
machines/ponyo/hardware-configuration.nix
View File

@@ -19,15 +19,12 @@
};
remoteLuksUnlock.enable = true;
luks.devices = [
"/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2"
"/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"
];
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/4cc36be4-dbff-4afe-927d-69bf4637bae2";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk
fileSystems."/" =
{
device = "/dev/mapper/enc-pv1";
device = "/dev/mapper/enc-pv";
fsType = "btrfs";
};

28
machines/ponyo/properties.nix
View File

@@ -1,28 +0,0 @@
{
hostNames = [
"ponyo"
"ponyo.neet.dev"
"git.neet.dev"
];
arch = "x86_64-linux";
systemRoles = [
"server"
"email-server"
"iodine"
"pia"
"nextcloud"
"dailybot"
"gitea"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
clearnetHost = "unlock.ponyo.neet.dev";
onionHost = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
};
}

2
machines/ray/default.nix → machines/ray/configuration.nix
View File

@@ -5,6 +5,8 @@
./hardware-configuration.nix
];
networking.hostName = "ray";
# for luks onlock over tor
services.tor.enable = true;
services.tor.client.enable = true;

8
machines/ray/hardware-configuration.nix
View File

@@ -36,7 +36,10 @@
# disks
remoteLuksUnlock.enable = true;
luks.devices = [ "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce" ];
boot.initrd.luks.devices."enc-pv" = {
device = "/dev/disk/by-uuid/c1822e5f-4137-44e1-885f-954e926583ce";
allowDiscards = true;
};
fileSystems."/" =
{
device = "/dev/vg/root";
@@ -56,4 +59,7 @@
};
swapDevices =
[{ device = "/dev/vg/swap"; }];
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}

22
machines/ray/properties.nix
View File

@@ -1,22 +0,0 @@
{
hostNames = [
"ray"
];
arch = "x86_64-linux";
systemRoles = [
"personal"
"deploy"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQM8hwKRgl8cZj7UVYATSLYu4LhG7I0WFJ9m2iWowiB";
userKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeTK1iARlNIKP/DS8/ObBm9yUM/3L1Ub4XI5A2r9OzP"
];
deployKeys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaGIwLiUa6wQLlEF+keQOIYy/tCmJvV6eENzUQjSqW2AAAABHNzaDo="
];
}

2
machines/router/default.nix → machines/router/configuration.nix
View File

@@ -11,6 +11,8 @@
# https://github.com/skogsbrus/os/blob/master/sys/router.nix
# http://trac.gateworks.com/wiki/wireless/wifi
networking.hostName = "router";
system.autoUpgrade.enable = true;
services.tailscale.exitNode = true;

2
machines/router/hardware-configuration.nix
View File

@@ -32,7 +32,7 @@
# disks
remoteLuksUnlock.enable = true;
luks.devices = [ "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c" ];
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
fileSystems."/" =
{
device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";

21
machines/router/properties.nix
View File

@@ -1,21 +0,0 @@
{
hostNames = [
"router"
"192.168.1.228"
];
arch = "x86_64-linux";
systemRoles = [
"server"
"wireless"
"router"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFr2IHmWFlaLaLp5dGoSmFEYKA/eg2SwGXAogaOmLsHL";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOw5dTPmtKqiPBH6VKyz5MYBubn8leAh5Eaw7s/O85c";
onionHost = "jxx2exuihlls2t6ncs7rvrjh2dssubjmjtclwr2ysvxtr4t7jv55xmqd.onion";
};
}

2
machines/storage/s0/default.nix → machines/storage/s0/configuration.nix
View File

@@ -5,6 +5,8 @@
./hardware-configuration.nix
];
networking.hostName = "s0";
system.autoUpgrade.enable = true;
services.iperf3.enable = true;

12
machines/storage/s0/hardware-configuration.nix
View File

@@ -7,7 +7,7 @@
];
# boot
boot.loader.systemd-boot.enable = true;
efi.enable = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
@@ -25,12 +25,10 @@
# luks
remoteLuksUnlock.enable = true;
luks.devices = [
"/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86"
"/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3"
"/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38"
"/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc"
];
boot.initrd.luks.devices."enc-pv1".device = "/dev/disk/by-uuid/d52e99a9-8825-4d0a-afc1-8edbef7e0a86";
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/f7275585-7760-4230-97de-36704b9a2aa3";
boot.initrd.luks.devices."enc-pv3".device = "/dev/disk/by-uuid/5d1002b8-a0ed-4a1c-99f5-24b8816d9e38";
boot.initrd.luks.devices."enc-pv4".device = "/dev/disk/by-uuid/e2c7402a-e72c-4c4a-998f-82e4c10187bc";
# mounts
fileSystems."/" =

20
machines/storage/s0/properties.nix
View File

@@ -1,20 +0,0 @@
{
hostNames = [
"s0"
];
arch = "x86_64-linux";
systemRoles = [
"storage"
"server"
"pia"
];
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
remoteUnlock = {
hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNiceeFMos5ZXcYem4yFxh8PiZNNnuvhlyLbQLrgIZH";
onionHost = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
}

44
new_machine.md → new_machine.txt
View File

@@ -1,34 +1,27 @@
# New Machine Setup
### Prepare Shell If Needed
```sh
nix-shell -p nixFlakes git
```
### Disk Setup
```sh
cfdisk
mkfs.ext3 boot
cryptsetup luksFormat /dev/vda2
cryptsetup luksOpen /dev/vda2 enc-pv
pvcreate /dev/mapper/enc-pv
vgcreate vg /dev/mapper/enc-pv
lvcreate -L 4G -n swap vg
lvcreate -l '100%FREE' -n root vg
mkswap -L swap /dev/vg/swap
swapon /dev/vg/swap
mkfs.btrfs /dev/vg/root
mount /dev/vg/root /mnt
mkfs.ext3 boot
cd /mnt
btrfs subvolume create root
btrfs subvolume create home
cd
mount -o subvol=root /dev/vg/root /mnt
mkdir /mnt/home
mount -o subvol=home /dev/vg/root /mnt/home
mkdir /mnt/boot
mount /dev/vda1 /mnt/boot
```
### Generate Secrets
```sh
mkdir /mnt/secret
```
In `/tmp/tor.rc`
/tmp/tor.rc
```
DataDirectory /tmp/my-dummy.tor/
SOCKSPort 127.0.0.1:10050 IsolateDestAddr
@@ -37,23 +30,8 @@ HiddenServiceDir /mnt/secret/onion
HiddenServicePort 1234 127.0.0.1:1234
```
```sh
nix-shell -p tor --run "tor -f /tmp/tor.rc"
ssh-keygen -q -N "" -t rsa -b 4096 -f /mnt/secret/ssh_host_rsa_key
ssh-keygen -q -N "" -t ed25519 -f /mnt/secret/ssh_host_ed25519_key
```
### Generate Hardware Config
```sh
nixos-generate-config --root /mnt
```
### Install
```sh
nixos-generate-config --root /mnt # copy hardware config
nixos-install --flake "git+https://git.neet.dev/zuckerberg/nix-config.git#MACHINE_NAME"
```
### Post Install Tasks
- Add to DNS
- Add ssh host keys (unlock key + host key)
- Add to tailnet

264
patches/kexec-luks.patch
View File

@@ -1,264 +0,0 @@
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index b8f36538e70..cc320a04c70 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -146,6 +146,7 @@ let
csopen = "cryptsetup luksOpen ${dev.device} ${dev.name}"
+ optionalString dev.allowDiscards " --allow-discards"
+ optionalString dev.bypassWorkqueues " --perf-no_read_workqueue --perf-no_write_workqueue"
+ + optionalString dev.disableKeyring " --disable-keyring"
+ optionalString (dev.header != null) " --header=${dev.header}";
cschange = "cryptsetup luksChangeKey ${dev.device} ${optionalString (dev.header != null) "--header=${dev.header}"}";
fido2luksCredentials = dev.fido2.credentials ++ optional (dev.fido2.credential != null) dev.fido2.credential;
@@ -243,6 +244,26 @@ let
do_open_passphrase
fi
fi
+ '' else if (dev.masterKeyFile != null) then ''
+ if wait_target "key file" ${dev.masterKeyFile}; then
+ ${csopen} --master-key-file=${dev.masterKeyFile}
+ cs_status=$?
+ if [ $cs_status -ne 0 ]; then
+ echo "Key File ${dev.masterKeyFile} failed!"
+ if ! try_empty_passphrase; then
+ ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
+ echo " - failing back to interactive password prompt"
+ do_open_passphrase
+ fi
+ fi
+ else
+ # If the key file never shows up we should also try the empty passphrase
+ if ! try_empty_passphrase; then
+ ${if dev.fallbackToPassword then "echo" else "die"} "${dev.masterKeyFile} is unavailable"
+ echo " - failing back to interactive password prompt"
+ do_open_passphrase
+ fi
+ fi
'' else ''
if ! try_empty_passphrase; then
do_open_passphrase
@@ -625,6 +646,15 @@ in
'';
};
+ masterKeyFile = mkOption {
+ default = null;
+ type = types.nullOr types.str;
+ description = lib.mdDoc ''
+ The name of the file (can be a raw device or a partition) that
+ should be used as the master decryption key for the encrypted device.
+ '';
+ };
+
tryEmptyPassphrase = mkOption {
default = false;
type = types.bool;
@@ -700,6 +730,15 @@ in
'';
};
+ disableKeyring = mkOption {
+ default = false;
+ type = types.bool;
+ description = lib.mdDoc ''
+ Disables using the kernel keyring for LUKS2 disks.
+ This is already the default behavior for LUKS1
+ '';
+ };
+
fallbackToPassword = mkOption {
default = false;
type = types.bool;
diff --git a/nixos/modules/tasks/auto-upgrade.nix b/nixos/modules/tasks/auto-upgrade.nix
index 29e3e313336..050bf09c208 100644
--- a/nixos/modules/tasks/auto-upgrade.nix
+++ b/nixos/modules/tasks/auto-upgrade.nix
@@ -4,7 +4,8 @@ with lib;
let cfg = config.system.autoUpgrade;
-in {
+in
+{
options = {
@@ -22,7 +23,7 @@ in {
};
operation = mkOption {
- type = types.enum ["switch" "boot"];
+ type = types.enum [ "switch" "boot" ];
default = "switch";
example = "boot";
description = lib.mdDoc ''
@@ -86,14 +87,14 @@ in {
'';
};
- allowReboot = mkOption {
+ allowKexec = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
- Reboot the system into the new generation instead of a switch
+ kexec the system into the new generation instead of a switch
if the new generation uses a different kernel, kernel modules
or initrd than the booted system.
- See {option}`rebootWindow` for configuring the times at which a reboot is allowed.
+ See {option}`kexecWindow` for configuring the times at which a kexec is allowed.
'';
};
@@ -109,25 +110,25 @@ in {
'';
};
- rebootWindow = mkOption {
+ kexecWindow = mkOption {
description = lib.mdDoc ''
Define a lower and upper time value (in HH:MM format) which
- constitute a time window during which reboots are allowed after an upgrade.
- This option only has an effect when {option}`allowReboot` is enabled.
- The default value of `null` means that reboots are allowed at any time.
+ constitute a time window during which kexecs are allowed after an upgrade.
+ This option only has an effect when {option}`allowKexec` is enabled.
+ The default value of `null` means that kexecs are allowed at any time.
'';
default = null;
example = { lower = "01:00"; upper = "05:00"; };
type = with types; nullOr (submodule {
options = {
lower = mkOption {
- description = lib.mdDoc "Lower limit of the reboot window";
+ description = lib.mdDoc "Lower limit of the kexec window";
type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
example = "01:00";
};
upper = mkOption {
- description = lib.mdDoc "Upper limit of the reboot window";
+ description = lib.mdDoc "Upper limit of the kexec window";
type = types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}";
example = "05:00";
};
@@ -165,12 +166,12 @@ in {
}];
system.autoUpgrade.flags = (if cfg.flake == null then
- [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
- "-I"
- "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
- ]
- else
- [ "--flake ${cfg.flake}" ]);
+ [ "--no-build-output" ] ++ optionals (cfg.channel != null) [
+ "-I"
+ "nixpkgs=${cfg.channel}/nixexprs.tar.xz"
+ ]
+ else
+ [ "--flake ${cfg.flake}" ]);
systemd.services.nixos-upgrade = {
description = "NixOS Upgrade";
@@ -195,54 +196,56 @@ in {
config.programs.ssh.package
];
- script = let
- nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
- date = "${pkgs.coreutils}/bin/date";
- readlink = "${pkgs.coreutils}/bin/readlink";
- shutdown = "${config.systemd.package}/bin/shutdown";
- upgradeFlag = optional (cfg.channel == null) "--upgrade";
- in if cfg.allowReboot then ''
- ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
- booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
- built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
-
- ${optionalString (cfg.rebootWindow != null) ''
- current_time="$(${date} +%H:%M)"
-
- lower="${cfg.rebootWindow.lower}"
- upper="${cfg.rebootWindow.upper}"
-
- if [[ "''${lower}" < "''${upper}" ]]; then
- if [[ "''${current_time}" > "''${lower}" ]] && \
- [[ "''${current_time}" < "''${upper}" ]]; then
- do_reboot="true"
+ script =
+ let
+ nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
+ date = "${pkgs.coreutils}/bin/date";
+ readlink = "${pkgs.coreutils}/bin/readlink";
+ systemctl_kexec = "${config.systemd.package}/bin/systemctl kexec";
+ upgradeFlag = optional (cfg.channel == null) "--upgrade";
+ in
+ if cfg.allowKexec then ''
+ ${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
+ booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})"
+ built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+
+ ${optionalString (cfg.kexecWindow != null) ''
+ current_time="$(${date} +%H:%M)"
+
+ lower="${cfg.kexecWindow.lower}"
+ upper="${cfg.kexecWindow.upper}"
+
+ if [[ "''${lower}" < "''${upper}" ]]; then
+ if [[ "''${current_time}" > "''${lower}" ]] && \
+ [[ "''${current_time}" < "''${upper}" ]]; then
+ do_kexec="true"
+ else
+ do_kexec="false"
+ fi
else
- do_reboot="false"
+ # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
+ # we want to reboot if cur > 23h or cur < 6h
+ if [[ "''${current_time}" < "''${upper}" ]] || \
+ [[ "''${current_time}" > "''${lower}" ]]; then
+ do_kexec="true"
+ else
+ do_kexec="false"
+ fi
fi
+ ''}
+
+ if [ "''${booted}" = "''${built}" ]; then
+ ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
+ ${optionalString (cfg.kexecWindow != null) ''
+ elif [ "''${do_kexec}" != true ]; then
+ echo "Outside of configured kexec window, skipping."
+ ''}
else
- # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h)
- # we want to reboot if cur > 23h or cur < 6h
- if [[ "''${current_time}" < "''${upper}" ]] || \
- [[ "''${current_time}" > "''${lower}" ]]; then
- do_reboot="true"
- else
- do_reboot="false"
- fi
+ ${systemctl_kexec}
fi
- ''}
-
- if [ "''${booted}" = "''${built}" ]; then
- ${nixos-rebuild} ${cfg.operation} ${toString cfg.flags}
- ${optionalString (cfg.rebootWindow != null) ''
- elif [ "''${do_reboot}" != true ]; then
- echo "Outside of configured reboot window, skipping."
- ''}
- else
- ${shutdown} -r +1
- fi
- '' else ''
- ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
- '';
+ '' else ''
+ ${nixos-rebuild} ${cfg.operation} ${toString (cfg.flags ++ upgradeFlag)}
+ '';
startAt = cfg.dates;

BIN
secrets/backblaze-s3-backups.age
View File

Binary file not shown.

23
secrets/email-pw.age Normal file
View File

@@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 xoAm7w uMSr0mNTntr9oRqEtrJ+LJKBxI+s+cTbXYAag6kb/hM
JIylg1Xg08Ar/AuaE5e9O3qgsNAGG48Mw/Zvs8fdGdQ
-> ssh-ed25519 mbw8xA ngrNg4m5aiqUyudZ4Y4Y37ApFDXxq2UBOrbEajIdBAg
1Z9hKOwNYe+o64b98WTXR30s8tv5geRCRIKe6Y6F35Y
-> ssh-ed25519 2a2Yhw U89mACfmGm2hOOHZfvVfxkWX2G54D5aw1shiyqC6T04
2TVJ4/do2jbEJZHegTDO8Q/CiLNNT0f3GpSpEWoIHnM
-> ssh-ed25519 dMQYog BjQXtlw+fWSg2mzdbvpZdgU/UpQnByvj8QY2vf3f/Qg
S/OFhJGyj3YhmPNiOcmAAAnxkzMwt7PnVvUxSxNWYp0
-> ssh-ed25519 6AT2/g sgzaa1V1+i3ADN/Lgn8LSCL1Mp7tCmNbG6HTo25qzVs
q7Xfxu40RzjQORhZbGfq7U9FolNtWo3eDswxVUJ9uRw
-> ssh-ed25519 fwBF+g s3FQ1pwQYfGyQcQAtlpXFNA61BsJrEV+cDnBGot20ic
M74z4r8nz6JvaougCsnyRVyNvLWBtwqhwGC6Oqe1YzI
-> ssh-ed25519 yHDAQw XXxh2eQf9tCEQyZKAppYu9M/EAYbsriGR/xK/ca1hE4
GoNmSmuzuaD6DrhFD4vv+N/K6ySorZQXHqkEy59fFa4
-> ssh-ed25519 VyYH/Q X83OJlxNPRG+kRylIceDDE3hzs5BjbLRYTa4A9t76UE
fdZcV7RRzKxeWQrniKT53UlunCWAuWIP4CAxeIHHbX4
-> ssh-ed25519 hPp1nw eIE4zQqBKr8SIW9Uqxn/HqA/wc4GIrck44k2iYbwSic
wjemabf9WrL7dU0H5T32xKCW9FYogTuA7cTCZlVW9yU
-> r|n4m-grease AXlh $ozYI bvs$"
AKr3E49skiQ2WLy320wi3qlafLyGnLTjCvLHz2eK3A
--- qtFNqGCcR6VAQnbPg7n52u1aJYJUDo9lV6Qnz/Y1bq4
’¿Ëì¶+\Ù× m´®UYBa…³2·$´š7ÅQ¿xƒåôˆ+<1E>ÁUyiMoËæ,Vº 1W<E28098>ò´R(å<>´e5qq8ª¦  ²A^“¼}C7œïDÂ$3˜÷

BIN
secrets/gitea-runner-registration-token.age
View File

Binary file not shown.

10
secrets/hashed-email-pw.age
View File

@@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g 93Az2iuqeWL6H/S3XDPXFoEPcrY/n/z9mlSNb5wABkU
LpMPjpDtBrY2aHpqHwT5AY7vtsYHNcOjpz+LFY4TGCg
-> ssh-ed25519 dMQYog 4qT0aF1IHsTtN1avMPWYG5Az2xmEZhVUhqcwyNFdfU4
+wD0hE035JqYdDgJmkvNXwJyMzXrquA+RsD8QdK3xP8
-> !vfM7-grease
7nQGFFUWY9UIjfrb+/VfaG0zJ21zmDnDh5khs/0tioJevrrrlhub9Bz8iM/Jsfxy
KUhwV8O8tL/5+30RFSlFRaAB6xPCGg24Yq6E
--- jVsDtz2xpvK/XCHcdN5JVZx5zSxyEAM6D/xJIgN4YfY
Ñì°ßév.rK,Æ$

BIN
secrets/hashed-robots-email-pw.age
View File

Binary file not shown.

23
secrets/hostapd-pw-CXNK00BF9176.age
View File

@@ -1,9 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 VyYH/Q X+fXLJz227KkBLu45rb9mUkkIpENSMtZeEJjl6qj5Xw
AFAFnvsiogoMMwsAJO0DDoaizL9lmCLsF4QHDjmubr0
-> ssh-ed25519 dMQYog P84+7TBcMFSALTn6FR/aXyqFE9DfOzp38ImkdWj7nE0
PqOn1OL9Zt0x1pBIYOSKkkS//mbk1OX5pnDGp+OLYeI
-> @?-grease
3JvpmcTxdTgvv6vPL8dXEwjR+g
--- aMYF1SbC+p01YWmg24+Ih78VPQcwzGU/P1cEfgRvXV8
Ÿ @$™sžQ¼z<15><>®xkÊNfÛuÕ;§¿ ÎvI0•ªÇÎ^4.?, 8…çî
-> ssh-ed25519 VyYH/Q 3383IYDpr6jhePY89sI7RO5KY6i5Wr/Miy4Tx1IeZEI
Z4nN390wcZiDQCEJvTBD+v5LetZpjdcVhF8uYIUSkNA
-> ssh-ed25519 xoAm7w vO5L5G+aDSXJvD5MLKHtdfo3Ypd//vl7uO644j0S+ig
LRIiQOSb4M9FItfqci10ELYgzkCXhOBaWv8iz2He6zA
-> ssh-ed25519 mbw8xA RxxUEOVUfKZyUM7KkUjMm9Z+Ts/et15dMxJm4XVKbzg
hKS82nZ2v88jqxGW1xprsPk67Czn+PLTxIuOrlgXkpw
-> ssh-ed25519 2a2Yhw FRSIexkNO39x9h4wLVKscOmBIE5I/rOlNGfX+MdUfGo
1OcV1pJ+/M3wtPnRMDxgcpnsyeFYBqBe5Gbj55dJiCY
-> ssh-ed25519 dMQYog lqtpfP3zAArnAF2M9MtUBhFymnG2S15X88YcW949PTI
2po8qHUuVbMIzrZ+q746cb9BQ06emGowJJcIGHdHeH8
-> aH,?XIq9-grease ]Y I]hNq dZyR2f@@ Xl"1A`
U/BZHrNalVSmBUEekZbQ1w95VrFtkskMOuI5lm9thRe2bvTe7Rue382uf0fcfvSE
Jq7+f/b257KiFaUg8Is1WNNMY55Rw0wrnv9yIBMESxCWmgo
--- rUwKbA9SH9XIRdEXLhDIRj+mEu7BV4w7EwkAd4wZPGI
ř@±ľ·¦ţµÉćS*ÚŘŔi(˙jW˛(WĆŇ-–€yFůů™ Î<7F><C38E>9 

BIN
secrets/hostapd-pw-experimental-tower.age
View File

Binary file not shown.

31
secrets/iodine.age
View File

@@ -1,10 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g yTW46JmDIftcOqogIDjheXJf2sw/dG2WEJxfCXU/LDk
0Co5/Rn22kmdcPr61ZOrmZJbPFHx2wJ8/YkbDjcjqKo
-> ssh-ed25519 dMQYog RtZT0PwVL4kxUHilOhH2GBp8Z9WfyBkaxB62pjKpHA4
muMlIt8VYQftMYacfdnQFeejfWpKTEG5gxbFNy97GTc
-> 4|)`7yq-grease P#\5k8 +f
jMegn6ATsj2Ai9B5Xmy+tay1nppwxvF1IGJH+hLNanYMsTIDZypM6UsNdzYQ/3mw
VZ9ooy8TKUgAJ7jsd6IrKw
--- tLaPQWJA0Hh5MrxfhaySURgY02K16IlzvsxKpOWGva0
5?lヌ'シ!ケコ<EFBDB9><EFBDBA>キ匪Nxス+<2B>A9゚ムリl/グ諟ホ|旙<>Sオ&コサ、<>Q;_<>K
-> ssh-ed25519 xoAm7w CP4pzePo50HW4IbP92NiCEhe4fz6q69c04nZzY97uls
q0ZLpztMhRToqsr0yWpXJG2+7ExjDW2xQuW840gFG74
-> ssh-ed25519 mbw8xA L39AxT7TEaPo94c3SPwqsLk6fgvasrU+RPKQgXZXXnY
6AvJRJ4dtkgCWd+f2y1hJ0nfNz2u8mydmZ9Ymq7ZLZw
-> ssh-ed25519 2a2Yhw tJFWqpzbukVDKXmaQvUA6dbdUzguxphaDiZq0+2jFDs
DHT27/cLh2cBcQHOXuV9CyYV6+OEUIuJ5nBB0RYslXg
-> ssh-ed25519 dMQYog Fba2ll/kUWO+4KnFP/H7UUikcxU+KpBYvJ1YYbsrom8
sew8S9ajmoB4uJkxRkLVJPvayYh0bz3IxK2gE8znfl0
-> ssh-ed25519 6AT2/g xsTbT+roSioaX4C7i2/PtmC3sXeIv41y62X+vBhmJ2A
Ju57nxnIXuZTflJ8Aknc61vhiKPOiT34pDaeoGJsYgo
-> ssh-ed25519 fwBF+g V0DzCK8NAs2hSeILNos3Wafh2OfkzphGc/+UHxtqFBk
dbExOeSn87sZD5dapKB0qoZjVK36SE0A3ww1S08qeio
-> ssh-ed25519 yHDAQw O3FaVzF4vvoRoUoF05Mr0yTIcDbJ2gdAVsIHKz4tFCk
l1rYVVZyNlRfYXPri2jOwS9IUwIEI02lRSw8L4jjjeE
-> ssh-ed25519 VyYH/Q CHERKccp9OVM0zMn4EomXJkW2D65wvPOz9V5dshBGD8
dyxEW+Yzrq+gn2dQEbdNejX6RKTCz0ENe1bWLBb/wEk
-> ssh-ed25519 hPp1nw wND54MJv1efUe5HkN4qRlnuX0+BQPYn69YYxPQExBF0
zZB7mIDsgKmpTz2HtU8+p2UeG98a1cYD72gjoPraFIE
-> X6XuI-grease DM 71
/87RWErV1DecX+zr2HLnmri/cQVoXYcdcg7oPeCmIcY/3g
--- KyKWk2cIfo7bc9RVzjYYfQ66omtJUJI4ite2z9eXa0k
;<3B>±1ù¾^DxÃ<ËF<C38B>ü‡ÿ³Z¶cP@<13>ZPÈ-^ˆ´b_ÙZû*ø*ŽEUFtÐØ&Mby˜¡z

32
secrets/nextcloud-pw.age
View File

@@ -1,10 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g hXS7zxzYhlu5GrUAEAnaO+CizpbifjDxIwoAK55cjV0
xU7Z52cjARU8tmd1AJ9v8+QTQzfL/mNxP/f/bJAzYvo
-> ssh-ed25519 dMQYog 8PEp5TmEOumhWUZvko42sOKpkqOCW9/zCrMqn+fJ2ws
wJo8x6+hyU8iJkTqGVecZ88hG661F3ZvEvVqpJzox5w
-> x-grease tdW'\ +(>9 da%@^H6
q04xwjRaNOBfNhAvik762vJHio/qTfR6qQW4QsD+wzEidRYRggNdQwTl+G4jkWAu
fx0xZeiI5qVm6WG8lg
--- pHx5BdqI3HubR9wAtPyfMaYbr8uqRwOS1qFJhtC4wuM
Èv°ºg9sÉÉ¡§6:`Nlëªø`.•ÓÍPebÅSNn<>å­Ä8C<<3C>¥a=-¨Gò.ªfHm<48>»æUëçPGpS}µxýùã#ÎT
-> ssh-ed25519 xoAm7w nxbI6qoO7i4zsLRqt/7P1+sxrWy+iqI/+wpG2gAe6TA
Wt6xkwHMhfwsJ7rtH9PGjVhR45K0SF27S9uR/SJeIzw
-> ssh-ed25519 mbw8xA cRw8P7vAvbBzAT35551y4NodC4dgzRhSzXRmckfKCjg
aVVupspcV0jG8ycsXuoW+9lTN16MN7a5jTcLh12qBg4
-> ssh-ed25519 2a2Yhw E+kUd+Y6saJx52Eyy6MkIuH54h4zUMWRe2OwvIYsqC8
xogfXlNu17ttnxElUI2Ya3Rc8kH3Ajk4AVnBnQ/slfg
-> ssh-ed25519 dMQYog GsLYEBZmG9W+1bUPZjGyo1I55x7Xjp18z6D6EZEYZl4
7VE5glX6in2Wna5sBwP2B2gPewyQ56/yAdMkSsXthaU
-> ssh-ed25519 6AT2/g 2pHPOxQSwa7XNhPLpCo3b5VkD7ytu0qsfDE4PN3KQ0E
vEj6igHfl5sQtVUsHXmdNtK2VQin2dDb9XOrUFhyahY
-> ssh-ed25519 fwBF+g 6xUfafFpXs1v6PzSBR2q0KATyx1QB20oyZUghh2lOlY
Pzc+lgRzzG2nK59ofhsudsIZyfI2JCHxLjyZYGYcCFo
-> ssh-ed25519 yHDAQw bzxN6gY98TJjX0tUzT9fkp8FohD1PR17JQ4HsGSEEkU
Ws5f1wVhJgd7LhWW1TrUXrHiggX1J77It57EqTTBqWw
-> ssh-ed25519 VyYH/Q qLxrHDC+Hen/oSivOuRONDZbF/wwIdEYD2Ci3cn5XV0
qgqRuHSTb0gETpsZj5oJ3RmNEIlgRolmfVIO7hZ34IQ
-> ssh-ed25519 hPp1nw rXaGNPqhVQfwR7ZxX2yPI+LXmiJvhoIouFRwPAfUnR8
RRZCtJSlBGaK54l4tvJm2LT7UL/4yiEBE10adx0j3kU
-> qvCWm(-grease /[nA+Vkr d_!rw< 6 sgv)(
UZ9Y+nrSjym+veC9SbnQjkRZmDt3UTkSbtx90slbmrdGIAJ2zLZzRckhriF5z2Jr
9FPuX356sGdy0XGWoUzWCqvmzByL9KIftPY
--- huMR4jZ8uXzj3YnT9sG5EeUTsZyeTnfBWHs8U2CAWMU
ˆÑµJA ÎØ1ªÝÃð +S¸Åƒ¯ŒHaq<61>ÞT9"~Ûí•ÚºV`IðÅĘüKA}h[<5B>²Iu/QÚ¨ìÚ(*¥^HÃ3:H@ÎJJ

11
secrets/pia-login.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g J3H9xUUwUMB7VkHHGtsZaCm/GiyqTFUrEmsuwcrgrhE
tn+zbj5cISZzkUzJcu7JlaqhE4Dr4fhczSJU2kV91AU
-> ssh-ed25519 hPp1nw 370YNPQn4mqeHjOvnIXkm+BzbrRNHkFICJaJhHCSHDQ
WLhDRA8jp50aKkY8t9GvyAHoLxYQD2Bhw3y01hwhoOA
-> ssh-ed25519 dMQYog 1dwQN8hmbLY54OnRTXtcwAXHoYLLNV0IK/rQQ9ZgV2A
gP2HQinVYW72oJRFW69qAeF/iNEEtJqya1iRMOugNKk
-> ~-grease 2%p4s G:$f41y " vZ87PA*|
+hI029392lrjxlsXUI8opFVcUK+JOjgBYGMH
--- juX+tgNpNr8it5QnbcBkR9u88vZkC47L5fIlZQNxPYg
,J}¸œ}Y§˜B%ˆo~3M×½HÊ—]ºˆû©ðÔ¤žËn0cVs(´;axc#o™Üüv'kˆù#]o<>N`ÆœøÁ´Ì¿<C38C>˜¼û p<>ÒšKàøk†0(

BIN
secrets/pia-login.conf Normal file
View File

Binary file not shown.

41
secrets/restic-password.age
View File

@@ -1,20 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 yHDAQw LyoiocIPWoX81W5lD5OBD5P48QC3CtVHmpATJTfz70Y
fnRfSV68RLkMc+W6WX5aqxMQxDz7UviTNQqB5KAtKYs
-> ssh-ed25519 dMQYog nQ49ARJDvvVmZEQu1YlYKGba5Dh5U4bGKsLAZfPDqUg
9Rs0zISa1FDT3ngBBwp5vXi8aR+a/Z+BrGIEKVUJWkQ
-> ssh-ed25519 fwBF+g Zap6yPIuauggXP00/It4kYJV2G539vUblQsfwgVzVHg
83K5JgUeHjf6lYv8H3YvsbBzrFOgsQyqLVm4h5Be5gE
-> ssh-ed25519 6AT2/g 7QlvTxNNubo2dRwVwfjxr+9MOge9XIsrJVLeAtpkewg
lxzXO7PIKNzrKwj0KhyHetavLM3zqjbXu4h/S7tDJns
-> ssh-ed25519 VyYH/Q tfgTbXGhdOru7FyVWPVf9tBLcuLZJQWnWZkL8yOjQyg
HIKUKzWhEM0PD+EKpI5asIwQF3Lx8CYeURVce2QAMZU
-> ssh-ed25519 hPp1nw xHd4/TCZAi/zwSL0fj7FVGHkykKAmvh29tJReIAUDFg
/TrZ77mu8vGmudrrPkDgQPiLr2o84lDrsVgY31xMHUQ
-> ssh-ed25519 dMQYog 20tuoqjWl4dQBpEKiiSrbEmwW9ZLml3F8MS7riyu1GI
I/jrnGVCw37hxoKnf/yGPlvGlXPXy+c1sz1ouY44KF8
-> 0UxZ/o4-grease V+d
VgDtDiYRn+VzFbhXGHjOTbdN/V/vSW7STbKquW96A68DRzKH6yDn/4Ia4tX469eA
y6swdFIvbsPFnldalFKxKhHqjKRSJPLAKeWECe/I
--- ZEnygego6ke0cW4acYxInaRQXXOaKoSNklgTn7KPOfg
ZÔPÊ|>ªîÃÆÍË<C38D>+:NdÌñ*Pû¢i+¾¡ä§²çÙ3ôGÛ J´”Ž÷bkc<>ìF<‡Ö0zá€Í½÷<C2BD>`W/2 ƒ<>4¯{O"áüF°jS^f_¸£€
-> ssh-ed25519 xoAm7w YfFXfkiV/OEhL9zmHK3bioQUUzlu9DHyhbzxenTVWWY
PY6ykXYKNxfT4IMIvsdyEg+CMzMllPcacboJ3mj2CXU
-> ssh-ed25519 mbw8xA dMVsqzPuMGCSxsjwo0HTq4O4ayY8S0C5UGJ5STaiO3g
YwY4col/fbt5gQF4GBfGTJuaCYEDQG/yPLuS6TDTYAw
-> ssh-ed25519 2a2Yhw LOwqoLJtGV4e/vd9h7ks+h2Cu2AcfPs5fObQBjY1qlU
p4vpGEBh1ucCvwwfY+jio1eqZLaz+3UNc+k8qHwvkIc
-> ssh-ed25519 dMQYog spGr30/0nW6I8gnlDXB2fNiNm6mW3jVdV0HxbAYOtCI
GEA6ggfl7yv6XYj1/e4wF/xHOTgfC29vXwz3N4wQnNA
-> ssh-ed25519 6AT2/g ZA1c7ZNBdi/H02k+LhBol39RoX6uXqvtlAbePJ6/rQk
cgJTVWDBYdfT/4tpjeQLkQlmCh0h42BKtxC80a8RGqE
-> ssh-ed25519 fwBF+g 7yzxxo42BMU7z9LWd2Dzo9rq6utpmLgNIy3mUuvIAXI
dazG882otsFAb4Qo9xeG5zM1Xp7LLS6d7eAiQ/ucMsk
-> ssh-ed25519 yHDAQw eKxZ3ubH/St4ADh9/V6K04TqJWxvp9Oc+1C4MSFlkgk
p3yCmtEsEieyBHuggp9DbBsSm7xKbevnJLiIbmJafEY
-> ssh-ed25519 VyYH/Q sqoBr8012iw3O72fw6fTcBrq6o5vfyAltfO+tqBU21Q
ELlo9KI0y+ixRylkWnDR50eISvGsX3xzwP77+OBhrhw
-> ssh-ed25519 hPp1nw 8LfZncfhKV7QKrglch3Sx+/4zErTmdiVSL+a3ZLyzUQ
DlU7/EZaTYLrlUu+Q4A6qDL+v/YKD3JEbCfZkUJ/bwA
-> V{dl'-grease `i* Eww uPgzl* f5zjP;
PMMK0yN9kZ9R0+ZyibiQqtJ4kXMCQEqY9Se/80nCkY7zvg2lVHq6UJUD
--- IIg4b0+vVeyISKd7zkVovNeCsUkkX/DhZMDc214vwa8
È€£ISÞùÕjSp^`5S-sËíFžmLÃÙåïeê qÛÀ]9ü€¡…Jf?¯TÆ7¹Ð»ÃíçäA0õKæÞöz¾Z\Yƒ1Ã@htÔné-ˆí

BIN
secrets/robots-email-pw.age
View File

Binary file not shown.

BIN
secrets/sasl_relay_passwd.age
View File

Binary file not shown.

BIN
secrets/searx.age
View File

Binary file not shown.

49
secrets/secrets.nix
View File

@@ -1,44 +1,41 @@
let
lib = (import <nixpkgs> { }).lib;
sshKeys = (import ../common/machine-info/moduleless.nix { }).machines.ssh;
keys = import ../common/ssh.nix;
system = keys.system;
systemsList = keys.systems;
usersList = keys.users;
all = usersList ++ systemsList;
# add userkeys to all roles so that I can r/w the secrets from my personal computers
roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole;
# nobody is using this secret but I still need to be able to r/w it
nobody = sshKeys.userKeys;
wireless = [
system.router
] ++ usersList;
in
with roles;
{
# email
"hashed-email-pw.age".publicKeys = email-server;
"sasl_relay_passwd.age".publicKeys = email-server;
"hashed-robots-email-pw.age".publicKeys = email-server;
"robots-email-pw.age".publicKeys = gitea;
# TODO: Minimum necessary access to keys
# gitea
"gitea-runner-registration-token.age".publicKeys = gitea-runner;
# email
"email-pw.age".publicKeys = all;
"sasl_relay_passwd.age".publicKeys = all;
"hashed-robots-email-pw.age".publicKeys = all;
"robots-email-pw.age".publicKeys = all;
# vpn
"iodine.age".publicKeys = iodine;
"pia-login.age".publicKeys = pia;
"iodine.age".publicKeys = all;
"pia-login.conf".publicKeys = all;
# cloud
"nextcloud-pw.age".publicKeys = nextcloud;
"smb-secrets.age".publicKeys = personal;
"nextcloud-pw.age".publicKeys = all;
"smb-secrets.age".publicKeys = all;
# services
"searx.age".publicKeys = nobody;
"spotifyd.age".publicKeys = personal;
"wolframalpha.age".publicKeys = dailybot;
"searx.age".publicKeys = all;
"spotifyd.age".publicKeys = all;
"wolframalpha.age".publicKeys = all;
# hostapd
"hostapd-pw-experimental-tower.age".publicKeys = wireless;
"hostapd-pw-CXNK00BF9176.age".publicKeys = wireless;
# backups
"backblaze-s3-backups.age".publicKeys = personal ++ server;
"restic-password.age".publicKeys = personal ++ server;
"backblaze-s3-backups.age".publicKeys = all;
"restic-password.age".publicKeys = all;
}

BIN
secrets/smb-secrets.age
View File

Binary file not shown.

32
secrets/spotifyd.age
View File

@@ -1,10 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 yHDAQw R1weIMur0s9HsBBwNn+XyBNfAB8CrQf6QEzIJFklcG8
DTK0seypjzSX1B2ce2IWyYwygBeeKlbFpYgzH7i1DHA
-> ssh-ed25519 dMQYog DU9sxA0/cG/O9EG3JYFjL1d2OiqOSZvFjZ1S2zTTWDw
nGlUCvjpUp50ykTIUzSQ19uj2tiVMPo1Ois8xFSWB58
-> z%z.3-grease lF#S
H+5548VgikG9upeHi2GIQ3U71TC0ds+dn8yWOoixHnRhiYZRIhODffjI3D8T18gk
1mjtW+c34E+ALRkSIf5iWwChJxsomS6LiMS3sqtJg4c
--- o2hgAcfMDZyGIehN07CO7OjSCrmwUDRTrwxAKmGcfAY
<<3C>¹ GàÝ<C3A0>Ï0<C38F>
-> ssh-ed25519 xoAm7w nK+/qKKiipFhaF8SlrPA+1MXBmL0g3X+VX0o2eDurXk
vyeRKIBbBpNQ6fg2GnUe/rSzwZEg9pajaTygFCTEd84
-> ssh-ed25519 mbw8xA u1l5e1uS2/U5ha5EGAp4x790uKJyRN4L7vPKLkGcqRA
bGAA/pFSsNT+ZGOEVxqz5tfORvbdZ2HU/+1QpS6r1hI
-> ssh-ed25519 2a2Yhw 9liF3i4BNYAS3N/wCIwD/ks0UEYzEQNBtISNostxoXU
L8zcyadtJyMl+H5ndJDc2eZS8nHDfUb/dER+hSTS9sw
-> ssh-ed25519 dMQYog YgBTvIkJEm7IrC75tuLsRyRJDe4bJvMFXlxbfW8E+Bw
2synWFO1aCMPup44qx9m9+Q3VIHyReJEmgaSXXdeNdY
-> ssh-ed25519 6AT2/g XWEVpDjWhUgz8kQn26jOlK9pmzyaLY/zZHHCL3zmOTY
LISRuoS5+PXLqN8UfMp6W2lhntejObGWeVGMQmZ8GaQ
-> ssh-ed25519 fwBF+g v/YxEBKCPcrsw17S7qxVfZZMfmOiA4+PPTPEsLuNFl0
Gqu0LoYGraAQoRuCaMxLKZYFxxPTqJXno+gtIfPwS+w
-> ssh-ed25519 yHDAQw ETqeum+DKSj8P8+GYt6aqplIElw71E8qS7XFEfdk9Hs
5fDPFlLpm5uoM9ASrxyEnJDURLpjvLcap/TTbrnes48
-> ssh-ed25519 VyYH/Q JgQLP5848LEJNjEYDtWO+pildvixJwr548a3WDuUk3c
K9RH2E+vmsemxFuoENVDOyU2APB0JGKWLCRv1YFwblE
-> ssh-ed25519 hPp1nw 2H3olp3s1Ong037spS7tekMKwB8FemQYdWXAvdLBjEY
4BhO0GhFC/zqGUs1R4yigIuLtLaWswrmv/9lFuQ+jXI
-> 5y'BWp-grease 4\h10!^" 47#Gqf VQbey`1
pRs8xYTuqqZ+6B5W2+zAWCXMpgO2k2/x77RKjCmbf48p0LM
--- ymSK6Hd6lQSBtkIPdfWdMoI+ty8BMo+QM5FC/fQsIpY
/e­ÁÄæ<C384>B.`õ+ÎîBÙÃ6¬
&%¿¥Ö}+Ì"<¤ýå2Ñ°Ù~ñ‹@Q€ˆÙtþàÎmLdIJ½öýƒ»òžÂŒÀu L\Þ{“Dcà°1ÅŒ@{Ã7ïô‡èÞî

32
secrets/wolframalpha.age
View File

@@ -1,10 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 6AT2/g xp04CsJvlYhBZS5W/MSDLWGiNCegAjg4XPv43wU5u0g
i6q0YgKOFGaHOKVYMppNtcvjCFfHHqOS9M+oh2mqc1M
-> ssh-ed25519 dMQYog Mk90WFb+fYCFV7afu3+VbuAtOlvRAgpJGFGqn4ZWGjE
wHeScgV248lHiL0B/QEraD4QOBudezhJPrppY50u7S8
-> G/9-grease
0hCyP7pGu5xkk4eWJTpLWy6f8Zuo8wmgBSNFK7bgzfYdW29mdOrO2Ey3Oa2Gvtji
rze9v27gMUFRXOqPHNmaSjAneCwtcqTMReV+LZr9q9FN6qZnzAE
--- /SN6cSyrvbDEHTiIvv4MdoVkIjz3yZkvtr2SVBE1rRk
=„ñ1fJ…XÍô~ÃÝÆD¬c¹aFâ¨@ݹc=89;¿sôv®Ï ú´‘
-> ssh-ed25519 xoAm7w uiG2dFOijKdrdBXfdbO36C58tRkmz4MjBX8rEGfsl1Y
eIOekwe5iDZZUcVYEXie+j5qok84fIx1cF8Sna0GdZY
-> ssh-ed25519 mbw8xA IGrOTs8sVX3qZQ6l0160q/xYsAvFEj69kN1Dj7yKYi8
EnhYbIDhGyirnlsbUCk3GOVzE7QTMkncRFmpiRAOvs0
-> ssh-ed25519 2a2Yhw wl2vaJQ1gXLb46y/IXJMgCYUvhW3cgjJ10+fLhoS/Bw
EOwsKVzPjbYWXQ+c8KWVd4FadamJrn3+qDb5G4R6Moc
-> ssh-ed25519 dMQYog QAVPULFTcffOptY4nML8/DyYb95IqBOomztdNaRN1g0
qfSGtU3pl/7fMCjZM8syfLvgHhyd38AA/SICm3maHbI
-> ssh-ed25519 6AT2/g oaH9KRPHLkl1WXKIvtP7liWf8Apy1yEf41UHkFvdJjk
Rpfn7Gt6bORSI2qITHC7HAb1zlzOK4gDh3Ya7JwUUzk
-> ssh-ed25519 fwBF+g ilPZbir/rHhDv+drBmEsVEgjmIJHeISK9cZGltytClc
ODhQutW6IMHsFw+wQC4n6TOMCbydrPUWXlfwgQelpZs
-> ssh-ed25519 yHDAQw xbtvz5r0XfNY/cKWiIuUKO5tt+iGZMbc0d/PT4HhyGs
g/3IKnsKniQ3aB++htgM1JUmfsDzWWJ4lylAw5rBpyI
-> ssh-ed25519 VyYH/Q yhDle9FTAXot4gB23F7rOLNqJ1j3PMZmk7OMbKaGayE
j2XnSG589GUmvM4NunfgbcvdDBCpDJ6GubxI2UR3IE4
-> ssh-ed25519 hPp1nw I86wd3J4YZTlis1s/Q6SQP7j492NVe64DWu6Pe8ujFI
jgkh4YTEuBE1qCTooWPWZxQri8KSPYnWYkIhcEhIAIM
-> C+QwV1[-grease 7bFy^.lq Y) 5
Vw2f+pwTja8b9veFqdxVZSMGsgii+SMUfn9eAVqTjEAmWxawSQ
--- V75Y+46buomIjWtz/zwOBNkZ9ZAKcKV3NDy42NDjPU4
äìºöC<C3B6>rF<72>ϦA
„62-¾§Ì<C2A7>©©ŠD s&˜H