From 168c355181211faf0ff30a51469641f12684c9dc Mon Sep 17 00:00:00 2001
From: Michael Walker
Date: Tue, 10 Dec 2024 21:41:20 +0000
Subject: [PATCH] [yuggoth] Initial configuration

---
 .sops.yaml | 6 +++++
 flake.nix | 1 +
 hosts/yuggoth/configuration.nix | 32 ++++++++++++++++++++++
 hosts/yuggoth/hardware.nix | 47 +++++++++++++++++++++++++++++++++
 hosts/yuggoth/secrets.yaml | 31 ++++++++++++++++++++++
 tools/provision-machine.sh | 3 ++-
 6 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 hosts/yuggoth/configuration.nix
 create mode 100644 hosts/yuggoth/hardware.nix
 create mode 100644 hosts/yuggoth/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index c393cd2b..8e058f8f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,3 +13,9 @@ creation_rules:
 - age:
 - *barrucadu
 - 'age1700sgwfejx38fh66k6sajxe507w9x6ptcxfh4dmyffflml75w4fqmteyfy'
+
+ - path_regex: hosts/yuggoth/secrets(/[^/]+)?\.yaml$
+ key_groups:
+ - age:
+ - *barrucadu
+ - 'age1xj0vderjss6wvyuu5uw5gag6lhxzfh6qwfrewgpff5ttpfa03azsxc8600'
diff --git a/flake.nix b/flake.nix
index 8d0528d1..a60807a0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,7 @@
 {
 carcosa = mkNixosConfiguration "carcosa" [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" ];
 nyarlathotep = mkNixosConfiguration "nyarlathotep" [ "${nixpkgs}/nixos/modules/installer/scan/not-detected.nix" ];
+ yuggoth = mkNixosConfiguration "yuggoth" [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" ];
 };
 
 packages.${system} =
diff --git a/hosts/yuggoth/configuration.nix b/hosts/yuggoth/configuration.nix
new file mode 100644
index 00000000..79691877
--- /dev/null
+++ b/hosts/yuggoth/configuration.nix
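Review bot: The new host recipient `age1xj0…` in the yuggoth `key_groups` entry is a bare literal next to the `*barrucadu` anchor, so nothing in the file records which machine it belongs to or how it was produced, which makes a later key rotation hard to review. Give it an anchor and a comment, e.g. `- &yuggoth 'age1xj0vderjss6wvyuu5uw5gag6lhxzfh6qwfrewgpff5ttpfa03azsxc8600' # yuggoth host key — presumably ssh-to-age of its ed25519 host key, confirm`. The `path_regex` is not anchored at the start, so it also matches any path that merely ends in `hosts/yuggoth/secrets.yaml`; `^hosts/yuggoth/secrets(/[^/]+)?\.yaml$` is stricter, assuming the earlier rules (outside this hunk) do not rely on the same looseness. The `barrucadu` anchor is defined before the hunk and is not visible here.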
@@ -0,0 +1,32 @@
+# This is a VPS (hosted by Hetzner Cloud).
+#
+# It serves a redundant deployment of a few of my websites.
+#
+# **Alerting:** disabled
+#
+# **Backups:** disabled
+#
+# **Public hostname:** `yuggoth.barrucadu.co.uk`
+#
+# **Role:** server
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ networking.hostId = "62f520b4";
+ boot.supportedFilesystems = { zfs = true; };
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+
+ networking.interfaces.enp1s0 = {
+ ipv6.addresses = [{ address = "2a01:4ff:f0:3a38::"; prefixLength = 64; }];
+ };
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "enp1s0"; };
+
+ nixfiles.eraseYourDarlings.enable = true;
+ nixfiles.eraseYourDarlings.machineId = "ee9cfe217f0f4d45bab5e897e782ca91";
+ nixfiles.eraseYourDarlings.barrucaduPasswordFile = config.sops.secrets."users/barrucadu".path;
+ sops.secrets."users/barrucadu".neededForUsers = true;
+}
+
diff --git a/hosts/yuggoth/hardware.nix b/hosts/yuggoth/hardware.nix
new file mode 100644
index 00000000..c11f0124
--- /dev/null
+++ b/hosts/yuggoth/hardware.nix
@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "local/volatile/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/A5EB-2AC0";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ fileSystems."/home" =
+ {
+ device = "local/persistent/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ {
+ device = "local/persistent/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/persist" =
+ {
+ device = "local/persistent/persist";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var/log" =
+ {
+ device = "local/persistent/var-log";
+ fsType = "zfs";
+ };
+
+ swapDevices = [ ];
+}
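Review bot: The IPv6 address `2a01:4ff:f0:3a38::` in the `networking.interfaces.enp1s0` block has an all-zero interface identifier, which RFC 4291 reserves as the subnet-router anycast address for the /64; Hetzner's default images typically assign `::1` out of the delegated prefix, so either confirm this is deliberate or use `ipv6.addresses = [{ address = "2a01:4ff:f0:3a38::1"; prefixLength = 64; }];`. `boot.loader.grub.device = "/dev/sda"` is a kernel-enumeration name while the `/boot` entry in hardware.nix uses a by-uuid path, so a `/dev/disk/by-id/...` path would stay correct if a second virtio-scsi volume is ever attached. `with lib;` pulls all of `lib` into scope but nothing from it (or from `pkgs`) is referenced in this file, so the header can be reduced to `{ config, ... }:` with the `with lib;` line dropped. Because `/` is the volatile dataset, the age identity sops needs in stage 1 to decrypt `users/barrucadu` (`neededForUsers = true`) has to live on a persistent dataset; the eraseYourDarlings module presumably arranges that, but verify it across a reboot before relying on password login.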
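Review bot: `fileSystems."/persist"` carries no `neededForBoot`, so it is mounted only in stage 2; if the SSH host key or age key that decrypts the `neededForUsers` secret in configuration.nix is kept under `/persist` (the usual layout for an erased root), stage-1 decryption will not find it and the user password will not be set. Adding `neededForBoot = true;` to the `/persist` entry fixes that; `/`, `/nix` and `/var/log` already get it by default in NixOS, and `/home` needs nothing in the initrd. The file reads as `nixos-generate-config` output edited for the ZFS dataset layout, so a one-line header such as `# Generated by nixos-generate-config; device names hand-edited for the local/{volatile,persistent} ZFS layout.` would tell the next reader which parts are safe to regenerate.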
diff --git a/hosts/yuggoth/secrets.yaml b/hosts/yuggoth/secrets.yaml
new file mode 100644
index 00000000..725edf3e
--- /dev/null
+++ b/hosts/yuggoth/secrets.yaml
@@ -0,0 +1,31 @@
+users:
+ barrucadu: ENC[AES256_GCM,data:AydpgRw6tSPNsj0YJgNKDIwcCF2bo+vwJhrRJhbeJAY39yJHlP9xTarGGNBAczrKBwKKMN2EAA27hRyX+tDc/ne9mtOx4P5JS86mN9wkLKpaHbIamJNGfatDlu3uBvStNIKSC/CrnsFZ,iv:fW5+OJ2O8R9VB6YmKUP3jmKOHDEtZ4fBsVUmqbrkPjw=,tag:N04QCMG9/WV10Sd1lgGzhA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1sdnp5uxhdtujc78penv2gntnenzcfju7est4hslz6eqgfk26u9nskkk634
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaTNzNVdaYnY5cVdVSjZs
+ bkF6LzhIQnVQWFI5STV4VjdKMVF5ZDdyMXpVCms5bXI2c3U3aDdsRUovdUJFQitF
+ cnZyNEE4cDlBWGYrUEgweGYzdnhIcHMKLS0tIHFlWUZTeGxySERJYlR3a1B0NnA5
+ a0cwbGFQb2xqdXRxS214ckw4cjNwL2cKsxnsN8q1zPMBWO60Ndr0ozsaPzeGlPhm
+ pilwuo1I/xXqEfHBumwC089C5FT+XVmuychY3iox/zYvycdg3wGYIg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1xj0vderjss6wvyuu5uw5gag6lhxzfh6qwfrewgpff5ttpfa03azsxc8600
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3dpYUdPdGk5OFNRc3U4
+ a05tNFFPVTRqaEFxQjJtSTV4TlB1Nm1USkVRCk9PdHNXczEzbGw0RGxsRTZ6YUVp
+ MmFSaGw5eGp0cFRPTjNTWWR6Y2wxd0UKLS0tIGJ4SjFaZU90eGNHNFl0VjB4Z3Fu
+ NVBIU1I2MDRqVGt3eGRzbjdDb0d5Yk0KGPo6sIu5pp6s1r/IhyNjfNgDwxl3SWM3
+ TMmIsx3iHsy+xgxUuGQXCsUkCy4YBzEjRVVtycCRfd5IAXryGhHEuQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-10T21:19:17Z"
+ mac: ENC[AES256_GCM,data:yqZiP7oWMe+5fBa9cNb6+OG8XWKX9gV4JZ2STU6Z5mgiEUBS5S/ubt/l9xqUO7yI0562r0XEW0MrUTBUNK2ARtYnbVtZcYFWka9yX78mac6OYJpMlUeDBAL3yeHtZ7cmJhocirbGrTfFL2OHzy246gQy+f41NRDqoAvzZ7yAGxU=,iv:NmYcM/JyZKuaB8SWCxQGS3IMfNzkC34eHfuX7CAvFGg=,tag:vpfU5yYYxnTGfULlkchYvg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/tools/provision-machine.sh b/tools/provision-machine.sh
index 68baeee4..2a73c62f 100644
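Review bot: The `sops.age` block lists exactly two recipients, `age1sdnp5…` and `age1xj0…`, and the `lastmodified` stamp (21:19) predates the commit; sops does not re-read `.sops.yaml` when an existing file is edited, so if the `barrucadu` anchor (defined outside this patch) does not resolve to `age1sdnp5…`, the on-disk key set and the policy in `.sops.yaml` have already drifted and `sops updatekeys hosts/yuggoth/secrets.yaml` is needed to reconcile them. The `users/barrucadu` value is `type:str`; if `barrucaduPasswordFile` in configuration.nix is wired to a `hashedPasswordFile`-style option, the plaintext behind it must be a password hash rather than the password itself, which the encrypted file cannot document — a comment next to the option in the nixfiles module would.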
--- a/tools/provision-machine.sh +++ b/tools/provision-machine.sh @@ -116,8 +116,9 @@ EOF nixos-generate-config --root /mnt cat /mnt/persist/etc/nixos/hosts/new/header.nix /mnt/etc/nixos/configuration.nix > /mnt/persist/etc/nixos/hosts/new/configuration.nix +rm /mnt/persist/etc/nixos/hosts/new/header.nix rm /mnt/etc/nixos/configuration.nix -mv /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/hardware.nix +mv /mnt/etc/nixos/hardware-configuration.nix /mnt/persist/etc/nixos/hosts/new/hardware.nix rmdir /mnt/etc/nixos nano /mnt/persist/etc/nixos/hosts/new/configuration.nix
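Review bot: The `cat`, `rm`, `mv` and `nano` lines all spell out `/mnt/persist/etc/nixos/hosts/new` by hand, so the `new` placeholder directory that must later be renamed to the host name is repeated four times; a single `host_dir=/mnt/persist/etc/nixos/hosts/new` assigned before the `cat` line and used as `"$host_dir"/configuration.nix` etc. makes that rename a one-line change. The new `rm` and `mv` lines carry no `-f`/`-n`, so `rm` will prompt on a write-protected file when run interactively and `mv` will silently overwrite an existing `hardware.nix` at the destination; `rm -f` and `mv -n` (or a check that the target does not exist) make the intent explicit. Whether the script runs under `set -e` is not visible in this hunk; the enclosing script begins well before it.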