From c4f1595402eee1fbc740a2cbac68129816fd3c82 Mon Sep 17 00:00:00 2001 From: notohh Date: Fri, 5 Jan 2024 11:12:11 -0500 Subject: [PATCH] hosts: init kaze --- hosts/default.nix | 23 +++++++++++++++++ hosts/deploy.nix | 10 +++++++ hosts/kaze/default.nix | 33 ++++++++++++++++++++++++ hosts/kaze/hardware.nix | 32 +++++++++++++++++++++++ hosts/kaze/home.nix | 14 ++++++++++ hosts/kaze/networking.nix | 15 +++++++++++ hosts/kaze/services/default.nix | 4 +++ hosts/kaze/services/minio.nix | 22 ++++++++++++++++ hosts/kaze/services/tailscale.nix | 43 +++++++++++++++++++++++++++++++ 9 files changed, 196 insertions(+) create mode 100644 hosts/kaze/default.nix create mode 100644 hosts/kaze/hardware.nix create mode 100644 hosts/kaze/home.nix create mode 100644 hosts/kaze/networking.nix create mode 100644 hosts/kaze/services/default.nix create mode 100644 hosts/kaze/services/minio.nix create mode 100644 hosts/kaze/services/tailscale.nix diff --git a/hosts/default.nix b/hosts/default.nix index 0d03a03..1df70df 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -6,6 +6,7 @@ inputs: let nix-index-Module = inputs.nix-index-database.hmModules.nix-index; anyrunModule = inputs.anyrun.homeManagerModules.default; agsModule = inputs.ags.homeManagerModules.default; + atticModule = inputs.attic.nixosModules.atticd; inherit (inputs.nixpkgs.lib) nixosSystem; in { tsuki = nixosSystem { @@ -15,6 +16,7 @@ in { ./tsuki sopsModule hmModule + atticModule { home-manager = { useGlobalPkgs = true; @@ -140,6 +142,7 @@ in { ./sora sopsModule hmModule + atticModule { home-manager = { useGlobalPkgs = true; @@ -193,4 +196,24 @@ in { } ]; }; + kaze = nixosSystem { + inherit system; + specialArgs = {inherit inputs;}; + modules = [ + ./kaze + sopsModule + hmModule + { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users.notoh = { + imports = [ + ./kaze/home.nix + ]; + }; + }; + } + ]; + }; } diff --git a/hosts/deploy.nix b/hosts/deploy.nix index e807d66..d54f9b2 100644 
--- a/hosts/deploy.nix +++ b/hosts/deploy.nix @@ -70,5 +70,15 @@ inputs: { sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; magicRollback = true; }; + kaze = { + hostname = ""; + profiles.system = { + user = "root"; + path = activate.nixos inputs.self.nixosConfigurations.kaze; + }; + sshUser = "root"; + sshOpts = ["-t" "-i" "~/.ssh/forgejo"]; + magicRollback = true; + }; }; } diff --git a/hosts/kaze/default.nix b/hosts/kaze/default.nix new file mode 100644 index 0000000..0fa1c43 --- /dev/null +++ b/hosts/kaze/default.nix @@ -0,0 +1,33 @@ +{...}: { + imports = [ + ./hardware.nix + ./services + ./networking.nix + ../../modules + ]; + + boot.loader = { + grub = { + enable = true; + configurationLimit = 5; + device = "/dev/vda"; + useOSProber = true; + }; + }; + + networking = { + hostName = "kaze"; + }; + + services.xserver = { + layout = "us"; + xkbVariant = ""; + }; + + users.users.notoh.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4qfqJNxwNg9ryeT/XbjfQyuDKbBAwRn2Lzq3Iq5kA7 kaze" + ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo" + ]; +} diff --git a/hosts/kaze/hardware.nix b/hosts/kaze/hardware.nix new file mode 100644 index 0000000..02487ab --- /dev/null +++ b/hosts/kaze/hardware.nix 
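Review bot: `hostname = "";` in the new `kaze` deploy-rs entry leaves the target empty, so a deploy of this profile fails at the SSH step until a real address or DNS name is filled in. If the host is meant to be reached over its tailnet address, put that here before the first deploy, or at least make the gap visible with a placeholder such as `hostname = "<kaze-address>"; # TODO: set before deploying`. The `sshUser = "root"` path depends on the `forgejo` key being in root's authorized keys, which hosts/kaze/default.nix does add in this same commit. The enclosing `inputs: { ... }` attribute set starts before this hunk.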
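Review bot: Root is given an SSH authorized key via `users.users.root.openssh.authorizedKeys.keys`, but nothing in this file pins the sshd policy that makes key-only root login acceptable; unless `../../modules` already sets it, add `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;` next to the keys. A one-line comment on that key, `# deploy-rs key: hosts/deploy.nix connects as root with ~/.ssh/forgejo`, would record why root accepts a key at all. On a single-disk QEMU guest `useOSProber = true` only adds an os-prober run to every switch and can be dropped.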
@@ -0,0 +1,32 @@
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/9cb414ab-0bb4-4db7-b77e-7d2a8cafd657";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/100a4262-ce57-47a7-b99a-f124a8e369de";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/kaze/home.nix b/hosts/kaze/home.nix
new file mode 100644
index 0000000..c7eafac
--- /dev/null
+++ b/hosts/kaze/home.nix
@@ -0,0 +1,14 @@
+{...}: {
+  imports = [
+    ../../home
+  ];
+
+  systemd.user.startServices = "sd-switch";
+  programs.home-manager.enable = true;
+
+  home = {
+    username = "notoh";
+    homeDirectory = "/home/notoh";
+    stateVersion = "23.05";
+  };
+}
diff --git a/hosts/kaze/networking.nix b/hosts/kaze/networking.nix
new file mode 100644
index 0000000..11382db
--- /dev/null
+++ b/hosts/kaze/networking.nix
@@ -0,0 +1,15 @@
+_: {
+  networking = {
+    networkmanager.enable = true;
+    nameservers = ["1.1.1.1"];
+    firewall = {
+      enable = true;
+    };
+  };
+  environment.etc = {
+    "resolv.conf".text = ''
+      nameserver 1.1.1.1
+      nameserver 1.0.0.1
+    '';
+  };
+}
diff --git a/hosts/kaze/services/default.nix b/hosts/kaze/services/default.nix
new file mode 100644
index 0000000..06ec57d
--- /dev/null
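Review bot: The resolver configuration in hosts/kaze/networking.nix is stated twice and the copies disagree: `nameservers = ["1.1.1.1"];` lists one server while the static `environment.etc."resolv.conf".text` lists 1.1.1.1 and 1.0.0.1. Pick one source of truth so they cannot drift — either `nameservers = ["1.1.1.1" "1.0.0.1"];` with the `environment.etc` override removed, or keep the override and say why it is there, e.g. `# pins /etc/resolv.conf so NetworkManager cannot rewrite it`. As far as I recall, defining `environment.etc."resolv.conf"` is also what switches off NixOS's own resolvconf management, which is worth stating in that comment if it is the intent.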
+++ b/hosts/kaze/services/default.nix
@@ -0,0 +1,4 @@
+_: {
+  imports = [
+  ];
+}
diff --git a/hosts/kaze/services/minio.nix b/hosts/kaze/services/minio.nix
new file mode 100644
index 0000000..1552bf5
--- /dev/null
+++ b/hosts/kaze/services/minio.nix
@@ -0,0 +1,22 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = [pkgs.minio-client];
+  sops.secrets.minio = {
+    owner = "minio";
+    group = "minio";
+    mode = "0600";
+    restartUnits = ["minio.service"];
+  };
+  services.minio = {
+    enable = true;
+    region = "us-east-1";
+    consoleAddress = "100.104.42.96:9006";
+    listenAddress = "100.104.42.96:9005";
+    rootCredentialsFile = config.sops.secrets.minio.path;
+    dataDir = ["/var/lib/mounted/minio/data"];
+    configDir = "/var/lib/mounted/minio/config";
+  };
+}
diff --git a/hosts/kaze/services/tailscale.nix b/hosts/kaze/services/tailscale.nix
new file mode 100644
index 0000000..cb7892c
--- /dev/null
+++ b/hosts/kaze/services/tailscale.nix
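Review bot: `imports = [ ];` in hosts/kaze/services/default.nix is empty, so neither `./minio.nix` nor `./tailscale.nix` added in this commit is evaluated for kaze — the sops secrets, firewall rules and units they declare are dead configuration until they are listed here. If this is deliberate staging, make it explicit with `# minio.nix and tailscale.nix are not wired in yet`; otherwise add `./minio.nix` and `./tailscale.nix` to the list.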
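Review bot: `listenAddress` and `consoleAddress` bind MinIO to 100.104.42.96, a Tailscale-range (100.64.0.0/10) address that, assuming it is kaze's own tailnet address, only exists once tailscaled has brought the interface up; nothing in this hunk orders `minio.service` after it, so on boot the bind can fail with an address-not-available error if MinIO starts first. Unless that ordering is handled elsewhere, add `systemd.services.minio.after = ["tailscaled.service"];` and `systemd.services.minio.wants = ["tailscaled.service"];`. Binding to the tailnet address rather than a wildcard is the right exposure choice given the firewall trusts the tailscale interface; a comment such as `# tailnet-only: reachable over tailscale, not the public interface` would stop the next editor from "fixing" it to 0.0.0.0. The sops secret with `owner = "minio"` and `mode = "0600"` looks fine.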
@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-kaze = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "client";
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-kaze.path} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
+    '';
+  };
+}
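Review bot: The `after`/`wants` lines name `tailscale.service`, but the NixOS module's daemon unit is `tailscaled.service`, so as written the autoconnect job is not ordered after the daemon at all and only the `sleep 2` keeps it from racing it; change both to `after = ["network-pre.target" "tailscaled.service"];` and `wants = ["network-pre.target" "tailscaled.service"];`. In the script `$status` is unquoted in `if [ $status = "Running" ]`, which becomes a malformed test (and, under the `-e` the NixOS script wrapper runs with, a failed unit) whenever jq prints nothing; quote it: `if [ "$status" = "Running" ]; then`. Separately, `--exit-node=100.104.42.96` is the same address hosts/kaze/services/minio.nix binds MinIO to, and a host cannot both listen on an address and use it as its exit node, so one of the two looks copied from another host's config and should be checked. Routing all of a storage server's egress through an exit node, with `--exit-node-allow-lan-access=true` on top, is also unusual for a server role; if that is not intended, drop the two exit-node flags.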