notohh/snowflake
notohh/snowflake
1
0
Fork 0
Code Issues Pull requests Projects 1 Releases Packages Wiki Activity

hosts: init kaze

Browse source
This commit is contained in:
notohh 2024-01-05 11:12:11 -05:00
parent 08d9ae9e48
commit c4f1595402
Signed by: notohh
GPG key ID: BD47506D475EE86D
9 changed files with 196 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
hosts/default.nix
View file

@ -6,6 +6,7 @@ inputs: let
nix-index-Module = inputs.nix-index-database.hmModules.nix-index;
anyrunModule = inputs.anyrun.homeManagerModules.default;
agsModule = inputs.ags.homeManagerModules.default;
atticModule = inputs.attic.nixosModules.atticd;
inherit (inputs.nixpkgs.lib) nixosSystem;
in {
tsuki = nixosSystem {
@ -15,6 +16,7 @@ in {
./tsuki
sopsModule
hmModule
atticModule
{
home-manager = {
useGlobalPkgs = true;
@ -140,6 +142,7 @@ in {
./sora
sopsModule
hmModule
atticModule
{
home-manager = {
useGlobalPkgs = true;
@ -193,4 +196,24 @@ in {
}
];
};
kaze = nixosSystem {
inherit system;
specialArgs = {inherit inputs;};
modules = [
./kaze
sopsModule
hmModule
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.notoh = {
imports = [
./kaze/home.nix
];
};
};
}
];
};
}

10
hosts/deploy.nix
View file

@ -70,5 +70,15 @@ inputs: {
sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
magicRollback = true;
};
kaze = {
hostname = "";
profiles.system = {
user = "root";
path = activate.nixos inputs.self.nixosConfigurations.kaze;
};
sshUser = "root";
sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
magicRollback = true;
};
};
}

33
hosts/kaze/default.nix Normal file
View file

@ -0,0 +1,33 @@
{...}: {
imports = [
./hardware.nix
./services
./networking.nix
../../modules
];
boot.loader = {
grub = {
enable = true;
configurationLimit = 5;
device = "/dev/vda";
useOSProber = true;
};
};
networking = {
hostName = "kaze";
};
services.xserver = {
layout = "us";
xkbVariant = "";
};
users.users.notoh.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4qfqJNxwNg9ryeT/XbjfQyuDKbBAwRn2Lzq3Iq5kA7 kaze"
];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
];
}

32
hosts/kaze/hardware.nix Normal file
View file

@ -0,0 +1,32 @@
{
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/9cb414ab-0bb4-4db7-b77e-7d2a8cafd657";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/100a4262-ce57-47a7-b99a-f124a8e369de";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

14
hosts/kaze/home.nix Normal file
View file

@ -0,0 +1,14 @@
{...}: {
imports = [
../../home
];
systemd.user.startServices = "sd-switch";
programs.home-manager.enable = true;
home = {
username = "notoh";
homeDirectory = "/home/notoh";
stateVersion = "23.05";
};
}

15
hosts/kaze/networking.nix Normal file
View file

@ -0,0 +1,15 @@
_: {
networking = {
networkmanager.enable = true;
nameservers = ["1.1.1.1"];
firewall = {
enable = true;
};
};
environment.etc = {
"resolv.conf".text = ''
nameserver 1.1.1.1
nameserver 1.0.0.1
'';
};
}

4
hosts/kaze/services/default.nix Normal file
View file

@ -0,0 +1,4 @@
_: {
imports = [
];
}

22
hosts/kaze/services/minio.nix Normal file
View file

@ -0,0 +1,22 @@
{
config,
pkgs,
...
}: {
environment.systemPackages = [pkgs.minio-client];
sops.secrets.minio = {
owner = "minio";
group = "minio";
mode = "0600";
restartUnits = ["minio.service"];
};
services.minio = {
enable = true;
region = "us-east-1";
consoleAddress = "100.104.42.96:9006";
listenAddress = "100.104.42.96:9005";
rootCredentialsFile = config.sops.secrets.minio.path;
dataDir = ["/var/lib/mounted/minio/data"];
configDir = "/var/lib/mounted/minio/config";
};
}

43
hosts/kaze/services/tailscale.nix Normal file
View file

@ -0,0 +1,43 @@
{
config,
lib,
pkgs,
...
}: {
sops.secrets.tsauth-kaze = {
sopsFile = ../../../secrets/tailscale/secrets.yaml;
};
environment.systemPackages = [pkgs.jq pkgs.tailscale];
services.tailscale = {
useRoutingFeatures = lib.mkDefault "client";
};
networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-kaze.path} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
'';
};
}