Merge pull request #368 from genebean/hetznix01

Add hetznix01
2026-03-27 01:17:42 -04:00 · 2024-02-05 22:55:27 -05:00 · 2024-02-05 22:55:27 -05:00 · 437a34a26d
commit 437a34a26d
parent 0d868fc0aa 8753230721
11 changed files with 220 additions and 14 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,11 +1,16 @@
 ---
 keys:
+  - &system_hetznix01 age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9
  - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
  - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
  - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
  - &user_blue_rock age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
  - &user_mini_watcher age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq
 creation_rules:
+  - path_regex: hetznix01/secrets.yaml$
+    key_groups:
+      - age:
+          - *system_hetznix01
  - path_regex: nixnuc/secrets.yaml$
    key_groups:
      - age:
@ -29,6 +34,7 @@ creation_rules:
  - path_regex: modules/system/common/secrets.yaml$
    key_groups:
      - age:
+          - *system_hetznix01
          - *system_nixnuc
          - *system_rainbow_planet
          - *user_airpuppet
--- a/README.md
+++ b/README.md
@ -119,3 +119,16 @@ read -s ak
 read -s ap
 atuin login --key $ak --password $ap --username gene
 ```
+
+## Adding a NixOS host
+
+### Post-install
+
+1. clone this repo
+2. setup SOPS via `mkdir -p ~/.config/sops/age && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt && nix run nixpkgs#ssh-to-age --  -i ~/.ssh/id_ed25519.pub  > ~/.config/sops/age/pub-keys.txt`
+3. copy output of `~/.config/sops/age/pub-keys.txt`
+4. add entries to `.sops.yaml`
+5. run `sops modules/hosts/nixos/$(hostname)/secrets.yaml`
+  - if there is an empty yaml file in where you target you will get an error... just delete it and try again
+6. edit `sops modules/hosts/nixos/$(hostname)/default.nix` and add the tailscale service and the block of config for sops.
+  - if there is an empty yaml file in where you target you 
--- a/flake.nix
+++ b/flake.nix
@ -92,6 +92,8 @@
      };
      specialArgs = { inherit inputs username hostname; };
      modules = [
+        disko.nixosModules.disko
+
        home-manager.nixosModules.home-manager {
          home-manager = {
            extraSpecialArgs = { inherit genebean-omp-themes hostname username; };
@ -139,6 +141,7 @@
      };

      nixosConfigurations = {
+        hetznix01 = nixosHostConfig "aarch64-linux" "hetznix01" "gene";
        nixnuc = nixosHostConfig "x86_64-linux" "nixnuc" "gene";
        rainbow-planet = nixosHostConfig "x86_64-linux" "rainbow-planet" "gene";
      };
--- a/modules/home-manager/hosts/hetznix01/gene.nix
+++ b/modules/home-manager/hosts/hetznix01/gene.nix
@ -0,0 +1,7 @@
+{ pkgs, genebean-omp-themes, ... }: {
+  home.stateVersion = "23.11";
+  imports = [
+    ../../common/all-cli.nix
+    ../../common/all-linux.nix
+  ];  
+}
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@ -0,0 +1,95 @@
+{ inputs, config, disko, hostname, pkgs, sops-nix, username,  ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+  ];
+
+  boot.loader.grub = {
+    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
+    # devices = [ ];
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  system.stateVersion = "23.11";
+
+  networking = {
+    # Open ports in the firewall.
+    firewall.allowedTCPPorts = [ 22 ];
+    # firewall.allowedUDPPorts = [ ... ];
+    # Or disable the firewall altogether.
+    # firewall.enable = false;
+
+    hostId = "85d0e6cb"; # head -c4 /dev/urandom | od -A none -t x4
+
+    networkmanager.enable = true;
+  };
+
+  programs.mtr.enable = true;
+
+  services = {
+    fail2ban.enable = true;
+    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets.tailscale_key.path;
+      extraUpFlags = [
+        "--advertise-exit-node"
+        "--operator"
+        "${username}"
+        "--ssh"
+      ];
+    };
+  };
+
+  sops = {
+    age.keyFile = /home/${username}/.config/sops/age/keys.txt;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      local_git_config = {
+        owner = "${username}";
+        path = "/home/${username}/.gitconfig-local";
+      };
+      local_private_env = {
+        owner = "${username}";
+        path = "/home/${username}/.private-env";
+      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      matchConfig.Name = "enp1s0";
+      address = [
+        "167.235.18.32/32"
+        "2a01:4f8:c2c:2e49::1/64"
+      ];
+      dns = [
+        "185.12.64.1"
+        "185.12.64.2"
+        "2a01:4ff:ff00::add:1"
+        "2a01:4ff:ff00::add:2"
+      ];
+      routes = [
+        { routeConfig = { Destination = "172.31.1.1"; }; }
+        { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
+        { routeConfig.Gateway = "fe80::1"; }
+      ];
+      # make the routes on this interface a dependency for network-online.target
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  users.users.${username} = {
+    isNormalUser = true;
+    description = "Gene Liverman";
+    extraGroups = [ "networkmanager" "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N bluerock"
+    ];
+  };
+}
--- a/modules/hosts/nixos/hetznix01/disk-config.nix
+++ b/modules/hosts/nixos/hetznix01/disk-config.nix
@ -0,0 +1,42 @@
+# Example to create a bios compatible gpt partition
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/hosts/nixos/hetznix01/hardware-configuration.nix
+++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix
@ -0,0 +1,19 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
--- a/modules/hosts/nixos/hetznix01/secrets.yaml
+++ b/modules/hosts/nixos/hetznix01/secrets.yaml
@ -0,0 +1,23 @@
+local_git_config: ENC[AES256_GCM,data:/1FaGgxRJT01Xg3NYvcGfTaqxklv3PtoBdVN/H7+Mhlxwed5O++leUA=,iv:VKjkzqH8ayRE9hgNrqwSSx4RKCBYVkUkPtA1dvnkfvA=,tag:lfgezmDGQ/yVfLypLBanYA==,type:str]
+local_private_env: ""
+tailscale_key: ENC[AES256_GCM,data:yiAug7VEfZ5jROEg3NVmZcfdbfUxBZk2duM6mG/BVXKuAYj4u0SB1HtMCmvX6nr7P3y3YyuqiLw6,iv:bN5xbBOPWJfH+DxcHp2ODLm95jyzUwjSkKynPmvQvnY=,tag:8b/0hnNH7T64xBFMkXRjeQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NFBqRFNnSmJCK0ZPYUR5
+            SXRXRDhaMmVCbGFVUWxoYkhPbUczdHBJdkZvClcxcE5IUnMvN0tHbllNU3hwMTY1
+            SXlhUHFJd3JCYU5MVDB2UnJPaW5xYncKLS0tIENqd3N1dnZ1NFltQ1pOSjA2dU5N
+            VUIzR0FqbFNvOXAzREZtdDJNTWhjYUEKYfA5s8PRVbefoOefKLs7NiHUd6fYZ62I
+            ZwUi9YZt+zHxBxxFFMpduSSd5q50Qz+CMBNQHv2CPOBcGeFjToiDxg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-06T02:07:39Z"
+    mac: ENC[AES256_GCM,data:JWLLdojUJlI0SDdT8Yg0pj03Jmc7eCJL8GHPtXOfw28vcqlK2tnR/yWLI+MClFVu+o4vrV9HZv+41VItqAkeMjBlgAYib9JgTwtkiECZz8o6i8FXEk09Qkml9WKyKrAU1Og/+gt3y1MUSzrmGgg8YkM3YVv7nyGr8lZ0nf/rWb8=,iv:rYtawgUgxsXCY4OHbLW6l2X/x1f+C7X22MoYVlfHIaw=,tag:pdACJHoe56N1lllrFoyHow==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@ -114,6 +114,8 @@
      };
    };
    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets.tailscale_key.path;
      extraUpFlags = [
        "--advertise-exit-node"
        "--operator"
@ -136,6 +138,9 @@
        owner = "${username}";
        path = "/home/${username}/.private-env";
      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
    };
  };

--- a/modules/hosts/nixos/rainbow-planet/default.nix
+++ b/modules/hosts/nixos/rainbow-planet/default.nix
@ -1,4 +1,4 @@
-{ pkgs, username, ... }: {
+{ config, pkgs, username, ... }: {
  imports = [
    ./hardware-configuration.nix
    ../../../system/common/linux/flatpaks.nix
@ -73,6 +73,8 @@
    gvfs.enable = true; # Used by Nautilus
    printing.enable = true; # Enable CUPS
    tailscale = {
+      enable = true;
+      authKeyFile = config.sops.secrets.tailscale_key.path;
      extraUpFlags = [
        "--operator"
        "${username}"
@ -120,6 +122,9 @@
        owner = "${username}";
        path = "/home/${username}/.private-env";
      };
+      tailscale_key = {
+        restartUnits = [ "tailscaled-autoconnect.service" ];
+      };
    };
  };

--- a/modules/system/common/all-nixos.nix
+++ b/modules/system/common/all-nixos.nix
@ -52,21 +52,9 @@

  services = {
    openssh.enable = true;
-    tailscale = {
-      enable = true;
-      authKeyFile = config.sops.secrets.tailscale_key.path;
-    };
  };

-  sops = {
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets = {
-      tailscale_key = {
-        restartUnits = [ "tailscaled-autoconnect.service" ];
-        sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml;
-      };
-    };
-  };
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  time.timeZone = "America/New_York";