From a62a3d136a555002e531c8e27e8d7f6369ef766a Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 5 Feb 2024 00:45:52 -0500 Subject: [PATCH 1/4] Add hetznix01 --- flake.nix | 3 ++ modules/home-manager/hosts/hetznix01/gene.nix | 7 ++++ modules/hosts/nixos/hetznix01/default.nix | 32 ++++++++++++++ modules/hosts/nixos/hetznix01/disk-config.nix | 42 +++++++++++++++++++ .../hetznix01/hardware-configuration.nix | 24 +++++++++++ modules/hosts/nixos/hetznix01/secrets.yaml | 0 modules/hosts/nixos/nixnuc/default.nix | 5 +++ .../hosts/nixos/rainbow-planet/default.nix | 7 +++- modules/system/common/all-nixos.nix | 14 +------ 9 files changed, 120 insertions(+), 14 deletions(-) create mode 100644 modules/home-manager/hosts/hetznix01/gene.nix create mode 100644 modules/hosts/nixos/hetznix01/default.nix create mode 100644 modules/hosts/nixos/hetznix01/disk-config.nix create mode 100644 modules/hosts/nixos/hetznix01/hardware-configuration.nix create mode 100644 modules/hosts/nixos/hetznix01/secrets.yaml diff --git a/flake.nix b/flake.nix index 8106e85..01d591d 100644 --- a/flake.nix +++ b/flake.nix @@ -92,6 +92,8 @@ }; specialArgs = { inherit inputs username hostname; }; modules = [ + disko.nixosModules.disko + home-manager.nixosModules.home-manager { home-manager = { extraSpecialArgs = { inherit genebean-omp-themes hostname username; }; @@ -139,6 +141,7 @@ }; nixosConfigurations = { + hetznix01 = nixosHostConfig "aarch64-linux" "hetznix01" "gene"; nixnuc = nixosHostConfig "x86_64-linux" "nixnuc" "gene"; rainbow-planet = nixosHostConfig "x86_64-linux" "rainbow-planet" "gene"; }; diff --git a/modules/home-manager/hosts/hetznix01/gene.nix b/modules/home-manager/hosts/hetznix01/gene.nix new file mode 100644 index 0000000..30158a5 --- /dev/null +++ b/modules/home-manager/hosts/hetznix01/gene.nix @@ -0,0 +1,7 @@ +{ pkgs, genebean-omp-themes, ... }: { + home.stateVersion = "23.11"; + imports = [ + ../../common/all-cli.nix + ../../common/all-linux.nix + ]; +} 
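Review bot: The module header `{ pkgs, genebean-omp-themes, ... }:` in the new gene.nix binds two arguments that the body never uses; only `home.stateVersion` and `imports` follow. Trimming it to `{ ... }: {` would make the host's home-manager module read as the thin composition it is, and avoids suggesting to a reader that something in this file depends on those inputs. The whole file is within the hunk.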
diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix new file mode 100644 index 0000000..102f240 --- /dev/null +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -0,0 +1,32 @@ +{ inputs, config, disko, hostname, pkgs, sops-nix, username, ... }: { + imports = [ + ./hardware-configuration.nix + ./disk-config.nix + ]; + + system.stateVersion = "23.11"; + + networking = { + # Open ports in the firewall. + firewall.allowedTCPPorts = [ 22 ]; + # firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # firewall.enable = false; + + hostId = "85d0e6cb"; # head -c4 /dev/urandom | od -A none -t x4 + + networkmanager.enable = true; + }; + + programs.mtr.enable = true; + + users.users.${username} = { + isNormalUser = true; + description = "Gene Liverman"; + extraGroups = [ "networkmanager" "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N bluerock" + ]; + }; +} diff --git a/modules/hosts/nixos/hetznix01/disk-config.nix b/modules/hosts/nixos/hetznix01/disk-config.nix new file mode 100644 index 0000000..76a07cd --- /dev/null +++ b/modules/hosts/nixos/hetznix01/disk-config.nix @@ -0,0 +1,42 @@ +# Example to create a bios compatible gpt partition +{ lib, ... }: +{ + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} 
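Review bot: `openssh.authorizedKeys.keys` sets up key-based login for this host, but nothing in the file, and nothing in the `services.openssh.enable = true;` kept in the all-nixos.nix hunk of this same commit, turns password authentication off, so on an internet-facing host the NixOS default stays in effect unless it is set somewhere outside this diff. Consider `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the firewall rule, with a comment saying the host is reachable only by the listed keys. `firewall.allowedTCPPorts = [ 22 ];` is also redundant with the openssh module's `openFirewall` default, so either a comment explaining why it is repeated or its removal would avoid two places to keep in sync. The whole file is within the hunk.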
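Review bot: The header comment `# Example to create a bios compatible gpt partition` in disk-config.nix is the upstream disko example's description rather than this host's; something like `# hetznix01: GPT with BIOS-boot (EF02) + ESP (EF00) + ext4 root, applied by disko` would stop a reader from taking the file for a template. `device = lib.mkDefault "/dev/sda";` is overridable, which is fine, but a one-line comment that the device name must be confirmed on the target before disko is applied would document the one value in this file that wipes a disk if wrong. The whole file is within the hunk.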
diff --git a/modules/hosts/nixos/hetznix01/hardware-configuration.nix b/modules/hosts/nixos/hetznix01/hardware-configuration.nix new file mode 100644 index 0000000..f2551e3 --- /dev/null +++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix @@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; +} diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml new file mode 100644 index 0000000..e69de29 diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix index 13865f9..3ad18a9 100644 --- a/modules/hosts/nixos/nixnuc/default.nix +++ b/modules/hosts/nixos/nixnuc/default.nix @@ -114,6 +114,8 @@ }; }; tailscale = { + enable = true; + authKeyFile = config.sops.secrets.tailscale_key.path; extraUpFlags = [ "--advertise-exit-node" "--operator" @@ -136,6 +138,9 @@ owner = "${username}"; path = "/home/${username}/.private-env"; }; + tailscale_key = { + restartUnits = [ "tailscaled-autoconnect.service" ]; + }; }; }; 
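Review bot: The `tailscale_key` secret declared in nixnuc/default.nix carries only `restartUnits`; the version removed from all-nixos.nix in this same commit also set `sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml;`, so this entry now depends on `sops.defaultSopsFile` being set in this file outside the hunk, which is worth confirming since otherwise sops-nix has no file to read the key from. The identical block added to rainbow-planet/default.nix has the same dependency. A comment such as `# read from this host's secrets.yaml via sops.defaultSopsFile` on the new entry would make it visible. The enclosing `sops.secrets` attribute set starts before the hunk.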
diff --git a/modules/hosts/nixos/rainbow-planet/default.nix b/modules/hosts/nixos/rainbow-planet/default.nix index cb2c521..748f765 100644 --- a/modules/hosts/nixos/rainbow-planet/default.nix +++ b/modules/hosts/nixos/rainbow-planet/default.nix @@ -1,4 +1,4 @@ -{ pkgs, username, ... }: { +{ config, pkgs, username, ... }: { imports = [ ./hardware-configuration.nix ../../../system/common/linux/flatpaks.nix @@ -73,6 +73,8 @@ gvfs.enable = true; # Used by Nautilus printing.enable = true; # Enable CUPS tailscale = { + enable = true; + authKeyFile = config.sops.secrets.tailscale_key.path; extraUpFlags = [ "--operator" "${username}" @@ -120,6 +122,9 @@ owner = "${username}"; path = "/home/${username}/.private-env"; }; + tailscale_key = { + restartUnits = [ "tailscaled-autoconnect.service" ]; + }; }; }; diff --git a/modules/system/common/all-nixos.nix b/modules/system/common/all-nixos.nix index 646901a..6a2bb3c 100644 --- a/modules/system/common/all-nixos.nix +++ b/modules/system/common/all-nixos.nix @@ -52,21 +52,9 @@ services = { openssh.enable = true; - tailscale = { - enable = true; - authKeyFile = config.sops.secrets.tailscale_key.path; - }; }; - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets = { - tailscale_key = { - restartUnits = [ "tailscaled-autoconnect.service" ]; - sopsFile = ../../hosts/nixos/${hostname}/secrets.yaml; - }; - }; - }; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; time.timeZone = "America/New_York"; From d9f826453bf1dd7a7ded5e61c3e07203d8efbc09 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 5 Feb 2024 16:51:45 -0500 Subject: [PATCH 2/4] Add IP addresses for hetznix01 --- .../nixos/hetznix01/hardware-configuration.nix | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/hardware-configuration.nix b/modules/hosts/nixos/hetznix01/hardware-configuration.nix index f2551e3..c633c46 100644 
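Review bot: After the all-nixos.nix hunk the only visible users of the module's `config` and `hostname` arguments are gone (`config.sops.secrets.tailscale_key.path` and the `${hostname}` sopsFile), so if the function header outside the hunk still binds them they are now dead parameters worth pruning. Every host file is now expected to declare the tailscale service and its secret itself; a comment above the kept `sops.age.sshKeyPaths` line, e.g. `# tailscale and per-host sops secrets live in modules/hosts/nixos/<host>/default.nix`, would tell the next host author where the removed block went. The `services` attribute set starts before the hunk.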
--- a/modules/hosts/nixos/hetznix01/hardware-configuration.nix +++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix @@ -13,12 +13,18 @@ boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + systemd.network.networks."10-wan" = { + networkConfig.DHCP = "no"; + address = [ + "167.235.18.32/32" + "2a01:4f8:c2c:2e49::1/64" + ]; + routes = [ + { routeConfig = { Destination = "172.31.1.1"; }; } + { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; } + { routeConfig.Gateway = "fe80::1"; } + ]; + }; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; } From d77634f7f738cea898214a8558d9eb2f21621f67 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 5 Feb 2024 17:03:13 -0500 Subject: [PATCH 3/4] Add bootloader and not-detected.nix import --- modules/hosts/nixos/hetznix01/default.nix | 7 +++++++ modules/hosts/nixos/hetznix01/hardware-configuration.nix | 7 ++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 102f240..a8c7c21 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -4,6 +4,13 @@ ./disk-config.nix ]; + boot.loader.grub = { + # no need to set devices, disko will add all devices that have a EF02 partition to the list already + # devices = [ ]; + efiSupport = true; + efiInstallAsRemovable = true; + }; + system.stateVersion = "23.11"; networking = { 
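Review bot: `efiSupport = true` with `efiInstallAsRemovable = true` is a reasonable pair for a VM whose firmware variables cannot be touched, but the comment `# no need to set devices, disko will add all devices that have a EF02 partition to the list already` describes a BIOS install path, and this host is `aarch64-linux` (per hardware-configuration.nix and the flake entry), which has no legacy BIOS boot; whether the EF02 partition from disk-config.nix leads disko to request a BIOS GRUB install on this platform is worth checking on a build. If it does, an explicit `boot.loader.grub.devices = [ "nodev" ];` or dropping the EF02 partition would keep the configuration platform-consistent, and the comment should then say so. The module body continues outside the hunk.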
diff --git a/modules/hosts/nixos/hetznix01/hardware-configuration.nix b/modules/hosts/nixos/hetznix01/hardware-configuration.nix index c633c46..8ef049d 100644 --- a/modules/hosts/nixos/hetznix01/hardware-configuration.nix +++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix @@ -4,9 +4,10 @@ { config, lib, pkgs, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; boot.initrd.kernelModules = [ ]; From 8753230721bd5721385a605945e586da11e1b564 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Mon, 5 Feb 2024 22:38:53 -0500 Subject: [PATCH 4/4] enable fail2ban, fix network config --- .sops.yaml | 6 ++ README.md | 13 +++++ modules/hosts/nixos/hetznix01/default.nix | 56 +++++++++++++++++++ .../hetznix01/hardware-configuration.nix | 12 ---- modules/hosts/nixos/hetznix01/secrets.yaml | 23 ++++++++ 5 files changed, 98 insertions(+), 12 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 0414560..2c1d07c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,11 +1,16 @@ --- keys: + - &system_hetznix01 age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 - &system_nixnuc age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 - &user_blue_rock age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d - &user_mini_watcher age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq creation_rules: + - path_regex: hetznix01/secrets.yaml$ + key_groups: + - age: + - *system_hetznix01 - path_regex: nixnuc/secrets.yaml$ key_groups: - age: 
@@ -29,6 +34,7 @@ creation_rules: - path_regex: modules/system/common/secrets.yaml$ key_groups: - age: + - *system_hetznix01 - *system_nixnuc - *system_rainbow_planet - *user_airpuppet diff --git a/README.md b/README.md index 0177651..e1bde52 100644 --- a/README.md +++ b/README.md @@ -119,3 +119,16 @@ read -s ak read -s ap atuin login --key $ak --password $ap --username gene ``` + +## Adding a NixOS host + +### Post-install + +1. clone this repo +2. setup SOPS via `mkdir -p ~/.config/sops/age && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt && nix run nixpkgs#ssh-to-age -- -i ~/.ssh/id_ed25519.pub > ~/.config/sops/age/pub-keys.txt` +3. copy output of `~/.config/sops/age/pub-keys.txt` +4. add entries to `.sops.yaml` +5. run `sops modules/hosts/nixos/$(hostname)/secrets.yaml` + - if there is an empty yaml file in where you target you will get an error... just delete it and try again +6. edit `sops modules/hosts/nixos/$(hostname)/default.nix` and add the tailscale service and the block of config for sops. + - if there is an empty yaml file in where you target you diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index a8c7c21..292d6a4 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix 
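Review bot: `*system_hetznix01` is added to the recipient list for `modules/system/common/secrets.yaml`, but that file is not touched in this commit (the diffstat lists only .sops.yaml, README.md and the hetznix01 files), so its data key is still wrapped only for the previous recipients and hetznix01 will not be able to decrypt it until `sops updatekeys modules/system/common/secrets.yaml` is run and the result committed. Editing `.sops.yaml` alone only affects future encryptions. A line in the README's new post-install list, or a follow-up that includes the re-encrypted file, would close the gap.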
@@ -27,6 +27,62 @@ programs.mtr.enable = true; + services = { + fail2ban.enable = true; + tailscale = { + enable = true; + authKeyFile = config.sops.secrets.tailscale_key.path; + extraUpFlags = [ + "--advertise-exit-node" + "--operator" + "${username}" + "--ssh" + ]; + }; + }; + + sops = { + age.keyFile = /home/${username}/.config/sops/age/keys.txt; + defaultSopsFile = ./secrets.yaml; + secrets = { + local_git_config = { + owner = "${username}"; + path = "/home/${username}/.gitconfig-local"; + }; + local_private_env = { + owner = "${username}"; + path = "/home/${username}/.private-env"; + }; + tailscale_key = { + restartUnits = [ "tailscaled-autoconnect.service" ]; + }; + }; + }; + + systemd.network = { + enable = true; + networks."10-wan" = { + matchConfig.Name = "enp1s0"; + address = [ + "167.235.18.32/32" + "2a01:4f8:c2c:2e49::1/64" + ]; + dns = [ + "185.12.64.1" + "185.12.64.2" + "2a01:4ff:ff00::add:1" + "2a01:4ff:ff00::add:2" + ]; + routes = [ + { routeConfig = { Destination = "172.31.1.1"; }; } + { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; } + { routeConfig.Gateway = "fe80::1"; } + ]; + # make the routes on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + }; + users.users.${username} = { isNormalUser = true; description = "Gene Liverman"; diff --git a/modules/hosts/nixos/hetznix01/hardware-configuration.nix b/modules/hosts/nixos/hetznix01/hardware-configuration.nix index 8ef049d..d0554f2 100644 --- a/modules/hosts/nixos/hetznix01/hardware-configuration.nix +++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix 
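Review bot: `age.keyFile = /home/${username}/.config/sops/age/keys.txt;` is an unquoted Nix path literal, and a path value that is coerced to a string (as sops-nix does when it writes its manifest) is copied into the world-readable Nix store, or rejected under pure flake evaluation as an absolute path outside the flake, either of which is wrong for a private age key; it should be the string `"/home/${username}/.config/sops/age/keys.txt"`. Independently, pointing the system's decryption key at a user's home directory makes activation depend on that user's file while all-nixos.nix already supplies `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` and `.sops.yaml` encrypts this host's secrets.yaml to the single `system_hetznix01` recipient, so a comment stating which of the two keys that recipient corresponds to would settle which line is actually doing the work. Also `systemd.network.enable = true` with `matchConfig.Name = "enp1s0"` is added while `networking.networkmanager.enable = true` earlier in this file (outside the hunk) is kept; unless NetworkManager is told to leave the interface alone, e.g. `networking.networkmanager.unmanaged = [ "enp1s0" ];`, both daemons may try to configure the WAN link. The enclosing module continues outside the hunk.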
@@ -14,18 +14,6 @@ boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - systemd.network.networks."10-wan" = { - networkConfig.DHCP = "no"; - address = [ - "167.235.18.32/32" - "2a01:4f8:c2c:2e49::1/64" - ]; - routes = [ - { routeConfig = { Destination = "172.31.1.1"; }; } - { routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; } - { routeConfig.Gateway = "fe80::1"; } - ]; - }; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; } diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index e69de29..543ee2e 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml 
@@ -0,0 +1,23 @@ +local_git_config: ENC[AES256_GCM,data:/1FaGgxRJT01Xg3NYvcGfTaqxklv3PtoBdVN/H7+Mhlxwed5O++leUA=,iv:VKjkzqH8ayRE9hgNrqwSSx4RKCBYVkUkPtA1dvnkfvA=,tag:lfgezmDGQ/yVfLypLBanYA==,type:str] +local_private_env: "" +tailscale_key: ENC[AES256_GCM,data:yiAug7VEfZ5jROEg3NVmZcfdbfUxBZk2duM6mG/BVXKuAYj4u0SB1HtMCmvX6nr7P3y3YyuqiLw6,iv:bN5xbBOPWJfH+DxcHp2ODLm95jyzUwjSkKynPmvQvnY=,tag:8b/0hnNH7T64xBFMkXRjeQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2NFBqRFNnSmJCK0ZPYUR5 + SXRXRDhaMmVCbGFVUWxoYkhPbUczdHBJdkZvClcxcE5IUnMvN0tHbllNU3hwMTY1 + SXlhUHFJd3JCYU5MVDB2UnJPaW5xYncKLS0tIENqd3N1dnZ1NFltQ1pOSjA2dU5N + VUIzR0FqbFNvOXAzREZtdDJNTWhjYUEKYfA5s8PRVbefoOefKLs7NiHUd6fYZ62I + ZwUi9YZt+zHxBxxFFMpduSSd5q50Qz+CMBNQHv2CPOBcGeFjToiDxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-06T02:07:39Z" + mac: ENC[AES256_GCM,data:JWLLdojUJlI0SDdT8Yg0pj03Jmc7eCJL8GHPtXOfw28vcqlK2tnR/yWLI+MClFVu+o4vrV9HZv+41VItqAkeMjBlgAYib9JgTwtkiECZz8o6i8FXEk09Qkml9WKyKrAU1Og/+gt3y1MUSzrmGgg8YkM3YVv7nyGr8lZ0nf/rWb8=,iv:rYtawgUgxsXCY4OHbLW6l2X/x1f+C7X22MoYVlfHIaw=,tag:pdACJHoe56N1lllrFoyHow==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1