Add hetznix02 via nixos-anywhere

This commit is contained in:
Gene Liverman 2024-09-04 22:53:54 -04:00
parent 5cf6172925
commit 7e9f4d5adb
10 changed files with 280 additions and 36 deletions


@ -0,0 +1,7 @@
{ pkgs, genebean-omp-themes, ... }: {
home.stateVersion = "24.05";
imports = [
../../common/all-cli.nix
../../common/all-linux.nix
];
}
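Review bot: `pkgs` and `genebean-omp-themes` are bound in the module arguments on the first line but nothing in this file uses them, so the header implies a dependency on the theme flake input that the module does not have; `{ ... }: {` is enough. If they are kept for symmetry with the sibling host files, a one-line comment saying so (`# args kept for parity with other hosts' home.nix`) would stop the next reader from hunting for the use.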


@ -93,7 +93,7 @@
extraGroups = [ "networkmanager" "wheel" ];
linger = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjigwV0KnnaTnFmKjjvnULa5X+hvsy2FAlu+lUUY59f gene@rainbow-planet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
];
};
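Review bot: This 7/7 hunk replaces one line of an authorized-key list that is copied literally into each host file, and the copy added for hetznix02 in this same commit already differs from it (three keys here, two there), so whichever key was swapped here will not be swapped anywhere else. Hoisting the list into a shared module under `common/` (a new file holding just the list, referenced as `openssh.authorizedKeys.keys = import ../../common/<shared-keys-file>.nix;`) keeps revocations and rotations in one place; the `<shared-keys-file>` name is a placeholder for whatever the repo's naming convention is. The enclosing `users.users` definition starts and ends outside the hunk.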


@ -0,0 +1,89 @@
{ pkgs, username, ... }: {
imports = [
./hardware-configuration.nix
./disk-config.nix
./post-install
];
system.stateVersion = "24.05";
boot = {
loader.grub = {
# no need to set devices, disko will add all devices that have a
# EF02 partition to the list already
# devices = [ ];
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
tmp.cleanOnBoot = true;
};
environment.systemPackages = with pkgs; [
# podman-tui # status of containers in the terminal
# podman-compose
];
networking = {
# Open ports in the firewall.
firewall.allowedTCPPorts = [
22 # ssh
];
# firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# firewall.enable = false;
hostId = "89bbb3e6"; # head -c4 /dev/urandom | od -A none -t x4
networkmanager.enable = false;
useNetworkd = true;
};
programs.mtr.enable = true;
services = {
fail2ban.enable = true;
logrotate.enable = true;
udev.extraRules = ''
ATTR{address}=="96:00:03:ae:45:aa", NAME="eth0"
'';
};
systemd.network = {
enable = true;
networks."10-wan" = {
matchConfig.Name = "enp1s0";
address = [
"195.201.224.89/32"
"2a01:4f8:1c1e:aa68::1/64"
"fe80::9400:3ff:feae:45aa/64"
];
dns = [
"185.12.64.1"
"185.12.64.2"
"2a01:4ff:ff00::add:1"
"2a01:4ff:ff00::add:2"
];
routes = [
{ routeConfig = { Destination = "172.31.1.1"; }; }
{ routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
{ routeConfig.Gateway = "fe80::1"; }
];
# make the routes on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
};
users.users.${username} = {
isNormalUser = true;
description = "Gene Liverman";
extraGroups = [ "networkmanager" "wheel" ];
linger = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
];
};
zramSwap.enable = true;
}
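Review bot: The udev rule `ATTR{address}=="96:00:03:ae:45:aa", NAME="eth0"` renames the NIC to eth0, but `networks."10-wan"` matches on `matchConfig.Name = "enp1s0"`, so if the rename takes effect the static address and routes are never applied and the host comes up without connectivity (the `fe80::9400:3ff:feae:45aa` link-local address is the EUI-64 form of that MAC, so both lines refer to the same interface). Either drop the udev rule or match on the hardware address instead, `matchConfig.MACAddress = "96:00:03:ae:45:aa";`, which is independent of whatever the interface ends up being called. Unless one of the imported `common` modules already does it, this internet-facing host should also pin `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` next to the key-only user — fail2ban and the port-22 firewall rule are here, but nothing in this file shows password authentication being disabled. `extraGroups` still lists `"networkmanager"` although `networkmanager.enable = false` on this host, so that entry is dead and reads as copy-paste from a desktop config.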


@ -0,0 +1,42 @@
# Example to create a bios compatible gpt partition
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
};
};
};
};
}
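Review bot: The header comment `# Example to create a bios compatible gpt partition` is the upstream disko example text and says nothing about this host; replace it with what the layout is for, e.g. `# hetznix02: GPT with a 1M EF02 BIOS-boot partition, a 500M ESP mounted at /boot and an ext4 root; no swap partition (zramSwap is enabled in configuration.nix)`. A short note on why `device` is `lib.mkDefault "/dev/sda"` (so nixos-anywhere can override it at install time) would also help, since this file is otherwise indistinguishable from the example it was copied from.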


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd = {
availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
kernelModules = [ "nvme" ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems = {
"/boot" = {
device = lib.mkForce "/dev/disk/by-uuid/D005-6C65";
fsType = "vfat";
};
"/" = {
device = lib.mkForce "/dev/sda1";
fsType = "ext4";
};
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
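Review bot: The `fileSystems` block overrides disko with `lib.mkForce`, and the forced devices look stale relative to the layout in this commit's `disk-config.nix`: `/boot` is pinned to `/dev/disk/by-uuid/D005-6C65`, the UUID of a vfat filesystem disko recreates (which gets a fresh UUID), and `/` is pinned to `/dev/sda1`, which in that layout would as far as I can tell be the 1M EF02 `boot` partition rather than the ext4 root — presumably this was generated from the pre-disko image and the `mkForce` added to silence the conflict with disko's own `fileSystems` definitions. The nixos-anywhere workflow is `nixos-generate-config --no-filesystems`, so that disko's by-partlabel devices are the only definitions; removing the whole `fileSystems` attribute here does the same. If the host did boot with this, it is worth confirming on the machine which device is actually mounted at `/` before the next rebuild, because a mismatch here only surfaces at boot time. The generated-file header also says not to edit this file, yet the `mkForce` calls are hand edits; if they stay, a comment explaining why is warranted.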


@ -0,0 +1,20 @@
{ username, ... }: {
sops = {
age.keyFile = /home/${username}/.config/sops/age/keys.txt;
defaultSopsFile = ../secrets.yaml;
secrets = {
local_git_config = {
owner = "${username}";
path = "/home/${username}/.gitconfig-local";
};
local_private_env = {
owner = "${username}";
path = "/home/${username}/.private-env";
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
};
};
};
}
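Review bot: `age.keyFile = /home/${username}/.config/sops/age/keys.txt;` is a Nix path literal rather than a string; if sops-nix coerces it in a derivation context the private age key would be copied into the world-readable Nix store, and under pure flake evaluation an absolute path outside the flake is rejected as soon as it is accessed. The sops-nix documentation uses a string here, `age.keyFile = "/home/${username}/.config/sops/age/keys.txt";`, which is also what the `path` attributes on the two secrets below already do. `owner = "${username}";` on both secrets is just `owner = username;`. Separately, the host decrypts its secrets at activation (as root) with a key kept in one user's home, so those secrets are only as protected as that home directory; a host key under `/var/lib/` or `sops.age.sshKeyPaths` pointing at the host SSH key keeps the decryption key out of the user-writable area — if this placement is deliberate, a comment saying so would help.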


@ -0,0 +1,23 @@
local_git_config: ENC[AES256_GCM,data:iA21ugn3r8VOyDS0T6/MiyDEP0j9wSWIE55AQ55neG9YiRER+dwJbIA=,iv:Tyksa16llda//qiZpiHp8SPQQpdl4bbu6ytO3N/NK68=,tag:lk+TCIK8xpG7Cdgx3bX2/Q==,type:str]
local_private_env: ENC[AES256_GCM,data:Vfbw+jRsrqB1oJUtMwu6imzu6UTzQ1Yirb//o4mAuTJeAZ72qgxjXcqYCP82/7IP4hHnoQ1+YFPQxvekEQ==,iv:+7sxEbsz7tT/daAqR7xYPbBpamo9sLcGUGLiclKMV8A=,tag:ckxeQeeiHlxVOa9BfEEkaw==,type:str]
tailscale_key: ENC[AES256_GCM,data:8/ZqHv/XqL9ACkw3HQfK6DCRs/w+2d4NJxEsP7/D8aZyuc99PL3MV6kDM4q1b792CthiioQrHnc=,iv:wfi1RS8PTwazMOUNc64Njoj7NylYUN0R/bx0Ggod+yc=,tag:Y359/pOlYTuykP0oOFUrfw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaC95bVRMQ2F0aTlaeGNL
QlJuNDZnQ3MwVmRVdmhQQ2hrcDVKYXhJSldzCkdaY0JRK3NGVE5OQXJwMVNjeEZK
djFjU1BJY2lVVVA2bFlWRm40d0o0SDQKLS0tIE5WdVo4c09DbjN4Q1ZSUkd0VFdE
K3NIVTBXdlVjbGZoSTdwUHYvMzRCUWMKixJlZliRrsKOQVGYwwINSmHDZm7zsLRM
k0aGV0MJUafukPMYRbT/2H7dh/yhZx/Tn0fVFHbSeLvpf9ig3x8jkQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-07T01:44:24Z"
mac: ENC[AES256_GCM,data:xB0CvralCxv3oHUha4PEdmolKGMxJYaOsIomN3V0J64Wyq/UnCicFel/uraED/LKbMBprQRsXjkh3vB9ncINUI3vYr1Cm61XnL4WEfxaUYLso0Xn1gc8rJP6qXGDSShpCaZQj+oRi4tPzNXYc1v90IKZboukjBHWF0D4zEP1rWQ=,iv:1So597QQyyrVwXXkjXRe7hgyPgghdNgr/fpdaxYjUls=,tag:6X1Ds4mfy8LjHuJKIGKmMQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
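Review bot: This file is encrypted to a single age recipient (`age180w4c04kga07...`), which from the re-encryption of the shared secrets file in the same commit looks like the new host's key; if that is so, nobody can edit or rotate these secrets without access to the host's key, and losing that key loses the file. The shared secrets file in this commit is encrypted to several other keys as well, so a `.sops.yaml` creation rule for this path listing the host key plus the admin key(s) would make the two consistent and give a recovery path.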


@ -12,65 +12,74 @@ sops:
- recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2WHN1S29tU21PRmRpcGQ4
cm9hTW5wWVRNWlBDWGtOaUlzNWZndDgzd1NZCkVJZExBUkNFOFBNTUJKTDJBR2Vs
UmVCcWoxRzdGeHAraFZoZitZL21nTzAKLS0tIDNsY0VGVW5nUkY4enoxMWFLZTYr
ay84cjcrZFNyc0d0N3o1RkV6UTdGQ0EKcCzKdxFpXpuVCP/H3vxKsj/nU5MjxUuw
kW6psp5pA+0HHozeZoN+nv4dTaaz6GQLZdY+b/tfOem81/Bl1YXnnQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLWnUrOGU0Sk43Vzk3WFlO
SGVvU3lwS0dqK2Zkb3NxK201UHhBcWt1c1I0CldQU3d2bHBnYTV1UHUrbHF6YmZq
YXpaUE1ySis0cnJMQmZiODVMS1VIVkkKLS0tIE0rd1g3c2IwcC9DRk5jcnpXSnBF
K2FoMlZkalRUMnFZTTZCc2ZRSElpcjAKB5KXVdpZDY3m3RI7VuCgY559cJ60hK29
I4PexxpYlOvQqu6k29KmbjznHRIonXDLV7YPnKGGCF52/fjNOnpaOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age180w4c04kga07097u0us6d72aslnv2523hx64x8fzgzu4tccrxuyqa50hpm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucnA2SVNzaEVFMkpPVW9P
YUdlTmIwM05EVGZ6ekh0N25hcEJiZytkUFhJCllIdWlDUllqOUhaOW01Tzg2MnJm
YWxqNHUyOW15MlBiNThOT2NOYzhoZnMKLS0tIDR1Z1BDdVdDSGFSckxTOVFVMG16
R2N6a0t1YmlTb05leFd2L0MzL0JTdmsKh4fwAg/AVJ9skTrgbIMNIY+E+u7U6nN5
gADaBwJrKKcxY3tFxUkEw3/LNrVH64JDEyhqfUM6yB2TM+pMCpO1Sw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd1hvWU8yOUhzKy9WU2NU
SnVra1hHVjNTY05YSmhkL0JpcWo2Z0tPSmhVCnAyWWg4c2NUazA4RTZoazRMUHJz
OCtsYmVicmphMmJyVUIwbWlzaHNwSTgKLS0tIHNzMFlsMEw0eVBjdmdVWERnZzZZ
WEU0NkNvbjd4NkE0KzdhRXIxT0dla0UKxMxIMNdkh5LFm9+A9lAQNO4qWm+URRBu
dDPLuF+Jw1wkd2aZjAolOcMfdCgTS2WUeY1615bT6GoAUl96v0fQHw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UXlUK1hEMW9EUmNacDFh
Y3FRc0VGMllMTGV6WDMwL2VNYnA5RVRhd1JrCit0WWsxK3lPaVEzSzlXbXQwWisv
YUxHdnpQSGNzTUdVMDA2OXZsNG85Qk0KLS0tIFI5Z1g4OTFaZTM5K0dlcEVpVkNy
K1p6a1RkRy9JYU5rZVJZQUtSelFnUE0KkWBLKwEhDPwBFMslhXmKRCcWotDDSuwO
zrPDwr2eAlCOkNXbLga+z/onfRm7bQhY/axucQWicCQAP8rShyhyKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3NXNU82djJnNkI0aUF3
WHFpTTQxUnB0Ynlmb1pOUmhYQk1lc1dRS1hRCnhzbnZ5d3NIWHI3c2VtbHIrMm44
QnZMY3FXT25sV1N3YWNGNnFpYkxUQncKLS0tIHlEb2UyMFp6UWhiam5zL0Vqa2px
eUVjdzlFdkJKQTBxRitjQ2M3TTVpcHcKs6qM7CfLvcEbpKFjfbmUJjSBLcVZ5SEt
8MG5VefhVJiVGAX8q6SVZn15FpjLm8PtiuAWoBhi2kboLb6/faK2Cw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM3ZucFB2bk1KVmVnOGlR
R3FUWE5kOWNpeE11d0IyZ2JsUGhCQzNoVTFzCjRGSnFETmV0aU5lcFgzQ1loSnpj
LzJqRTB0U1FIR0FJZ1E0ZGsyTjVPaEkKLS0tIHlvZVk0b0t5cVByTGgrSGd0WG0y
anJlU0FDQk14UUZPcG5IdmJCR1VJSWcKvTqLLRWeBmiA/4cBrjXxeNrPBXKuLPQX
AkiQTrtC9bao22QhmJ6+ebA5l8x+rUYm6PIQpieVKRRpqZFS6Cj/GQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QlRIRGNwaEsrWGxoQnpp
dThhRUxBYXJ1ZlBsMmhweHpmd1hjb3RnMmhrCmg4dTZBY0kyUkxnZHZCdXFnOThS
UkJsWnBUeEc1ZG1lTkFrYnlxWnFmS00KLS0tIG5pUTJKaXJydFB5YkxVMHdPanBH
TjZGWjZqbXVhV3kvZ3dHMmJndVRwS28KE1+lw8BZLTv7zeSBw/fd2dqPS/hiq37x
VfOHwiTw9TDbbCm1pCtBl44/qB5vKlqAOtWBjM7hiv06QcZrDgfxZg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYTg4SlhvUW8vdXVxY04z
SWVzOFRpeDdYdEx5M3kwaEdlNitJY0F3UlhvCkU2MUdqQ29jZHpZVG8rU2lwQUVs
ZnNna1JkR25saThiK25ocWFOUWNPMDQKLS0tIHNHbDFveHN2KzRHN20rcjBXK1lS
cWh5bGptQ2ZrNnpTbXJQNFcyNWpCOWsK2IIip2rhMMXem3ALeOvw4Hxp6HF7UpRk
YmKAoN6OwWHwgkWXxapUCTrhx4mLr/Okx9zK3B+6cVNd5yyVtrcBnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZkVWMGFmZU9OSXhQWFF4
Q3pjelptQzhHK3pnZGFSS2dCUUkvVGF1eVM4CityNVRFUyswMUxEN0RSakd0Ymp0
ZXdnVXJtVDhycVRRSmR3RWhoMk15RFkKLS0tIGR6bVljY1Rnc2JRU05FaXlXQW1H
S0YxZWZ5Q2taQks5VmxGY21CZ01IVUUKU593ro9pDrKkUGAV226dbo0dK7QnI49I
VyGJGcQ/bXEBVJazcwWGhIwA6WACY/HldrUU45WsowlVQgIwtPVkfw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMW1CVzA2YnB6OUlFTktu
SEk1UkhqalZNZklGVmo2c1RmWmJ1WC9QMFRrCjNoVUJjM0trN2F1d2lLMWd2Zmh4
bXZFQ2hqaktQRFdCSHN2eGZQeDFwVmcKLS0tIGNBS0x1T3FCOTNmeERrN3RYOXpV
UGc5aFF3cXBoYU45WHFyU0NXajhMRzgKtPbwNjOmoe7KL6LdlFV//TF6Q5PAJ40i
y/CzPN05BlcTQNUcm/ZpFMT6Mn5l5fDER79LKyzBBzL3s3qYzdruBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYkhuWllyTDk4NEpOdVFV
K1JVWUM4THNGSVpkS1V6VTZzNFF3b0xydW44CkpEYlFya0MyTWZLby9zb1dzTGNk
WElCYnpEQStKOUFWWXdVM1dWOEpMSWcKLS0tIDB5aDY3T25MSmtUUmw4YVREeU5l
WnBoZzdHb3NzSVd2NDhiUDY4YUhUS2MKZg09GBkZrL4kqpA7y/dQNVpStLjZTrYz
8jlhf06x0L/oLrSfP4Ct0apnjHRoPJlpTRLZKEVNfE3t0E8JgW3JDg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZlhDN3k5QnZhTnFzb0Ni
cUZwMDgvTGtQUHlJZ2NRU1hhMEdPNFlYSldNCjhiTFNlUzdmaTM5bHd1RzExTTBB
bGRWd1JkK1RSKzExT2NkVkkvc3ljWVEKLS0tIEErOVdBVnA4NGZ0VXc4S1psUE9U
bnhYRDFHaTFYQnBPU0ZMUWZaaVNaaHcKryDBNTvoy2x/to0/zOzLaQLfYR9jO335
Svt2eAxMXt59x964hLRmuaON0jxNqpVyCOFAk8UWyqq952YCerG1Iw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQM1ZrZHplbVRhR3Rtd2dN
N0RXazhNR1hqQzAxb0lpdCttQW9EUzYwZldzCjlFVjV0RG9oQnM4UHJNTjdnNjlo
Y3ZRQ0J0VGxUQ1NYWitWVnFIZHdSRDgKLS0tIG9GdThMKzdQaGZCcy92L3N1TWJZ
OEtqTWJvU2ptTmJEQmhRZDFDTW0zemsKol6EX/Ap98DQXDoMaY8cR9x2N02SiqYg
/6ufAo+0qxF+BS5dWdxAQJOZnTa9+xRePrlp/8bnnpJ4aalRqZj65w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5L3dUSHRLQjZOUXB4NlVi
aXRjWHJONXVsMFZKSmJCU1VYWlY5UUJXYXdBCmloYndMR2VnWHR3T3p5NytyUVZt
dHk5YWJFQ09xR1Qvd3BEWjJXVHJrQWsKLS0tIEhFQXJLTDBUWXNzYnhoZ1l3bFRE
dDQybkwzOUtraGk1U21VeHBkNUpLeGsKgBP+mn2AZmKf6v15JnOE4YeSUpsKMAgP
DbbDSJBf3zgwcUECglSB9pM09ZkxM/WA8+sBPNt7/pepUfpKWfoiIA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-15T21:02:47Z"
mac: ENC[AES256_GCM,data:vZie4+27bytMtLHLO3cR5X6XsvVjoLWXbZ9gSyeJAg//TYDdojfCKtLatBb22oVyjjeoFKKqcHwVPv888Kpc8SwFIY7C0YxgmFbHXZMkUk4EWsolGPJ4V3p2GdWSRJkn/B9fM0TjvWiHASvtDNUNw03Rs6PT8fP0YTSzomKGR+U=,iv:5UY3+wj8h/uW/l3gkBPub+bWWt2kKabH5jErjmNp4sM=,tag:2DrAzNOS+dd3bNCs42PPbw==,type:str]