From 4d1521e4b420a24b91898bda713f9daf71e7741a Mon Sep 17 00:00:00 2001
From: Jake Hillion
Date: Sun, 21 Apr 2024 16:04:30 +0100
Subject: [PATCH] be.lt: add beryllium laptop
---
hosts/be.lt.ts.hillion.co.uk/default.nix | 43 +++++++++++++++
.../hardware-configuration.nix | 54 +++++++++++++++++++
hosts/be.lt.ts.hillion.co.uk/system | 1 +
modules/common/ssh.nix | 3 ++
modules/impermanence.nix | 2 +-
secrets/passwords/jake.age | 40 +++++++-------
secrets/secrets.nix | 8 ++-
secrets/tailscale/be.lt.ts.hillion.co.uk.age | 19 +++++++
8 files changed, 150 insertions(+), 20 deletions(-)
create mode 100644 hosts/be.lt.ts.hillion.co.uk/default.nix
create mode 100644 hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
create mode 100644 hosts/be.lt.ts.hillion.co.uk/system
create mode 100644 secrets/tailscale/be.lt.ts.hillion.co.uk.age
diff --git a/hosts/be.lt.ts.hillion.co.uk/default.nix b/hosts/be.lt.ts.hillion.co.uk/default.nix
new file mode 100644
index 0000000..dc17748
--- /dev/null
+++ b/hosts/be.lt.ts.hillion.co.uk/default.nix
@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ../../modules/common/default.nix
+ ./hardware-configuration.nix
+ ];
+
+ config = {
+ system.stateVersion = "23.11";
+
+ networking.hostName = "be";
+ networking.domain = "lt.ts.hillion.co.uk";
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ ## Impermanence
+ custom.impermanence = {
+ enable = true;
+ userExtraFiles.jake = [
+ ".ssh/id_ecdsa_sk_keys"
+ ];
+ };
+
+ ## Desktop
+ custom.users.jake.password = true;
+ custom.desktop.awesome.enable = true;
+
+ ## Tailscale
+ age.secrets."tailscale/be.lt.ts.hillion.co.uk".file = ../../secrets/tailscale/be.lt.ts.hillion.co.uk.age;
+ services.tailscale = {
+ enable = true;
+ authKeyFile = config.age.secrets."tailscale/be.lt.ts.hillion.co.uk".path;
+ };
+
+ security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+ ## Enable btrfs compression
+ fileSystems."/data".options = [ "compress=zstd" ];
+ fileSystems."/nix".options = [ "compress=zstd" ];
+ };
+}
diff --git a/hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix b/hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
new file mode 100644
index 0000000..77f1060
--- /dev/null
+++ b/hosts/be.lt.ts.hillion.co.uk/hardware-configuration.nix
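Review bot: `security.sudo.wheelNeedsPassword = lib.mkForce true;` forces over a lower-priority definition that is not in this hunk (presumably one of the modules pulled in via ../../modules/common/default.nix), and nothing records what is being overridden or why; a comment such as `# Shared modules relax this for unattended hosts; an interactive laptop must always prompt for sudo` (naming the actual module) keeps the mkForce from being dropped as redundant later. `userExtraFiles.jake = [ ".ssh/id_ecdsa_sk_keys" ]` deserves the same treatment: with `/` on tmpfs per hardware-configuration.nix, this persisted file appears to be the only copy of the key handle behind the sk-ecdsa key added in modules/common/ssh.nix, so `# FIDO key handle; without it the sk key in ssh.nix is unusable after a reboot` would say why it is singled out. As a style point, the secret name `tailscale/be.lt.ts.hillion.co.uk` is spelled out three times in the Tailscale block; a single `let` binding would keep the `age.secrets` attribute and the `authKeyFile` reference from drifting apart.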
@@ -0,0 +1,54 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/D184-A79B";
+ fsType = "vfat";
+ };
+
+ fileSystems."/nix" =
+ { device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
+ fsType = "btrfs";
+ options = [ "subvol=nix" ];
+ };
+
+ boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/c8ffa91a-5152-4d84-8995-01232fd5acd6";
+
+ fileSystems."/data" =
+ { device = "/dev/disk/by-uuid/3fdc1b00-28d5-41dd-b8e0-fa6b1217f6eb";
+ fsType = "btrfs";
+ options = [ "subvol=data" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s20f0u1u4.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/be.lt.ts.hillion.co.uk/system b/hosts/be.lt.ts.hillion.co.uk/system new file mode 100644 index 0000000..9bdfd5f --- /dev/null +++ b/hosts/be.lt.ts.hillion.co.uk/system @@ -0,0 +1 @@ +x86_64-linux \ No newline at end of file diff --git a/modules/common/ssh.nix b/modules/common/ssh.nix index 872df86..d41ec84 100644 --- a/modules/common/ssh.nix +++ b/modules/common/ssh.nix @@ -2,6 +2,8 @@ { users.users."jake".openssh.authorizedKeys.keys = [ + "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBwJH4udKNvi9TjOBgkxpBBy7hzWqmP0lT5zE9neusCpQLIiDhr6KXYMPXWXdZDc18wH1OLi2+639dXOvp8V/wgAAAAEc3NoOg== jake@beryllium-keys" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOt74U+rL+BMtAEjfu/Optg1D7Ly7U+TupRxd5u9kfN7oJnW4dJA25WRSr4dgQNq7MiMveoduBY/ky2s0c9gvIA= jake@jake-gentoo" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC0uKIvvvkzrOcS7AcamsQRFId+bqPwUC9IiUIsiH5oWX1ReiITOuEo+TL9YMII5RyyfJFeu2ZP9moNuZYlE7Bs= jake@jake-mbp" @@ -26,6 +28,7 @@ "ssh.gitea.hillion.co.uk".publicKey = "ssh-rsa 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"; # Tailscale hosts + "be.lt.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm"; "dancefloor.dancefloor.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXkGueVYKr2wp/VHo2QLis0kmKtc/Upg3pGoHr6RkzY"; "gendry.jakehillion.terminals.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c"; "homeassistant.homeassistant.ts.hillion.co.uk".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM2ytacl/zYXhgvosvhudsl0zW5eQRHXm9aMqG9adux"; diff --git a/modules/impermanence.nix b/modules/impermanence.nix index 37c161b..6112b24 100644 --- a/modules/impermanence.nix +++ b/modules/impermanence.nix 
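Review bot: The new `sk-ecdsa-sha2-nistp256@openssh.com … jake@beryllium-keys` entry in `authorizedKeys.keys` carries no authorized_keys option, so sshd on every host that imports this module only requires a touch on the authenticator; if the credential was enrolled with a PIN, prefixing the entry with `verify-required ` (`"verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNr… jake@beryllium-keys"`) makes the servers enforce user verification rather than trusting the client side. The second added key, `jake@jake-gentoo`, is an ordinary software ECDSA key that the commit message ("be.lt: add beryllium laptop") does not mention; a trailing comment or a sentence in the message saying which machine holds it would stop it being rotated out together with the beryllium keys later. The `authorizedKeys.keys` list and the enclosing attribute set both start before and end after this hunk.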
@@ -45,7 +45,7 @@ in directories = [ "/etc/nixos" - ] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]) ++ + ] ++ (listIf (config.services.tailscale.enable || config.custom.tailscale.enable) [ "/var/lib/tailscale" ]) ++ (listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]) ++ (listIf config.services.postgresql.enable [ config.services.postgresql.dataDir ]) ++ (listIf config.hardware.bluetooth.enable [ "/var/lib/bluetooth" ]) ++ diff --git a/secrets/passwords/jake.age b/secrets/passwords/jake.age index e2b11b2..0113eb8 100644 --- a/secrets/passwords/jake.age +++ b/secrets/passwords/jake.age 
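Review bot: The widened condition `(config.services.tailscale.enable || config.custom.tailscale.enable)` persists `/var/lib/tailscale` for hosts that enable the upstream module directly, but nothing on the line says why that directory is special on a tmpfs-root machine; a comment such as `# holds tailscale's node identity; losing it likely makes an authKeyFile host re-register as a new node on each boot` would record the reason (the re-registration behaviour is inferred, not visible here). If `custom.tailscale.enable` already sets `services.tailscale.enable` (not visible in this hunk), the second operand is redundant and `config.services.tailscale.enable` alone would read more simply. The `directories` list continues outside the hunk.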
@@ -1,21 +1,25 @@ age-encryption.org/v1 -> ssh-rsa GxPFJQ -clM3ZZ+BrFyrKzQEptaVd8zHVtQJZi2gCxeQcdr4X07XFFfDoz+Ft2uY8+FVq54E -U2d1Qorf14/K7ubHlTMFcTLksD9CsMSpj4tiVzZ6jLzoL2g8ygsnllyT2IcG6dmB -8ZLRL+agcZJo+9cfdxOYwJTzjbDuuhGKsQDfS5T833CgDfleJ96XVFkDEnf4yQcB -DBNU4R10SIyHAhRDjZpIRyDAOkwfTVABxHFS9TFfIOWho6tRwfdUeoWAnzqO4wUJ -FFTvnbiX44WU5VbUf7Em/92NDWtDJM98B2s+LbgZpGk3oqcY4iyVJIhi7Tfrz5+m -5EXsa62mgd30xXHkdBp+6w +V2AvkOD5bHByhebVLzXhGpKgD+ZbpXVU8qizj+nvcmsapadSjtnqo/PYHLatc3Hc +9zJoCvW4hXu8DVx6sgEapBUibny8mRBUYm58yxi9UIv4PfutFfOqAaTDolOZkVr2 +5cNY6JTjB8l3x0j+rQfSATMebCJr0mexi/vCxfk20BYAYxm71FWa/3HchH5ktf76 +YyQFgBG3zSLaWRS8wgWPZxbr3oz2mlQsgAgc2Q+D0RKQ9k9y4MFDy2kQgyBD0mh/ +LfEy27pFYDcFq5YFrHDx1mzFP6zmdrgNvJtTvIVHurMX0bjkMVvL1EMPkK89zft0 +2fO5lhEhjN1ZtsiRdi1AHw -> ssh-rsa K9mW1w -hMggZlLSWTyf2LhYSVnvC11S9yPM7GN5uMRYlRyQoppHsHvNMkRQKYdwdzJUX2QA -5OZ8XQwxct1MAxCp1kiwa7B/EwrlZfoFZgao8VWSs0TZTMCJnYFJ+ETBmVU1JnNa -ZOJR+0bTdFMvWCkf5FeIAPz2CeOQ4XfmyU4QMnMdENzUVqPMoB0vPDd9mPNrWeiz -wuZgD4jqzZDbyuRhveOy4fCBQ485jxnqaT9l+VPQSA9xrDUMC5TA6Vg6yxwmu/hY -pv1Dni7aCiYALRPr7UK2hNUU84cG+8eFf53w+rngzt1lZElvjO0Oailaz5weCkP7 -nmSfOOpf5/sHE8uhHb9TSA --> ssh-ed25519 rjda/A rnnAChws0QFbuQeviARY1GxIMf7Q1EGcLclq9b/pFxM -sOIHM3BMvKIKzXi14CRXJEiIHikJuRf2cl5egADncV4 --> ssh-ed25519 8+Ls0w tJ9gHXR03ez8quA9/KSLzc+g8y1HE7RJ6SPsJ8O66hY -J+YWnfPQClYZRZehQco7zpCZUorLYv8uNinfmcEtq+o ---- iHsZcXh9VESnGPGMQnB7mdn3EVgCUXduFshfX1q88q0 -AZZ=:N3VLA"6N4Һ:ƉX`Ϳk9s/raWP@znE,P{0V$mj'"=L&B9$(w,mgtT8J<0 _!PEvJY鳲 \ No newline at end of file +Ma3+rklXzp3GvZeLMJRsBFzQn7zx2XSRbeYGjbpwQ15aDaLkvwj30tTkC8T8UOaJ +BxhMcsqVJtUQ+8VDT+8TI8G6z8FZRincI0RTpLXkjnd7wr+7dJGty3I8lvmAZLfc +Lq/ufWLR5siaHbPIdzD7xc3uIOM6uCEtirO69jylsOxI1ln2nFs/XmB7KFKVXFoR +BU7guCumIoxrPU/PRXsSxW2ZgnI/gMGzTFxdfBB+DG5ji3FQJDlQw7PZSKZV3e9r +0zOnJiRIdxwcdw22C5OWPV0NmchcVk07RVMC7g7ZlYn1ZvzyH4F6915vBO0AliQn +owjfSi9xeR8B+6prms40Mw +-> ssh-ed25519 rjda/A R372Lvn/wI+8QHzPHlfdjHbJdsd3CpUP+rDGgBQJCWI +PohaMx5p6FHhx+EwypsBRHq2R3ujNU8UpbmYS8TKOBM +-> ssh-ed25519 8+Ls0w 
jQRlUZRjOdFjp2jmKLBWiG1EM6XP1JYScC+y5ju62mA +Siiu+PBmnnlXkY3iP16fOaqADppeMLW9csE6ezXOLCQ +-> ssh-ed25519 ikTTQA qQIFOuadfKL5Ie3YekLaMDP5txofg9RDtirNvuun4DQ +C+o9BE/MLnklCpTqR3z4VDULpcHuGolyxfDRMvmzSDM +--- 6gNHbYKsXqKslBJBUbRtAGIGQqqS2uulAq7tmlOBYm4 +(rNP+_CLs z#v-)`Cj}}A.1ḎW| +gWb) +4_XarHػ@A}YzQp(2m% n \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 38a9149..e5f9253 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,6 +17,7 @@ let microserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver"; router = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlCj/i2xprN6h0Ik2tthOJQy6Qwq3Ony73+yfbHYTFu root@router"; }; + lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; }; pop = { li = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQWgcDFL9UZBDKHPiEGepT1Qsc4gz3Pee0/XVHJ6V6u root@li"; }; terminals = { jakehillion = { gendry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry"; }; }; storage = { @@ -34,9 +35,14 @@ let in { # User Passwords - "passwords/jake.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.home.router ]; + "passwords/jake.age".publicKeys = jake_users ++ [ + ts.terminals.jakehillion.gendry + ts.home.router + ts.lt.be + ]; # Tailscale Pre-Auth Keys + "tailscale/be.lt.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.lt.be ]; "tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ]; "tailscale/jorah.cx.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.cx.jorah ]; "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.home.microserver ]; diff --git a/secrets/tailscale/be.lt.ts.hillion.co.uk.age b/secrets/tailscale/be.lt.ts.hillion.co.uk.age new file mode 100644 index 0000000..305cf4b --- /dev/null +++ b/secrets/tailscale/be.lt.ts.hillion.co.uk.age 
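Review bot: The new `lt = { be = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV3OSUT+cqFqrFHZGfn7/xi5FW3n1qjUFy8zBbYs2Sm root@be"; };` entry repeats the host key that this commit also adds to the known-hosts list in modules/common/ssh.nix, with no cross-reference in either file; a comment on the `lt` line such as `# host keys here must match the known_hosts entries in modules/common/ssh.nix` makes a future host-key rotation update both places. Nothing else in this hunk looks wrong: the `ts.lt.be` recipient is added to both `passwords/jake.age` and the new `tailscale/be.lt.ts.hillion.co.uk.age` entry, matching the host's use of both secrets in hosts/be.lt.ts.hillion.co.uk/default.nix. The `let` block and the attribute set begin and end outside the hunk.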
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-rsa GxPFJQ +quD5S+nsgtv5VnsIk08B5Fqhs4oJFmwuw/mj2GwhOhzgMSzF/KiWnkRlcKL3w2LY +zXnh2hB4kQHeudSNXLEh+3WupvynPcaSiuzBQaG559lBroFHR/Vw90MthhnnJszv +a0WQzcLy0e+46gyV5PGD+qX281/lLJMztC6onR7WdGwfBdGsv9z/y4RVkGi/A34n +pfXeJuTAP+tRcIeQCXUP87XBZdXBruNNtlRwM16UaVx2SzQH/WAirTD1zaG9GNG5 +oN8Uj030maXgxVBAzCwyM+9euWllx5XBuvpVsxypB0uqZZV7YJ108tjyY5ydDGTY +tIV99TBm9IsENczBY85+ng +-> ssh-rsa K9mW1w +ZfMMTh58zNW63m9HaAdZ9KmlCiCAWfmMUyYBfnMEc3h7K5bIJPU3E7DymtvlO53/ +CsXMGb+t/cnctrTGlFT2VP8OhoQ5vQfDShjBbS49zYaP6oZR2D0iX7LqRSzZPpQF +SWyFWnXKvYIRmtSXT8Ld+kfONBna3nLWUcPiBgQjLJ7pcRA2UJb78+t5sDKJp7iu +CFbOEBIHBwnt5uk4tThzB/uZlJO1UMNRttgW5yyiivUSMHuVL729vllXNN2+4EUn +H0r88XV6jR6j26Xvx7VmdZV6lLBUFJiBjy353OYfvl7wYWsTMZqRttJi+MZ6kx6V +5NmbqWhtJ8ZoM3L1oV6DEQ +-> ssh-ed25519 ikTTQA ahMu1d62ggresMO+p12kL27Sv+m0jMGG+FH9Knq27yM +0dxGvslHl7EYLOl1nmXPqJBclwtid2+nV3zhJUNa8uQ +--- JLHa4NeSjrwXflyWsZpr/vFO6SpTGXOpocmEDVOotE8 +0#I S5%r:oLk?<ڇN!T`6 .Ɉx:S~$UnX(\d ;W \ No newline at end of file