JakeHillion/nixos
1
0
Fork 0
Code Issues 10 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

add gendry.jakehillion-terminals host
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Jake Hillion 2022-11-18 20:47:23 +00:00
parent eb72b6e468
commit bb319e22e5
8 changed files with 171 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
flake.nix
View File

@ -10,6 +10,18 @@
description = "Hillion Nix flake"; description = "Hillion Nix flake";
outputs = { self, nixpkgs, nixpkgs-unstable, agenix }@inputs: { outputs = { self, nixpkgs, nixpkgs-unstable, agenix }@inputs: {
nixosConfigurations."gendry.jakehillion-terminals.ts.hillion.co.uk" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = inputs;
modules = [
./hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
agenix.nixosModule
{
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
}
];
};
nixosConfigurations."vm.strangervm.ts.hillion.co.uk" = nixpkgs.lib.nixosSystem { nixosConfigurations."vm.strangervm.ts.hillion.co.uk" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = inputs; specialArgs = inputs;

65
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix Normal file
View File

@ -0,0 +1,65 @@
{ config, pkgs, lib, ... }:
{
config.system.stateVersion = "22.05";
config.networking.hostName = "gendry";
config.networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
imports = [
../../modules/common/default.nix
./hardware-configuration.nix
];
config.boot.loader.systemd-boot.enable = true;
config.boot.loader.efi.canTouchEfiVariables = true;
## Tailscale
config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
config.tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
## Password (for interactive logins)
config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
config.users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
config.security.sudo.wheelNeedsPassword = lib.mkForce true;
## Persist files (due to tmpfs root)
### Set root tmpfs to 0755
config.fileSystems."/".options = [ "mode=0755" ];
### Require data at boot (to have access to host keys for agenix)
config.fileSystems."/data".neededForBoot = true;
### OpenSSH Host Keys (SSH + agenix secrets)
config.services.openssh = {
hostKeys = [
{
path = "/data/system/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/data/system/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
### Persistent directory symlinks
config.systemd.tmpfiles.rules = [
#### Persistent home subdirectories
"L /root/local - - - - /data/users/root"
"L /home/jake/local - - - - /data/users/jake"
];
### Persistent /etc/nixos
config.fileSystems."/etc/nixos" = {
device = "/data/users/root/repos/nixos";
options = [ "bind" ];
};
### Persistent zsh history
config.programs.zsh.histFile = lib.mkForce "$HOME/local/.zsh_history";
}

58
hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/hardware-configuration.nix Normal file
View File

@ -0,0 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "tmpfs";
fsType = "tmpfs";
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/b29084d3-635c-4548-a3f2-7e656c894608";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/af328e8d-d929-43f1-8d04-1c96b5147e5e";
fileSystems."/data" =
{
device = "/dev/disk/by-uuid/b29084d3-635c-4548-a3f2-7e656c894608";
fsType = "btrfs";
options = [ "subvol=data" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/768E-4995";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}

8
modules/common/shell.nix
View File

@ -4,9 +4,17 @@
config.programs.zsh = { config.programs.zsh = {
enable = true; enable = true;
histSize = 100000; histSize = 100000;
histFile = "$HOME/.zsh_history";
syntaxHighlighting = { syntaxHighlighting = {
enable = true; enable = true;
}; };
autosuggestions = {
enable = true;
highlightStyle = "fg=5";
strategy = [ "match_prev_cmd" "completion" "history" ];
};
}; };
} }

1
modules/common/ssh.nix
View File

@ -1,7 +1,6 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ {
users.mutableUsers = false;
users.users."jake".openssh.authorizedKeys.keyFiles = [ ./authorized_keys ]; users.users."jake".openssh.authorizedKeys.keyFiles = [ ./authorized_keys ];
programs.mosh.enable = true; programs.mosh.enable = true;

BIN
secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age Normal file
View File

Binary file not shown.

7
secrets/secrets.nix
View File

@ -3,13 +3,18 @@ let
jake-mbp = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp"; jake-mbp = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAyFsYYjLZ/wyw8XUbcmkk6OKt2IqLOnWpRE5gEvm3X0V4IeTOL9F4IL79h7FTsPvi2t9zGBL1hxeTMZHSGfrdWaMJkQp94gA1W30MKXvJ47nEVt0HUIOufGqgTTaAn4BHxlFUBUuS7UxaA4igFpFVoPJed7ZMhMqxg+RWUmBAkcgTWDMgzUx44TiNpzkYlG8cYuqcIzpV2dhGn79qsfUzBMpGJgkxjkGdDEHRk66JXgD/EtVasZvqp5/KLNnOpisKjR88UJKJ6/buV7FLVra4/0hA9JtH9e1ecCfxMPbOeluaxlieEuSXV2oJMbQoPP87+/QriNdi/6QuCHkMDEhyGw== jake@jake-mbp";
users = [ jake-gentoo jake-mbp ]; users = [ jake-gentoo jake-mbp ];
gendry_terminals = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPXM5aDvNv4MTITXAvJWSS2yvr/mbxJE31tgwJtcl38c root@gendry";
vm_strangervm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy root@vm"; vm_strangervm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINb9mgyD/G3Rt6lvO4c0hoaVOlLE8e3+DUfAoB1RI5cy root@vm";
microserver_home = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver"; microserver_home = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPOCPqXm5a+vGB6PsJFvjKNgjLhM5MxrwCy6iHGRjXw root@microserver";
microserver_parents = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver"; microserver_parents = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0cjjNQPnJwpu4wcYmvfjB1jlIfZwMxT+3nBusoYQFr root@microserver";
systems = [ vm_strangervm microserver_home microserver_parents ]; systems = [ gendry_terminals vm_strangervm microserver_home microserver_parents ];
in in
{ {
# User Passwords
"passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age".publicKeys = users ++ [ gendry_terminals ];
# Tailscale Pre-Auth Keys # Tailscale Pre-Auth Keys
"tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age".publicKeys = users ++ [ gendry_terminals ];
"tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = users ++ [ vm_strangervm ]; "tailscale/vm.strangervm.ts.hillion.co.uk.age".publicKeys = users ++ [ vm_strangervm ];
"tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_home ]; "tailscale/microserver.home.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_home ];
"tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_parents ]; "tailscale/microserver.parents.ts.hillion.co.uk.age".publicKeys = users ++ [ microserver_parents ];

22
secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age Normal file
View File

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-rsa GxPFJQ
KjPYZi1OFmBBhU9v7xRqatjJ9uR4G17zCJx0nnzSMdattCIp5Oqyfe2WF7GGwKRD
kI0+5gHQFBE6h3B0gp2LZIBYL0mOcu17qwMq2IkNSqZJozjdDmr1KbAoIEGUe8jV
tahRxb5o74pDIICaC1RbfWtGKH3pago6cn+/nrwpwQqEPSZqHdat12UYl3qqZVOt
js6S4wWmijgPm4W+WgWCUqirJthGmjMIG9gkpV4ylKzjQj5kWRKUatQ6T3/gl4px
y0caQK+V9zU4CdK0od7bxKLVYN3fyOIAimBqPRmoQxEJrCR4gA0c9RHC85NreWtW
SDP5bbg5rYjACsMmvxXgBA
-> ssh-rsa K9mW1w
ZrUyn3jcFmRaEKE25dsQ3q6T+kEsuo48OyDYcWWFbfbfZHUPA14tlRrr9vXnO0z1
UmFSGcFiWWFUwJw7tIUbbdDKj2tmNtDSkET4Z7jgxJ1qdHLBdH6I6D+g7BWwiEJt
Bspn9Y7ngJyBm4HFvUlSV47nhcG3+vDO3jYqNYDE8faMhumVX7JfR2Hg20msE/9G
Gk1jLgqg8fl7eycSb64MhdTGr4hxFqlltK14RcDnt3L/yO5nWYWf2DTO04xBtyWk
ypFkMSAiIn68Cw47b8nabqkfKpwhpR5WcT2wqUnkMPzqc/iFm7sC+tXPV33ZAnLP
jC2JTgNwBbtSIIX8cfSY4g
-> ssh-ed25519 rjda/A uGrydFlzSMircul6ytkWwfUxONXNzQW1djteOBNqTGQ
G+gqoNTwxLwK1OFUmbi+jEHYR1igyZ6wlfbr3xcTvPY
-> O-grease
m5D7+NoQaIInhzyfV0EylS1d7c+CbV9Zd+cgTeNQJ6j/yYKB5Zy3MjPriUAZ1xkX
SBDaXekeAJNNT73+F6QsVmoN3TB2NZhpKlspmM8h40BmH4M+lPgC
--- Ug7/z36ERkXTM5Kh2gtBgxiB3IGy8Sj2+cWJGQTsYTw
©æÆ]Lüƒ¦eóÄ<>ËÙ8)XȤã˜Zï€?ÖQø‡k"Í΢Իþ<C2BB>öâ}.ÙÙ%Ä$ƒ$ÿi[|=p “ü“*dзnpuu µöÂ