Add heptifili

peterablehmann · Jun 20, 2024 · 1a2adda · 1a2adda
1 parent a2fae8e
commit 1a2adda
Show file tree

Hide file tree

Showing 11 changed files with 231 additions and 24 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
   - &system_mns age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr
   - &system_sync age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
   - &system_ymir age183wgf8xp46chqk049ekyg7vsan2p50zh4lqfllcllzwuekeywdzqn7pz0q
+  - &system_heptifili age1xvkj88jyajrefredvy4t7xgwfxrerezunsjcqqqfxytpw648l4aqfjakav
 
 creation_rules:
   - path_regex: secrets/common.(yaml|json|env|ini)$
@@ -12,6 +13,7 @@ creation_rules:
       - *system_mns
       - *system_sync
       - *system_ymir
+      - *system_heptifili
 
   - path_regex: secrets/mns.(yaml|json|env|ini)$
     key_groups:
@@ -30,3 +32,9 @@ creation_rules:
     - age:
       - *peter
       - *system_ymir
+
+  - path_regex: secrets/heptifili.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *peter
+      - *system_heptifili
diff --git a/dns.nix b/dns.nix
@@ -71,6 +71,16 @@
       };
       "xnee.de" = lib.recursiveUpdate defaults { };
       "xnee.net" = lib.recursiveUpdate defaults {
+        "ip.heptifili" = {
+          a = {
+            data = "192.168.10.10";
+            ttl = 1;
+          };
+          aaaa = {
+            data = "fd00::10:10";
+            ttl = 1;
+          };
+        };
         "fritzbox".cname.data = "pm50yyz373t4yr6i.myfritz.net";
       };
     };

diff --git a/flake.nix b/flake.nix
@@ -87,6 +87,16 @@
       } // builtins.mapAttrs (name: value: { imports = value._module.args.modules; }) conf;
 
       nixosConfigurations = {
+        heptifili = nixpkgs.lib.nixosSystem {
+          specialArgs = { inherit inputs outputs; };
+          system = "x86_64-linux";
+          extraModules = [ inputs.colmena.nixosModules.deploymentOptions ];
+          modules = [
+            ./nodes/heptifili
+            self.nixosModules.common
+            nix-topology.nixosModules.default
+          ];
+        };
         mns = nixpkgs.lib.nixosSystem {
           specialArgs = { inherit inputs outputs; };
           system = "x86_64-linux";

diff --git a/modules/common/exporters.nix b/modules/common/exporters.nix
@@ -18,7 +18,7 @@ let
 in
 {
   networking.domains.subDomains.${domain} = { };
-  security.acme.certs."${domain}" = { };
+  security.acme.certs."${domain}" = { webroot = null; dnsProvider = "hetzner"; };
   services.nginx.virtualHosts."${domain}" = {
     enableACME = true;
     forceSSL = true;

diff --git a/modules/common/tailscale.nix b/modules/common/tailscale.nix
@@ -16,7 +16,6 @@
     extraUpFlags = [
       "--advertise-exit-node"
       "--stateful-filtering"
-      "--accept-routes"
     ];
   };
 }
diff --git a/nodes/heptifili/default.nix b/nodes/heptifili/default.nix
@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./disko.nix
+    ./dyndns.nix
+    ./hardware-configuration.nix
+    ./networking.nix
+  ];
+}
diff --git a/nodes/heptifili/disko.nix b/nodes/heptifili/disko.nix
@@ -0,0 +1,34 @@
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/nvme0n1";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              label = "EFI";
+              type = "EF00";
+              size = "100M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              label = "NIXOS";
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/nodes/heptifili/dyndns.nix b/nodes/heptifili/dyndns.nix
@@ -0,0 +1,53 @@
+{ inputs
+, config
+, pkgs
+, ...
+}:
+{
+  sops.secrets."dyndns/hetzner_api_key" = {
+    sopsFile = "${inputs.self}/secrets/common.yaml";
+  };
+
+  systemd.timers."dyndns" = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "1m";
+      OnUnitActiveSec = "1m";
+      Unit = "dyndns.service";
+    };
+  };
+
+  systemd.services."dyndns" = {
+    script = ''
+      zone_id=7DbNys3Lx4MWjg4eXEvMG4
+      recordid_ipv4=effda54b31515ed8d0b108f7fa08773d
+      recordid_ipv6=b742c12c5334e81248ffe69632c4a914
+      # Get in use IP-addresses
+      current_ipv4=$(${pkgs.curl}/bin/curl -s4 https://ip.hetzner.com)
+      current_ipv6=$(${pkgs.curl}/bin/curl -s6 https://ip.hetzner.com)
+      # Get IP-addresses set in DNS
+      dns_ipv4=$(${pkgs.curl}/bin/curl -s "https://dns.hetzner.com/api/v1/records/$recordid_ipv4" -H "Auth-API-Token: $(cat ${config.sops.secrets."dyndns/hetzner_api_key".path})" | ${pkgs.jq}/bin/jq ".record.value" | tr -d '"')
+      dns_ipv6=$(${pkgs.curl}/bin/curl -s "https://dns.hetzner.com/api/v1/records/$recordid_ipv6" -H "Auth-API-Token: $(cat ${config.sops.secrets."dyndns/hetzner_api_key".path})" | ${pkgs.jq}/bin/jq ".record.value" | tr -d '"')
+
+      if [ $current_ipv4 = $dns_ipv4 ]
+      then
+        echo "IPv4 already up to date"
+      else
+        echo "$dns_ipv4 => $current_ipv4"
+        ${pkgs.curl}/bin/curl -s -X "PUT" "https://dns.hetzner.com/api/v1/records/$recordid_ipv4" -H 'Content-Type: application/json' -H "Auth-API-Token: $(cat ${config.sops.secrets."dyndns/hetzner_api_key".path})" -d $'{"value": "'$current_ipv4'", "ttl": 60, "type": "A", "name": "'ip.hetifili'", "zone_id": "'$zone_id'"}'
+      fi
+
+      if [ $current_ipv6 = $dns_ipv6 ]
+      then
+        echo "IPv6 already up to date"
+      else
+        echo "$dns_ipv6 => $current_ipv6"
+        ${pkgs.curl}/bin/curl -s -X "PUT" "https://dns.hetzner.com/api/v1/records/$recordid_ipv6" -H 'Content-Type: application/json' -H "Auth-API-Token: $(cat ${config.sops.secrets."dyndns/hetzner_api_key".path})" -d $'{"value": "'$current_ipv6'", "ttl": 60, "type": "AAAA", "name": "'ip.heptifili'", "zone_id": "'$zone_id'"}'
+      fi
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
+}
diff --git a/nodes/heptifili/hardware-configuration.nix b/nodes/heptifili/hardware-configuration.nix
@@ -0,0 +1,24 @@
+{ config
+, lib
+, modulesPath
+, ...
+}:
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nodes/heptifili/networking.nix b/nodes/heptifili/networking.nix
@@ -0,0 +1,50 @@
+{ lib
+, config
+, ...
+}:
+let
+  inherit (config.lib.topology) mkConnectionRev;
+  IPv4 = "192.168.10.10";
+  IPv6 = "fd00::10:10";
+in
+{
+  topology.self.interfaces.eth0 = {
+    network = "Internet";
+    physicalConnections = [ (mkConnectionRev "Fritz!Box" "*") ];
+  };
+
+  networking = {
+    domains = {
+      enable = true;
+      subDomains = {
+        "${config.networking.fqdn}" = { };
+      };
+      baseDomains."${config.networking.domain}" = {
+        cname.data = "ip.heptifili.xnee.net";
+      };
+    };
+    useNetworkd = true;
+    useDHCP = false;
+    hostName = "heptifili";
+    usePredictableInterfaceNames = lib.mkDefault true;
+    domain = "xnee.net";
+    nameservers = [
+      "192.168.10.10"
+      "fd00::6b4:feff:feca:b60b"
+    ];
+    dhcpcd.enable = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      networkConfig.DHCP = "yes";
+      matchConfig.Name = "enp87s0";
+      address = [
+        "${IPv4}/23"
+        "${IPv6}/64"
+      ];
+      routes = [{ Gateway = "192.168.10.1"; }];
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+}
diff --git a/secrets/common.yaml b/secrets/common.yaml
@@ -5,6 +5,8 @@ backup:
     wasabi: ENC[AES256_GCM,data:J1l40cGrZNJ2CXg3csQGyOBmnNCLTjQDf/sVECYx22dylQiohNQwFhQj8uq6fXyHY3OTOuW+62nJ4pa9Avq+/9Wcdk/8g0s+4uIiDjsAi0hrUEvEhi7dIE14SQVXTBO6/pidYw0=,iv:Z/9nqeiEVDguC845G3MQgVyeXpwHFiKrbEW73pQlSfs=,tag:iOVTjW4zFf5eAVFJ4JRE0w==,type:str]
 acme:
     environment: ENC[AES256_GCM,data:QvneNh+eLJ9Pt5jFM8O3ztGJzCyxwYvFZT/31aoCU0mAIpU7wLIn/RVXJy4bfRYErg==,iv:ccpmWUhT7QZF9mjsXb5aaUJDAtosSFL8CWpEneF/9tA=,tag:NQ5KCDBw+5hSqRJmZvd0cQ==,type:str]
+dyndns:
+    hetzner_api_key: ENC[AES256_GCM,data:gDJuCvLVPiP2Qy9l6NVIoWX9D9zDrrMgynifQZkCGXI=,iv:gsZtJrpuvn22u1/FTpAEOPVQHL+vhoNWWqroBgJhtZc=,tag:dzYH/N0wKnTU/fkRMIo2OQ==,type:str]
 tailscale:
     authkey: ENC[AES256_GCM,data:vsk1t0P8f51wiCvATXT2YRyyVH2076Q8V1gMTjhh+trisqlFnJbqsJ/Lra6Pk3OZqg71VtC4GPD3LAXyHys=,iv:FiJXI5LkYnK/JCLDEsHpCYWAzZtJWdPmr9gwUfa8ZZg=,tag:IkHWcP5jsbtmPkXkVtV+5g==,type:str]
 sops:
@@ -16,41 +18,50 @@ sops:
         - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eUJML25MQnhpZWJBN3lQ
-            amtjNkVtQngzRncyalJJWDhqa0pWc0gxNVI0CnIzU2M3NEpWeWRid1Z1VnNyRFJw
-            RnpMSUFQMmJybVlyTWZqMC96SzRqWk0KLS0tIFg3V3dJa0pzY1NMV2RQdkhwd0Z4
-            b0VCeUJucXU4dHZheVpFRFhxc1k3TDAKY0LOBXp9PDZN4enT6L8/drxCkMeA/O3A
-            Ve3RixsRdwOcgsJdjIUHTAdCAUhNuRjcn8Pjs8UxBhou5fHIaV4aZw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZVBzdzZaSnNXd0dHRWVG
+            eFF2Qzd5TmFLa2wvbWdiVy9jMGlDRjRBR3hFCnJYYzEvSmxkczJTMzdGOU5GMGth
+            T2FEVnM0ZWl5bmJ4RHB0RTF4aDAvRVkKLS0tIEZmRUVET3ZTQnNsdWpRZjdUL0lo
+            MVZBMDdnRXMvaFVobDR4QmVsVEFIQ2sKiwZSJUdlQqv/elJ3Gh58b2xjU1LSxsdZ
+            Ydz0AzeFBlIgVVpfNRez+NYZCQthnP3QT6nT0sAVZWa7hJFzQLjVVQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSCttamJHZkNiUk1rS2la
-            TDhiTzRuRldrT25ZZG16NDBNTEs3OGFEbzBnClhUNmhLYjd2YjNMZlpnMnNTL3k3
-            RVd1M3l6MllCRGdQNlE0cjFQbmE4dVkKLS0tIEcwbm43MnBTNFpIY3lEN2xOdXYy
-            ZWdtZ3VIQWdTK2tUc0hUbzliQWtHazAKdJcZTxBTP1SbTn6pfeiAMjxTzeAlf+rp
-            LpboQI3qPNA+Imqtbx8lacP5jAbgpFoWRkYMxuSFh0QzHoaraxYgQw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SmZubjVIWUp0b3FSMEI5
+            cDdYMm85MEN5L0E5YTB4Y3lCWHFiWi81S0U0CldYeGVseEFkUXFiWlhaMjVlR1pD
+            c2VFRDg4TkU1SFRlYlo3TjhoZDduYXcKLS0tIHlaRkN6cWkxUHVGSmpLM0FUeFF5
+            Qk9zMy91VE9KNVRTckRVMDRBY0dXZ3cKrD6N/VcepEEcaXPr00MjTF6cpgMXO7sb
+            YdE1S0EGe5x59jU8TtHELOJ91TJaolp0WD0pvAXhHIAcBfnqEdpKbg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdThDbXBXWFdhRGVCZXJC
-            WWVXa05oSCtKS0VhYytNMGVTVGMrZXljR2tRCkwvQ3h4bENjMFZvRnBtSUFvdnc1
-            cTJWVlVkQVZjOUxZclJNa3ZYaktiYWsKLS0tIFg1QzJUMmJLOTRicnYxOWVXS0JB
-            dE95akkyNUtOUDlnTGN5YVZMaGFQbEUK06k7tnbFA93+pVzLYkpIt4u4aO5WzWi3
-            qtgAgNJZqTqSy02pvbAMtDCArIBgGPZwGhxPuZLhLfEeNjkyoYG8gw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUThrTGFKbmRXNjNUbWZQ
+            R3lKZ2xwUEd6bVlFUGZaY29PRTk0alZhQmpVClNwUi9kdE53endJZ2dCeHdET3c5
+            djltYmdSSmlmQy9iSk1sYmtHVmZJa00KLS0tIHVHSzNaeDlmV1I1eWlHUUVBUkxV
+            N1AzL0JNOE15eUpQVkNKdFNSVWtmQmsKphXeERyM93OKHDtH6Fm9UnB207LVxGt/
+            flSanMWVNYqLVsNLuXQYOdlU7RCowHobH+y+eUKYEutm8SXa30ixKg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age183wgf8xp46chqk049ekyg7vsan2p50zh4lqfllcllzwuekeywdzqn7pz0q
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMFNNSEZVWUJTYVpsbkxT
-            QXp4Vit5N05oR282OUhPUmd0SzFaUDZ1RDJvCmg5V3RUdFlFWlRNS2lRUHp3bGs5
-            WXQ5Uk1BTDhBaTB6TUwrL20vYXhEbDgKLS0tIGVuM1MvdUxOMy9JalZEVjhCeGlS
-            S2JvMzZya2dCbUtSVzNPOWVITHF1WFUKCxDwdj+hq0mEprx8N5NzYLBE08O8Jfl2
-            H3SPrww3gmQExa4eI6rZ8UtD+OTXXtDDrr7aBKcgqrTH5jb5l16hDw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEblZNTlptbTZxNVk4SG50
+            Q2lyZHRoakdRaktENFVYWU1GaEFTV3dPbDFVCjhHY2FrSzY4aW1pWXc5VFdnb3k4
+            NEc2TGJ4VnJJZ21jKzZnMi9EdEtDSHMKLS0tIFl2U3gxL3liZVpZOTVzbVc4Z1lS
+            WE82VHMyeElrbDhYL0VjZHdQWjY1VmMK+q+tW+HNgG13OvL3VqlkzhKYI2r5ceoG
+            u4x4wpajiiQgCAub1SddFmGPX8iPeyfyCg7ijeUUguFMPpCXHbx2Yw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-18T18:55:54Z"
-    mac: ENC[AES256_GCM,data:rT4xvOvSnze3ubMOQNAZ/mJYgCBGL5OnqgCnV6KmsUWCou1nZxeWIyOUCPZpCj1qLRD1+CVlaPWvB1AsHznzaaulBmr0unQsCRVr4KOkisMP1b3VqVEfGcQsIEZ238l1J0YTRhwU+Sgyf8sB53K1b3HtOWJSO9/H7GJrVTJ+/i4=,iv:U0413JJWERZ9E84/YaNkBZOj7D5ODIdtjJUS7XY2krY=,tag:ZuJp8lw0vZ2c9mqO78rF6Q==,type:str]
+        - recipient: age1xvkj88jyajrefredvy4t7xgwfxrerezunsjcqqqfxytpw648l4aqfjakav
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeVlKNmRaVDRKV0xDcWpW
+            MEE4WHJZWnNQSlpURmlVWUZHZ2YxTUhnZEVnCmdYQjVSZ1FZOWkrdkhiUDQ2ME1W
+            MlFnM2ZSZ3NzTTBHbXN5djJsVDJCYWcKLS0tIFJzaFgwL3hzbnVCT0x0YnA1Wk9a
+            MmVwWTNta2JNRDhkRlFLNkNMcS9EUkkKyvKHpErzUGuunZI2p1tWS01XzBQFF3If
+            YnoWAP4iX9OVK5XBP96+cxKNRbhnujGb2PphZcepXk8dUwOvGS13Fg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-20T17:51:30Z"
+    mac: ENC[AES256_GCM,data:0r1m04XA3+2harSHoWWM6Jf++JShsZ9ghU0Gcq4m3Ot9AAocDE4g4IEIsTw69RiVsH+mFtSZlM/QoOs/pmHLA/070RMIBuqVb0gFaVWlfFeSsqd42lK86hu8j3wTzZofPHlgRhMX2E58BJ4Dp6Y1L1FVFkVRBhE014SgDnhnVdI=,iv:L8P2iuoo9+96sIlooMG+fp97x8AHfouLDqSlmiFduB4=,tag:ndtAJMovOp11Tn/5NUuEEQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1