From 1dd6350434fbde8ffa42c1dd5ac88bca40d66887 Mon Sep 17 00:00:00 2001 From: Peter Lehmann Date: Wed, 19 Jun 2024 00:00:47 +0200 Subject: [PATCH] Add heptifili --- .sops.yaml | 8 +++ flake.nix | 10 ++++ nodes/heptifili/default.nix | 8 +++ nodes/heptifili/disko.nix | 34 +++++++++++++ nodes/heptifili/hardware-configuration.nix | 19 ++++++++ nodes/heptifili/networking.nix | 57 ++++++++++++++++++++++ secrets/common.yaml | 49 +++++++++++-------- 7 files changed, 165 insertions(+), 20 deletions(-) create mode 100644 nodes/heptifili/default.nix create mode 100644 nodes/heptifili/disko.nix create mode 100644 nodes/heptifili/hardware-configuration.nix create mode 100644 nodes/heptifili/networking.nix diff --git a/.sops.yaml b/.sops.yaml index ab32dd6..8c6d1e4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,7 @@ keys: - &system_mns age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr - &system_sync age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76 - &system_ymir age183wgf8xp46chqk049ekyg7vsan2p50zh4lqfllcllzwuekeywdzqn7pz0q + - &system_heptifili age1xvkj88jyajrefredvy4t7xgwfxrerezunsjcqqqfxytpw648l4aqfjakav creation_rules: - path_regex: secrets/common.(yaml|json|env|ini)$ @@ -12,6 +13,7 @@ creation_rules: - *system_mns - *system_sync - *system_ymir + - *system_heptifili - path_regex: secrets/mns.(yaml|json|env|ini)$ key_groups: @@ -30,3 +32,9 @@ creation_rules: - age: - *peter - *system_ymir + + - path_regex: secrets/heptifili.(yaml|json|env|ini)$ + key_groups: + - age: + - *peter + - *system_heptifili diff --git a/flake.nix b/flake.nix index 7f7cfd8..5befd0e 100644 --- a/flake.nix +++ b/flake.nix 
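Review bot: The new `secrets/heptifili.(yaml|json|env|ini)$` rule in the last hunk has no matching file in this commit, so it is dead configuration until a `secrets/heptifili.yaml` is created; either add the file now or drop the rule until it is needed. Adding `*system_heptifili` to the `secrets/common.yaml` key group grants the new host every secret in that file, not only what heptifili needs, so it is worth confirming nothing host-specific (tunnel or backup credentials for other nodes, for example) lives in common.yaml before deploying. The age recipient itself should be checked out of band against the installed host's SSH host key (presumably via `ssh-to-age`, as the other `system_*` entries suggest), since a mistyped recipient produces a file that looks fine in git but that the host silently cannot decrypt.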
@@ -87,6 +87,16 @@ } // builtins.mapAttrs (name: value: { imports = value._module.args.modules; }) conf;
 nixosConfigurations = {
+ heptifili = nixpkgs.lib.nixosSystem {
+ specialArgs = { inherit inputs outputs; };
+ system = "x86_64-linux";
+ extraModules = [ inputs.colmena.nixosModules.deploymentOptions ];
+ modules = [
+ ./nodes/heptifili
+ self.nixosModules.common
+ nix-topology.nixosModules.default
+ ];
+ };
 mns = nixpkgs.lib.nixosSystem {
 specialArgs = { inherit inputs outputs; };
 system = "x86_64-linux";
diff --git a/nodes/heptifili/default.nix b/nodes/heptifili/default.nix
new file mode 100644
index 0000000..8cbf48e
--- /dev/null
+++ b/nodes/heptifili/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ # ./backup.nix
+ ./disko.nix
+ ./hardware-configuration.nix
+ ./networking.nix
+ ];
+}
diff --git a/nodes/heptifili/disko.nix b/nodes/heptifili/disko.nix
new file mode 100644
index 0000000..8c6d146
--- /dev/null
+++ b/nodes/heptifili/disko.nix
@@ -0,0 +1,34 @@
+{
+ disko.devices = {
+ disk = {
+ sda = {
+ device = "/dev/nvme0n1";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "EFI";
+ type = "EF00";
+ size = "100M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ label = "NIXOS";
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nodes/heptifili/hardware-configuration.nix b/nodes/heptifili/hardware-configuration.nix
new file mode 100644
index 0000000..793b960
--- /dev/null
+++ b/nodes/heptifili/hardware-configuration.nix
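Review bot: `# ./backup.nix` in default.nix is left commented out with no explanation, so heptifili is deployed without the backup module the other nodes presumably import, and a reader cannot tell whether that is intentional or a leftover. Either state the reason in place, e.g. `# ./backup.nix  # TODO: enable once heptifili has a backup target`, or delete the line so it is not mistaken for an active import.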
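Review bot: The root filesystem in disko.nix is plain ext4 with no LUKS layer, while this same commit makes heptifili a recipient of `secrets/common.yaml`; the age identity that unwraps those secrets (presumably derived from the SSH host key) and the decrypted material therefore sit on an unencrypted NVMe, so if the box is physically reachable the `root.content` should be wrapped in a disko `type = "luks"` container with a keyfile or passphrase. Independently, a 100M ESP is tight if systemd-boot is used (the loader is configured outside this diff), since it keeps a kernel and initrd per generation and garbage collection will fail once it fills; `size = "512M";` is the usual choice. The disk attribute is named `sda` but points at `/dev/nvme0n1`; naming it `nvme0n1` avoids confusion, and nothing else in the diff references the attribute name.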
@@ -0,0 +1,19 @@
+{ config
+, lib
+, modulesPath
+, ...
+}:
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nodes/heptifili/networking.nix b/nodes/heptifili/networking.nix
new file mode 100644
index 0000000..8a103f7
--- /dev/null
+++ b/nodes/heptifili/networking.nix
@@ -0,0 +1,57 @@
+{ lib
+, config
+, ...
+}:
+let
+ inherit (config.lib.topology) mkConnectionRev;
+ IPv4 = "192.168.10.10";
+ IPv6 = "fd00::10:10";
+in
+{
+ topology.self.interfaces.eth0 = {
+ network = "Internet";
+ physicalConnections = [ (mkConnectionRev "Fritz!Box" "*") ];
+ };
+
+ services.tailscale.extraUpFlags = [ "--advertise-routes 192.168.10.0/23,fd00::/64" ];
+
+ networking = {
+ domains = {
+ enable = true;
+ subDomains."${config.networking.fqdn}" = { };
+ baseDomains."${config.networking.domain}" = {
+ a.data = IPv4;
+ aaaa.data = IPv6;
+ };
+ };
+ useNetworkd = true;
+ useDHCP = false;
+ hostName = "heptifili";
+ usePredictableInterfaceNames = lib.mkDefault true;
+ domain = "xnee.net";
+ nameservers = [
+ #HETZNER
+ "192.168.10.10"
+ "fd00::6b4:feff:feca:b60b"
+ ];
+ dhcpcd.enable = false;
+ };
+ systemd.network = {
+ enable = true;
+ networks."10-wan" = {
+ networkConfig.DHCP = "no";
+ matchConfig.Name = "enp87s0";
+ address = [
+ "${IPv4}/23"
+ "${IPv6}/64"
+ ];
+ routes = [
+ { Gateway = "fe80::6b4:feff:feca:b60b"; }
+ {
+ Gateway = "192.168.10.1";
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+}
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 55c7d56..6767cd8 100644
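Review bot: `hardware.cpu.intel.updateMicrocode` in hardware-configuration.nix is tied to `config.hardware.enableRedistributableFirmware`, which nothing in this diff sets, so unless the common module enables it the host boots without CPU microcode updates and stays exposed to the speculative-execution issues those updates mitigate. Since this is an Intel box (`kvm-intel`), set it explicitly rather than relying on the generated default, `hardware.cpu.intel.updateMicrocode = true;`, or enable `hardware.enableRedistributableFirmware = true;` in the node configuration where the intent is visible.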
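Review bot: `services.tailscale.extraUpFlags` passes `--advertise-routes 192.168.10.0/23,fd00::/64` as one list element with an embedded space; the NixOS module presumably shell-escapes each element, in which case tailscale receives a single argv entry and rejects it as an unknown flag, so use the `=` form, `"--advertise-routes=192.168.10.0/23,fd00::/64"`, which works however the element is quoted. Advertising the whole /23 and fd00::/64 makes this host a subnet router for the entire LAN, so IPv4/IPv6 forwarding must be enabled and the tailnet ACL should limit which peers may reach those routes; neither appears in this diff and should be confirmed in the common module. `networking.nameservers` lists `192.168.10.10`, which is this host's own address (`IPv4` in the let-binding), under a `#HETZNER` comment, and no resolver is configured here, so unless a local DNS server is enabled elsewhere the host has no working IPv4 resolver; point it at the real upstream or fix the comment. The topology block declares `eth0` while `matchConfig.Name` is `enp87s0`; the two should agree so the generated topology maps the real interface.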
--- a/secrets/common.yaml +++ b/secrets/common.yaml 
@@ -16,38 +16,47 @@ sops: - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eUJML25MQnhpZWJBN3lQ - amtjNkVtQngzRncyalJJWDhqa0pWc0gxNVI0CnIzU2M3NEpWeWRid1Z1VnNyRFJw - RnpMSUFQMmJybVlyTWZqMC96SzRqWk0KLS0tIFg3V3dJa0pzY1NMV2RQdkhwd0Z4 - b0VCeUJucXU4dHZheVpFRFhxc1k3TDAKY0LOBXp9PDZN4enT6L8/drxCkMeA/O3A - Ve3RixsRdwOcgsJdjIUHTAdCAUhNuRjcn8Pjs8UxBhou5fHIaV4aZw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZVBzdzZaSnNXd0dHRWVG + eFF2Qzd5TmFLa2wvbWdiVy9jMGlDRjRBR3hFCnJYYzEvSmxkczJTMzdGOU5GMGth + T2FEVnM0ZWl5bmJ4RHB0RTF4aDAvRVkKLS0tIEZmRUVET3ZTQnNsdWpRZjdUL0lo + MVZBMDdnRXMvaFVobDR4QmVsVEFIQ2sKiwZSJUdlQqv/elJ3Gh58b2xjU1LSxsdZ + Ydz0AzeFBlIgVVpfNRez+NYZCQthnP3QT6nT0sAVZWa7hJFzQLjVVQ== -----END AGE ENCRYPTED FILE----- - recipient: age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSCttamJHZkNiUk1rS2la - TDhiTzRuRldrT25ZZG16NDBNTEs3OGFEbzBnClhUNmhLYjd2YjNMZlpnMnNTL3k3 - RVd1M3l6MllCRGdQNlE0cjFQbmE4dVkKLS0tIEcwbm43MnBTNFpIY3lEN2xOdXYy - ZWdtZ3VIQWdTK2tUc0hUbzliQWtHazAKdJcZTxBTP1SbTn6pfeiAMjxTzeAlf+rp - LpboQI3qPNA+Imqtbx8lacP5jAbgpFoWRkYMxuSFh0QzHoaraxYgQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SmZubjVIWUp0b3FSMEI5 + cDdYMm85MEN5L0E5YTB4Y3lCWHFiWi81S0U0CldYeGVseEFkUXFiWlhaMjVlR1pD + c2VFRDg4TkU1SFRlYlo3TjhoZDduYXcKLS0tIHlaRkN6cWkxUHVGSmpLM0FUeFF5 + Qk9zMy91VE9KNVRTckRVMDRBY0dXZ3cKrD6N/VcepEEcaXPr00MjTF6cpgMXO7sb + YdE1S0EGe5x59jU8TtHELOJ91TJaolp0WD0pvAXhHIAcBfnqEdpKbg== -----END AGE ENCRYPTED FILE----- - recipient: age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdThDbXBXWFdhRGVCZXJC - WWVXa05oSCtKS0VhYytNMGVTVGMrZXljR2tRCkwvQ3h4bENjMFZvRnBtSUFvdnc1 - cTJWVlVkQVZjOUxZclJNa3ZYaktiYWsKLS0tIFg1QzJUMmJLOTRicnYxOWVXS0JB - 
dE95akkyNUtOUDlnTGN5YVZMaGFQbEUK06k7tnbFA93+pVzLYkpIt4u4aO5WzWi3 - qtgAgNJZqTqSy02pvbAMtDCArIBgGPZwGhxPuZLhLfEeNjkyoYG8gw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJUThrTGFKbmRXNjNUbWZQ + R3lKZ2xwUEd6bVlFUGZaY29PRTk0alZhQmpVClNwUi9kdE53endJZ2dCeHdET3c5 + djltYmdSSmlmQy9iSk1sYmtHVmZJa00KLS0tIHVHSzNaeDlmV1I1eWlHUUVBUkxV + N1AzL0JNOE15eUpQVkNKdFNSVWtmQmsKphXeERyM93OKHDtH6Fm9UnB207LVxGt/ + flSanMWVNYqLVsNLuXQYOdlU7RCowHobH+y+eUKYEutm8SXa30ixKg== -----END AGE ENCRYPTED FILE----- - recipient: age183wgf8xp46chqk049ekyg7vsan2p50zh4lqfllcllzwuekeywdzqn7pz0q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMFNNSEZVWUJTYVpsbkxT - QXp4Vit5N05oR282OUhPUmd0SzFaUDZ1RDJvCmg5V3RUdFlFWlRNS2lRUHp3bGs5 - WXQ5Uk1BTDhBaTB6TUwrL20vYXhEbDgKLS0tIGVuM1MvdUxOMy9JalZEVjhCeGlS - S2JvMzZya2dCbUtSVzNPOWVITHF1WFUKCxDwdj+hq0mEprx8N5NzYLBE08O8Jfl2 - H3SPrww3gmQExa4eI6rZ8UtD+OTXXtDDrr7aBKcgqrTH5jb5l16hDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEblZNTlptbTZxNVk4SG50 + Q2lyZHRoakdRaktENFVYWU1GaEFTV3dPbDFVCjhHY2FrSzY4aW1pWXc5VFdnb3k4 + NEc2TGJ4VnJJZ21jKzZnMi9EdEtDSHMKLS0tIFl2U3gxL3liZVpZOTVzbVc4Z1lS + WE82VHMyeElrbDhYL0VjZHdQWjY1VmMK+q+tW+HNgG13OvL3VqlkzhKYI2r5ceoG + u4x4wpajiiQgCAub1SddFmGPX8iPeyfyCg7ijeUUguFMPpCXHbx2Yw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xvkj88jyajrefredvy4t7xgwfxrerezunsjcqqqfxytpw648l4aqfjakav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZeVlKNmRaVDRKV0xDcWpW + MEE4WHJZWnNQSlpURmlVWUZHZ2YxTUhnZEVnCmdYQjVSZ1FZOWkrdkhiUDQ2ME1W + MlFnM2ZSZ3NzTTBHbXN5djJsVDJCYWcKLS0tIFJzaFgwL3hzbnVCT0x0YnA1Wk9a + MmVwWTNta2JNRDhkRlFLNkNMcS9EUkkKyvKHpErzUGuunZI2p1tWS01XzBQFF3If + YnoWAP4iX9OVK5XBP96+cxKNRbhnujGb2PphZcepXk8dUwOvGS13Fg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-06-18T18:55:54Z" mac: 
ENC[AES256_GCM,data:rT4xvOvSnze3ubMOQNAZ/mJYgCBGL5OnqgCnV6KmsUWCou1nZxeWIyOUCPZpCj1qLRD1+CVlaPWvB1AsHznzaaulBmr0unQsCRVr4KOkisMP1b3VqVEfGcQsIEZ238l1J0YTRhwU+Sgyf8sB53K1b3HtOWJSO9/H7GJrVTJ+/i4=,iv:U0413JJWERZ9E84/YaNkBZOj7D5ODIdtjJUS7XY2krY=,tag:ZuJp8lw0vZ2c9mqO78rF6Q==,type:str]