mns: Init

flake.nix

@@ -0,0 +1,38 @@
+{
+  description = "nix-servers";
+
+  inputs = {
+    # Nixpkgs
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    # Disko
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
+    # SOPS Nix
+    sops-nix.url = "github:Mic92/sops-nix";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    sops-nix,
+    ...
+  } @ inputs: let
+    inherit (self) outputs;
+  in {
+    nixosConfigurations = {
+      mns = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs;};
+        system = "x86_64-linux";
+        modules = [
+          ./nodes/mns
+          self.nixosModules.common
+        ];
+      };
+    };
+    nixosModules = {
+      common = ./modules/common;
+    };
+  };
+}

modules/common/boot.nix

@@ -0,0 +1,7 @@
+{
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.tmp.cleanOnBoot = true;
+}

modules/common/default.nix

@@ -0,0 +1,21 @@
+{
+  inputs,
+  ...
+}:
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    inputs.sops-nix.nixosModules.sops
+    ./boot.nix
+    ./nix.nix
+    ./ssh.nix
+    ./users.nix
+  ];
+
+  time.timeZone = "Europe/Berlin";
+  i18n.defaultLocale = "de_DE.UTF-8";
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  system.stateVersion = "23.11";
+}

modules/common/nix.nix

@@ -0,0 +1,8 @@
+{
+  nixpkgs.config.allowUnfree = true;
+
+  nix = {
+    settings.experimental-features = [ "nix-command" "flakes" ];
+    nixPath = [ "nixpkgs=flake:nixpkgs" ];
+  };
+}

modules/common/ssh.nix

@@ -0,0 +1,4 @@
+{
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+}

modules/common/users.nix

@@ -0,0 +1,25 @@
+{
+  sops.secrets."users/peter/hashedPassword" = {
+    neededForUsers = true;
+    sopsFile = "${inputs.self}/secrets/common.yaml";
+  };
+
+  users.users.peter = {
+    isNormalUser = true;
+    extraGroups = [ 
+      "wheel"
+      "networkmanager"
+      "wireshark"
+      "libvirtd"
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1Ss4ebDys/jMEzTPTv3/h9uRly37034XKQ79w9y7Yf xgwq@kee"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwWRxjlcObusKS+fO5RCmFlz+1nASaVAZddfE3ULgP6 [email protected]"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEE/wLmMGV+SY/QzvjNTnDmRCVMZr1hk+xuxdXXwaOL6 2024-01-23-peter@gungnir-wsl"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIufiw/wK2tMs2Kr2kZCkdJL0KNo1Ww2wJiS+c8I0QcBz9Ed+Wd6KixXPZK2XBZL3iv0bKXf/7U7mjj6bOetCz0ZI15pdNTYkk2nldvb5JkjXybgX+METJYNxAvoy5f5irDmRHPCG0RZayWCMLqu6uFMEkL6bV8Zn/Dr+PtzJTwgOyb36AWR1lscJ2CYc8tR7EmtxX1i9mexeF+WtG1fk3r3Qxqcxu1/kpncrZkYzvfb9MzuIhr0yWzgPaOd1jKPeAka/uNeQIozvz4VdT4rN8A2MzukAiLu5Cbs3DOQq/FW84Qk8q1me3SlTQ+MCskS0oJLYoxgxhWE85jtjYHU7woT6oehl448PJJk3L9dUX2wJclMbn/dM4YnhW9XN5OTLbhgl7pIzeuAmtV9G6uVafJkUov00/3id+iUrgrycMZrFFQJnKOChF+NVPJ17pCsGD7gycaNCVoXCvwF1GiFleKolfGQsPBShyT6Pop+JyDNQBNMHsGsrFYBQwHZaHhts7ngnt0CqS90/izrOS/kF1kserqZFErMeT9gpQCFjXPrwgSCUdA3c7A+DGpimFKARYUZitOTuZvBj6I2Aj3EX8VJ2tyRZvXQ11rpo33jqahCbUBCk6JOwu+OTvSjtMywqr6jYpcbIvRDaB9L7km/JfOMSFBUkO09JHxAfdwaqx9Q== cardno:20_158_828"
+    ];
+
+    hashedPasswordFile = config.sops.secrets."users/peter/hashedPassword".path;
+  };
+}

nodes/mns/backup.nix

@@ -0,0 +1,48 @@
+{ inputs
+, config
+, ...
+}:
+let
+  mkResticConfig = repository: {
+    user = "root";
+    initialize = true;
+    repository = repository;
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+    passwordFile = config.sops.secrets."backup/password".path;
+    #pruneOpts = [ ];
+    paths = [
+      "/var/lib/minecraft"
+    ];
+    exclude = [
+    ];
+  };
+in
+{
+  sops.secrets =
+    let
+      sopsFile = "${inputs.self}/secrets/common.yaml";
+    in
+    {
+      "backup/ssh-key" = {
+        sopsFile = sopsFile;
+      };
+      "backup/password" = {
+        sopsFile = sopsFile;
+      };
+    };
+
+  programs.ssh = {
+    extraConfig = ''
+      Host u371467.your-storagebox.de
+        HostName u371467.your-storagebox.de
+        IdentityFile ${config.sops.secrets."backup/ssh-key".path}
+    '';
+    knownHosts = {
+      "u371467.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+    };
+  };
+  services.restic.backups."${config.networking.hostName}-xgwq" = (mkResticConfig "sftp://[email protected]:22//backup");
+}

nodes/mns/default.nix

@@ -0,0 +1,14 @@
+{
+  imports = [
+    ./backup.nix
+    ./disko.nix
+    ./hardware-configuration.nix
+    ./networking.nix
+  ];
+
+  services.minecraft-server = {
+    enable = true;
+    eula = true;
+    openFirewall = true;
+  };
+}

nodes/mns/disko.nix

@@ -0,0 +1,34 @@
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              label = "EFI";
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              label = "NIXOS";
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nodes/mns/hardware-configuration.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nodes/mns/networking.nix

@@ -0,0 +1,41 @@
+{
+  lib,
+  ...
+}:
+{
+  networking = {
+    useNetworkd = true;
+    useDHCP = false;
+    hostName = "mns";
+    usePredictableInterfaceNames = lib.mkDefault false;
+    domain = "xnee.net";
+    nameservers = [
+      #HETZNER
+      "2a01:4ff:ff00::add:2"
+      "2a01:4ff:ff00::add:1"
+    ];
+    dhcpcd.enable = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      networkConfig.DHCP = "no";
+      matchConfig.Name = "eth0";
+      address = [
+        "128.140.47.30/32"
+        "2a01:4f8:c0c:5a5::1/64"
+      ];
+      routes = [
+        { routeConfig.Gateway = "fe80::1"; }
+        { routeConfig = { Destination = "172.31.1.1"; }; }
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+}

secrets/common.yaml

@@ -0,0 +1,36 @@
+users:
+    peter:
+        hashedPassword: ENC[AES256_GCM,data:j34bDTixsTKTmU4qKaFAgPE7fZDqXFbBnFsfvbt13jTL58i4uP4qw5CVISoG5i1zPKYjQfkrYA1HO5fF3SHe2b/wmK9/d/85Tg==,iv:5RJDjFaE24ODAPQC2BrdkC65mLa2LVwyLFpX6IMHs1M=,tag:8URR4sPrWM3Ktb+Z3d7Pig==,type:str]
+backup:
+    #ENC[AES256_GCM,data:bcDsF7TLnoGQb/lntAly81vxF+FI67WDIg7pDq7Y9A0i9vpJOEfKar5hfTYJeomspNc6JRK7tx3KG3nCVMkCsn4wPvFji0E6EiU130Qyc8CVrT0PaV3InppgWg0=,iv:Tj6vMRzXcx4US7z6KNx69yp/yHNb+MC71guz68YYqqM=,tag:lsKGesjVYKIrF9R0SjxuVg==,type:comment]
+    ssh-key: ENC[AES256_GCM,data:KlL8W/7q1KE1LUHf9zchMRgRwLdvtFw+urQ9JsNotPJEriHOYScuvAQ6kVXoiriNc8hsjHB1J52E6k46RWp1VdJc9yWwAQONdK7gRXA08aIn1nxy9/dAVmSvkZRnS6tL+6vt2xsjqHbfBN8h0bTWnyha4HcKkaTB3yhGKe75s798JlW3R6iU0pqBeZSRmv28mVbUeSLcRh/tIsYraju7yQ3NXJYlHKM1CC6usGmlLCSJV7JgI6Bdf4JlA2NqCJu2CTsWwy3LTUX7CU2JavuSMD2i7/sIYcTh/gqdh5MlZUg5HLC5o4T1InYAdOeVQYuzkOTT2qugEYbNvK/NGJbsEfR6OWSLbsSsYLPFpO/qKa6+uLTr8OZ45N4sOVieX9p/jZvr0nYL6oSVRlWFK4ETR4qf4zcgSvVqLX9pkZ9IRINVnP1gs2FGkG/NkV2UdHAde+EqbUByLWFjt3/OXKEDP7dphLJC/Nb3xVhEQyaGlAUF8nPp4qOT6rPXviPw95ZzTvvYorDYCai2k6DmMYnm,iv:BV983R2D+q62Qzzm6EUfCJkGZZHMMwnHYGmma3n/4Iw=,tag:IuVSKbD8fsAPgUZbTGUlug==,type:str]
+    password: ENC[AES256_GCM,data:Sx0dr5ht2u8n87cJf6Rkg08NsSCPFSw5w0WEzeTdnszOFGc/+8s3xA==,iv:0L4SpcRumX7EUDXm0T6kOXWSz0XA403TXu0sdTL11ws=,tag:tKTSls6xOvD803dsMQI/GA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWUh4SkVkRVhpeTV4Vitm
+            NDlWN2p5KytVK2hWaXlyZ1RNbmVybE55b3dnCkk5eVAwK0NNdW0yYzNJdUk2UUsx
+            bEFyb2JyY0pQc05wSC9ndUZpRXNsSGMKLS0tIGhYQjVWRFdUTHhZTDQ5NmZWOHRB
+            ZnliN2lkdEJ4UXNHTkw0WmFyVVFBZjAKpi+pV3XxfRAZuZYXNFzloaUOxnnNAKg0
+            RIfuP8x57S94h0kgRli8CsAjPYwMvUdJl88XjFLcVubmTE8EEuYilw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hn4emw7z4k4q856fxfk8nv8tkrv3c7d5ycrsjp9jay4llmvcqv9qqs0axl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVmdwbGpOMjBJK0FQYzJV
+            U3duTyswL1ZUNzFyUmhwUEFQSVFwMm5LTFF3CjlwUEgycW9ZTHRBQzljdGJKb3NF
+            N0pES05YRVNoTXBWeXdJcVJRM1U0NEkKLS0tIHV6QXdYRkt2NzU3SXRYREN6U3NY
+            SkMyQVVWdDdsYW9HWi8vNGFGRE5WZlkKlpJ5XJ59gEOMrfebniJ+ZwLSR9nsRINH
+            IrNhQ//HIw9dZHyOdBUcwLcXiZAmSFJiLAFdeqEH6DLNKr0iQPXXIA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-19T17:41:41Z"
+    mac: ENC[AES256_GCM,data:S8PWuHdD4HFuluWiAE+iBncltTVHz73k+hN3ssuCuTgZw3aRiEXugcGBTn8VxG6m+CUiJhFqd0AW+93ic5C0mgnMTnHA8OJsIPxtj0qvpV76kMhkUr68himtoKHnrjwj6B6Eh3RXRP8qtuaYkmopNQU416TISP+lZNfqJAUxmW8=,iv:8T9JyGI90+/lYI4QHnXl59Hwj74h54NHe99eWh3VvW0=,tag:3MImaroxs6wTOILiRdKoZw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1