-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fc4ebee
commit a156b0d
Showing
12 changed files
with
293 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
{ | ||
description = "nix-servers"; | ||
|
||
inputs = { | ||
# Nixpkgs | ||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; | ||
|
||
# Disko | ||
disko.url = "github:nix-community/disko"; | ||
disko.inputs.nixpkgs.follows = "nixpkgs"; | ||
|
||
# SOPS Nix | ||
sops-nix.url = "github:Mic92/sops-nix"; | ||
}; | ||
|
||
outputs = { | ||
self, | ||
nixpkgs, | ||
sops-nix, | ||
... | ||
} @ inputs: let | ||
inherit (self) outputs; | ||
in { | ||
nixosConfigurations = { | ||
mns = nixpkgs.lib.nixosSystem { | ||
specialArgs = {inherit inputs outputs;}; | ||
system = "x86_64-linux"; | ||
modules = [ | ||
./nodes/mns | ||
self.nixosModules.common | ||
]; | ||
}; | ||
}; | ||
nixosModules = { | ||
common = ./modules/common; | ||
}; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
{ | ||
# Use the systemd-boot EFI boot loader. | ||
boot.loader.systemd-boot.enable = true; | ||
boot.loader.efi.canTouchEfiVariables = true; | ||
|
||
boot.tmp.cleanOnBoot = true; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
{ | ||
inputs, | ||
... | ||
}: | ||
{ | ||
imports = [ | ||
inputs.disko.nixosModules.disko | ||
inputs.sops-nix.nixosModules.sops | ||
./boot.nix | ||
./nix.nix | ||
./ssh.nix | ||
./users.nix | ||
]; | ||
|
||
time.timeZone = "Europe/Berlin"; | ||
i18n.defaultLocale = "de_DE.UTF-8"; | ||
|
||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; | ||
|
||
system.stateVersion = "23.11"; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{ | ||
nixpkgs.config.allowUnfree = true; | ||
|
||
nix = { | ||
settings.experimental-features = [ "nix-command" "flakes" ]; | ||
nixPath = [ "nixpkgs=flake:nixpkgs" ]; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
{ | ||
services.openssh.enable = true; | ||
services.openssh.settings.PasswordAuthentication = false; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
{ | ||
sops.secrets."users/peter/hashedPassword" = { | ||
neededForUsers = true; | ||
sopsFile = "${inputs.self}/secrets/common.yaml"; | ||
}; | ||
|
||
users.users.peter = { | ||
isNormalUser = true; | ||
extraGroups = [ | ||
"wheel" | ||
"networkmanager" | ||
"wireshark" | ||
"libvirtd" | ||
]; | ||
|
||
openssh.authorizedKeys.keys = [ | ||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1Ss4ebDys/jMEzTPTv3/h9uRly37034XKQ79w9y7Yf xgwq@kee" | ||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwWRxjlcObusKS+fO5RCmFlz+1nASaVAZddfE3ULgP6 [email protected]" | ||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEE/wLmMGV+SY/QzvjNTnDmRCVMZr1hk+xuxdXXwaOL6 2024-01-23-peter@gungnir-wsl" | ||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIufiw/wK2tMs2Kr2kZCkdJL0KNo1Ww2wJiS+c8I0QcBz9Ed+Wd6KixXPZK2XBZL3iv0bKXf/7U7mjj6bOetCz0ZI15pdNTYkk2nldvb5JkjXybgX+METJYNxAvoy5f5irDmRHPCG0RZayWCMLqu6uFMEkL6bV8Zn/Dr+PtzJTwgOyb36AWR1lscJ2CYc8tR7EmtxX1i9mexeF+WtG1fk3r3Qxqcxu1/kpncrZkYzvfb9MzuIhr0yWzgPaOd1jKPeAka/uNeQIozvz4VdT4rN8A2MzukAiLu5Cbs3DOQq/FW84Qk8q1me3SlTQ+MCskS0oJLYoxgxhWE85jtjYHU7woT6oehl448PJJk3L9dUX2wJclMbn/dM4YnhW9XN5OTLbhgl7pIzeuAmtV9G6uVafJkUov00/3id+iUrgrycMZrFFQJnKOChF+NVPJ17pCsGD7gycaNCVoXCvwF1GiFleKolfGQsPBShyT6Pop+JyDNQBNMHsGsrFYBQwHZaHhts7ngnt0CqS90/izrOS/kF1kserqZFErMeT9gpQCFjXPrwgSCUdA3c7A+DGpimFKARYUZitOTuZvBj6I2Aj3EX8VJ2tyRZvXQ11rpo33jqahCbUBCk6JOwu+OTvSjtMywqr6jYpcbIvRDaB9L7km/JfOMSFBUkO09JHxAfdwaqx9Q== cardno:20_158_828" | ||
]; | ||
|
||
hashedPasswordFile = config.sops.secrets."users/peter/hashedPassword".path; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
{ inputs | ||
, config | ||
, ... | ||
}: | ||
let | ||
mkResticConfig = repository: { | ||
user = "root"; | ||
initialize = true; | ||
repository = repository; | ||
timerConfig = { | ||
OnCalendar = "daily"; | ||
Persistent = true; | ||
}; | ||
passwordFile = config.sops.secrets."backup/password".path; | ||
#pruneOpts = [ ]; | ||
paths = [ | ||
"/var/lib/minecraft" | ||
]; | ||
exclude = [ | ||
]; | ||
}; | ||
in | ||
{ | ||
sops.secrets = | ||
let | ||
sopsFile = "${inputs.self}/secrets/common.yaml"; | ||
in | ||
{ | ||
"backup/ssh-key" = { | ||
sopsFile = sopsFile; | ||
}; | ||
"backup/password" = { | ||
sopsFile = sopsFile; | ||
}; | ||
}; | ||
|
||
programs.ssh = { | ||
extraConfig = '' | ||
Host u371467.your-storagebox.de | ||
HostName u371467.your-storagebox.de | ||
IdentityFile ${config.sops.secrets."backup/ssh-key".path} | ||
''; | ||
knownHosts = { | ||
"u371467.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; | ||
}; | ||
}; | ||
services.restic.backups."${config.networking.hostName}-xgwq" = (mkResticConfig "sftp://[email protected]:22//backup"); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
{ | ||
imports = [ | ||
./backup.nix | ||
./disko.nix | ||
./hardware-configuration.nix | ||
./networking.nix | ||
]; | ||
|
||
services.minecraft-server = { | ||
enable = true; | ||
eula = true; | ||
openFirewall = true; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
{ | ||
disko.devices = { | ||
disk = { | ||
sda = { | ||
device = "/dev/sda"; | ||
type = "disk"; | ||
content = { | ||
type = "gpt"; | ||
partitions = { | ||
ESP = { | ||
label = "EFI"; | ||
type = "EF00"; | ||
size = "500M"; | ||
content = { | ||
type = "filesystem"; | ||
format = "vfat"; | ||
mountpoint = "/boot"; | ||
}; | ||
}; | ||
root = { | ||
label = "NIXOS"; | ||
size = "100%"; | ||
content = { | ||
type = "filesystem"; | ||
format = "ext4"; | ||
mountpoint = "/"; | ||
}; | ||
}; | ||
}; | ||
}; | ||
}; | ||
}; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
{ config, lib, pkgs, modulesPath, ... }: | ||
{ | ||
imports = | ||
[ (modulesPath + "/profiles/qemu-guest.nix") | ||
]; | ||
|
||
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; | ||
|
||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking | ||
# (the default) this is the recommended approach. When using systemd-networkd it's | ||
# still possible to use this option, but it's recommended to use it in conjunction | ||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. | ||
networking.useDHCP = lib.mkDefault true; | ||
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; | ||
|
||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
{ | ||
lib, | ||
... | ||
}: | ||
{ | ||
networking = { | ||
useNetworkd = true; | ||
useDHCP = false; | ||
hostName = "mns"; | ||
usePredictableInterfaceNames = lib.mkDefault false; | ||
domain = "xnee.net"; | ||
nameservers = [ | ||
#HETZNER | ||
"2a01:4ff:ff00::add:2" | ||
"2a01:4ff:ff00::add:1" | ||
]; | ||
dhcpcd.enable = false; | ||
}; | ||
systemd.network = { | ||
enable = true; | ||
networks."10-wan" = { | ||
networkConfig.DHCP = "no"; | ||
matchConfig.Name = "eth0"; | ||
address = [ | ||
"128.140.47.30/32" | ||
"2a01:4f8:c0c:5a5::1/64" | ||
]; | ||
routes = [ | ||
{ routeConfig.Gateway = "fe80::1"; } | ||
{ routeConfig = { Destination = "172.31.1.1"; }; } | ||
{ | ||
routeConfig = { | ||
Gateway = "172.31.1.1"; | ||
GatewayOnLink = true; | ||
}; | ||
} | ||
]; | ||
linkConfig.RequiredForOnline = "routable"; | ||
}; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
users: | ||
peter: | ||
hashedPassword: ENC[AES256_GCM,data:j34bDTixsTKTmU4qKaFAgPE7fZDqXFbBnFsfvbt13jTL58i4uP4qw5CVISoG5i1zPKYjQfkrYA1HO5fF3SHe2b/wmK9/d/85Tg==,iv:5RJDjFaE24ODAPQC2BrdkC65mLa2LVwyLFpX6IMHs1M=,tag:8URR4sPrWM3Ktb+Z3d7Pig==,type:str] | ||
backup: | ||
#ENC[AES256_GCM,data:bcDsF7TLnoGQb/lntAly81vxF+FI67WDIg7pDq7Y9A0i9vpJOEfKar5hfTYJeomspNc6JRK7tx3KG3nCVMkCsn4wPvFji0E6EiU130Qyc8CVrT0PaV3InppgWg0=,iv:Tj6vMRzXcx4US7z6KNx69yp/yHNb+MC71guz68YYqqM=,tag:lsKGesjVYKIrF9R0SjxuVg==,type:comment] | ||
ssh-key: ENC[AES256_GCM,data:KlL8W/7q1KE1LUHf9zchMRgRwLdvtFw+urQ9JsNotPJEriHOYScuvAQ6kVXoiriNc8hsjHB1J52E6k46RWp1VdJc9yWwAQONdK7gRXA08aIn1nxy9/dAVmSvkZRnS6tL+6vt2xsjqHbfBN8h0bTWnyha4HcKkaTB3yhGKe75s798JlW3R6iU0pqBeZSRmv28mVbUeSLcRh/tIsYraju7yQ3NXJYlHKM1CC6usGmlLCSJV7JgI6Bdf4JlA2NqCJu2CTsWwy3LTUX7CU2JavuSMD2i7/sIYcTh/gqdh5MlZUg5HLC5o4T1InYAdOeVQYuzkOTT2qugEYbNvK/NGJbsEfR6OWSLbsSsYLPFpO/qKa6+uLTr8OZ45N4sOVieX9p/jZvr0nYL6oSVRlWFK4ETR4qf4zcgSvVqLX9pkZ9IRINVnP1gs2FGkG/NkV2UdHAde+EqbUByLWFjt3/OXKEDP7dphLJC/Nb3xVhEQyaGlAUF8nPp4qOT6rPXviPw95ZzTvvYorDYCai2k6DmMYnm,iv:BV983R2D+q62Qzzm6EUfCJkGZZHMMwnHYGmma3n/4Iw=,tag:IuVSKbD8fsAPgUZbTGUlug==,type:str] | ||
password: ENC[AES256_GCM,data:Sx0dr5ht2u8n87cJf6Rkg08NsSCPFSw5w0WEzeTdnszOFGc/+8s3xA==,iv:0L4SpcRumX7EUDXm0T6kOXWSz0XA403TXu0sdTL11ws=,tag:tKTSls6xOvD803dsMQI/GA==,type:str] | ||
sops: | ||
kms: [] | ||
gcp_kms: [] | ||
azure_kv: [] | ||
hc_vault: [] | ||
age: | ||
- recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g | ||
enc: | | ||
-----BEGIN AGE ENCRYPTED FILE----- | ||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWUh4SkVkRVhpeTV4Vitm | ||
NDlWN2p5KytVK2hWaXlyZ1RNbmVybE55b3dnCkk5eVAwK0NNdW0yYzNJdUk2UUsx | ||
bEFyb2JyY0pQc05wSC9ndUZpRXNsSGMKLS0tIGhYQjVWRFdUTHhZTDQ5NmZWOHRB | ||
ZnliN2lkdEJ4UXNHTkw0WmFyVVFBZjAKpi+pV3XxfRAZuZYXNFzloaUOxnnNAKg0 | ||
RIfuP8x57S94h0kgRli8CsAjPYwMvUdJl88XjFLcVubmTE8EEuYilw== | ||
-----END AGE ENCRYPTED FILE----- | ||
- recipient: age1hn4emw7z4k4q856fxfk8nv8tkrv3c7d5ycrsjp9jay4llmvcqv9qqs0axl | ||
enc: | | ||
-----BEGIN AGE ENCRYPTED FILE----- | ||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVmdwbGpOMjBJK0FQYzJV | ||
U3duTyswL1ZUNzFyUmhwUEFQSVFwMm5LTFF3CjlwUEgycW9ZTHRBQzljdGJKb3NF | ||
N0pES05YRVNoTXBWeXdJcVJRM1U0NEkKLS0tIHV6QXdYRkt2NzU3SXRYREN6U3NY | ||
SkMyQVVWdDdsYW9HWi8vNGFGRE5WZlkKlpJ5XJ59gEOMrfebniJ+ZwLSR9nsRINH | ||
IrNhQ//HIw9dZHyOdBUcwLcXiZAmSFJiLAFdeqEH6DLNKr0iQPXXIA== | ||
-----END AGE ENCRYPTED FILE----- | ||
lastmodified: "2024-02-19T17:41:41Z" | ||
mac: ENC[AES256_GCM,data:S8PWuHdD4HFuluWiAE+iBncltTVHz73k+hN3ssuCuTgZw3aRiEXugcGBTn8VxG6m+CUiJhFqd0AW+93ic5C0mgnMTnHA8OJsIPxtj0qvpV76kMhkUr68himtoKHnrjwj6B6Eh3RXRP8qtuaYkmopNQU416TISP+lZNfqJAUxmW8=,iv:8T9JyGI90+/lYI4QHnXl59Hwj74h54NHe99eWh3VvW0=,tag:3MImaroxs6wTOILiRdKoZw==,type:str] | ||
pgp: [] | ||
unencrypted_suffix: _unencrypted | ||
version: 3.8.1 |