diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5836bfc --- /dev/null +++ b/flake.nix @@ -0,0 +1,38 @@ +{ + description = "nix-servers"; + + inputs = { + # Nixpkgs + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + + # Disko + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + + # SOPS Nix + sops-nix.url = "github:Mic92/sops-nix"; + }; + + outputs = { + self, + nixpkgs, + sops-nix, + ... + } @ inputs: let + inherit (self) outputs; + in { + nixosConfigurations = { + mns = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + system = "x86_64-linux"; + modules = [ + ./nodes/mns + self.nixosModules.common + ]; + }; + }; + nixosModules = { + common = ./modules/common; + }; + }; +} diff --git a/modules/common/boot.nix b/modules/common/boot.nix new file mode 100644 index 0000000..4b2df4f --- /dev/null +++ b/modules/common/boot.nix @@ -0,0 +1,7 @@ +{ + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + boot.tmp.cleanOnBoot = true; +} diff --git a/modules/common/default.nix b/modules/common/default.nix new file mode 100644 index 0000000..a21fc52 --- /dev/null +++ b/modules/common/default.nix @@ -0,0 +1,21 @@ +{ + inputs, + ... +}: +{ + imports = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + ./boot.nix + ./nix.nix + ./ssh.nix + ./users.nix + ]; + + time.timeZone = "Europe/Berlin"; + i18n.defaultLocale = "de_DE.UTF-8"; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + + system.stateVersion = "23.11"; +} diff --git a/modules/common/nix.nix b/modules/common/nix.nix new file mode 100644 index 0000000..3e63657 --- /dev/null +++ b/modules/common/nix.nix @@ -0,0 +1,8 @@ +{ + nixpkgs.config.allowUnfree = true; + + nix = { + settings.experimental-features = [ "nix-command" "flakes" ]; + nixPath = [ "nixpkgs=flake:nixpkgs" ]; + }; +} diff --git a/modules/common/ssh.nix b/modules/common/ssh.nix new file mode 100644 index 0000000..674adc3 --- /dev/null +++ b/modules/common/ssh.nix @@ -0,0 +1,4 @@ +{ + services.openssh.enable = true; + services.openssh.settings.PasswordAuthentication = false; +} diff --git a/modules/common/users.nix b/modules/common/users.nix new file mode 100644 index 0000000..9cb0401 --- /dev/null +++ b/modules/common/users.nix @@ -0,0 +1,25 @@ +{ + sops.secrets."users/peter/hashedPassword" = { + neededForUsers = true; + sopsFile = "${inputs.self}/secrets/common.yaml"; + }; + + users.users.peter = { + isNormalUser = true; + extraGroups = [ + "wheel" + "networkmanager" + "wireshark" + "libvirtd" + ]; + + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1Ss4ebDys/jMEzTPTv3/h9uRly37034XKQ79w9y7Yf xgwq@kee" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwWRxjlcObusKS+fO5RCmFlz+1nASaVAZddfE3ULgP6 peter@kleeblatt.xnee.net" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEE/wLmMGV+SY/QzvjNTnDmRCVMZr1hk+xuxdXXwaOL6 2024-01-23-peter@gungnir-wsl" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIufiw/wK2tMs2Kr2kZCkdJL0KNo1Ww2wJiS+c8I0QcBz9Ed+Wd6KixXPZK2XBZL3iv0bKXf/7U7mjj6bOetCz0ZI15pdNTYkk2nldvb5JkjXybgX+METJYNxAvoy5f5irDmRHPCG0RZayWCMLqu6uFMEkL6bV8Zn/Dr+PtzJTwgOyb36AWR1lscJ2CYc8tR7EmtxX1i9mexeF+WtG1fk3r3Qxqcxu1/kpncrZkYzvfb9MzuIhr0yWzgPaOd1jKPeAka/uNeQIozvz4VdT4rN8A2MzukAiLu5Cbs3DOQq/FW84Qk8q1me3SlTQ+MCskS0oJLYoxgxhWE85jtjYHU7woT6oehl448PJJk3L9dUX2wJclMbn/dM4YnhW9XN5OTLbhgl7pIzeuAmtV9G6uVafJkUov00/3id+iUrgrycMZrFFQJnKOChF+NVPJ17pCsGD7gycaNCVoXCvwF1GiFleKolfGQsPBShyT6Pop+JyDNQBNMHsGsrFYBQwHZaHhts7ngnt0CqS90/izrOS/kF1kserqZFErMeT9gpQCFjXPrwgSCUdA3c7A+DGpimFKARYUZitOTuZvBj6I2Aj3EX8VJ2tyRZvXQ11rpo33jqahCbUBCk6JOwu+OTvSjtMywqr6jYpcbIvRDaB9L7km/JfOMSFBUkO09JHxAfdwaqx9Q== cardno:20_158_828" + ]; + + hashedPasswordFile = config.sops.secrets."users/peter/hashedPassword".path; + }; +} diff --git a/nodes/mns/backup.nix b/nodes/mns/backup.nix new file mode 100644 index 0000000..85772ad --- /dev/null +++ b/nodes/mns/backup.nix @@ -0,0 +1,48 @@ +{ inputs +, config +, ... +}: +let + mkResticConfig = repository: { + user = "root"; + initialize = true; + repository = repository; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; + passwordFile = config.sops.secrets."backup/password".path; + #pruneOpts = [ ]; + paths = [ + "/var/lib/minecraft" + ]; + exclude = [ + ]; + }; +in +{ + sops.secrets = + let + sopsFile = "${inputs.self}/secrets/common.yaml"; + in + { + "backup/ssh-key" = { + sopsFile = sopsFile; + }; + "backup/password" = { + sopsFile = sopsFile; + }; + }; + + programs.ssh = { + extraConfig = '' + Host u371467.your-storagebox.de + HostName u371467.your-storagebox.de + IdentityFile ${config.sops.secrets."backup/ssh-key".path} + ''; + knownHosts = { + "u371467.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; + }; + }; + services.restic.backups."${config.networking.hostName}-xgwq" = (mkResticConfig "sftp://u371467-sub2@u371467.your-storagebox.de:22//backup"); +} diff --git a/nodes/mns/default.nix b/nodes/mns/default.nix new file mode 100644 index 0000000..fa79a70 --- /dev/null +++ b/nodes/mns/default.nix @@ -0,0 +1,14 @@ +{ + imports = [ + ./backup.nix + ./disko.nix + ./hardware-configuration.nix + ./networking.nix + ]; + + services.minecraft-server = { + enable = true; + eula = true; + openFirewall = true; + }; +} diff --git a/nodes/mns/disko.nix b/nodes/mns/disko.nix new file mode 100644 index 0000000..7f79e24 --- /dev/null +++ b/nodes/mns/disko.nix @@ -0,0 +1,34 @@ +{ + disko.devices = { + disk = { + sda = { + device = "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + label = "EFI"; + type = "EF00"; + size = "500M"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + label = "NIXOS"; + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nodes/mns/hardware-configuration.nix b/nodes/mns/hardware-configuration.nix new file mode 100644 index 0000000..3a9585d --- /dev/null +++ b/nodes/mns/hardware-configuration.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/nodes/mns/networking.nix b/nodes/mns/networking.nix new file mode 100644 index 0000000..b6d08f9 --- /dev/null +++ b/nodes/mns/networking.nix @@ -0,0 +1,41 @@ +{ + lib, + ... +}: +{ + networking = { + useNetworkd = true; + useDHCP = false; + hostName = "mns"; + usePredictableInterfaceNames = lib.mkDefault false; + domain = "xnee.net"; + nameservers = [ + #HETZNER + "2a01:4ff:ff00::add:2" + "2a01:4ff:ff00::add:1" + ]; + dhcpcd.enable = false; + }; + systemd.network = { + enable = true; + networks."10-wan" = { + networkConfig.DHCP = "no"; + matchConfig.Name = "eth0"; + address = [ + "128.140.47.30/32" + "2a01:4f8:c0c:5a5::1/64" + ]; + routes = [ + { routeConfig.Gateway = "fe80::1"; } + { routeConfig = { Destination = "172.31.1.1"; }; } + { + routeConfig = { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + }; +} diff --git a/secrets/common.yaml b/secrets/common.yaml new file mode 100644 index 0000000..d886100 --- /dev/null +++ b/secrets/common.yaml @@ -0,0 +1,36 @@ +users: + peter: + hashedPassword: ENC[AES256_GCM,data:j34bDTixsTKTmU4qKaFAgPE7fZDqXFbBnFsfvbt13jTL58i4uP4qw5CVISoG5i1zPKYjQfkrYA1HO5fF3SHe2b/wmK9/d/85Tg==,iv:5RJDjFaE24ODAPQC2BrdkC65mLa2LVwyLFpX6IMHs1M=,tag:8URR4sPrWM3Ktb+Z3d7Pig==,type:str] +backup: + #ENC[AES256_GCM,data:bcDsF7TLnoGQb/lntAly81vxF+FI67WDIg7pDq7Y9A0i9vpJOEfKar5hfTYJeomspNc6JRK7tx3KG3nCVMkCsn4wPvFji0E6EiU130Qyc8CVrT0PaV3InppgWg0=,iv:Tj6vMRzXcx4US7z6KNx69yp/yHNb+MC71guz68YYqqM=,tag:lsKGesjVYKIrF9R0SjxuVg==,type:comment] + ssh-key: ENC[AES256_GCM,data:KlL8W/7q1KE1LUHf9zchMRgRwLdvtFw+urQ9JsNotPJEriHOYScuvAQ6kVXoiriNc8hsjHB1J52E6k46RWp1VdJc9yWwAQONdK7gRXA08aIn1nxy9/dAVmSvkZRnS6tL+6vt2xsjqHbfBN8h0bTWnyha4HcKkaTB3yhGKe75s798JlW3R6iU0pqBeZSRmv28mVbUeSLcRh/tIsYraju7yQ3NXJYlHKM1CC6usGmlLCSJV7JgI6Bdf4JlA2NqCJu2CTsWwy3LTUX7CU2JavuSMD2i7/sIYcTh/gqdh5MlZUg5HLC5o4T1InYAdOeVQYuzkOTT2qugEYbNvK/NGJbsEfR6OWSLbsSsYLPFpO/qKa6+uLTr8OZ45N4sOVieX9p/jZvr0nYL6oSVRlWFK4ETR4qf4zcgSvVqLX9pkZ9IRINVnP1gs2FGkG/NkV2UdHAde+EqbUByLWFjt3/OXKEDP7dphLJC/Nb3xVhEQyaGlAUF8nPp4qOT6rPXviPw95ZzTvvYorDYCai2k6DmMYnm,iv:BV983R2D+q62Qzzm6EUfCJkGZZHMMwnHYGmma3n/4Iw=,tag:IuVSKbD8fsAPgUZbTGUlug==,type:str] + password: ENC[AES256_GCM,data:Sx0dr5ht2u8n87cJf6Rkg08NsSCPFSw5w0WEzeTdnszOFGc/+8s3xA==,iv:0L4SpcRumX7EUDXm0T6kOXWSz0XA403TXu0sdTL11ws=,tag:tKTSls6xOvD803dsMQI/GA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWUh4SkVkRVhpeTV4Vitm + NDlWN2p5KytVK2hWaXlyZ1RNbmVybE55b3dnCkk5eVAwK0NNdW0yYzNJdUk2UUsx + bEFyb2JyY0pQc05wSC9ndUZpRXNsSGMKLS0tIGhYQjVWRFdUTHhZTDQ5NmZWOHRB + ZnliN2lkdEJ4UXNHTkw0WmFyVVFBZjAKpi+pV3XxfRAZuZYXNFzloaUOxnnNAKg0 + RIfuP8x57S94h0kgRli8CsAjPYwMvUdJl88XjFLcVubmTE8EEuYilw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hn4emw7z4k4q856fxfk8nv8tkrv3c7d5ycrsjp9jay4llmvcqv9qqs0axl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVmdwbGpOMjBJK0FQYzJV + U3duTyswL1ZUNzFyUmhwUEFQSVFwMm5LTFF3CjlwUEgycW9ZTHRBQzljdGJKb3NF + N0pES05YRVNoTXBWeXdJcVJRM1U0NEkKLS0tIHV6QXdYRkt2NzU3SXRYREN6U3NY + SkMyQVVWdDdsYW9HWi8vNGFGRE5WZlkKlpJ5XJ59gEOMrfebniJ+ZwLSR9nsRINH + IrNhQ//HIw9dZHyOdBUcwLcXiZAmSFJiLAFdeqEH6DLNKr0iQPXXIA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-19T17:41:41Z" + mac: ENC[AES256_GCM,data:S8PWuHdD4HFuluWiAE+iBncltTVHz73k+hN3ssuCuTgZw3aRiEXugcGBTn8VxG6m+CUiJhFqd0AW+93ic5C0mgnMTnHA8OJsIPxtj0qvpV76kMhkUr68himtoKHnrjwj6B6Eh3RXRP8qtuaYkmopNQU416TISP+lZNfqJAUxmW8=,iv:8T9JyGI90+/lYI4QHnXl59Hwj74h54NHe99eWh3VvW0=,tag:3MImaroxs6wTOILiRdKoZw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1