This commit is contained in:
Motiejus Jakštys 2023-04-14 14:12:45 +03:00
parent 5f8cc2f9ba
commit 26747bd639
34 changed files with 430 additions and 249 deletions

2
.envrc
View File

@ -1,5 +1,3 @@
export PASSWORD_STORE_DIR=$PWD
if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs="
fi

View File

@ -1,10 +0,0 @@
keys:
- &motiejus 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
- &server_hel1a age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
creation_rules:
- path_regex: hosts/hel1-a/secrets.yaml$
key_groups:
- pgp:
- *motiejus
age:
- *server_hel1a

View File

@ -12,18 +12,28 @@ Upcoming flakes:
$ nix build .#deploy.nodes.hel1-a.profiles.system.path
Managing secrets
----------------
VM:
$ nix build .#nixosConfigurations.vm.config.system.build.vm
Encoding host-only secrets
--------------------------
Encode a secret on host:
rage -e -r $(ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub) -o secret.age /etc/plaintext
rage -e -r "$(cat /etc/ssh/ssh_host_ed25519_key.pub)" -o secret.age /path/to/plaintext
Decode a secret on host (to test things out):
age -d -i <(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) secret.age
rage -d -i /etc/ssh/ssh_host_ed25519_key secret.age
If/when [str4d/rage#379](https://github.com/str4d/rage/issues/379) is fixed, we
can replace the above command to `rage`.
Bootstrapping
-------------
Prereqs:
mkdir -p /etc/secrets/initrd
ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519
[1]: https://cgit.krebsco.de/krops/about/

View File

@ -1,3 +1,64 @@
{
pubkeys = {}; # TODO
rec {
ips = {
vno1 = "88.223.107.21";
hel1a = "65.21.7.119";
};
ssh_pubkeys = {
motiejus = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+qpaaD+FCYPcUU1ONbw/ff5j0xXu5DNvp/4qZH/vOYwG13uDdfI5ISYPs8zNaVcFuEDgNxWorVPwDw4p6+1JwRLlhO4J/5tE1w8Gt6C7y76LRWnp0rCdva5vL3xMozxYIWVOAiN131eyirV2FdOaqTwPy4ouNMmBFbibLQwBna89tbFMG/jwR7Cxt1I6UiYOuCXIocI5YUbXlsXoK9gr5yBRoTjl2OfH2itGYHz9xQCswvatmqrnteubAbkb6IUFYz184rnlVntuZLwzM99ezcG4v8/485gWkotTkOgQIrGNKgOA7UNKpQNbrwdPAMugqfSTo6g8fEvy0Q+6OXdxw5X7en2TJE+BLVaXp4pVMdOAzKF0nnssn64sRhsrUtFIjNGmOWBOR2gGokaJcM6x9R72qxucuG5054pSibs32BkPEg6Qzp+Bh77C3vUmC94YLVg6pazHhLroYSP1xQjfOvXyLxXB1s9rwJcO+s4kqmInft2weyhfaFE0Bjcoc+1/dKuQYfPCPSB//4zvktxTXud80zwWzMy91Q4ucRrHTBz3PrhO8ys74aSGnKOiG3ccD3HbaT0Ff4qmtIwHcAjrnNlINAcH/A2mpi0/2xA7T8WpFnvgtkQbcMF0kEKGnNS5ULZXP/LC8BlLXxwPdqTzvKikkTb661j4PhJhinhVwnQ==";
vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
};
systems = {
"vno1-oh2.servers.jakst" = {
extraHostNames = ["dl.jakstys.lt" "vno1-oh2.jakstys.lt"];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtYsaht57g2sp6UmLHqsCK+fHjiiZ0rmGceFmFt88pY";
};
"hel1-a.servers.jakst" = {
extraHostNames = ["hel1-a.jakstys.lt" "git.jakstys.lt" "vpn.jakstys.lt" "jakstys.lt" "www.jakstys.lt"];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
};
"mtwork.motiejus.jakst" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvNuABV5KXmh6rmS+R50XeJ9/V+Sgpuc1DrlYXW2bQb";
};
"zh2769.rsync.net" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
};
"github.com" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
};
"git.sr.ht" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
};
};
tailscale_subnet = {
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
};
jakstysLTZone = ''
$ORIGIN jakstys.lt.
$TTL 86400
@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023032100 86400 86400 86400 86400)
@ NS ns1.jakstys.lt.
@ NS ns2.jakstys.lt.
@ A ${ips.hel1a}
www A ${ips.hel1a}
ns1 A ${ips.vno1}
ns2 A ${ips.hel1a}
beta A ${ips.hel1a}
turn A ${ips.hel1a}
vpn A ${ips.hel1a}
git A ${ips.hel1a}
auth A ${ips.hel1a}
dl A ${ips.vno1}
hel1-a A ${ips.hel1a}
vno1 A ${ips.vno1}
@ MX 10 aspmx.l.google.com.
@ MX 20 alt1.aspmx.l.google.com.
@ MX 20 alt2.aspmx.l.google.com.
@ MX 30 aspmx2.googlemail.com.
@ MX 30 aspmx3.googlemail.com.
'';
}

View File

@ -49,12 +49,27 @@
nixosConfigurations.hel1-a = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./configuration.nix
./hardware-configuration.nix
./zfs.nix
./hosts/hel1-a/configuration.nix
./hosts/hel1-a/hardware-configuration.nix
./hosts/hel1-a/zfs.nix
./modules
agenix.nixosModules.default
{
age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
age.secrets.sasl-passwd.file = ./secrets/hel1-a/postfix/sasl_passwd.age;
age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age;
age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age;
age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age;
age.secrets.synapse-macaroon-secret-key.file = ./secrets/hel1-a/synapse/macaroon_secret_key.age;
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
}
];
specialArgs = inputs;
specialArgs = {inherit myData;} // inputs;
};
deploy.nodes.hel1-a = {

View File

@ -2,25 +2,10 @@
config,
pkgs,
lib,
agenix,
myData,
...
}: let
gitea_uidgid = 995;
tailscale_subnet = {
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
};
ips = {
vno1 = "88.223.107.21";
hel1a = "65.21.7.119";
};
ssh_pubkeys = {
motiejus = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+qpaaD+FCYPcUU1ONbw/ff5j0xXu5DNvp/4qZH/vOYwG13uDdfI5ISYPs8zNaVcFuEDgNxWorVPwDw4p6+1JwRLlhO4J/5tE1w8Gt6C7y76LRWnp0rCdva5vL3xMozxYIWVOAiN131eyirV2FdOaqTwPy4ouNMmBFbibLQwBna89tbFMG/jwR7Cxt1I6UiYOuCXIocI5YUbXlsXoK9gr5yBRoTjl2OfH2itGYHz9xQCswvatmqrnteubAbkb6IUFYz184rnlVntuZLwzM99ezcG4v8/485gWkotTkOgQIrGNKgOA7UNKpQNbrwdPAMugqfSTo6g8fEvy0Q+6OXdxw5X7en2TJE+BLVaXp4pVMdOAzKF0nnssn64sRhsrUtFIjNGmOWBOR2gGokaJcM6x9R72qxucuG5054pSibs32BkPEg6Qzp+Bh77C3vUmC94YLVg6pazHhLroYSP1xQjfOvXyLxXB1s9rwJcO+s4kqmInft2weyhfaFE0Bjcoc+1/dKuQYfPCPSB//4zvktxTXud80zwWzMy91Q4ucRrHTBz3PrhO8ys74aSGnKOiG3ccD3HbaT0Ff4qmtIwHcAjrnNlINAcH/A2mpi0/2xA7T8WpFnvgtkQbcMF0kEKGnNS5ULZXP/LC8BlLXxwPdqTzvKikkTb661j4PhJhinhVwnQ==";
vno1_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiWb7yeSeuFCMZWarKJD6ZSxIlpEHbU++MfpOIy/2kh";
};
backup_paths = {
var_lib = {
mountpoint = "/var/lib";
@ -45,6 +30,7 @@
};
turn_cert_dir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/turn.jakstys.lt";
gitea_uidgid = 995;
# functions
mountLatest = (
@ -72,26 +58,24 @@ in {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = builtins.attrValues ssh_pubkeys;
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
};
security = {
sudo = {
wheelNeedsPassword = false;
execWheelOnly = true;
mj = {
stateVersion = "22.11";
timeZone = "UTC";
base.initrd = {
enable = true;
authorizedKeys = builtins.attrValues myData.ssh_pubkeys;
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
};
time.timeZone = "UTC";
users = {
mutableUsers = false;
users = {
git = {
users.git = {
description = "Gitea Service";
home = "/var/lib/gitea";
useDefaultShell = true;
@ -100,29 +84,14 @@ in {
uid = gitea_uidgid;
};
motiejus = {
isNormalUser = true;
extraGroups = ["wheel"];
uid = 1000;
openssh.authorizedKeys.keys = [ssh_pubkeys.motiejus];
};
};
groups.gitea.gid = gitea_uidgid;
};
environment = {
systemPackages = with pkgs; [
jq
git
dig
wget
tree
lsof
file
tmux
htop
rage
#ncdu
nmap
ipset
@ -135,56 +104,25 @@ in {
tcpdump
vimv-rs
openssl
ripgrep
bsdgames
binutils
moreutils
headscale
mailutils
nixos-option
unixtools.xxd
graphicsmagick
];
variables = {
EDITOR = "nvim";
};
};
programs = {
mtr.enable = true;
mosh.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
ssh.knownHosts = {
"vno1-oh2.servers.jakst" = {
extraHostNames = ["dl.jakstys.lt" "vno1-oh2.jakstys.lt"];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtYsaht57g2sp6UmLHqsCK+fHjiiZ0rmGceFmFt88pY";
};
"hel1-a.servers.jakst" = {
extraHostNames = ["hel1-a.jakstys.lt" "git.jakstys.lt" "vpn.jakstys.lt" "jakstys.lt" "www.jakstys.lt"];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
};
"mtwork.motiejus.jakst" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvNuABV5KXmh6rmS+R50XeJ9/V+Sgpuc1DrlYXW2bQb";
};
"zh2769.rsync.net" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd";
};
"github.com" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
};
"git.sr.ht" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
};
};
};
services = {
tailscale.enable = true;
nsd = {
enable = true;
interfaces = [ "0.0.0.0" "::" ];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
};
};
zfs = {
autoScrub.enable = true;
trim.enable = true;
@ -192,11 +130,6 @@ in {
};
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
extraConfig = ''
AcceptEnv GIT_PROTOCOL
'';
@ -240,7 +173,7 @@ in {
repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /var/src/secrets/borgbackup/password";
passCommand = "cat ${config.age.secrets.borgbackup-password.path}";
};
paths = value.paths;
extraArgs = "--remote-path=borg1";
@ -267,7 +200,7 @@ in {
settings = {
server_url = "https://vpn.jakstys.lt";
ip_prefixes = [
tailscale_subnet.cidr
myData.tailscale_subnet.cidr
"fd7a:115c:a1e0:59b0::/64"
];
log.level = "warn";
@ -407,7 +340,7 @@ in {
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=${tailscale_subnet.range}
denied-peer-ip=${myData.tailscale_subnet.range}
'';
};
@ -419,7 +352,7 @@ in {
admin_contact = "motiejus@jakstys.lt";
enable_registration = false;
report_stats = true;
signing_key_path = "/run/matrix-synapse/jakstys.lt.signing.key";
signing_key_path = "/run/matrix-synapse/jakstys_lt_signing_key";
extraConfigFiles = ["/run/matrix-synapse/secrets.yaml"];
log_config = pkgs.writeText "log.config" ''
version: 1
@ -509,13 +442,13 @@ in {
"127.0.0.1/8"
"[::ffff:127.0.0.0]/104"
"[::1]/128"
tailscale_subnet.cidr
myData.tailscale_subnet.cidr
];
hostname = "${config.networking.hostName}.${config.networking.domain}";
relayHost = "smtp.sendgrid.net";
relayPort = 587;
mapFiles = {
sasl_passwd = "/var/src/secrets/postfix/sasl_passwd";
sasl_passwd = config.age.secrets.sasl-passwd.path;
};
extraConfig = ''
smtp_sasl_auth_enable = yes
@ -549,52 +482,10 @@ in {
blocktime = 900;
whitelist = [
"192.168.0.0/16"
tailscale_subnet.cidr
ips.vno1
myData.tailscale_subnet.cidr
myData.ips.vno1
];
};
knot = let
jakstysLTZone = pkgs.writeText "jakstys.lt.zone" ''
$ORIGIN jakstys.lt.
$TTL 86400
@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023032100 86400 86400 86400 86400)
@ NS ns1.jakstys.lt.
@ NS ns2.jakstys.lt.
@ A ${ips.hel1a}
www A ${ips.hel1a}
ns1 A ${ips.vno1}
ns2 A ${ips.hel1a}
beta A ${ips.hel1a}
turn A ${ips.hel1a}
vpn A ${ips.hel1a}
git A ${ips.hel1a}
auth A ${ips.hel1a}
dl A ${ips.vno1}
fwmine A ${ips.hel1a}
hel1-a A ${ips.hel1a}
vno1 A ${ips.vno1}
recordrecap A ${ips.hel1a}
www.recordrecap A ${ips.hel1a}
@ MX 10 aspmx.l.google.com.
@ MX 20 alt1.aspmx.l.google.com.
@ MX 20 alt2.aspmx.l.google.com.
@ MX 30 aspmx2.googlemail.com.
@ MX 30 aspmx3.googlemail.com.
'';
in {
enable = true;
extraConfig = ''
server:
listen: 0.0.0.0@53
listen: ::@53
version: 42
zone:
- domain: jakstys.lt
file: ${jakstysLTZone}
semantic-checks: on
'';
};
};
networking = {
@ -683,7 +574,7 @@ in {
"${turn_cert_dir}/turn.jakstys.lt.crt"
];
serviceConfig.LoadCredential = [
"static-auth-secret:/var/src/secrets/turn/static-auth-secret"
"static-auth-secret:${config.age.secrets.turn-static-auth-secret.path}"
"tls-key.pem:${turn_cert_dir}/turn.jakstys.lt.key"
"tls-cert.pem:${turn_cert_dir}/turn.jakstys.lt.crt"
];
@ -704,7 +595,7 @@ in {
secretsScript = pkgs.writeShellScript "write-secrets" ''
set -euo pipefail
umask 077
ln -sf ''${CREDENTIALS_DIRECTORY}/jakstys.lt.signing.key /run/matrix-synapse/jakstys.lt.signing.key
ln -sf ''${CREDENTIALS_DIRECTORY}/jakstys_lt_signing_key /run/matrix-synapse/jakstys_lt_signing_key
cat > /run/matrix-synapse/secrets.yaml <<EOF
registration_shared_secret: "$(cat ''${CREDENTIALS_DIRECTORY}/registration_shared_secret)"
macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
@ -714,10 +605,10 @@ in {
in {
serviceConfig.ExecStartPre = ["" secretsScript];
serviceConfig.LoadCredential = [
"jakstys.lt.signing.key:/var/src/secrets/synapse/jakstys.lt.signing.key"
"registration_shared_secret:/var/src/secrets/synapse/registration_shared_secret"
"macaroon_secret_key:/var/src/secrets/synapse/macaroon_secret_key"
"turn_shared_secret:/var/src/secrets/turn/static-auth-secret"
"jakstys_lt_signing_key:${config.age.secrets.synapse-jakstys-signing-key.path}"
"registration_shared_secret:${config.age.secrets.synapse-registration-shared-secret.path}"
"macaroon_secret_key:${config.age.secrets.synapse-macaroon-secret-key.path}"
"turn_shared_secret:${config.age.secrets.turn-static-auth-secret.path}"
];
};
@ -784,7 +675,4 @@ in {
};
};
};
# Do not change
system.stateVersion = "22.11";
}

View File

@ -1,41 +0,0 @@
borgbackup-password: ENC[AES256_GCM,data:igLuxWZujydxdJO8Qt7sIOhIT9SqOkCvjw==,iv:pHk2V/VBb/HzHGieHyL4KY1RpmN6bqjjSDuTTnsH4bM=,tag:36aSlD6zY3AXE5X9ejs6CA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1wxwfy32jwskgzudzc8kvvx4uya5kr6lc5vp03y07ly0wpe3jk9gqqree6q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNldGbmdndDJSclV5TFJ2
aVNhR3hlSEdiaGVBVk5ReTN3TmM0ckNFNVZJCmtmdkdyT0ZBNUVmemNvaFlaMnda
eXBpdEtDNFlNNkdBNVQxSloxc0dMcVUKLS0tIDZWZ3lvTWYzUHBxd3ZOa3UyREY5
YmdScHFndG1leTl0VFo0dzh2SjhZTU0Kp3aiUTvTWMzw6y+D0ELT9BE4enrJAVDD
1c0TvbFwDAJI3KB8T/Mz23qerExtZZQeCnm9zQKd+NsSKZCf52JEkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-06T20:01:44Z"
mac: ENC[AES256_GCM,data:PRjs8bZ/DGGlfDjRexvImDdAuE/W74HPa+KdQtE1Qktu6nz1cqlFy8a+CiA/mw+Y3P4NntzXHxU30sONrZWXA+n5RXAn8kMgpOYzRWqZWn0zzIyfhZ9+jPmP7uLpJWGZIEayw8NRfHGthDb7SLTnM9OpbkIP9dl4NgMSvn0A2MA=,iv:ma2ekXqtJGlTE2lAIw9YapvtXns/P1BwSgj+Ly4W+gE=,tag:z/ypCNkpdi2B1BFoZx5Jyw==,type:str]
pgp:
- created_at: "2023-04-05T19:33:35Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAznIq2pQRYaoARAApA2PMariUuuZ5D+XKf2W8od3oaTzGH9ttu6u7jNg2lqX
3Ov1jbvUhT+stH5+DjbeApxxRJPcxMa3cA8g8907b3MagtyJYfxYJbqRNur2kOfy
o4VlogFPTTIeeDP9hexX8p6jHC/lXPcT65B8Puj5NbTbitK9pP2RCQnvBG5vm2bB
g+d4xiVfhtkt6Wv+m3oBdXO6mLn2tsakBEfseGJuovNpFd469ym9pqP0UpMEWtMy
ezODZEbKsxvdUA+pa0wbTo5cQ+G5Pe2BjxNjfO2i4QgEPW5bCkeYDjN5uN9OgnxG
zCMrr/PGrLDfebxU0YJqqkfLtmwgJpYKFNuwa6eLG7aOi3ahEsS9WUzLF/7nuTky
p1+tOa6VRtQ1nTO0cV3XX9F6Pq/mtp5oozQUBhTzRndpO6Ju7luqzjNEvlS9ILzf
w+3lxn/1nvwklBt9S9b2OOhf12iGPfoVye3lhXCSo6cNyk6uIs2fW/n7UXTJgG0W
M5Zv5ygXbJwL3SyVaO9moL4ZSvllbwigI4MfSOoAH8P1Tzt/eyrfb3lL282b1N4c
7KuTrWju3ml69QbulcN3Fae8ID+U8plcbpVv5f/v4zW4KPJBIN33D9InFzzwaBDF
m2ESR/nsRMeLpR1StPz3SoPERLQ9PdLIuDp449O+EPgOK26yAvGiO+E4vfGQMpzS
XAEdM3mNnGT8BTgChbPK+Khx0U0kJc2s9OjmW2aGEHNLeiPWcaj02EQ13rtH5q3c
YFXzo8Ymlg3YEemwBY9LNVfGXmNUEgI8FYlh2mFwAwv3IdCjW7JsCwwsPE8C
=KfCh
-----END PGP MESSAGE-----
fp: 5F6B7A8A92A260A437049BEB6F133A0C1C2848D7
unencrypted_suffix: _unencrypted
version: 3.7.3

View File

@ -33,5 +33,4 @@
boot.loader.grub.devices = [
"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_9233346"
];
users.users.root.initialHashedPassword = "$6$oXLEcliXQJloPkrW$Or3O2tLdpLMs4s4gyn2hJlvMjm0S7zLlFlQCOx.S3fdLKxyFjQFaLhPZXJPluZ7iYrB65JSdT0ESluFwgJwLi.";
}

View File

@ -9,11 +9,9 @@ in {
mj = {
stateVersion = "23.05";
timeZone = "UTC";
stubPasswords = true;
};
users.users.vm.isSystemUser = true;
users.users.vm.initialPassword = "test";
environment = {
systemPackages = with pkgs; [
tmux
@ -24,6 +22,7 @@ in {
services = {
nsd = {
enable = true;
interfaces = [ "0.0.0.0" "::" ];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
};

View File

@ -1,27 +0,0 @@
let
krops = builtins.fetchGit {
url = "https://cgit.krebsco.de/krops/";
};
lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};
source = lib.evalSource [
{
nixpkgs.symlink = "/root/.nix-defexpr/channels/nixos";
nixos-config.file = toString ./configuration.nix;
secrets.pass = {
dir = toString ./secrets;
name = "hel1-a";
};
}
];
in {
hel1a = pkgs.krops.writeDeploy "deploy-hel1a" {
source = source;
target =
lib.mkTarget "motiejus@hel1-a.jakstys.lt"
// {
sudo = true;
};
};
}

135
modules/base/default.nix Normal file
View File

@ -0,0 +1,135 @@
{
config,
myData,
lib,
pkgs,
...
}: {
imports = [
./sshd
./initrd
];
options.mj = {
stateVersion = lib.mkOption {
type = lib.types.str;
example = "22.11";
description = "The NixOS state version to use for this system";
};
timeZone = lib.mkOption {
type = lib.types.str;
example = "Europe/Vilnius";
description = "Time zone for this system";
};
stubPasswords = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
config = {
time.timeZone = config.mj.timeZone;
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"lt_LT.UTF-8/UTF-8"
];
};
nix.settings.experimental-features = ["nix-command" "flakes"];
system.stateVersion = config.mj.stateVersion;
security = {
sudo = {
wheelNeedsPassword = false;
execWheelOnly = true;
};
};
users = let
withPasswordFile = file: attrs: (if config.mj.stubPasswords then {
initialPassword = "live";
} else {
passwordFile = file;
}) // attrs;
in {
mutableUsers = false;
users = {
motiejus = withPasswordFile config.age.secrets.motiejus-passwd-hash.path {
isNormalUser = true;
extraGroups = ["wheel"];
uid = 1000;
openssh.authorizedKeys.keys = [myData.ssh_pubkeys.motiejus];
};
root = withPasswordFile config.age.secrets.root-passwd-hash.path { };
};
};
environment = {
systemPackages = with pkgs; [
jc # parse different formats and command outputs to json
jq # parse, format and query json documents
pv # pipe viewer for progressbars in pipes
bat # "bat - cat with wings", cat|less with language highlight
duf # nice disk usage output
file # file duh
host # look up host info
tree # tree duh
lsof # lsof yay
rage # encrypt-decrypt
#ncdu # disk usage navigator
pwgen
sqlite
direnv
ripgrep
vimv-rs
nix-top # nix-top is a top for what nix is doing
binutils
moreutils
unixtools.xxd
# networking
dig
nmap
wget
curl
whois
ipset
testssl
dnsutils
speedtest-cli
prettyping
(runCommand "prettyping-pp" {} ''
mkdir -p $out/bin
ln -s ${prettyping}/bin/prettyping $out/bin/pp
'')
# compression/decompression
xz
pigz
zstd
p7zip
brotli
zopfli
];
variables = {
EDITOR = "nvim";
};
};
programs = {
mtr.enable = true;
neovim = {
enable = true;
defaultEditor = true;
};
};
};
}

View File

@ -0,0 +1,31 @@
{
config,
lib,
...
}: {
options.mj.base.initrd = {
enable = lib.mkEnableOption "Enable base initrd settings";
hostKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "ssh private key for use in initrd.";
};
authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = lib.mdDoc "Authorized keys for the root user on initrd.";
};
};
config = lib.mkIf config.mj.base.initrd.enable {
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 22;
authorizedKeys = config.mj.base.initrd.authorizedKeys;
hostKeys = config.mj.base.initrd.hostKeys;
};
};
};
}

View File

@ -0,0 +1,18 @@
{
config,
lib,
myData,
...
}: {
config = {
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
programs.mosh.enable = true;
programs.ssh.knownHosts = myData.systems;
};
}

6
modules/default.nix Normal file
View File

@ -0,0 +1,6 @@
{...}: {
imports = [
./base
./services
];
}

View File

@ -0,0 +1,9 @@
{
config,
lib,
pkgs,
...
}: {
imports = [
];
}

18
secrets.nix Normal file
View File

@ -0,0 +1,18 @@
let
motiejus_yk1 = "age1yubikey1qtwmhf7h7ljs3dyx06wyzme4st6w4calkdpmsxgpxc9t2cldezvasd6n8wg";
motiejus_bk1 = "age1kyehn8yr9tfu3w0z4d9p9qrj0tjjh92ljxmz2nyr6xnm7y8kpv5spwwc9n";
motiejus = [motiejus_yk1 motiejus_bk1];
hel1-a = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
systems = [hel1-a];
in {
"secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/postfix/sasl_passwd.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/hel1-a/synapse/macaroon_secret_key.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a] ++ motiejus;
"secrets/root_passwd_hash.age".publicKeys = [hel1-a] ++ motiejus;
}

View File

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg yV3BxKKBmsDJJDpTbTpW8ZQBEw1dzsAZcEhlcr1efwA
WPG4olU+AEQOPOXCGVYyN9J/h5jItJkQilUr5x/3UqQ
-> X25519 k28YknTZR1ETWY1PhXwmRv/rAmvsL0YVzV5/x2qHGX0
ooqcWrdQ4gBxq6Y0WNVr41NJFarC5g+3xZDdo1NKooo
-> piv-p256 +y2G/w AlBGJoImuKrcEvQCLwk8NJX+YwzpaTSX7rT01NAbYp6f
ihlhk5+itPJ3skH/4Rkx+Taq+JboQ0s+6My86WSaCmg
-> c-grease
1P4Pqguo6ZtYcXzdDQVm26RGywukVnkR0Mnk/lzXkjtr4Sk
--- xMODuPBdbFKgzh1mWly/CGFwUFA/10L1z3EQiDDNYD0
ïP8<EFBFBD><J]q¤í­§“5ZÅ9 tÐÈ©Ä€<C384>ÇÐO„Î<<E28093> (à{ØÐ-àÚaÇ6{«ª‡Æê

View File

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg b1Zx1w3fzcOwPX6PPgXEGP9fNMu2G+9GP21ozLAdpFw
H9WBB2lD83ZaU7EeNBjH3FmAMcArO/58IvMltFCI+R0
-> X25519 eHDSOyattfnleSYopf54sbh0ZBsJkBYHTwKiIrAIoHo
Zq3Ic+MuhT8apWBXFSvipCGMIpgi0VD3cogXSqXUKQA
-> piv-p256 +y2G/w Ay1FiQ7KMDPuGVc1JM0IQGf5Nuf+veaeO2V9TnxGE0Zt
agLLHpBgOM+hQSci8S/nKlMa5EMsAQhQaOc2XET7dx4
-> pI8`h-grease Y}P!N p[
7ecvACao/g
--- udtUjLi1oDBLTDbEm/jD2T43Vd8uCPXIVBDhVaL0CVU
b•ô5Î/íbÏ ¶Ó½¬ŽïØÿÁ±×Õã< ¿Ü‚Z_“´Éô5,Ú=J^ÑNÉ<4E>£;B—ÃÄãaıùðQñåkÒͧû—¶wOÂN8\̘°Žn¼(w:ó*>¬8¸€§3«ð0VÓôA¾'P<>~ÌšœblÒ,רÔ
7

View File

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg FDCOq/6TT4MiTydElRtbJYGQkf5Dp9Rz+pGJbGNyEUk
w3FZziEXQZdhesTjJ1klAHoIOSKdgXBwBoLys60BjJE
-> X25519 RzOTSjA6boL+kwZ4F7TZkuzhP8HIXNDzIfM3tgLAURw
ThbibWPRI3F1PwlXls96SDeTMLpUau/freOw/rCdadE
-> piv-p256 +y2G/w ArbH4qK3h6v1FmARFCMivDuJ8zeA85sP6NrpPDuiI8se
zskm+i/Ox8DlhZplggvBBN3Nb9mEIsgcLsNR1/hejoY
-> n.bS-grease .8*'{}4t
/QdO2N7yjPjur3KSMV/Se/hASwhzjPXbz+wlI6UbJnxkbmSer+wdg9nYMbBtINU7
aHsmE/Sm1fWeLKP7T4RvftqJtLZWDkn6BG4PA6sxqzQV
--- IU8CbpKKUO1yxNKrOSwKDZ7thZ3D4CKjA1H6N/Fw+fs
<*qL3â,ý@øOô<4F>AM‡b‡ÿâ=jn1âQبizn†¨ž3áeñmQ!:oÀÙó1ä­¹\=mnªG „æ×ÊaçM>TÍ¥å¤Áð fNŒSÕäy

View File

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg 99J07yNSb9UAfoiGi3ABFV6M4xl3iApYRv1HGNdQgT8
LBMxQ+eAizZ2nWVQyD7lOzJfe8+3wPv+vNgxw/WEKk0
-> X25519 FLS0fXs2R32jedMkvavMYoc+pZBfaOPfkm1qCc+RJjY
g9YlhVMu2DZ5GjBXCF51g0VY8STp0wbMI+lS0GQ4k2o
-> piv-p256 +y2G/w A9bUaREVnU6o1QAyqaCs5y5T+jQHbYvQQqOs8NRAe7mQ
8Z3p5ZpyI3O1peY8E6OGUyMUONlMEVDrfOVLMcJhzeY
-> L?a5-grease
A0lbHu5aBHSBIrwMz+QG4Mc6m2sEl/Z5TBmTsf1h
--- Df+ap67pp9N2RGb9OCkd5gVogMfXXqSJPeHMNk98TdU
¿·5åršâÍÍòL÷ó÷Ù(ü<>ä<EFBFBD>uZ¼bœÒ{;ØÚV8Ah˜`íh sPé--µÛuuª¥ÁJ¿ü)XwX6É"ªºüü<C3BC>èTd¨ànm°*bi°<1C>&)Æ<>ÖK

Binary file not shown.

View File

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg DGNmUpEoo4KB2XQG7bOC9m81RHSK19Rg/UKzXVV4oRI
WWrASGb+TwRmVW57v/CjhHvkwbJ8N6JFKuzEgSnujzk
-> X25519 m9VcMyeq72eZJWl9DU6W5Tg/fPthO6mjyevoAgtG4CU
x7rBS+gYeM0vZ/ZBV9O9wpoW3x+RX9D4xkfCJ4ddBfg
-> piv-p256 +y2G/w A+q8rvVRfAP/PjfCtRFhvX7FmtYMeIjucSbQKU0o9Shx
k9uFNzhWZQfaMKUx6nXiKXf9fVFrE4y6ybmnXpeiblk
-> 3">;=-grease
wEXSvaFLu5VvuoelMWG1GMyGnHIEkBo
--- pTNrYbbGlOhK7RhK1VkzaNoCcEMa/e5pYwxSf5/sIj8
W-¼ƒPâH'­<>µ[²À@æèæÄé-“æx<C3A6>ÃÎéWôÄ
`pñÏ tÌ4<™

2
secrets/motiejus_bk1.pub.txt Executable file
View File

@ -0,0 +1,2 @@
# created: 2023-04-08T13:24:01Z
# public key: age1kyehn8yr9tfu3w0z4d9p9qrj0tjjh92ljxmz2nyr6xnm7y8kpv5spwwc9n

Binary file not shown.

View File

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 vDjOfg khtSufKQJkOUzpMxwhDgxqumAGCeFc/n1X3onrS6Gzw
qGIW0wJmOxMqLNzKzm7jOxBXwInU52l63Rsk2q48srw
-> X25519 bsbdwq/bgJJZITDid5cEvLTs6qRBpMhYGREnecMbuTw
YsIPaszuaxNx3hDFkvTR9sNhMBnVrWiaQkig9F/3lS4
-> piv-p256 +y2G/w AuO3mkk1M4svQFyyOVt5JyDJHUKtBmUJVaWQ/fENJ6jA
0A2qkDLeKMS0zCTHRkqrGmDj3GkBeWfeFNd8FZpzviw
-> 3ZriuP-grease nfB3p3"V m
9pCGB1gfXUQwKgGkvSSeai6scEUhso9ibWwALW5b2erPGzB5hmZaHyhFE3tEn68
--- NqN1QH25TJMyVgJn/6iLUrfEMBL3iJzJIemJpH2hOfE
N<>A¸ÿF<C3BF>¡Lâ8Ÿ}–ï³ÂÏÍýON_2NôIj$¨>‡5F³
f4#Šçüp<C3BC>þŒ h´Á{;5@PÔ&E<>¼êÊsZGƒRK<52>õ°Ú“C~?éŽ?:Q¯öd(IS}j@B¦OKy¢í1AØAèôÉ“ÀX‡ýYG—Rô‰òNE¯

Binary file not shown.