From e8385810668628b16f0fb4bc690c7233cffccd4d Mon Sep 17 00:00:00 2001
From: self
Date: Sun, 2 Jul 2023 00:24:38 -0700
Subject: [PATCH] add "more" host to awful.systems cluster

---
.sops.yaml | 2 ++
hardware/hetzner-cloud/cpx31.nix | 28 ++++++++++++++++++
.../cx21.nix} | 4 +--
hardware/hostnames.nix | 8 +++++
hardware/shared.nix | 11 +++++--
hosts/more/configuration.nix | 11 +++++++
secrets/keys/default.nix | 1 -
secrets/keys/git.nix | 7 +++++
secrets/secrets.yaml | 29 ++++++++++++-------
9 files changed, 84 insertions(+), 17 deletions(-)
create mode 100644 hardware/hetzner-cloud/cpx31.nix
rename hardware/{hetzner-cloud.nix => hetzner-cloud/cx21.nix} (84%)
create mode 100644 hardware/hostnames.nix
create mode 100644 hosts/more/configuration.nix
create mode 100644 secrets/keys/git.nix

diff --git a/.sops.yaml b/.sops.yaml
index f900e95..4aba98f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,11 @@
keys:
- &admin_self age1ykfwuq666clqzxk4vjyjhtk29h7s3ztcu4ewfwgrq9kaxrmeapdqw0ec85
- &host_these age1qwdxl2jdwu2feee4ttlhr06682026gftt9n6cw9n6yxjsr2vzy7se389re
+ - &host_more age19us4npj5aw2wcfglxzt5l2aemc8n79k6chfflmfjk2h40y37p9aspwmumc
creation_rules:
- path_regex: secrets/[^/]+.yaml$
key_groups:
- age:
- *admin_self
- *host_these
+ - *host_more
diff --git a/hardware/hetzner-cloud/cpx31.nix b/hardware/hetzner-cloud/cpx31.nix
new file mode 100644
index 0000000..ce00fc0
--- /dev/null
+++ b/hardware/hetzner-cloud/cpx31.nix
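Review bot: The `host_more` key is appended to the single creation rule matching `secrets/[^/]+.yaml$`, so the new host can decrypt every secrets file under secrets/, not only what it needs; the re-keyed secrets.yaml hunk later in the patch shows the one data key now wrapped for all three recipients. If any of those secrets are specific to `these`, a per-host file and rule would limit what a compromised `more` host key exposes, e.g. a second rule `- path_regex: secrets/more\.yaml$` (constructed example) listing only `*admin_self` and `*host_more`. If everything in secrets.yaml is genuinely cluster-wide this is fine as is, but a comment on the rule saying so would save the next reader the question.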
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ../shared.nix ];
+
+ boot.initrd.availableKernelModules =
+ [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ # boot off an LVM pool named NixOS and lv named System
+ fileSystems."/" = {
+ device = "/dev/NixOS/System";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ networking.useDHCP = false;
+ networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; # public IP
+ networking.interfaces.enp7s0.useDHCP =
+ lib.mkDefault true; # first internal network
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hardware/hetzner-cloud.nix b/hardware/hetzner-cloud/cx21.nix
similarity index 84%
rename from hardware/hetzner-cloud.nix
rename to hardware/hetzner-cloud/cx21.nix
index e4c3bd3..a777c08 100644
--- a/hardware/hetzner-cloud.nix
+++ b/hardware/hetzner-cloud/cx21.nix
@@ -1,7 +1,7 @@
{ config, lib, pkgs, modulesPath, ... }:
{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./shared.nix ];
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ../shared.nix ];
boot.initrd.availableKernelModules =
[ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
@@ -15,8 +15,6 @@
swapDevices = [ ];
- time.timeZone = "America/Los_Angeles";
-
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true; # public IP
networking.interfaces.ens10.useDHCP = true; # first internal network
diff --git a/hardware/hostnames.nix b/hardware/hostnames.nix
new file mode 100644
index 0000000..8acc5de
--- /dev/null
+++ b/hardware/hostnames.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.hosts = {
+ "10.0.0.2" = [ "these" ];
+ "10.0.0.4" = [ "more" ];
+ };
+}
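Review bot: cpx31.nix wraps its interface `useDHCP` values in `lib.mkDefault` while the renamed cx21.nix in the same patch keeps plain `true` for `ens3`/`ens10`, so a host-level `networking.interfaces.<name>.useDHCP = false` would be accepted on one hardware profile and fail as a conflicting definition on the other; pick one form for both files. `swapDevices = [ ];` here is merged with the swapfile entry that hardware/shared.nix now declares (NixOS concatenates list options), so the host does get swap; a comment `# swapfile itself is declared in ../shared.nix` would stop a reader taking this line as "no swap". The `boot.loader.grub.devices = [ "/dev/sda" ]` value is a hard-coded assumption about the Hetzner disk name; if that is deliberate for this machine type, the LVM comment above `fileSystems."/"` is the natural place to say so.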
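Review bot: hardware/hostnames.nix has no comment saying which network the `10.0.0.x` addresses belong to or that the right-hand names must agree with each host's `networking.hostName`; presumably this is the Hetzner internal network that the hardware profiles label "first internal network", but that is an inference from the interface comments, not something the file states. Static `networking.hosts` entries are consulted before DNS under the default nsswitch order, so a reassigned address silently sends intra-cluster traffic to the wrong machine — a line such as `# private-network addresses; keep in sync with hosts/*/configuration.nix hostName` would flag that maintenance obligation. The `{ config, lib, pkgs, ... }:` header binds three arguments the module never uses; `{ ... }:` is sufficient.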
diff --git a/hardware/shared.nix b/hardware/shared.nix
index ecf8de3..96bd48f 100644
--- a/hardware/shared.nix
+++ b/hardware/shared.nix
@@ -1,20 +1,25 @@
{ config, lib, pkgs, ... }:
{
- imports = [
- ../secrets/keys
- ];
+ imports = [ ../secrets/keys ./hostnames.nix ];
# Initial empty root password for easy login:
users.users.root.initialHashedPassword = "";
services.openssh.settings.PermitRootLogin = "prohibit-password";
services.openssh.enable = true;
+ time.timeZone = "America/Los_Angeles";
+
nix.gc = { automatic = true; options = "--delete-older-than 5d"; };
+ swapDevices = [{
+ device = "/var/lib/swapfile";
+ size = 4 * 1024;
+ }];
+
environment.systemPackages = [ pkgs.ssh-to-age ];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/hosts/more/configuration.nix b/hosts/more/configuration.nix
new file mode 100644
index 0000000..9913903
--- /dev/null
+++ b/hosts/more/configuration.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ../../hardware/hetzner-cloud/cpx31.nix
+ ../../secrets
+ ../../maint-mode
+ ];
+
+ networking.hostName = "more";
+}
diff --git a/secrets/keys/default.nix b/secrets/keys/default.nix
index e8d6c33..a0adb78 100644
--- a/secrets/keys/default.nix
+++ b/secrets/keys/default.nix
@@ -3,6 +3,5 @@
{
users.users = {
root.openssh.authorizedKeys.keyFiles = [ ./self_id_ed25519.pub ];
- git.openssh.authorizedKeys.keyFiles = [ ./self_id_ed25519.pub ];
};
}
diff --git a/secrets/keys/git.nix b/secrets/keys/git.nix
new file mode 100644
index 0000000..93190b5
--- /dev/null
+++ b/secrets/keys/git.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+ users.users = {
+ git.openssh.authorizedKeys.keyFiles = [ ./self_id_ed25519.pub ];
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 043dc8d..4e2432e 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
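Review bot: The swapfile added to hardware/shared.nix is unencrypted, and whatever consumes the sops-encrypted secrets on these hosts holds the decrypted material in process memory, so anything the kernel pages out can persist on the cloud disk across reboots; NixOS offers `randomEncryption.enable = true;` on a `swapDevices` entry, which keys the swap with a fresh random key each boot (worth confirming it is supported for file-backed swap in the nixpkgs revision in use). `size` is in MiB per the NixOS option, so `size = 4 * 1024; # MiB` would make the 4 GiB intent explicit. `time.timeZone` moved here from the cx21 profile without a priority, so any host that sets its own zone will now hit a conflicting-definition error; `time.timeZone = lib.mkDefault "America/Los_Angeles";` keeps the shared value overridable and matches the `lib.mkDefault` style used in cpx31.nix.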
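Review bot: `{ pkgs, ... }:` in hosts/more/configuration.nix binds `pkgs`, which none of the module's eleven lines use; `{ ... }:` states that the module takes no arguments. The `"more"` hostname does agree with the `10.0.0.4` entry in hardware/hostnames.nix, which is the one cross-file dependency this host introduces and would be worth a short comment next to `networking.hostName`.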
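Review bot: Nothing in this patch imports the new secrets/keys/git.nix: hardware/shared.nix imports `../secrets/keys`, i.e. default.nix, from which the `git` user's authorized key is removed in the preceding hunk, so unless a host configuration outside this diff already imports git.nix the git user silently loses its SSH key on every host — a regression for `these` if that is the host running git. If the intent is that only one host exposes the git user, add `../../secrets/keys/git.nix` to that host's imports in the same commit so the move and its consumer land together. The `{ config, lib, pkgs, ... }:` header binds three unused arguments; `{ ... }:` is enough.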
@@ -13,20 +13,29 @@ sops: - recipient: age1ykfwuq666clqzxk4vjyjhtk29h7s3ztcu4ewfwgrq9kaxrmeapdqw0ec85 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYnNxSFMwUFY5ZmtYSk1k - ZVFLcVNQYXZYbFl0VDhBam1aeGtVTzUrdkhBCjFlTHpQU2ZiRjVhU2dTRmZJZVZL - Z094ZEFzTEFyYlA0eU9GSXFCYWdRckEKLS0tIFpjdHlBMlFYLzZzTVdoekE5eXdU - L3RYL0ZRKzdOMjJLVnJUTVlHaDBEUUkKyvlJ3mcJZ3U9iWIL4YLJDEtUCkz2Kmh2 - 2SF8Tz0gshOL8xBXeaoleXN2sHvnC5PqePvzu6Q8hs8iX81WxY+Nyw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbmdEeEJUakRzY1dLSEFB + Nlh5QlRTdzlCamhLNDZ4bUl4Wm9kUEVrbkNZCmhPSTBsUTk0SHJ5bWhpZktNb2NF + bE83d2UvSk1BZ1JaemlCVkx1UFdTbkEKLS0tIDZMOTZDSWwzWlROWDdhM1hJUE41 + QnVWQUFyVDhNWG5zZUV2Zmg3OHFBSm8Kv//fBjk+O5kH9FlYSB5Sk8nx7rFtcSqN + MSTATQzF+ZqXhS2Ssi6u2eeZDU0INr5u6QoOQO8dD8u98288z0XxXQ== -----END AGE ENCRYPTED FILE----- - recipient: age1qwdxl2jdwu2feee4ttlhr06682026gftt9n6cw9n6yxjsr2vzy7se389re enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhenJvaCszWHpoeUdJWWtY - bTFSY2kxU0dCL2JvMXJQWHdpMGdaT0J4Z0hFCkJUNHVSd1A3MytJb1p3aVE2T0JF - MkgzaDluVXdJV2ZJb2pITVBGTFlNOUkKLS0tIFdCU0V4MFh1elN0ZWEzVS9OcVNI - NlNKT3g5dWlZckM0MTVwNVAzajU0YkEKyY98VzxcSz9NqaBsKV89Wegr+d0ZuzJH - Yt5R1uCjeBHBNW3++qVRf2koWouPpMYa69eDrlRUkL0SkJXVC4QzqQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eXZLOWgvL1daK1hMMTl2 + ZUxrb1RzRlhNU2tUcEN5NDlwLzArRVFZalVjClEybkZaNmlDVS93TG1HN0o3Szdh + ODJFWVd0MjZISFd6TEhsU1NwY283NzAKLS0tIGxhczE1aEtPcFFleHA2aDBKSVdM + OFJWQUJ0bFJ2dEdaK0c1Mkl0Si9RbzAK9uFXgbK1kVTPUP3LcTa0C6oAjHe22HeO + +ng7/moK/4cp+RZojBUl/s7auQ3E9pcj7qp8BFpdplM0ur7+qT/Xcw== + -----END AGE ENCRYPTED FILE----- + - recipient: age19us4npj5aw2wcfglxzt5l2aemc8n79k6chfflmfjk2h40y37p9aspwmumc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWUtpMGtPVUJZZEQ0bEpX + OCtycmlIYWlhOHByR2pvdzNORFpQVGNqd1dVCnhhdEtKWlJrTGNvR3UzZTIyVUZr + WW5jdUVLaUJFdTFPU3pvdTMvcytxckUKLS0tIHAxdTEyZXNOY0dqQWhYYVl2RzJ5 + 
RW13UEl1NEtza2NnTXY4YnFOY1d1QmsKxs+hTpa+s1jaG8T1tPo7FUtkEQA0WZpj + qjgrYGhFpg6dicovfkY6Ksyx4WXgw52GTMQZjyEo6FJObUvSF6TmGg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-06-29T10:57:55Z" mac: ENC[AES256_GCM,data:cV3/ptlgCPM0G62bfxVJCW5xgx0rBsiaClifdFhPdqLbaJ2MpMCbujgw8RbX7RSKpq7tNMIrPaCvAmp5RQETd08FWnQbMjaKy2dDoQefYFspaDrv0atXU5ObXM37EEc2NMUgg/7U/JJPoeqUIBAOTyPA/Uf77HrY02LTxpW2Pwk=,iv:2C3RpLOo1ghkpygw9bWWX3JuSMJy2YHJZbLYJ1yLrmw=,tag:ZoLdrFEmM/ZFXLH1lV9vJA==,type:str] -- 2.44.1