diff --git a/docs/setup-no-usb.sh b/docs/setup-no-usb.sh
new file mode 100755
index 00000000..60ff20cc
--- /dev/null
+++ b/docs/setup-no-usb.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+pushd /etc/nixos/git
+
+# Home-Manager Setup
+echo ">>> Setting up Home Manager..... "
+sudo mkdir /nix/var/nix/profiles/per-user/albert
+
+# For some reason the syncthing folder takes this over and makes it owned by root
+sudo mkdir /home/albert/.config
+sudo chown albert:albert /home/albert/.config
+sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
+home-manager switch -b backup --flake /etc/nixos/git
+source ~/.bashrc
+
+# Import and trust the GPG key
+echo ">>> Setting up user GPG key..... "
+gpg --import ~/privkey.asc
+echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
+
+# Setup SOPS
+echo "Setting up SOPS keys..... "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!! Copy this signature to .sops.yaml: "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+
+# Currently only RSA keys are allowed
+sudo ssh-to-pgp \
+    -comment "Generated `date +%Y.%m.%d`" \
+    -email "root@`hostname`" \
+    -i /etc/ssh/ssh_host_rsa_key \
+    -o /etc/nixos/git/keys/hosts/$(hostname).asc
+
+# Set up ssh keys
+echo ">>> Setting up SSH Keys..... "
+ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
+echo "" >> ./keys/ssh/keys.txt
+echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
+cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
+
+# echo ">>> Setting up Distributed Build SSH Keys..... "
+# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
+# echo "" >> ./keys/ssh/builder-keys.txt
+# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
+# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
+
+# Add all changes to git and and push
+echo ">>> Pushing to git..... "
+git add keys/hosts/`hostname`.asc
+git commit -am "Setup: `hostname`"
+git push
+
+echo
+echo
+echo ">>> Complete. Once '.sops.yaml' is updated, "
+echo ">>> run 'update-secrets' and reboot."
+echo
+echo
+echo ">>> Reminder: Upload these changes to git"
+
+popd
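Review bot: The script sets no `set -euo pipefail`, so a failed `home-manager switch`, `gpg --import` or `sudo ssh-to-pgp` does not stop it, and the closing `git commit -am` / `git push` still runs and publishes whatever happens to be in the tree (`-am` also sweeps up unrelated tracked changes, not just the new key file). Add `set -euo pipefail` directly after the shebang, and prefer `$(hostname)` / `$(date)` over the backtick substitutions so quoting stays predictable. After `gpg --import ~/privkey.asc` the private key file is left in the home directory; once the import succeeds it should be removed (`shred -u ~/privkey.asc`), or at least a comment should state that the operator is expected to delete it. `sudo ssh-to-pgp -o /etc/nixos/git/keys/hosts/$(hostname).asc` writes a root-owned file into the user's checkout, which is worth noting in a comment since the later `git add` runs as the unprivileged user.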
diff --git a/nixos/hosts/milan-linode-01/default.nix b/nixos/hosts/milan-linode-01/default.nix
new file mode 100644
index 00000000..e15899b5
--- /dev/null
+++ b/nixos/hosts/milan-linode-01/default.nix
@@ -0,0 +1,42 @@
+{ lib, modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ../../common/services/tailscale-autoconnect.nix
+    ../../common/services/podman.nix
+    ./firewall.nix
+    ./podman/derp.nix
+  ];
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enable LISH
+  boot.kernelParams = [ "console=ttyS0,19200n8" ];
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial
+  '';
+
+  boot.loader.grub.forceInstall = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.timeout = 10;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];
+
+  # Distributed Builds
+  nix.distributedBuilds = true;
+
+  networking.useDHCP = lib.mkDefault true;
+  time.timeZone = "Europe/Rome";
+  networking.hostName = "milan-linode-01";
+
+  services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+}
diff --git a/nixos/hosts/milan-linode-01/firewall.nix b/nixos/hosts/milan-linode-01/firewall.nix
new file mode 100644
index 00000000..6152094c
--- /dev/null
+++ b/nixos/hosts/milan-linode-01/firewall.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        1443 # Headscale DERP (tcp)
+      ];
+      allowedUDPPorts = [
+        3478 # Headscale DERP (udp)
+      ];
+    };
+  };
+}
diff --git a/nixos/hosts/milan-linode-01/podman/derp.nix b/nixos/hosts/milan-linode-01/podman/derp.nix
new file mode 100644
index 00000000..02c29a82
--- /dev/null
+++ b/nixos/hosts/milan-linode-01/podman/derp.nix
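Review bot: `services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];` makes this host an exit node, but nothing in this file enables IP forwarding, which Tailscale requires on Linux before exit-node traffic can pass; if `../../common/services/tailscale-autoconnect.nix` already sets `boot.kernel.sysctl."net.ipv4.ip_forward"` and `"net.ipv6.conf.all.forwarding"`, a comment next to the flag saying so would save the next reader a search, otherwise they belong here. Likewise `nix.distributedBuilds = true;` does nothing on its own without `nix.buildMachines`, which is not defined in this file — presumably it comes from a common module, so a one-line comment under `# Distributed Builds` stating where the machines are declared would make the intent clear.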
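Review bot: The port comments in firewall.nix say what is opened but not why it is safe to duplicate here: these are the same `3478/udp` and `1443/tcp` that `./podman/derp.nix` publishes via `ports`, and on rootful Podman the published-port DNAT rules are typically inserted ahead of the NixOS `INPUT` filter, so these entries most likely document the exposure rather than gate it — worth confirming on the host with the ruleset after a switch. A comment such as `# Mirrors the ports published in ./podman/derp.nix; keep both in sync` on the `allowedTCPPorts` line would tie the two files together. Whatever else this host accepts (SSH, the Tailscale interface) is not visible in this file and presumably comes from the common modules.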
@@ -0,0 +1,76 @@
+# Auto-generated using compose2nix v0.1.7.
+{ pkgs, lib, ... }: {
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      ''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+    ];
+  };
+
+  # Containers
+  virtualisation.oci-containers.containers."headscale-derp" = {
+    image = "fredliang/derper";
+    environment = {
+      DERP_ADDR = ":1443";
+      DERP_CERT_DIR = "/app/certs";
+      DERP_CERT_MODE = "manual";
+      DERP_DOMAIN = "milan.sysctl.io";
+      DERP_STUN = "true";
+    };
+    volumes = [
+      "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
+      "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
+    ];
+    ports = [
+      "3478:3478/udp"
+      "1443:1443/tcp"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=headscale-derp"
+      "--network=headscale-default"
+    ];
+  };
+  systemd.services."podman-headscale-derp" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 500 "always";
+    };
+    after = [
+      "podman-network-headscale-default.service"
+    ];
+    requires = [
+      "podman-network-headscale-default.service"
+    ];
+    partOf = [
+      "podman-compose-headscale-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-headscale-root.target"
+    ];
+  };
+
+  # Networks
+  systemd.services."podman-network-headscale-default" = {
+    path = [ pkgs.podman ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
+    };
+    script = ''
+      podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
+    '';
+    partOf = [ "podman-compose-headscale-root.target" ];
+    wantedBy = [ "podman-compose-headscale-root.target" ];
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."podman-compose-headscale-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}
diff --git a/secrets/hosts/milan-linode-01.yaml b/secrets/hosts/milan-linode-01.yaml
new file mode 100644
index 00000000..9babe2c7
--- /dev/null
+++ b/secrets/hosts/milan-linode-01.yaml
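Review bot: Both `volumes` entries put a shell glob (`*.sysctl.io.crt`, `*.sysctl.io.key`) in the host path, but oci-containers hands each entry to `podman run -v` as a single quoted argument, so the `*` is never expanded and the bind source is the literal path — unless the files on disk really are named `*.sysctl.io.crt`, the container will see a missing or empty cert and derper will fail to serve TLS. Replace the glob with the actual filename (or have the rsync step symlink the current cert and key to fixed names) so the mount is deterministic. Separately, derper's `manual` cert mode is documented as loading `<DERP_DOMAIN>.crt`/`.key` from the cert dir, so mounting them as `sysctl.io.crt` while `DERP_DOMAIN = "milan.sysctl.io"` may not be found either — verify how the `fredliang/derper` image resolves this before relying on it. The nightly root cron job also copies the TLS private key from `framework-server` onto this internet-facing VPS; a comment stating that this is intended, and that the key being copied appears to cover the whole `sysctl.io` zone, would help whoever maintains this next.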
@@ -0,0 +1,52 @@ +tailscale_key: ENC[AES256_GCM,data:lLkJCQNwwxU/WjxoGU7ct+g7LZAQO8qqb0hyZ0FjxT4xxqQ3yEsoIdyQyHSdJCr1,iv:swAusP1KOcTiygdsFMhWN0F7GBTpnYEXbPJz2a57L+A=,tag:7266P5Cg8/6z+9QRYs4EWg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-03-15T01:25:40Z" + mac: ENC[AES256_GCM,data:lQZb0Z3mtaft4rP1R+qkYZhwGQLTfbWne8+OEUA46aCX6/5YBkhX3spmwnVDBTyLp6gRQg1Hq2Z2+2pmdO9O6Y4rk3b/sqiCEMIcwdunsJW+LgEYJbiu/paPAAgqfzdbQHRuSWaKW4V3NAU6DyJU4jds7AHHKzu/xqifE+Mwo2g=,iv:g6HE9jeRad5GPueNDF99///L4JTjOi0GC5M4DvYHqug=,tag:XhefHm8CWlUybKYa7jAepw==,type:str] + pgp: + - created_at: "2024-01-12T07:55:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAx+imH9kwOLOAQ//SM6c03A1jj5DzlULOz4aJmTn5pSY7KSaYcWq5sCHDDJH + oVPVzCqCGCPNeWArjMn5O5UCGTcryMWPiJRoN30picZylClVbzWgJlzZA8zxtLV+ + jGSr0M4vjKtukq+OyoW5xTzLGEaV1iAiltrPOrMVapZFlCJD2thMeQzR7RjTBQsQ + dwbuqoAWG5lXVusvHZTAmZUKee4IKWXxvt4apLC3mPITaZTKdEBY4eJnlWe3rbKp + 1m+nGLgLmt+sU+nOkKJnx0lL7A5E4mdBC926YV75Rpi8a+bBbveVrqp3gxZY+7tM + aI8mXwPs4OH+Om8ZzKG9UZ4RuqepPzIvY5frB+py8I7sIq73qCeWVC4WWyG3nOaW + pAjGnilODoisxQp+SivxEZRw7mWTxsATin27eB676sFDGutfE9WdOw9AGvTArxTU + 1gK31mRg9+GTAOFKBly1t1LsZWbNVdwFN9JVwdRZC1MEwRAsc0LMPS0SVLlM+FZP + pWIn03Bzd5B5Ey/IkJOpQWZagVi/rPSQqa5yGowWCMR1bjwhO1dYdp2eqSf3PVks + nkhnokqxHVx68yWWA+8gjZq4tIgZ5xx0TL/+PgiqoziEY13M21POV4/ktpUfGjTp + RGiZaIqHV97GEugzRges39RPhfnvjCzLpz4k0Bs+1PiXSiz1MeBgbFPh5fT7M9TS + WAG2s6kvu9M5F0qsLuep88/9CuoSgQR08jWRXSBw2Y1sqS12Zhq1oXdB5N+tg9Aa + MlDB+No1kKdeD+0jLAzvJpKSg+5oZAvXl25rb0vuv9bHeptHyQ5FwUo= + =77Xf + -----END PGP MESSAGE----- + fp: D98BBC6C9A27324654C2D8C464F6C4EB46C4543A + - created_at: "2024-01-12T07:55:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA/L/g1KZjaf6AQ//R84Jf7oh77tFtbq+7wMRXnYNyPcDKztkOYxhUITgtvYc + yV44ZGpJSA1miG5bXfVMqNh2Qmz/pn/ACNLmdEoK8L6y/7LRj2FUWcWUGiII+tJn + LgBhcKu8cbJnya5Mma1F1trAdhUcOmpB50RqMXxo8aaAr/tWNC82aQQmj+kLfHoz + rfkCMBC0/9ZE9An9A6wNdCPchiPY/m91eM9U7Zy+Ig3O0UG4oQJc7aJtWUy2lAL1 + 
Cq87prhJKjOG8mYZoTJuOD2e8l2by91Pf2j5zInHnRtIfkAa5urJDq+YbCEX9fRV + z7tOw51wEOMgLN9CvJX2O4nCKj+WsHlwPQan5bRv8oNKEZc0Mooy3YFEbcW3uNrJ + 1HXfyfCDKe/XEUwveAwuwWn5udCbBrSMs/idT1INzDrN9J7icAlIh98m0fCvVqzK + VjiDwI1EEAPV7JSstC/Ncg3nErLBsWSntWDlZ4+IYl6SZKkDG0FXGzNzhi3tzGP2 + LprK6S1h4x5XtX2Rrh0aecg8XFgphjmijkh6X/gOOi4b9PBus7aTQAqgvCx9ZkcZ + GbGUzQ5t2LPZftZe+L6VLNXu628URyGrF+h8sk7sVmEfz4lAVe2zpud7Zu1sf+VE + ZhoNAVhW8dKfVLK9/ylkPrFmZsFgHK800UcbnDVWat+pkhQtRJzkG7VLZ14lRgzS + WAH4oLimWabMHvNobkRPnXOytU99IbnaPskdPbUuJAv5BvWWmOpzfImbYG8LwdbH + SHCxRI+uz3+BRO2mQrRDyVmOy4VaEE1/21mevnUQHj9XLgAS3HiOdFA= + =5dIp + -----END PGP MESSAGE----- + fp: 5f548d87ab2b8a4d48d80da3f2ff8352998da7fa + unencrypted_suffix: _unencrypted + version: 3.8.1