Test
This commit is contained in:
parent
1b5661e22f
commit
1f50fcb028
5 changed files with 247 additions and 0 deletions
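--- /dev/null
+++ b/docs/setup-no-usb.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+pushd /etc/nixos/git
+
+# Home-Manager Setup
+echo ">>> Setting up Home Manager..... "
+sudo mkdir /nix/var/nix/profiles/per-user/albert
+
+# For some reason the syncthing folder takes this over and makes it owned by root
+sudo mkdir /home/albert/.config
+sudo chown albert:albert /home/albert/.config
+sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
+home-manager switch -b backup --flake /etc/nixos/git
+source ~/.bashrc
+
+# Import and trust the GPG key
+echo ">>> Setting up user GPG key..... "
+gpg --import ~/privkey.asc
+echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
+
+# Setup SOPS
+echo "Setting up SOPS keys..... "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!! Copy this signature to .sops.yaml: "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+
+# Currently only RSA keys are allowed
+sudo ssh-to-pgp \
+-comment "Generated `date +%Y.%m.%d`" \
+-email "root@`hostname`" \
+-i /etc/ssh/ssh_host_rsa_key \
+-o /etc/nixos/git/keys/hosts/$(hostname).asc
+
+# Set up ssh keys
+echo ">>> Setting up SSH Keys..... "
+ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
+echo "" >> ./keys/ssh/keys.txt
+echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
+cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
+
+# echo ">>> Setting up Distributed Build SSH Keys..... "
+# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
+# echo "" >> ./keys/ssh/builder-keys.txt
+# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
+# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
+
+# Add all changes to git and and push
+echo ">>> Pushing to git..... "
+git add keys/hosts/`hostname`.asc
+git commit -am "Setup: `hostname`"
+git push
+
+echo
+echo
+echo ">>> Complete. Once '.sops.yaml' is updated, "
+echo ">>> run 'update-secrets' and reboot."
+echo
+echo
+echo ">>> Reminder: Upload these changes to git"
+
+popd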
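Review bot: The script never enables `set -euo pipefail`, so a failed `pushd`, `gpg --import` or `ssh-to-pgp` does not stop it and the later `git commit -am` / `git push` still run against whatever state is on disk; adding `set -euo pipefail` right after the shebang makes every step fatal. The imported private key `~/privkey.asc` is also left on disk after `gpg --import`; consider `shred -u ~/privkey.asc` (or at least `rm -- ~/privkey.asc`) once the import succeeds. `git commit -am` stages every tracked file that happens to be modified in the checkout, not just the key files this script wrote, so `git add keys/ssh/keys.txt` followed by `git commit -m "Setup: $(hostname)"` would keep the commit to what the script produced. The `ssh-keygen -N ""` line creates an unencrypted user key, which may be intentional for an unattended host but deserves a one-line comment saying so.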
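--- /dev/null
+++ b/nixos/hosts/milan-linode-01/default.nix
@@ -0,0 +1,42 @@
+{ lib, modulesPath, ... }: {
+imports = [
+(modulesPath + "/profiles/qemu-guest.nix")
+../../common/services/tailscale-autoconnect.nix
+../../common/services/podman.nix
+./firewall.nix
+./podman/derp.nix
+];
+
+boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+# Enable LISH
+boot.kernelParams = [ "console=ttyS0,19200n8" ];
+boot.loader.grub.extraConfig = ''
+serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+terminal_input serial;
+terminal_output serial
+'';
+
+boot.loader.grub.forceInstall = true;
+boot.loader.grub.device = "nodev";
+boot.loader.timeout = 10;
+
+fileSystems."/" = {
+device = "/dev/disk/by-label/nixos";
+fsType = "ext4";
+};
+
+swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];
+
+# Distributed Builds
+nix.distributedBuilds = true;
+
+networking.useDHCP = lib.mkDefault true;
+time.timeZone = "Europe/Rome";
+networking.hostName = "milan-linode-01";
+
+services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+}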
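Review bot: `services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];` does not by itself enable IP forwarding, so unless the imported `tailscale-autoconnect.nix` (not visible in this commit) takes care of it, clients that pick this exit node will get no traffic through it; the NixOS module's `services.tailscale.useRoutingFeatures = "server";` turns on the `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` sysctls and is the usual companion to that flag. Separately, `nix.distributedBuilds = true;` has no effect without a `nix.buildMachines` list, which this file does not define; if the builders are declared elsewhere a comment pointing there would help, otherwise the option can be dropped. `boot.loader.timeout = 10;` is a long GRUB wait for a headless VPS and presumably exists so the LISH serial console can interrupt boot — a short comment under `# Enable LISH` would make that intent explicit.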
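--- /dev/null
+++ b/nixos/hosts/milan-linode-01/firewall.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+networking = {
+firewall = {
+enable = true;
+allowedTCPPorts = [
+1443 # Headscale DERP (tcp)
+];
+allowedUDPPorts = [
+3478 # Headscale DERP (udp)
+];
+};
+};
+}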
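Review bot: The two port comments say "Headscale DERP" but the listeners on 1443/tcp and 3478/udp are the derper container declared in `podman/derp.nix` (`DERP_ADDR = ":1443"` and its `ports` list), and this file opens them to every source address, so the two files have to be kept in step by hand; a comment such as `# must match DERP_ADDR / ports in podman/derp.nix` on each entry would stop them drifting when one side is changed.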
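--- /dev/null
+++ b/nixos/hosts/milan-linode-01/podman/derp.nix
@@ -0,0 +1,76 @@
+# Auto-generated using compose2nix v0.1.7.
+{ pkgs, lib, ... }: {
+services.cron = {
+enable = true;
+systemCronJobs = [
+''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+];
+};
+
+# Containers
+virtualisation.oci-containers.containers."headscale-derp" = {
+image = "fredliang/derper";
+environment = {
+DERP_ADDR = ":1443";
+DERP_CERT_DIR = "/app/certs";
+DERP_CERT_MODE = "manual";
+DERP_DOMAIN = "milan.sysctl.io";
+DERP_STUN = "true";
+};
+volumes = [
+"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
+"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
+];
+ports = [
+"3478:3478/udp"
+"1443:1443/tcp"
+];
+log-driver = "journald";
+extraOptions = [
+"--network-alias=headscale-derp"
+"--network=headscale-default"
+];
+};
+systemd.services."podman-headscale-derp" = {
+serviceConfig = {
+Restart = lib.mkOverride 500 "always";
+};
+after = [
+"podman-network-headscale-default.service"
+];
+requires = [
+"podman-network-headscale-default.service"
+];
+partOf = [
+"podman-compose-headscale-root.target"
+];
+wantedBy = [
+"podman-compose-headscale-root.target"
+];
+};
+
+# Networks
+systemd.services."podman-network-headscale-default" = {
+path = [ pkgs.podman ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
+};
+script = ''
+podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
+'';
+partOf = [ "podman-compose-headscale-root.target" ];
+wantedBy = [ "podman-compose-headscale-root.target" ];
+};
+
+# Root service
+# When started, this will automatically create all resources and start
+# the containers. When stopped, this will teardown all resources.
+systemd.targets."podman-compose-headscale-root" = {
+unitConfig = {
+Description = "Root target generated by compose2nix.";
+};
+wantedBy = [ "multi-user.target" ];
+};
+}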
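Review bot: The two bind-mount source paths in `volumes` contain a literal `*` (`.../certs/*.sysctl.io.crt` and `.../private/*.sysctl.io.key`); podman does not glob-expand volume sources and the oci-containers module passes them quoted, so unless a file literally named `*.sysctl.io.crt` exists the container will either fail to start or get an empty directory mounted where derper expects a file — spell out the real certificate filename. `image = "fredliang/derper";` carries no tag or digest yet is handed the wildcard `sysctl.io` private key, so any upstream push to that repository silently replaces the binary that holds your TLS key; pin it, e.g. `image = "fredliang/derper@sha256:<digest>";`. Nothing here passes derper's `--verify-clients`, so with 1443/tcp open to the internet the relay will carry traffic for any Tailscale client that learns its address; if the image cannot run next to a local tailscaled for that check, at least document in a comment that the relay is intentionally open. The nightly root `rsync` also copies the whole letsencrypt tree from `framework-server` although this host needs one cert/key pair; narrowing the source path limits what a compromise of this VPS can read via that root SSH trust.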
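--- /dev/null
+++ b/secrets/hosts/milan-linode-01.yaml
@@ -0,0 +1,52 @@
+tailscale_key: ENC[AES256_GCM,data:lLkJCQNwwxU/WjxoGU7ct+g7LZAQO8qqb0hyZ0FjxT4xxqQ3yEsoIdyQyHSdJCr1,iv:swAusP1KOcTiygdsFMhWN0F7GBTpnYEXbPJz2a57L+A=,tag:7266P5Cg8/6z+9QRYs4EWg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age: []
+lastmodified: "2024-03-15T01:25:40Z"
+mac: ENC[AES256_GCM,data:lQZb0Z3mtaft4rP1R+qkYZhwGQLTfbWne8+OEUA46aCX6/5YBkhX3spmwnVDBTyLp6gRQg1Hq2Z2+2pmdO9O6Y4rk3b/sqiCEMIcwdunsJW+LgEYJbiu/paPAAgqfzdbQHRuSWaKW4V3NAU6DyJU4jds7AHHKzu/xqifE+Mwo2g=,iv:g6HE9jeRad5GPueNDF99///L4JTjOi0GC5M4DvYHqug=,tag:XhefHm8CWlUybKYa7jAepw==,type:str]
+pgp:
+- created_at: "2024-01-12T07:55:15Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMAx+imH9kwOLOAQ//SM6c03A1jj5DzlULOz4aJmTn5pSY7KSaYcWq5sCHDDJH
+oVPVzCqCGCPNeWArjMn5O5UCGTcryMWPiJRoN30picZylClVbzWgJlzZA8zxtLV+
+jGSr0M4vjKtukq+OyoW5xTzLGEaV1iAiltrPOrMVapZFlCJD2thMeQzR7RjTBQsQ
+dwbuqoAWG5lXVusvHZTAmZUKee4IKWXxvt4apLC3mPITaZTKdEBY4eJnlWe3rbKp
+1m+nGLgLmt+sU+nOkKJnx0lL7A5E4mdBC926YV75Rpi8a+bBbveVrqp3gxZY+7tM
+aI8mXwPs4OH+Om8ZzKG9UZ4RuqepPzIvY5frB+py8I7sIq73qCeWVC4WWyG3nOaW
+pAjGnilODoisxQp+SivxEZRw7mWTxsATin27eB676sFDGutfE9WdOw9AGvTArxTU
+1gK31mRg9+GTAOFKBly1t1LsZWbNVdwFN9JVwdRZC1MEwRAsc0LMPS0SVLlM+FZP
+pWIn03Bzd5B5Ey/IkJOpQWZagVi/rPSQqa5yGowWCMR1bjwhO1dYdp2eqSf3PVks
+nkhnokqxHVx68yWWA+8gjZq4tIgZ5xx0TL/+PgiqoziEY13M21POV4/ktpUfGjTp
+RGiZaIqHV97GEugzRges39RPhfnvjCzLpz4k0Bs+1PiXSiz1MeBgbFPh5fT7M9TS
+WAG2s6kvu9M5F0qsLuep88/9CuoSgQR08jWRXSBw2Y1sqS12Zhq1oXdB5N+tg9Aa
+MlDB+No1kKdeD+0jLAzvJpKSg+5oZAvXl25rb0vuv9bHeptHyQ5FwUo=
+=77Xf
+-----END PGP MESSAGE-----
+fp: D98BBC6C9A27324654C2D8C464F6C4EB46C4543A
+- created_at: "2024-01-12T07:55:15Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMA/L/g1KZjaf6AQ//R84Jf7oh77tFtbq+7wMRXnYNyPcDKztkOYxhUITgtvYc
+yV44ZGpJSA1miG5bXfVMqNh2Qmz/pn/ACNLmdEoK8L6y/7LRj2FUWcWUGiII+tJn
+LgBhcKu8cbJnya5Mma1F1trAdhUcOmpB50RqMXxo8aaAr/tWNC82aQQmj+kLfHoz
+rfkCMBC0/9ZE9An9A6wNdCPchiPY/m91eM9U7Zy+Ig3O0UG4oQJc7aJtWUy2lAL1
+Cq87prhJKjOG8mYZoTJuOD2e8l2by91Pf2j5zInHnRtIfkAa5urJDq+YbCEX9fRV
+z7tOw51wEOMgLN9CvJX2O4nCKj+WsHlwPQan5bRv8oNKEZc0Mooy3YFEbcW3uNrJ
+1HXfyfCDKe/XEUwveAwuwWn5udCbBrSMs/idT1INzDrN9J7icAlIh98m0fCvVqzK
+VjiDwI1EEAPV7JSstC/Ncg3nErLBsWSntWDlZ4+IYl6SZKkDG0FXGzNzhi3tzGP2
+LprK6S1h4x5XtX2Rrh0aecg8XFgphjmijkh6X/gOOi4b9PBus7aTQAqgvCx9ZkcZ
+GbGUzQ5t2LPZftZe+L6VLNXu628URyGrF+h8sk7sVmEfz4lAVe2zpud7Zu1sf+VE
+ZhoNAVhW8dKfVLK9/ylkPrFmZsFgHK800UcbnDVWat+pkhQtRJzkG7VLZ14lRgzS
+WAH4oLimWabMHvNobkRPnXOytU99IbnaPskdPbUuJAv5BvWWmOpzfImbYG8LwdbH
+SHCxRI+uz3+BRO2mQrRDyVmOy4VaEE1/21mevnUQHj9XLgAS3HiOdFA=
+=5dIp
+-----END PGP MESSAGE-----
+fp: 5f548d87ab2b8a4d48d80da3f2ff8352998da7fa
+unencrypted_suffix: _unencrypted
+version: 3.8.1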
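Review bot: This secret is encrypted only to the two PGP fingerprints under `sops.pgp`, both with `created_at` 2024-01-12 — two months before `lastmodified` — so if the host key that `docs/setup-no-usb.sh` derives from this VPS's `ssh_host_rsa_key` is not one of them, milan-linode-01 cannot decrypt `tailscale_key` at activation; which keys those fingerprints belong to is not visible in this commit, so this is a check rather than a certain defect. Once the host's fingerprint is in `.sops.yaml`, `sops updatekeys secrets/hosts/milan-linode-01.yaml` re-wraps the data key for the new recipient and the re-encrypted file should be committed alongside it.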