Test
parent
1b5661e22f
commit
1f50fcb028
5 changed files with 247 additions and 0 deletions
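--- a/docs/setup-no-usb.sh
+++ b/docs/setup-no-usb.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+pushd /etc/nixos/git
+
+# Home-Manager Setup
+echo ">>> Setting up Home Manager..... "
+sudo mkdir /nix/var/nix/profiles/per-user/albert
+
+# For some reason the syncthing folder takes this over and makes it owned by root
+sudo mkdir /home/albert/.config
+sudo chown albert:albert /home/albert/.config
+sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
+home-manager switch -b backup --flake /etc/nixos/git
+source ~/.bashrc
+
+# Import and trust the GPG key
+echo ">>> Setting up user GPG key..... "
+gpg --import ~/privkey.asc
+echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
+
+# Setup SOPS
+echo "Setting up SOPS keys..... "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!! Copy this signature to .sops.yaml: "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+
+# Currently only RSA keys are allowed
+sudo ssh-to-pgp \
+-comment "Generated `date +%Y.%m.%d`" \
+-email "root@`hostname`" \
+-i /etc/ssh/ssh_host_rsa_key \
+-o /etc/nixos/git/keys/hosts/$(hostname).asc
+
+# Set up ssh keys
+echo ">>> Setting up SSH Keys..... "
+ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
+echo "" >> ./keys/ssh/keys.txt
+echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
+cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
+
+# echo ">>> Setting up Distributed Build SSH Keys..... "
+# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
+# echo "" >> ./keys/ssh/builder-keys.txt
+# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
+# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
+
+# Add all changes to git and and push
+echo ">>> Pushing to git..... "
+git add keys/hosts/`hostname`.asc
+git commit -am "Setup: `hostname`"
+git push
+
+echo
+echo
+echo ">>> Complete. Once '.sops.yaml' is updated, "
+echo ">>> run 'update-secrets' and reboot."
+echo
+echo
+echo ">>> Reminder: Upload these changes to git"
+
+popd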
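Review bot: The script never enables strict mode, so a failed `pushd`, `gpg --import`, `ssh-to-pgp` or `ssh-keygen` is silently skipped and execution still reaches `git commit -am` / `git push` with whatever partial state exists; add `set -euo pipefail` directly under the shebang so a failed step aborts before anything is committed. The secret key is also left on disk as plaintext in `~/privkey.asc` after it has been imported into the keyring; remove it once the import succeeds, e.g. `gpg --import ~/privkey.asc && shred -u ~/privkey.asc`. Finally, `git commit -am` stages every modified tracked file in `/etc/nixos/git`, not just the new host key and `keys/ssh/keys.txt`, so unrelated local edits can be swept into the "Setup" commit; `git add keys/hosts/$(hostname).asc keys/ssh/keys.txt` followed by `git commit -m "Setup: $(hostname)"` is narrower and also drops the backtick substitutions in favour of `$(...)`.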
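--- a/nixos/hosts/milan-linode-01/default.nix
+++ b/nixos/hosts/milan-linode-01/default.nix
@@ -0,0 +1,42 @@
+{ lib, modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ../../common/services/tailscale-autoconnect.nix
+    ../../common/services/podman.nix
+    ./firewall.nix
+    ./podman/derp.nix
+  ];
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enable LISH
+  boot.kernelParams = [ "console=ttyS0,19200n8" ];
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial
+  '';
+
+  boot.loader.grub.forceInstall = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.timeout = 10;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];
+
+  # Distributed Builds
+  nix.distributedBuilds = true;
+
+  networking.useDHCP = lib.mkDefault true;
+  time.timeZone = "Europe/Rome";
+  networking.hostName = "milan-linode-01";
+
+  services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
+}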
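Review bot: `services.tailscale.extraUpFlags = [ "--advertise-exit-node" ]` only advertises the route; the node will not actually forward client traffic unless IP forwarding is enabled, and nothing in this file sets it. Unless the imported `tailscale-autoconnect.nix` (not visible here) already does so, add `boot.kernel.sysctl = { "net.ipv4.ip_forward" = 1; "net.ipv6.conf.all.forwarding" = 1; };` next to the flag. Either way the line deserves a comment such as `# Exit node: this public VPS becomes the egress for any tailnet client that selects it`, since that is a deliberate trust decision rather than a plain host setting.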
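--- a/nixos/hosts/milan-linode-01/firewall.nix
+++ b/nixos/hosts/milan-linode-01/firewall.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        1443 # Headscale DERP (tcp)
+      ];
+      allowedUDPPorts = [
+        3478 # Headscale DERP (udp)
+      ];
+    };
+  };
+}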
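Review bot: The comment on `3478 # Headscale DERP (udp)` is misleading: 3478/udp is the STUN listener that `DERP_STUN = "true"` enables in `podman/derp.nix`, not the DERP relay itself, which is the TLS listener on 1443/tcp. Rewording it to `3478 # DERP STUN (udp, enabled by DERP_STUN=true in podman/derp.nix)` makes clear what is actually exposed to the Internet through this rule. Documentation only, no behaviour change.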
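--- a/nixos/hosts/milan-linode-01/podman/derp.nix
+++ b/nixos/hosts/milan-linode-01/podman/derp.nix
@@ -0,0 +1,76 @@
+# Auto-generated using compose2nix v0.1.7.
+{ pkgs, lib, ... }: {
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      ''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
+    ];
+  };
+
+  # Containers
+  virtualisation.oci-containers.containers."headscale-derp" = {
+    image = "fredliang/derper";
+    environment = {
+      DERP_ADDR = ":1443";
+      DERP_CERT_DIR = "/app/certs";
+      DERP_CERT_MODE = "manual";
+      DERP_DOMAIN = "milan.sysctl.io";
+      DERP_STUN = "true";
+    };
+    volumes = [
+      "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
+      "/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
+    ];
+    ports = [
+      "3478:3478/udp"
+      "1443:1443/tcp"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=headscale-derp"
+      "--network=headscale-default"
+    ];
+  };
+  systemd.services."podman-headscale-derp" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 500 "always";
+    };
+    after = [
+      "podman-network-headscale-default.service"
+    ];
+    requires = [
+      "podman-network-headscale-default.service"
+    ];
+    partOf = [
+      "podman-compose-headscale-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-headscale-root.target"
+    ];
+  };
+
+  # Networks
+  systemd.services."podman-network-headscale-default" = {
+    path = [ pkgs.podman ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
+    };
+    script = ''
+      podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
+    '';
+    partOf = [ "podman-compose-headscale-root.target" ];
+    wantedBy = [ "podman-compose-headscale-root.target" ];
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."podman-compose-headscale-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}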
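Review bot: The two bind mounts in `volumes` use `*.sysctl.io.crt` and `*.sysctl.io.key` as host paths, but the NixOS oci-containers module passes each `-v` argument shell-escaped, so the `*` is never glob-expanded and podman will try to bind a literal path named `*.sysctl.io.crt` (typically creating an empty directory there) instead of the wildcard certificate; spell out the real file names on the host side. Check the container side as well: derper's `manual` cert mode looks for `<DERP_DOMAIN>.crt`/`.key` in `DERP_CERT_DIR`, i.e. `/app/certs/milan.sysctl.io.crt`, not `sysctl.io.crt`, unless this image remaps the names. Separately, the nightly `rsync` on the cron line copies the `*.sysctl.io` wildcard private key from `framework-server` onto this Internet-facing relay, so a compromise of this VPS exposes the key for the whole domain; a host-specific certificate for `milan.sysctl.io` would limit that blast radius. The container also runs without derper's client verification, so any Internet client can relay through it — if the image exposes it, set `DERP_VERIFY_CLIENTS = "true";` (which needs the host's tailscaled socket mounted into the container) and note in a comment that the relay is otherwise open.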
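--- a/secrets/hosts/milan-linode-01.yaml
+++ b/secrets/hosts/milan-linode-01.yaml
@@ -0,0 +1,52 @@
+tailscale_key: ENC[AES256_GCM,data:lLkJCQNwwxU/WjxoGU7ct+g7LZAQO8qqb0hyZ0FjxT4xxqQ3yEsoIdyQyHSdJCr1,iv:swAusP1KOcTiygdsFMhWN0F7GBTpnYEXbPJz2a57L+A=,tag:7266P5Cg8/6z+9QRYs4EWg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-03-15T01:25:40Z"
+    mac: ENC[AES256_GCM,data:lQZb0Z3mtaft4rP1R+qkYZhwGQLTfbWne8+OEUA46aCX6/5YBkhX3spmwnVDBTyLp6gRQg1Hq2Z2+2pmdO9O6Y4rk3b/sqiCEMIcwdunsJW+LgEYJbiu/paPAAgqfzdbQHRuSWaKW4V3NAU6DyJU4jds7AHHKzu/xqifE+Mwo2g=,iv:g6HE9jeRad5GPueNDF99///L4JTjOi0GC5M4DvYHqug=,tag:XhefHm8CWlUybKYa7jAepw==,type:str]
+    pgp:
+        - created_at: "2024-01-12T07:55:15Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAx+imH9kwOLOAQ//SM6c03A1jj5DzlULOz4aJmTn5pSY7KSaYcWq5sCHDDJH
+            oVPVzCqCGCPNeWArjMn5O5UCGTcryMWPiJRoN30picZylClVbzWgJlzZA8zxtLV+
+            jGSr0M4vjKtukq+OyoW5xTzLGEaV1iAiltrPOrMVapZFlCJD2thMeQzR7RjTBQsQ
+            dwbuqoAWG5lXVusvHZTAmZUKee4IKWXxvt4apLC3mPITaZTKdEBY4eJnlWe3rbKp
+            1m+nGLgLmt+sU+nOkKJnx0lL7A5E4mdBC926YV75Rpi8a+bBbveVrqp3gxZY+7tM
+            aI8mXwPs4OH+Om8ZzKG9UZ4RuqepPzIvY5frB+py8I7sIq73qCeWVC4WWyG3nOaW
+            pAjGnilODoisxQp+SivxEZRw7mWTxsATin27eB676sFDGutfE9WdOw9AGvTArxTU
+            1gK31mRg9+GTAOFKBly1t1LsZWbNVdwFN9JVwdRZC1MEwRAsc0LMPS0SVLlM+FZP
+            pWIn03Bzd5B5Ey/IkJOpQWZagVi/rPSQqa5yGowWCMR1bjwhO1dYdp2eqSf3PVks
+            nkhnokqxHVx68yWWA+8gjZq4tIgZ5xx0TL/+PgiqoziEY13M21POV4/ktpUfGjTp
+            RGiZaIqHV97GEugzRges39RPhfnvjCzLpz4k0Bs+1PiXSiz1MeBgbFPh5fT7M9TS
+            WAG2s6kvu9M5F0qsLuep88/9CuoSgQR08jWRXSBw2Y1sqS12Zhq1oXdB5N+tg9Aa
+            MlDB+No1kKdeD+0jLAzvJpKSg+5oZAvXl25rb0vuv9bHeptHyQ5FwUo=
+            =77Xf
+            -----END PGP MESSAGE-----
+          fp: D98BBC6C9A27324654C2D8C464F6C4EB46C4543A
+        - created_at: "2024-01-12T07:55:15Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA/L/g1KZjaf6AQ//R84Jf7oh77tFtbq+7wMRXnYNyPcDKztkOYxhUITgtvYc
+            yV44ZGpJSA1miG5bXfVMqNh2Qmz/pn/ACNLmdEoK8L6y/7LRj2FUWcWUGiII+tJn
+            LgBhcKu8cbJnya5Mma1F1trAdhUcOmpB50RqMXxo8aaAr/tWNC82aQQmj+kLfHoz
+            rfkCMBC0/9ZE9An9A6wNdCPchiPY/m91eM9U7Zy+Ig3O0UG4oQJc7aJtWUy2lAL1
+            Cq87prhJKjOG8mYZoTJuOD2e8l2by91Pf2j5zInHnRtIfkAa5urJDq+YbCEX9fRV
+            z7tOw51wEOMgLN9CvJX2O4nCKj+WsHlwPQan5bRv8oNKEZc0Mooy3YFEbcW3uNrJ
+            1HXfyfCDKe/XEUwveAwuwWn5udCbBrSMs/idT1INzDrN9J7icAlIh98m0fCvVqzK
+            VjiDwI1EEAPV7JSstC/Ncg3nErLBsWSntWDlZ4+IYl6SZKkDG0FXGzNzhi3tzGP2
+            LprK6S1h4x5XtX2Rrh0aecg8XFgphjmijkh6X/gOOi4b9PBus7aTQAqgvCx9ZkcZ
+            GbGUzQ5t2LPZftZe+L6VLNXu628URyGrF+h8sk7sVmEfz4lAVe2zpud7Zu1sf+VE
+            ZhoNAVhW8dKfVLK9/ylkPrFmZsFgHK800UcbnDVWat+pkhQtRJzkG7VLZ14lRgzS
+            WAH4oLimWabMHvNobkRPnXOytU99IbnaPskdPbUuJAv5BvWWmOpzfImbYG8LwdbH
+            SHCxRI+uz3+BRO2mQrRDyVmOy4VaEE1/21mevnUQHj9XLgAS3HiOdFA=
+            =5dIp
+            -----END PGP MESSAGE-----
+          fp: 5f548d87ab2b8a4d48d80da3f2ff8352998da7fa
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1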