This commit is contained in:
albert 2024-03-15 10:28:10 +09:00
parent 1b5661e22f
commit 1f50fcb028
No known key found for this signature in database
GPG key ID: 64F6C4EB46C4543A
5 changed files with 247 additions and 0 deletions

docs/setup-no-usb.sh Executable file

@ -0,0 +1,64 @@
#!/usr/bin/env bash
pushd /etc/nixos/git
# Home-Manager Setup
echo ">>> Setting up Home Manager..... "
sudo mkdir /nix/var/nix/profiles/per-user/albert
# For some reason the syncthing folder takes this over and makes it owned by root
sudo mkdir /home/albert/.config
sudo chown albert:albert /home/albert/.config
sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
home-manager switch -b backup --flake /etc/nixos/git
source ~/.bashrc
# Import and trust the GPG key
echo ">>> Setting up user GPG key..... "
gpg --import ~/privkey.asc
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
# Setup SOPS
echo "Setting up SOPS keys..... "
echo ">>> !!!!!"
echo ">>> !!!!!"
echo ">>> !!!!!"
echo ">>> !!!!! Copy this signature to .sops.yaml: "
echo ">>> !!!!!"
echo ">>> !!!!!"
echo ">>> !!!!!"
# Currently only RSA keys are allowed
sudo ssh-to-pgp \
-comment "Generated `date +%Y.%m.%d`" \
-email "root@`hostname`" \
-i /etc/ssh/ssh_host_rsa_key \
-o /etc/nixos/git/keys/hosts/$(hostname).asc
# Set up ssh keys
echo ">>> Setting up SSH Keys..... "
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
echo "" >> ./keys/ssh/keys.txt
echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
# echo ">>> Setting up Distributed Build SSH Keys..... "
# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
# echo "" >> ./keys/ssh/builder-keys.txt
# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
# Add all changes to git and and push
echo ">>> Pushing to git..... "
git add keys/hosts/`hostname`.asc
git commit -am "Setup: `hostname`"
git push
echo
echo
echo ">>> Complete. Once '.sops.yaml' is updated, "
echo ">>> run 'update-secrets' and reboot."
echo
echo
echo ">>> Reminder: Upload these changes to git"
popd
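Review bot: Nothing stops the script on failure — there is no `set -euo pipefail` after the shebang, so a failing `pushd /etc/nixos/git`, `gpg --import` or `ssh-to-pgp` is ignored and `git commit -am` / `git push` still run against whatever state exists; add `set -euo pipefail` as the second line. The private key imported from `~/privkey.asc` is left on disk after the import; once `gpg --import` succeeds, either remove it (`shred -u ~/privkey.asc`) or add it to the closing reminder so it is cleaned up by hand. `ssh-keygen -f ~/.ssh/id_ed25519 -N ""` also prompts to overwrite when the key already exists, so the script is not safely re-runnable; guard that line with `[ -f ~/.ssh/id_ed25519 ] ||`.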


@ -0,0 +1,42 @@
{ lib, modulesPath, ... }: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
../../common/services/tailscale-autoconnect.nix
../../common/services/podman.nix
./firewall.nix
./podman/derp.nix
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enable LISH
boot.kernelParams = [ "console=ttyS0,19200n8" ];
boot.loader.grub.extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
boot.loader.grub.forceInstall = true;
boot.loader.grub.device = "nodev";
boot.loader.timeout = 10;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
swapDevices = [ { device = "/dev/disk/by-label/linode-swap"; } ];
# Distributed Builds
nix.distributedBuilds = true;
networking.useDHCP = lib.mkDefault true;
time.timeZone = "Europe/Rome";
networking.hostName = "milan-linode-01";
services.tailscale.extraUpFlags = [ "--advertise-exit-node" ];
}
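Review bot: `--advertise-exit-node` on the `services.tailscale.extraUpFlags` line only advertises; actually routing exit traffic also needs IP forwarding, which nothing in this hunk enables (`services.tailscale.useRoutingFeatures = "server";` would do it) unless the imported `tailscale-autoconnect.nix` takes care of it outside this view. Because this turns the host into an egress point for every peer permitted to use it, a comment next to that line recording that the exit node still has to be approved and where forwarding is configured would help the next reader. The file path for this section is not visible on the page.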


@ -0,0 +1,13 @@
{ ... }: {
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
1443 # Headscale DERP (tcp)
];
allowedUDPPorts = [
3478 # Headscale DERP (udp)
];
};
};
}
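Review bot: The comment on `3478 # Headscale DERP (udp)` mislabels the port: 3478/udp is the STUN port the derper container exposes with `DERP_STUN = "true"`, while 1443/tcp is the DERP relay itself; change it to `3478 # DERP STUN (udp)` so the two entries are not read as the same service. The file path for this section is not visible on the page; it appears to be the `./firewall.nix` imported by the host configuration in the same commit.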


@ -0,0 +1,76 @@
# Auto-generated using compose2nix v0.1.7.
{ pkgs, lib, ... }: {
services.cron = {
enable = true;
systemCronJobs = [
''0 0 * * * root rsync -avr root@framework-server:/Storage/Data/Docker/sysctl.io/letsencrypt/ /Storage/Data/Docker/sysctl.io/letsencrypt/''
];
};
# Containers
virtualisation.oci-containers.containers."headscale-derp" = {
image = "fredliang/derper";
environment = {
DERP_ADDR = ":1443";
DERP_CERT_DIR = "/app/certs";
DERP_CERT_MODE = "manual";
DERP_DOMAIN = "milan.sysctl.io";
DERP_STUN = "true";
};
volumes = [
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/certs/*.sysctl.io.crt:/app/certs/sysctl.io.crt:ro"
"/Storage/Data/Docker/sysctl.io/letsencrypt/external/certificates/private/*.sysctl.io.key:/app/certs/sysctl.io.key:ro"
];
ports = [
"3478:3478/udp"
"1443:1443/tcp"
];
log-driver = "journald";
extraOptions = [
"--network-alias=headscale-derp"
"--network=headscale-default"
];
};
systemd.services."podman-headscale-derp" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-headscale-default.service"
];
requires = [
"podman-network-headscale-default.service"
];
partOf = [
"podman-compose-headscale-root.target"
];
wantedBy = [
"podman-compose-headscale-root.target"
];
};
# Networks
systemd.services."podman-network-headscale-default" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "${pkgs.podman}/bin/podman network rm -f headscale-default";
};
script = ''
podman network inspect headscale-default || podman network create headscale-default --opt isolate=true
'';
partOf = [ "podman-compose-headscale-root.target" ];
wantedBy = [ "podman-compose-headscale-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."podman-compose-headscale-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
}
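Review bot: The two bind-mount sources in `volumes` use shell globs (`.../certs/*.sysctl.io.crt` and `.../private/*.sysctl.io.key`), but neither the oci-containers module nor podman expands globs in a host path, so the literal `*`-named path is what gets mounted (podman will likely create it as an empty directory) and the container never sees the certificate; spell out the real file names, or resolve them in a `preStart` step that copies them to a fixed path. The midnight rsync in `services.cron` refreshes the certificate directory but nothing restarts `podman-headscale-derp` afterwards, so a renewed certificate is probably not picked up until the next restart (I have not verified whether derper reloads certificates in manual mode); appending `&& systemctl restart podman-headscale-derp` to the cron line, or a systemd path unit, would close that gap. That rsync also pulls the private-key directory as root from `framework-server`, and nothing in this hunk sets the ownership or mode of the destination, so a comment stating what protects `/Storage/Data/Docker/sysctl.io/letsencrypt/` on this host would be worth adding. Note too that derper relays for any client that reaches 1443 unless it is started with `--verify-clients` alongside a local tailscaled; if the image exposes that option, enabling it is the usual hardening for an internet-facing relay.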


@ -0,0 +1,52 @@
tailscale_key: ENC[AES256_GCM,data:lLkJCQNwwxU/WjxoGU7ct+g7LZAQO8qqb0hyZ0FjxT4xxqQ3yEsoIdyQyHSdJCr1,iv:swAusP1KOcTiygdsFMhWN0F7GBTpnYEXbPJz2a57L+A=,tag:7266P5Cg8/6z+9QRYs4EWg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-03-15T01:25:40Z"
mac: ENC[AES256_GCM,data:lQZb0Z3mtaft4rP1R+qkYZhwGQLTfbWne8+OEUA46aCX6/5YBkhX3spmwnVDBTyLp6gRQg1Hq2Z2+2pmdO9O6Y4rk3b/sqiCEMIcwdunsJW+LgEYJbiu/paPAAgqfzdbQHRuSWaKW4V3NAU6DyJU4jds7AHHKzu/xqifE+Mwo2g=,iv:g6HE9jeRad5GPueNDF99///L4JTjOi0GC5M4DvYHqug=,tag:XhefHm8CWlUybKYa7jAepw==,type:str]
pgp:
- created_at: "2024-01-12T07:55:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=77Xf
-----END PGP MESSAGE-----
fp: D98BBC6C9A27324654C2D8C464F6C4EB46C4543A
- created_at: "2024-01-12T07:55:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=5dIp
-----END PGP MESSAGE-----
fp: 5f548d87ab2b8a4d48d80da3f2ff8352998da7fa
unencrypted_suffix: _unencrypted
version: 3.8.1