From 220dbc9ffe54986c41c8c4e36bbd30d40a3752ad Mon Sep 17 00:00:00 2001 From: Ciapa Date: Sun, 4 Feb 2024 01:11:26 +0100 Subject: [PATCH] Add basic config for Phoenix --- .sops.yaml | 7 ++ flake.nix | 23 ++++++ hosts/phoenix.lewd.wtf/configuration.nix | 31 +++++++ .../hardware-configuration.nix | 42 ++++++++++ hosts/phoenix.lewd.wtf/networking.nix | 22 +++++ hosts/phoenix.lewd.wtf/secrets.nix | 10 +++ hosts/phoenix.lewd.wtf/secrets/msmtp.yaml | 32 ++++++++ hosts/phoenix.lewd.wtf/services/msmtp.nix | 21 +++++ hosts/phoenix.lewd.wtf/services/nfs.nix | 16 ++++ hosts/phoenix.lewd.wtf/services/smartd.nix | 6 ++ hosts/phoenix.lewd.wtf/services/zfs.nix | 81 +++++++++++++++++++ 11 files changed, 291 insertions(+) create mode 100644 hosts/phoenix.lewd.wtf/configuration.nix create mode 100644 hosts/phoenix.lewd.wtf/hardware-configuration.nix create mode 100644 hosts/phoenix.lewd.wtf/networking.nix create mode 100644 hosts/phoenix.lewd.wtf/secrets.nix create mode 100644 hosts/phoenix.lewd.wtf/secrets/msmtp.yaml create mode 100644 hosts/phoenix.lewd.wtf/services/msmtp.nix create mode 100644 hosts/phoenix.lewd.wtf/services/nfs.nix create mode 100644 hosts/phoenix.lewd.wtf/services/smartd.nix create mode 100644 hosts/phoenix.lewd.wtf/services/zfs.nix diff --git a/.sops.yaml b/.sops.yaml index 9e8cefa..d8d7190 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,6 +6,7 @@ keys: # Hosts - &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh - &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya + - &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh creation_rules: # kinda.sus.lol - path_regex: hosts/kinda.sus.lol/secrets/.* @@ -19,3 +20,9 @@ creation_rules: - age: - *admin_ecchi - *host_nyx_lewd_wtf + # phoenix.lewd.wtf + - path_regex: hosts/phoenix.lewd.wtf/secrets/.* + key_groups: + - age: + - *admin_ecchi + - *host_phoenix_lewd_wtf 
diff --git a/flake.nix b/flake.nix
index 3ffdde6..de7dbd3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -50,6 +50,16 @@
 ];
 };
+ "phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs self; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./default.nix
+ ./hosts/phoenix.lewd.wtf/configuration.nix
+ ];
+ };
+
 "aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = { inherit inputs self; };
@@ -131,6 +141,19 @@
 };
 };
+ "phoenix.lewd.wtf" = {
+ sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=no" ];
+ hostname = "lewdathome.duckdns.org";
+ fastConnection = true;
+
+ profiles.system = {
+ sshUser = "root";
+ path =
+ deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."phoenix.lewd.wtf";
+ user = "root";
+ };
+ };
+
 "aztul.elmosco.lewd.wtf" = {
 sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
 hostname = "aztul.elmosco.lewd.wtf";
diff --git a/hosts/phoenix.lewd.wtf/configuration.nix b/hosts/phoenix.lewd.wtf/configuration.nix
new file mode 100644
index 0000000..d6fe0fb
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/configuration.nix
@@ -0,0 +1,31 @@
+{ self, config, pkgs, lib, ... }:
+let
+ utils = import ../../util/include.nix { lib = lib; };
+ imports =
+ (utils.includeDir ./services) ++
+ [
+ ./hardware-configuration.nix
+ ./networking.nix
+ ./secrets.nix
+ ];
+
+in {
+ inherit imports;
+
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub = {
+ enable = true;
+ efiSupport = false;
+ copyKernels = true;
+ mirroredBoots = [
+ { path = "/boot-1"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0M558343V" ]; }
+ { path = "/boot-2"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0N633130M" ]; }
+ ];
+ };
+
+ networking.hostName = "phoenix";
+ networking.domain = "lewd.wtf";
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
+
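Review bot: The new deploy-rs node in the second flake.nix hunk opens a root SSH session to `lewdathome.duckdns.org` with `StrictHostKeyChecking=no`, and that name appears to be a dynamic-DNS entry; with host-key checking disabled, a wrong or hijacked DNS answer would hand any host a root session and the system closure without a warning. The aztul node directly below uses the same option, so this is inherited style rather than something new, but `sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=accept-new" ];` keeps the first-contact convenience while still failing on a changed key, and a pinned known_hosts entry is stronger still. The same change would suit the other nodes in this attribute set.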
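Review bot: In configuration.nix the trailing `# Did you read the comment?` on the `system.stateVersion = "24.05";` line refers to the explanatory comment that the NixOS installer template places above this option, and that comment is not present in this file, so the question points at nothing. Replace it with a comment that states the rule itself, for example `# Do not change after first install; see the system.stateVersion option documentation`, or drop it.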
diff --git a/hosts/phoenix.lewd.wtf/hardware-configuration.nix b/hosts/phoenix.lewd.wtf/hardware-configuration.nix
new file mode 100644
index 0000000..75c77a4
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "zroot/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot-1" = {
+ device = "/dev/disk/by-uuid/6CA4-1FB2";
+ fsType = "vfat";
+ };
+
+ fileSystems."/boot-2" = {
+ device = "/dev/disk/by-uuid/6CA5-F5A2";
+ fsType = "vfat";
+ };
+
+ fileSystems."/mnt/zvault/desktop" = {
+ device = "zvault/desktop";
+ fsType = "zfs";
+ };
+
+ fileSystems."/mnt/zbigdata/media" = {
+ device = "zbigdata/media";
+ fsType = "zfs";
+ };
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/phoenix.lewd.wtf/networking.nix b/hosts/phoenix.lewd.wtf/networking.nix
new file mode 100644
index 0000000..0a835c5
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+ networking.useDHCP = false;
+ networking.bridges = {
+ "br0" = {
+ interfaces = [
+ "eno2"
+ "enp23s0"
+ ];
+ };
+ };
+
+ networking.interfaces.br0.ipv4.addresses = [
+ {
+ address = "192.168.0.42";
+ prefixLength = 22;
+ }
+ ];
+
+ networking.defaultGateway = "192.168.0.1";
+ networking.nameservers = [ "192.168.0.1" ];
+}
diff --git a/hosts/phoenix.lewd.wtf/secrets.nix b/hosts/phoenix.lewd.wtf/secrets.nix
new file mode 100644
index 0000000..16c6c96
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ # Vaultwarden
+ sops.secrets."services/msmtp/password" = {
+ mode = "0777";
+ sopsFile = ./secrets/msmtp.yaml;
+ };
+}
diff --git a/hosts/phoenix.lewd.wtf/secrets/msmtp.yaml b/hosts/phoenix.lewd.wtf/secrets/msmtp.yaml
new file mode 100644
index 0000000..4209782
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets/msmtp.yaml
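Review bot: `mode = "0777";` on `sops.secrets."services/msmtp/password"` makes the decrypted SMTP password at `/run/secrets/services/msmtp/password` readable and writable by every local user, which undoes the point of encrypting it with sops. Everything on this host that reads it (`passwordeval` in services/msmtp.nix, and the zed, smartd and status-mail services that send through msmtp) appears to run as root, so `mode = "0400";` with sops-nix's default root owner should be sufficient; if a non-root service needs it later, grant access through the secret's `owner`/`group` options rather than widening the mode. The `# Vaultwarden` comment above the secret is misleading, since this is the msmtp password; replace it with `# SMTP password for msmtp, see services/msmtp.nix`.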
@@ -0,0 +1,32 @@ +services: + msmtp: + password: ENC[AES256_GCM,data:k4pMmcPrv0jQkr2Odd4elg==,iv:/gNqUPgd480v/C8+BOuFUNdjkEXWNjMqzwQ4HxftnC4=,tag:8/HVE/aHCbyHRMlNB2mT8A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYamhaWEhNNVZBUXMvU1dx + cVppQVpNcjFXRzgvTmRXYTk0SFZkbWFWWFNvCndnZnkxd1F0Y3VjVW1FZGhJWGR3 + N29zM0ltT2wyUjg0UU9VdU1mY3htMmcKLS0tIDhpclNJT09pUGI2TnpaSEpwZGNk + WWxHUEYxZTkxcktnSXl0YXl6elJ6eTQKit0pzEYgg3hc08swMg1mh17DLbVAXBu9 + TaDZYCsH+nYzIVYG8Sp2IZVxENUbr6P5spDJs1dVSvWsRPLj0SXC/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU0U4Ujk5dUhOL3ZFRFA0 + Ny9UMG9ISmNRbDdCQThKNWtlTjVCLy9aNms4CmtxeXNhU2FmQkJzaDdBY1J4UWsv + MFF1dEdURFJXaDdiRkVaeFNVUXFJSm8KLS0tIFl6bnd3aGk4ZDlIMEdaaGRJUHA3 + bFh4ZHF0S1Y4N2srS3dTUUxPRDRyZVkKlJJHMJ7nBcZqZXC893YIh3CDeWwew24n + lm2h3RzTQ993wnD6434FJF6MEKbOAfeunKf2K1GrKjfDO58n7I0edg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-04T00:02:21Z" + mac: ENC[AES256_GCM,data:ULRJMKr3fvp9wDKuj1P62POxY43ZgtA60uhd2MLhTbPtYKM2r1bJbiLpwYi8pXKIC7I6Fl/og/fL2fyEx5ZRA7jME8PRQvmWlTytZnsOa8RCDYot5JxhwGwJ3keIZFAAnUxX3Vc0+Ch4u3qr1+EbffEh6m1Vt9fJiujI9aWdrt8=,iv:qjnWcu9wvnQ4H1Q6zu8edHYHjniJqz80Bx4XOkZ3+l8=,tag:eQk73teW1pBVszamlDdaFQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/phoenix.lewd.wtf/services/msmtp.nix b/hosts/phoenix.lewd.wtf/services/msmtp.nix new file mode 100644 index 0000000..1c787ef --- /dev/null +++ b/hosts/phoenix.lewd.wtf/services/msmtp.nix 
@@ -0,0 +1,21 @@
+{
+ programs.msmtp = {
+ enable = true;
+ setSendmail = true;
+ defaults = {
+ aliases = builtins.toFile "aliases" ''
+ default: ciapa@lewd.wtf
+ '';
+ };
+ accounts.default = {
+ auth = "plain";
+ host = "mail.your-server.de";
+ port = "587";
+ from = "phoenix@lewd.wtf";
+ user = "phoenix@lewd.wtf";
+ passwordeval = "cat /run/secrets/services/msmtp/password";
+ };
+
+ };
+
+}
diff --git a/hosts/phoenix.lewd.wtf/services/nfs.nix b/hosts/phoenix.lewd.wtf/services/nfs.nix
new file mode 100644
index 0000000..0f3bdc2
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/nfs.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+ fileSystems."/export/desktop" = {
+ device = "/mnt/zvault/desktop";
+ options = [ "bind" ];
+ };
+
+ services.nfs.server.enable = true;
+ services.nfs.server.exports = ''
+ /export 192.168.0.20(rw,fsid=0,no_subtree_check)
+ /export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check)
+ '';
+
+ networking.firewall.allowedTCPPorts = [ 2049 ];
+}
+
diff --git a/hosts/phoenix.lewd.wtf/services/smartd.nix b/hosts/phoenix.lewd.wtf/services/smartd.nix
new file mode 100644
index 0000000..b5f3a99
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/smartd.nix
@@ -0,0 +1,6 @@
+{
+ services.smartd.enable = true;
+ services.smartd.notifications.mail.enable = true;
+ services.smartd.notifications.mail.sender = "phoenix@lewd.wtf";
+ services.smartd.notifications.mail.recipient = "ciapa@lewd.wtf";
+}
diff --git a/hosts/phoenix.lewd.wtf/services/zfs.nix b/hosts/phoenix.lewd.wtf/services/zfs.nix
new file mode 100644
index 0000000..fd90c31
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/zfs.nix
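Review bot: `accounts.default` in msmtp.nix sets `auth = "plain";` and submission port 587 but never turns TLS on, and the `defaults` block in the same file does not either, so with msmtp's `tls` setting left at its off default the credential obtained via `passwordeval` is either refused by msmtp's plaintext safeguard or offered to the server in clear text, depending on the msmtp version. Add `tls = true;` and `tls_starttls = true;` to the account (or to `defaults`), which is the usual pairing for STARTTLS on 587; the default CA bundle is used unless `tls_trust_file` says otherwise. As a style point, `port = "587";` is a string while zfs.nix in the same commit writes `port = 2222;` as an integer; either renders the same, but one convention should be picked.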
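Review bot: In nfs.nix the `/export/desktop` export carries `insecure`, which accepts client connections from unprivileged source ports, while `networking.firewall.allowedTCPPorts = [ 2049 ];` opens the NFS port on every interface; the only thing then gating read-write access to the share is the source address 192.168.0.20, which AUTH_SYS trusts without any verification. Unless the client genuinely needs unprivileged ports, drop `insecure` from that line, and consider a comment such as `# rw access is granted by source IP only; keep this export on the LAN bridge` so the trust model is recorded next to the export table. If the port should only ever be reachable from the LAN bridge, `networking.firewall.interfaces.br0.allowedTCPPorts = [ 2049 ];` scopes it to that interface.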
@@ -0,0 +1,81 @@
+let
+ sendEmailEvent = { event }: ''
+ printf "Subject: phoenix ${event} ''$(${pkgs.coreutils}/bin/date --iso-8601=seconds)\n\nzpool status:\n\n''$(${pkgs.zfs}/bin/zpool status)" | ${pkgs.msmtp}/bin/msmtp -a default ${emailTo}
+ '';
+in:
+{
+ # ZFS remote unlocking
+ boot.initrd.availableKernelModules = [ "igb" ];
+ boot.kernelParams = [
+ "ip=192.168.0.42::192.168.0.1:255.255.252.0:phoenix-initrd:eno2:off:192.168.0.1"
+ ];
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ hostKeys = [
+ /boot-1/initrd-ssh-key
+ /boot-2/initrd-ssh-key
+ ];
+ authorizedKeys = [ config.users.users.root.openssh.authorizedKeys.keys ];
+ };
+ postCommands = ''
+ cat < /root/.profile
+ if pgrep -x "zfs" > /dev/null
+ then
+ zfs load-key zroot
+ zpool import -f zbigdata
+ zfs load-key zbigdata
+ zpool import -f zvault
+ zfs load-key zvault
+ killall zfs
+ else
+ echo "zfs not running -- maybe the pool is taking some time to load for some unforseen reason."
+ fi
+ EOF
+ '';
+ };
+
+ # ZFS options from https://nixos.wiki/wiki/NixOS_on_ZFS
+ networking.hostId = "42069420";
+ boot.supportedFilesystems = [ "zfs" ];
+
+ # ZFS notifications
+ services.zfs.zed.enableMail = true;
+ services.zfs.zed.settings = {
+ ZED_EMAIL_ADDR = [ "ciapa@lewd.wtf" ];
+ ZED_EMAIL_OPTS = "-a 'FROM:phoenix@lewd.wtf' -s '@SUBJECT@' @ADDRESS@";
+ ZED_NOTIFY_VERBOSE = true;
+ };
+
+ # Timed status mails (Boot, Shutdown, Weekly)
+ systemd.services."boot-mail-alert" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = sendEmailEvent { event = "just booted"; };
+ };
+ systemd.services."shutdown-mail-alert" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = "true";
+ preStop = sendEmailEvent { event = "is shutting down"; };
+ };
+ systemd.services."weekly-mail-alert" = {
+ serviceConfig.Type = "oneshot";
+ script = sendEmailEvent { event = "is still alive"; };
+ };
+ systemd.timers."weekly-mail-alert" = {
+ wantedBy = [ "timers.target" ];
+ partOf = [ "weekly-mail-alert.service" ];
+ timerConfig.OnCalendar = "weekly";
+ };
+}
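Review bot: `authorizedKeys = [ config.users.users.root.openssh.authorizedKeys.keys ];` wraps a value that is already a list in another list, so the initrd SSH option would receive a list of lists rather than key strings and fail the option's type check; it should read `authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;`. More fundamentally, as the hunk shows the file is `let … in: { … }` with no module arguments, so `config`, `pkgs` and `emailTo` are all unbound and the file does not look evaluable as written; the head should become `{ config, pkgs, ... }:` followed by `let emailTo = "ciapa@lewd.wtf"; sendEmailEvent = …; in {`, the recipient presumably being the same as `ZED_EMAIL_ADDR`. The `cat < /root/.profile` line looks like a heredoc whose `<<EOF >` part was lost somewhere between the file and this rendering, since the block ends with a bare `EOF`; worth confirming against the actual file. Finally, the initrd host keys sit on the unencrypted vfat `/boot-1`/`/boot-2` partitions and the pools are imported with `-f`, which is inherent to this unlock scheme but deserves a comment such as `# initrd host keys live on the unencrypted boot partitions; anyone with disk access can impersonate the unlock prompt` so the trade-off is recorded next to the config.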