Add basic config for Phoenix
This commit is contained in:
parent
1ee82e6ce1
commit
2d14658dcd
|
@ -6,6 +6,7 @@ keys:
|
|||
# Hosts
|
||||
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
|
||||
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
||||
- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
|
||||
creation_rules:
|
||||
# kinda.sus.lol
|
||||
- path_regex: hosts/kinda.sus.lol/secrets/.*
|
||||
|
@ -19,3 +20,9 @@ creation_rules:
|
|||
- age:
|
||||
- *admin_ecchi
|
||||
- *host_nyx_lewd_wtf
|
||||
# phoenix.lewd.wtf
|
||||
- path_regex: hosts/phoenix.lewd.wtf/secrets/.*
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin_ecchi
|
||||
- *host_phoenix_lewd_wtf
|
||||
|
|
23
flake.nix
23
flake.nix
|
@ -50,6 +50,16 @@
|
|||
];
|
||||
};
|
||||
|
||||
"phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs self; };
|
||||
modules = [
|
||||
sops-nix.nixosModules.sops
|
||||
./default.nix
|
||||
./hosts/phoenix.lewd.wtf/configuration.nix
|
||||
];
|
||||
};
|
||||
|
||||
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs self; };
|
||||
|
@ -131,6 +141,19 @@
|
|||
};
|
||||
};
|
||||
|
||||
"phoenix.lewd.wtf" = {
|
||||
sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=no" ];
|
||||
hostname = "lewdathome.duckdns.org";
|
||||
fastConnection = true;
|
||||
|
||||
profiles.system = {
|
||||
sshUser = "root";
|
||||
path =
|
||||
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."phoenix.lewd.wtf";
|
||||
user = "root";
|
||||
};
|
||||
};
|
||||
|
||||
"aztul.elmosco.lewd.wtf" = {
|
||||
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
|
||||
hostname = "aztul.elmosco.lewd.wtf";
|
||||
|
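Review bot: The new deploy-rs node sets `"-o" "StrictHostKeyChecking=no"` in `sshOpts`, which disables SSH host-key verification for a root deploy (`sshUser = "root"`) to a dynamic-DNS name (`hostname = "lewdathome.duckdns.org"`); if that name or the route to it is hijacked, deploy-rs will connect as root to whatever answers and run the activation there. Prefer `"-o" "StrictHostKeyChecking=accept-new"` (trust on first use) or, better, pin the key with `"-o" "UserKnownHostsFile=<known_hosts committed next to the flake>"`. The same option already appears on the existing `aztul.elmosco.lewd.wtf` node in the context lines, so the commit is following the existing pattern, but the phoenix node is the one reached through a duckdns hostname. The enclosing deploy attribute set starts and ends outside this hunk.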
|
|
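--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/configuration.nix
@@ -0,0 +1,31 @@
+{ self, config, pkgs, lib, ... }:
+let
+utils = import ../../util/include.nix { lib = lib; };
+imports =
+(utils.includeDir ./services) ++
+[
+./hardware-configuration.nix
+./networking.nix
+./secrets.nix
+];
+
+in {
+inherit imports;
+
+boot.loader.systemd-boot.enable = false;
+boot.loader.grub = {
+enable = true;
+efiSupport = false;
+copyKernels = true;
+mirroredBoots = [
+{ path = "/boot-1"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0M558343V" ]; }
+{ path = "/boot-2"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0N633130M" ]; }
+];
+};
+
+networking.hostName = "phoenix";
+networking.domain = "lewd.wtf";
+
+system.stateVersion = "24.05"; # Did you read the comment?
+}
+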
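--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/hardware-configuration.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "usbhid" "usb_storage" "sd_mod" ];
+boot.initrd.kernelModules = [ "dm-snapshot" ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" = {
+device = "zroot/root";
+fsType = "zfs";
+};
+
+fileSystems."/boot-1" = {
+device = "/dev/disk/by-uuid/6CA4-1FB2";
+fsType = "vfat";
+};
+
+fileSystems."/boot-2" = {
+device = "/dev/disk/by-uuid/6CA5-F5A2";
+fsType = "vfat";
+};
+
+fileSystems."/mnt/zvault/desktop" = {
+device = "zvault/desktop";
+fsType = "zfs";
+};
+
+fileSystems."/mnt/zbigdata/media" = {
+device = "zbigdata/media";
+fsType = "zfs";
+};
+
+swapDevices = [ ];
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}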
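--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+networking.useDHCP = false;
+networking.bridges = {
+"br0" = {
+interfaces = [
+"eno2"
+"enp23s0"
+];
+};
+};
+
+networking.interfaces.br0.ipv4.addresses = [
+{
+address = "192.168.0.42";
+prefixLength = 22;
+}
+];
+
+networking.defaultGateway = "192.168.0.1";
+networking.nameservers = [ "192.168.0.1" ];
+}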
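--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+# Vaultwarden
+sops.secrets."services/msmtp/password" = {
+mode = "0777";
+sopsFile = ./secrets/msmtp.yaml;
+};
+}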
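Review bot: `mode = "0777"` on `sops.secrets."services/msmtp/password"` makes the decrypted SMTP password under `/run/secrets` readable and writable by every local user and service, which defeats the point of keeping it sops-encrypted in the repo. Every consumer visible in this commit (smartd, zed and the boot/shutdown/weekly mail units, all of which shell out to msmtp) appears to run as root, so the sops-nix default of root-owned `0400` should suffice; drop the `mode` line, or if a non-root user really needs the file, set `owner`/`group` and `mode = "0440"` instead. The `# Vaultwarden` comment above the secret is misleading since the secret is the msmtp password; I would replace it with `# SMTP password for msmtp (used by smartd, zed and the status-mail units)`.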
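--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets/msmtp.yaml
@@ -0,0 +1,32 @@
+services:
+msmtp:
+password: ENC[AES256_GCM,data:k4pMmcPrv0jQkr2Odd4elg==,iv:/gNqUPgd480v/C8+BOuFUNdjkEXWNjMqzwQ4HxftnC4=,tag:8/HVE/aHCbyHRMlNB2mT8A==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYamhaWEhNNVZBUXMvU1dx
+cVppQVpNcjFXRzgvTmRXYTk0SFZkbWFWWFNvCndnZnkxd1F0Y3VjVW1FZGhJWGR3
+N29zM0ltT2wyUjg0UU9VdU1mY3htMmcKLS0tIDhpclNJT09pUGI2TnpaSEpwZGNk
+WWxHUEYxZTkxcktnSXl0YXl6elJ6eTQKit0pzEYgg3hc08swMg1mh17DLbVAXBu9
+TaDZYCsH+nYzIVYG8Sp2IZVxENUbr6P5spDJs1dVSvWsRPLj0SXC/Q==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU0U4Ujk5dUhOL3ZFRFA0
+Ny9UMG9ISmNRbDdCQThKNWtlTjVCLy9aNms4CmtxeXNhU2FmQkJzaDdBY1J4UWsv
+MFF1dEdURFJXaDdiRkVaeFNVUXFJSm8KLS0tIFl6bnd3aGk4ZDlIMEdaaGRJUHA3
+bFh4ZHF0S1Y4N2srS3dTUUxPRDRyZVkKlJJHMJ7nBcZqZXC893YIh3CDeWwew24n
+lm2h3RzTQ993wnD6434FJF6MEKbOAfeunKf2K1GrKjfDO58n7I0edg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-02-04T00:02:21Z"
+mac: ENC[AES256_GCM,data:ULRJMKr3fvp9wDKuj1P62POxY43ZgtA60uhd2MLhTbPtYKM2r1bJbiLpwYi8pXKIC7I6Fl/og/fL2fyEx5ZRA7jME8PRQvmWlTytZnsOa8RCDYot5JxhwGwJ3keIZFAAnUxX3Vc0+Ch4u3qr1+EbffEh6m1Vt9fJiujI9aWdrt8=,iv:qjnWcu9wvnQ4H1Q6zu8edHYHjniJqz80Bx4XOkZ3+l8=,tag:eQk73teW1pBVszamlDdaFQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1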
@ -0,0 +1,21 @@
|
|||
{
|
||||
programs.msmtp = {
|
||||
enable = true;
|
||||
setSendmail = true;
|
||||
defaults = {
|
||||
aliases = builtins.toFile "aliases" ''
|
||||
default: ciapa@lewd.wtf
|
||||
'';
|
||||
};
|
||||
accounts.default = {
|
||||
auth = "plain";
|
||||
host = "mail.your-server.de";
|
||||
port = "587";
|
||||
from = "phoenix@lewd.wtf";
|
||||
user = "phoenix@lewd.wtf";
|
||||
passwordeval = "cat /run/secrets/services/msmtp/password";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
|
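Review bot: `accounts.default` selects `auth = "plain"` against `mail.your-server.de` on port 587 but sets neither `tls` nor `tls_starttls`, so unless those options come from somewhere outside this file the password is sent over a cleartext connection (msmtp's own default is TLS off, and an explicitly chosen PLAIN method is used even without TLS, as far as I can tell). Add `tls = true;` and `tls_starttls = true;` to `accounts.default` (or to `defaults`) so the session is upgraded with STARTTLS before AUTH. The hard-coded `passwordeval = "cat /run/secrets/services/msmtp/password"` also duplicates the sops secret's path; taking `config` in the module arguments and using `config.sops.secrets."services/msmtp/password".path` keeps the two from drifting apart.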
@ -0,0 +1,16 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
fileSystems."/export/desktop" = {
|
||||
device = "/mnt/zvault/desktop";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
|
||||
services.nfs.server.enable = true;
|
||||
services.nfs.server.exports = ''
|
||||
/export 192.168.0.20(rw,fsid=0,no_subtree_check)
|
||||
/export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check)
|
||||
'';
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 2049 ];
|
||||
}
|
||||
|
|
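Review bot: The `/export/desktop` export line carries `insecure`, which lets any unprivileged process on 192.168.0.20, not only root there, talk NFS to this server; unless the client is one that cannot use a privileged source port, drop it and keep the default port check. `networking.firewall.allowedTCPPorts = [ 2049 ]` opens NFS on every interface while the only access control is the single-IP export entry (AUTH_SYS trust in a source address), so scoping it as `networking.firewall.interfaces.br0.allowedTCPPorts = [ 2049 ];` keeps it off any interface added later. The exports rely on the default root squash; a comment such as `# root_squash (default) stays on: client root must not become server root` would stop it being "fixed" away later.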
@ -0,0 +1,6 @@
|
|||
{
|
||||
services.smartd.enable = true;
|
||||
services.smartd.notifications.mail.enable = true;
|
||||
services.smartd.notifications.mail.sender = "phoenix@lewd.wtf";
|
||||
services.smartd.notifications.mail.recipient = "ciapa@lewd.wtf";
|
||||
}
|
|
@ -0,0 +1,82 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
sendEmailEvent = { event }: ''
|
||||
printf "Subject: phoenix ${event} ''$(${pkgs.coreutils}/bin/date --iso-8601=seconds)\n\nzpool status:\n\n''$(${pkgs.zfs}/bin/zpool status)" | ${pkgs.msmtp}/bin/msmtp -a default ciapa@lewd.wtf
|
||||
'';
|
||||
in
|
||||
{
|
||||
# ZFS remote unlocking
|
||||
boot.initrd.availableKernelModules = [ "igb" ];
|
||||
boot.kernelParams = [
|
||||
"ip=192.168.0.42::192.168.0.1:255.255.252.0:phoenix-initrd:eno2:off:192.168.0.1"
|
||||
];
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
hostKeys = [
|
||||
/boot-1/initrd-ssh-key
|
||||
/boot-2/initrd-ssh-key
|
||||
];
|
||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
};
|
||||
postCommands = ''
|
||||
cat <<EOF > /root/.profile
|
||||
if pgrep -x "zfs" > /dev/null
|
||||
then
|
||||
zfs load-key zroot
|
||||
zpool import -f zbigdata
|
||||
zfs load-key zbigdata
|
||||
zpool import -f zvault
|
||||
zfs load-key zvault
|
||||
killall zfs
|
||||
else
|
||||
echo "zfs not running -- maybe the pool is taking some time to load for some unforseen reason."
|
||||
fi
|
||||
EOF
|
||||
'';
|
||||
};
|
||||
|
||||
# ZFS options from https://nixos.wiki/wiki/NixOS_on_ZFS
|
||||
networking.hostId = "42069420";
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
# ZFS notifications
|
||||
services.zfs.zed.enableMail = true;
|
||||
services.zfs.zed.settings = {
|
||||
ZED_EMAIL_ADDR = [ "ciapa@lewd.wtf" ];
|
||||
ZED_EMAIL_OPTS = "-a 'FROM:phoenix@lewd.wtf' -s '@SUBJECT@' @ADDRESS@";
|
||||
ZED_NOTIFY_VERBOSE = true;
|
||||
};
|
||||
|
||||
# Timed status mails (Boot, Shutdown, Weekly)
|
||||
systemd.services."boot-mail-alert" = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = sendEmailEvent { event = "just booted"; };
|
||||
};
|
||||
systemd.services."shutdown-mail-alert" = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = "true";
|
||||
preStop = sendEmailEvent { event = "is shutting down"; };
|
||||
};
|
||||
systemd.services."weekly-mail-alert" = {
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = sendEmailEvent { event = "is still alive"; };
|
||||
};
|
||||
systemd.timers."weekly-mail-alert" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
partOf = [ "weekly-mail-alert.service" ];
|
||||
timerConfig.OnCalendar = "weekly";
|
||||
};
|
||||
}
|
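Review bot: The initrd `.profile` written by `postCommands` imports `zbigdata` and `zvault` with `zpool import -f`, which skips ZFS's hostid ownership check; with `networking.hostId` set here the pools should import without `-f` once they have been imported under this hostid, and an unconditional force import would take over a pool that is genuinely in use elsewhere (shared disks, a second host, a stale enclosure) and corrupt it. Suggest dropping `-f` and doing any one-off forced import by hand; NixOS also offers `boot.zfs.extraPools` for non-root pools instead of importing them from a root shell profile in the initrd. Separately, in `sendEmailEvent` the `$(zpool status)` substitution is inside printf's format string, so any `%` in pool output would be interpreted as a conversion; passing it as an argument, `printf 'Subject: ...\n\n%s\n' "$(zpool status)"`, avoids that.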