Add basic config for Phoenix
This commit is contained in:
parent
1ee82e6ce1
commit
67c082e335
|
@ -6,6 +6,7 @@ keys:
|
||||||
# Hosts
|
# Hosts
|
||||||
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
|
- &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
|
||||||
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
- &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
||||||
|
- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# kinda.sus.lol
|
# kinda.sus.lol
|
||||||
- path_regex: hosts/kinda.sus.lol/secrets/.*
|
- path_regex: hosts/kinda.sus.lol/secrets/.*
|
||||||
|
@ -19,3 +20,9 @@ creation_rules:
|
||||||
- age:
|
- age:
|
||||||
- *admin_ecchi
|
- *admin_ecchi
|
||||||
- *host_nyx_lewd_wtf
|
- *host_nyx_lewd_wtf
|
||||||
|
# phoenix.lewd.wtf
|
||||||
|
- path_regex: hosts/phoenix.lewd.wtf/secrets/.*
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *admin_ecchi
|
||||||
|
- *host_phoenix_lewd_wtf
|
||||||
|
|
23
flake.nix
23
flake.nix
|
@ -50,6 +50,16 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
specialArgs = { inherit inputs self; };
|
||||||
|
modules = [
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
./default.nix
|
||||||
|
./hosts/phoenix.lewd.wtf/configuration.nix
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
specialArgs = { inherit inputs self; };
|
specialArgs = { inherit inputs self; };
|
||||||
|
@ -131,6 +141,19 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"phoenix.lewd.wtf" = {
|
||||||
|
sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=no" ];
|
||||||
|
hostname = "lewdathome.duckdns.org";
|
||||||
|
fastConnection = true;
|
||||||
|
|
||||||
|
profiles.system = {
|
||||||
|
sshUser = "root";
|
||||||
|
path =
|
||||||
|
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."phoenix.lewd.wtf";
|
||||||
|
user = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
"aztul.elmosco.lewd.wtf" = {
|
"aztul.elmosco.lewd.wtf" = {
|
||||||
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
|
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
|
||||||
hostname = "aztul.elmosco.lewd.wtf";
|
hostname = "aztul.elmosco.lewd.wtf";
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
{ self, config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
utils = import ../../util/include.nix { lib = lib; };
|
||||||
|
imports =
|
||||||
|
(utils.includeDir ./services) ++
|
||||||
|
[
|
||||||
|
./hardware-configuration.nix
|
||||||
|
./networking.nix
|
||||||
|
./secrets.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
in {
|
||||||
|
inherit imports;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = false;
|
||||||
|
boot.loader.grub = {
|
||||||
|
enable = true;
|
||||||
|
efiSupport = false;
|
||||||
|
copyKernels = true;
|
||||||
|
mirroredBoots = [
|
||||||
|
{ path = "/boot-1"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0M558343V" ]; }
|
||||||
|
{ path = "/boot-2"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0N633130M" ]; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "phoenix";
|
||||||
|
networking.domain = "lewd.wtf";
|
||||||
|
|
||||||
|
system.stateVersion = "24.05"; # Did you read the comment?
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "zroot/root";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot-1" = {
|
||||||
|
device = "/dev/disk/by-uuid/6CA4-1FB2";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot-2" = {
|
||||||
|
device = "/dev/disk/by-uuid/6CA5-F5A2";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/mnt/zvault/desktop" = {
|
||||||
|
device = "zvault/desktop";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/mnt/zbigdata/media" = {
|
||||||
|
device = "zbigdata/media";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
|
@ -0,0 +1,22 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
networking.useDHCP = false;
|
||||||
|
networking.bridges = {
|
||||||
|
"br0" = {
|
||||||
|
interfaces = [
|
||||||
|
"eno2"
|
||||||
|
"enp23s0"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.interfaces.br0.ipv4.addresses = [
|
||||||
|
{
|
||||||
|
address = "192.168.0.42";
|
||||||
|
prefixLength = 22;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
networking.defaultGateway = "192.168.0.1";
|
||||||
|
networking.nameservers = [ "192.168.0.1" ];
|
||||||
|
}
|
|
@ -0,0 +1,10 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
|
# Vaultwarden
|
||||||
|
sops.secrets."services/msmtp/password" = {
|
||||||
|
mode = "0777";
|
||||||
|
sopsFile = ./secrets/msmtp.yaml;
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,32 @@
|
||||||
|
services:
|
||||||
|
msmtp:
|
||||||
|
password: ENC[AES256_GCM,data:k4pMmcPrv0jQkr2Odd4elg==,iv:/gNqUPgd480v/C8+BOuFUNdjkEXWNjMqzwQ4HxftnC4=,tag:8/HVE/aHCbyHRMlNB2mT8A==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYamhaWEhNNVZBUXMvU1dx
|
||||||
|
cVppQVpNcjFXRzgvTmRXYTk0SFZkbWFWWFNvCndnZnkxd1F0Y3VjVW1FZGhJWGR3
|
||||||
|
N29zM0ltT2wyUjg0UU9VdU1mY3htMmcKLS0tIDhpclNJT09pUGI2TnpaSEpwZGNk
|
||||||
|
WWxHUEYxZTkxcktnSXl0YXl6elJ6eTQKit0pzEYgg3hc08swMg1mh17DLbVAXBu9
|
||||||
|
TaDZYCsH+nYzIVYG8Sp2IZVxENUbr6P5spDJs1dVSvWsRPLj0SXC/Q==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU0U4Ujk5dUhOL3ZFRFA0
|
||||||
|
Ny9UMG9ISmNRbDdCQThKNWtlTjVCLy9aNms4CmtxeXNhU2FmQkJzaDdBY1J4UWsv
|
||||||
|
MFF1dEdURFJXaDdiRkVaeFNVUXFJSm8KLS0tIFl6bnd3aGk4ZDlIMEdaaGRJUHA3
|
||||||
|
bFh4ZHF0S1Y4N2srS3dTUUxPRDRyZVkKlJJHMJ7nBcZqZXC893YIh3CDeWwew24n
|
||||||
|
lm2h3RzTQ993wnD6434FJF6MEKbOAfeunKf2K1GrKjfDO58n7I0edg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-02-04T00:02:21Z"
|
||||||
|
mac: ENC[AES256_GCM,data:ULRJMKr3fvp9wDKuj1P62POxY43ZgtA60uhd2MLhTbPtYKM2r1bJbiLpwYi8pXKIC7I6Fl/og/fL2fyEx5ZRA7jME8PRQvmWlTytZnsOa8RCDYot5JxhwGwJ3keIZFAAnUxX3Vc0+Ch4u3qr1+EbffEh6m1Vt9fJiujI9aWdrt8=,iv:qjnWcu9wvnQ4H1Q6zu8edHYHjniJqz80Bx4XOkZ3+l8=,tag:eQk73teW1pBVszamlDdaFQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -0,0 +1,21 @@
|
||||||
|
{
|
||||||
|
programs.msmtp = {
|
||||||
|
enable = true;
|
||||||
|
setSendmail = true;
|
||||||
|
defaults = {
|
||||||
|
aliases = builtins.toFile "aliases" ''
|
||||||
|
default: ciapa@lewd.wtf
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
accounts.default = {
|
||||||
|
auth = "plain";
|
||||||
|
host = "mail.your-server.de";
|
||||||
|
port = "587";
|
||||||
|
from = "phoenix@lewd.wtf";
|
||||||
|
user = "phoenix@lewd.wtf";
|
||||||
|
passwordeval = "cat /run/secrets/services/msmtp/password";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,16 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
{
|
||||||
|
fileSystems."/export/desktop" = {
|
||||||
|
device = "/mnt/zvault/desktop";
|
||||||
|
options = [ "bind" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nfs.server.enable = true;
|
||||||
|
services.nfs.server.exports = ''
|
||||||
|
/export 192.168.0.20(rw,fsid=0,no_subtree_check)
|
||||||
|
/export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check)
|
||||||
|
'';
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 2049 ];
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
{
|
||||||
|
services.smartd.enable = true;
|
||||||
|
services.smartd.notifications.mail.enable = true;
|
||||||
|
services.smartd.notifications.mail.sender = "phoenix@lewd.wtf";
|
||||||
|
services.smartd.notifications.mail.recipient = "ciapa@lewd.wtf";
|
||||||
|
}
|
|
@ -0,0 +1,82 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
sendEmailEvent = { event }: ''
|
||||||
|
printf "Subject: phoenix ${event} ''$(${pkgs.coreutils}/bin/date --iso-8601=seconds)\n\nzpool status:\n\n''$(${pkgs.zfs}/bin/zpool status)" | ${pkgs.msmtp}/bin/msmtp -a default ciapa@lewd.wtf
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# ZFS remote unlocking
|
||||||
|
boot.initrd.availableKernelModules = [ "igb" ];
|
||||||
|
boot.kernelParams = [
|
||||||
|
"ip=192.168.0.42::192.168.0.1:255.255.252.0:phoenix-initrd:eno2:off:192.168.0.1"
|
||||||
|
];
|
||||||
|
boot.initrd.network = {
|
||||||
|
enable = true;
|
||||||
|
ssh = {
|
||||||
|
enable = true;
|
||||||
|
port = 2222;
|
||||||
|
hostKeys = [
|
||||||
|
/boot-1/initrd-ssh-key
|
||||||
|
/boot-2/initrd-ssh-key
|
||||||
|
];
|
||||||
|
authorizedKeys = [ config.users.users.root.openssh.authorizedKeys.keys ];
|
||||||
|
};
|
||||||
|
postCommands = ''
|
||||||
|
cat <<EOF > /root/.profile
|
||||||
|
if pgrep -x "zfs" > /dev/null
|
||||||
|
then
|
||||||
|
zfs load-key zroot
|
||||||
|
zpool import -f zbigdata
|
||||||
|
zfs load-key zbigdata
|
||||||
|
zpool import -f zvault
|
||||||
|
zfs load-key zvault
|
||||||
|
killall zfs
|
||||||
|
else
|
||||||
|
echo "zfs not running -- maybe the pool is taking some time to load for some unforseen reason."
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# ZFS options from https://nixos.wiki/wiki/NixOS_on_ZFS
|
||||||
|
networking.hostId = "42069420";
|
||||||
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
|
|
||||||
|
# ZFS notifications
|
||||||
|
services.zfs.zed.enableMail = true;
|
||||||
|
services.zfs.zed.settings = {
|
||||||
|
ZED_EMAIL_ADDR = [ "ciapa@lewd.wtf" ];
|
||||||
|
ZED_EMAIL_OPTS = "-a 'FROM:phoenix@lewd.wtf' -s '@SUBJECT@' @ADDRESS@";
|
||||||
|
ZED_NOTIFY_VERBOSE = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Timed status mails (Boot, Shutdown, Weekly)
|
||||||
|
systemd.services."boot-mail-alert" = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
script = sendEmailEvent { event = "just booted"; };
|
||||||
|
};
|
||||||
|
systemd.services."shutdown-mail-alert" = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
script = "true";
|
||||||
|
preStop = sendEmailEvent { event = "is shutting down"; };
|
||||||
|
};
|
||||||
|
systemd.services."weekly-mail-alert" = {
|
||||||
|
serviceConfig.Type = "oneshot";
|
||||||
|
script = sendEmailEvent { event = "is still alive"; };
|
||||||
|
};
|
||||||
|
systemd.timers."weekly-mail-alert" = {
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
partOf = [ "weekly-mail-alert.service" ];
|
||||||
|
timerConfig.OnCalendar = "weekly";
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in New Issue