diff --git a/.sops.yaml b/.sops.yaml
index d8d7190..c02802a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -7,6 +7,7 @@ keys:
 - &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
 - &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
 - &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+ - &host_sphinx_lewd_wtf age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h
 creation_rules:
 # kinda.sus.lol
 - path_regex: hosts/kinda.sus.lol/secrets/.*
@@ -26,3 +27,9 @@ creation_rules:
 - age:
 - *admin_ecchi
 - *host_phoenix_lewd_wtf
+ # sphinx.lewd.wtf
+ - path_regex: hosts/sphinx.lewd.wtf/secrets/.*
+ key_groups:
+ - age:
+ - *admin_ecchi
+ - *host_sphinx_lewd_wtf
diff --git a/flake.nix b/flake.nix
index bbcef69..b8e793e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,16 @@
 ];
 };
 
+ "sphinx.lewd.wtf" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs self; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./default.nix
+ ./hosts/sphinx.lewd.wtf/configuration.nix
+ ];
+ };
+
 "aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = { inherit inputs self; };
@@ -75,7 +85,18 @@
 user = "root";
 };
 };
-
+ "sphinx.lewd.wtf" = {
+ sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=no" ];
+ hostname = "sphinx.lewd.wtf";
+ fastConnection = true;
+
+ profiles.system = {
+ sshUser = "root";
+ path =
+ deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."sphinx.lewd.wtf";
+ user = "root";
+ };
+ };
 "aztul.elmosco.lewd.wtf" = {
 sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
 hostname = "aztul.elmosco.lewd.wtf";
diff --git a/hosts/sphinx.lewd.wtf/configuration.nix b/hosts/sphinx.lewd.wtf/configuration.nix
new file mode 100644
index 0000000..41601c0
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/configuration.nix
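Review bot: The new rule's `path_regex` leaves the dots in `hosts/sphinx.lewd.wtf/secrets/.*` unescaped, so it also matches directory names that differ from `sphinx.lewd.wtf` only in those positions and would encrypt such a file to the sphinx host key; the existing rules share the pattern, but `path_regex: hosts/sphinx\.lewd\.wtf/secrets/.*` is exact. The recipient added in the first hunk (`age1myz28…`) is the same key listed as `sops_age__list_1__map_recipient` in the new `secrets/vaultwarden.env`, so the rule and the encrypted file agree.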
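Review bot: In the deploy-node hunk of flake.nix, `sshOpts` for the new `"sphinx.lewd.wtf"` node disables host key verification (`StrictHostKeyChecking=no`), so a root deploy would proceed against whatever host answers on sphinx.lewd.wtf:222; the existing aztul node does the same, but for a freshly provisioned host the key can be pinned instead, e.g. `sshOpts = [ "-p" "222" "-o" "StrictHostKeyChecking=yes" ];` with the host key recorded in known_hosts (`accept-new` is the weaker middle ground). Port 222 is not configured in any of the new host modules in this commit, so it presumably comes from the shared `./default.nix` — verify, or the first deploy will not connect.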
@@ -0,0 +1,25 @@
+{ self, config, pkgs, lib, ... }:
+let
+ utils = import ../../util/include.nix { lib = lib; };
+ imports =
+ (utils.includeDir ./services) ++
+ [
+ ./hardware-configuration.nix
+ ./networking.nix
+ ./secrets.nix
+ ];
+in
+{
+ inherit imports;
+
+ networking.hostName = "sphinx";
+ networking.domain = "lewd.wtf";
+
+ boot.loader.grub = {
+ enable = true;
+ efiSupport = false;
+ devices = [ "/dev/sda" ];
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/hosts/sphinx.lewd.wtf/hardware-configuration.nix b/hosts/sphinx.lewd.wtf/hardware-configuration.nix
new file mode 100644
index 0000000..03503e5
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/hardware-configuration.nix
@@ -0,0 +1,11 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.kernelModules = [ "nvme" ];
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+}
diff --git a/hosts/sphinx.lewd.wtf/networking.nix b/hosts/sphinx.lewd.wtf/networking.nix
new file mode 100644
index 0000000..5b122e8
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/networking.nix
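Review bot: `utils = import ../../util/include.nix { lib = lib; };` is the long form of `{ inherit lib; }`, and `self`, `config` and `pkgs` are taken as module arguments but never used in configuration.nix; reducing the header to `{ lib, ... }:` makes the file's real dependencies visible at a glance. `boot.loader.grub.devices = [ "/dev/sda" ]` (and the root filesystem in hardware-configuration.nix) is addressed by kernel device name rather than by UUID or label, so a device enumeration change on the VM would break boot; a one-line comment stating that this is intentional for this guest, or a stable `/dev/disk/by-*` path, would make the choice explicit.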
@@ -0,0 +1,32 @@
+{ lib, ... }: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [ "8.8.8.8" ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ { address="116.203.182.240"; prefixLength=32; }
+ ];
+ ipv6.addresses = [
+ { address="2a01:4f8:1c1b:7a9b::1"; prefixLength=64; }
+ { address="fe80::9400:3ff:fe62:dffe"; prefixLength=64; }
+ ];
+ ipv4.routes = [ { address = "172.31.1.1"; prefixLength = 32; } ];
+ ipv6.routes = [ { address = "fe80::1"; prefixLength = 128; } ];
+ };
+
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:03:62:df:fe", NAME="eth0"
+
+ '';
+}
diff --git a/hosts/sphinx.lewd.wtf/secrets.nix b/hosts/sphinx.lewd.wtf/secrets.nix
new file mode 100644
index 0000000..05598dc
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/secrets.nix
@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ # Vaultwarden
+ sops.secrets."services/vaultwarden/.env" = {
+ mode = "0400";
+ owner = config.users.users.vaultwarden.name;
+ group = config.users.users.vaultwarden.group;
+ sopsFile = ./secrets/vaultwarden.env;
+ format = "dotenv";
+ };
+}
diff --git a/hosts/sphinx.lewd.wtf/secrets/vaultwarden.env b/hosts/sphinx.lewd.wtf/secrets/vaultwarden.env
new file mode 100644
index 0000000..0dd78b2
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/secrets/vaultwarden.env
@@ -0,0 +1,11 @@ +ADMIN_TOKEN=ENC[AES256_GCM,data:xAMhqj/wAqmDPUEo+IUMsaY9+/dTOmdwm5NKu7LC9PGgyORRVjowI5Fu/3j47u9JKLXPyGvQM33s+S3VqNhspQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:QRsgnB9K1DcEcHlGrUA2EQ==,type:str] +SMTP_PASSWORD=ENC[AES256_GCM,data:JvSxXTTPQmox2O7n28018A==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:v3Rkhp4HpjZE8Z45N3jcxQ==,type:str] +YUBICO_SECRET_KEY=ENC[AES256_GCM,data:oUXZDR5F1eXNKFYYiK9BQfeuves36PdqfKE1Yb7Z,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:F5kb5XqY0JPeBGYOFrQC8g==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcWZxL3Q4dElaV0hjWm9J\nN1ViOEZkS3Z1RlAvRHFKZjdhU2drNWFZT3dBClY3Rm1lK1FaR1hmSTZ5dUJSNktK\ndGhneVdXS2R3MXB4N01yaTBlaGxjSEUKLS0tIHY3ejBnUzNlRWs3L0c3bkpBRFk5\ndHJNdG9ESHZ3ZzlPMExwNmpZSHpYZVUK9d6xS6ji8N3rZS1OmXJU7VZd6jZNETPK\nZTozNHhcvQiXTdlc23cSUZOHeJyugV+IjRpkDUBjh/0f/YzBNH7gsA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTEdOT3RaQWNzQkhzd0ds\ncS9tVWZJbDNMUmNCcWpRSDJwbDV4cUpHZ0ZJCkdBUGRxOUp2QnpYSnRpdzFxK2Fj\nSW9lRUIxbFBoWDFYVEhDK3FvOGk0VzgKLS0tIENBVkpTa0ZpTFFpVG4yR1p2c1lT\nZExSWmdUTXR5SS8yZzQ1VExGdkk0alkKIebJqoBgEv9KK8Nmtyo4xYAd8UA7czBC\noRHZv9cduFhA55iDvEQIdfrDJGMTCAbnuXEGlh0hee0KFFrsar7FEg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age1myz28jqex5kpcsjqg2a0la8cyuutzj4cxf53vs3v8ey6fqzvk3ws8z8k3h +sops_lastmodified=2024-06-06T10:12:52Z +sops_mac=ENC[AES256_GCM,data:KRi4A7W8/SWaSdX6kz1r00u0s0e+H9T1DlNlWXjbL5ZqUiACBGvmnlU0Ylqter7JBnP6hM3y34wuTH3XzqpAmcPLSCg6bhLqV24AIzTxb/xJJUj0G2uTle//LUipVVem19ECVS0refj36nDd4Lzuyy6fe6uowQMkt2vzLlmr6t8=,iv:1DTq4KQLJwyByoFP6inLp4DmrFra+ca1EEAGgUJ5NMs=,tag:oovcb4hGB1dyOzR5GV5wog==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.7.3 
diff --git a/hosts/sphinx.lewd.wtf/services/nginx.nix b/hosts/sphinx.lewd.wtf/services/nginx.nix
new file mode 100644
index 0000000..6449182
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/services/nginx.nix
@@ -0,0 +1,7 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ };
+}
diff --git a/hosts/sphinx.lewd.wtf/services/vaultwarden.nix b/hosts/sphinx.lewd.wtf/services/vaultwarden.nix
new file mode 100644
index 0000000..4a7d94a
--- /dev/null
+++ b/hosts/sphinx.lewd.wtf/services/vaultwarden.nix
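Review bot: nginx is enabled and ports 80/443 are opened with nothing but `enable = true;`, so the module's default TLS protocol and cipher configuration is served and none of the `recommended*` hardening options apply; adding `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` next to `enable = true;` tightens TLS and provides the proxy headers that vaultwarden.nix currently repeats in each location block. The vaultwarden vhost uses `enableACME = true`, which requires `security.acme.acceptTerms` and `security.acme.defaults.email`; neither appears in the new host modules, so they presumably live in the shared `./default.nix` — verify before the first deploy.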
@@ -0,0 +1,60 @@
+{ config, ... }:
+{
+ users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
+
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = "/run/secrets/services/vaultwarden/.env";
+ config = {
+ DOMAIN = "https://vault.lewd.wtf";
+ SIGNUPS_ALLOWED = false;
+ SIGNUPS_VERIFY = true;
+ INVITATIONS_ALLOWED = false;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_PORT = 3012;
+ ROCKET_PORT = 8222;
+ SMTP_HOST = "mail.your-server.de";
+ SMTP_FROM = "vaultwarden@lewd.wtf";
+ SMTP_FROM_NAME = "Vaultwarden";
+ SMTP_USERNAME = "vaultwarden@lewd.wtf";
+ YUBICO_CLIENT_ID = 88022;
+ };
+ };
+
+ services.nginx.clientMaxBodySize = "128M";
+
+ services.nginx.virtualHosts."vault.lewd.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" +
+ "proxy_set_header X-Real-IP $remote_addr;" +
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" +
+ "proxy_set_header X-Real-IP $remote_addr;" +
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://127.0.0.1:3012";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" +
+ "proxy_set_header X-Real-IP $remote_addr;" +
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
+ "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ };
+}
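Review bot: Neither `ROCKET_ADDRESS` nor `WEBSOCKET_ADDRESS` is set in the `config` block, so whether ports 8222 and 3012 bind only to loopback depends on vaultwarden's defaults; only nginx on 127.0.0.1 needs to reach them, so pin them with `ROCKET_ADDRESS = "127.0.0.1"; WEBSOCKET_ADDRESS = "127.0.0.1";` rather than relying on the firewall rules in the sibling nginx.nix to keep them off the wire. The `environmentFile` path is a hard-coded string; `environmentFile = config.sops.secrets."services/vaultwarden/.env".path;` keeps it in step with the declaration in secrets.nix, and `config` is already an argument of this module. The four `proxy_set_header` lines are repeated verbatim in all three locations; `services.nginx.recommendedProxySettings = true` sets the same headers once, or bind the string in a `let` if the explicit form is preferred.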