
Compare commits



17 changed files with 297 additions and 129 deletions


@ -0,0 +1,12 @@
{ ... }:
{
clerie.backup = {
targets = {
cyan.serverName = "cyan.backup.clerie.de";
magenta.serverName = "magenta.backup.clerie.de";
};
};
}


@ -4,115 +4,17 @@
imports = [ imports = [
../../modules ../../modules
./backup.nix
./locale.nix
./nix.nix
./programs.nix
./ssh.nix
./user.nix
./web.nix ./web.nix
]; ];
networking.domain = "net.clerie.de";
networking.firewall.logRefusedConnections = lib.mkDefault false;
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "de_DE.UTF-8";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
};
console = {
keyMap = "de-latin1";
};
security.sudo.wheelNeedsPassword = lib.mkDefault false;
users.groups.guests = {};
nix.settings = {
trusted-users = [ "@wheel" "@guests" ];
auto-optimise-store = true;
# Keep buildtime dependencies
keep-outputs = true;
# Build local, when caches are broken
fallback = true;
};
environment.systemPackages = with pkgs; [
gptfdisk
htop
parted
tmux
colmena
vim
agenix
];
programs.mtr.enable = true;
programs.git.enable = true;
programs.git.config = {
user = {
name = "clerie";
email = "git@clerie.de";
};
};
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
};
nix.gc = lib.mkDefault {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings = {
experimental-features = [
"flakes"
"nix-command"
"repl-flake"
];
substituters = [
"https://nix-cache.clerie.de"
];
trusted-public-keys = [
"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
];
};
# Pin current nixpkgs channel and flake registry to the nixpkgs version
# the host got build with
nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
nix.registry = lib.mkForce {
"nixpkgs" = {
from = {
type = "indirect";
id = "nixpkgs";
};
to = {
type = "path";
path = lib.cleanSource pkgs.path;
};
exact = true;
};
};
services.fstrim.enable = true; services.fstrim.enable = true;
clerie.nixfiles.enable = true;
clerie.backup = {
targets = {
cyan.serverName = "cyan.backup.clerie.de";
magenta.serverName = "magenta.backup.clerie.de";
};
};
documentation.doc.enable = false;
nixpkgs.overlays = [ nixpkgs.overlays = [
(import ../../pkgs/overlay.nix) (import ../../pkgs/overlay.nix)
]; ];


@ -0,0 +1,15 @@
{ ... }:
{
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "de_DE.UTF-8";
i18n.extraLocaleSettings = {
LC_MESSAGES = "en_US.UTF-8";
};
console = {
keyMap = "de-latin1";
};
}


@ -0,0 +1,9 @@
{ ... }:
{
networking.domain = "net.clerie.de";
networking.firewall.logRefusedConnections = lib.mkDefault false;
}
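Review bot: `networking.firewall.logRefusedConnections = lib.mkDefault false;` references `lib`, but the module header on the first line is `{ ... }:`, so as shown `lib` is unbound and evaluation should fail with an undefined-variable error. The header should be `{ lib, ... }:`, as ssh.nix and user.nix in this same change do. Four of the file's nine lines are not visible here; if a binding for `lib` sits in them, this can be ignored.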


@ -0,0 +1,56 @@
{ lib, pkgs, ... }:
{
clerie.nixfiles.enable = true;
nix.settings = {
trusted-users = [ "@wheel" "@guests" ];
auto-optimise-store = true;
# Keep buildtime dependencies
keep-outputs = true;
# Build local, when caches are broken
fallback = true;
};
nix.gc = lib.mkDefault {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings = {
experimental-features = [
"flakes"
"nix-command"
"repl-flake"
];
substituters = [
"https://nix-cache.clerie.de"
];
trusted-public-keys = [
"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
];
};
# Pin current nixpkgs channel and flake registry to the nixpkgs version
# the host got build with
nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
nix.registry = lib.mkForce {
"nixpkgs" = {
from = {
type = "indirect";
id = "nixpkgs";
};
to = {
type = "path";
path = lib.cleanSource pkgs.path;
};
exact = true;
};
};
documentation.doc.enable = false;
}
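Review bot: `trusted-users = [ "@wheel" "@guests" ];` gives every member of `guests` the daemon's trusted rights (extra substituters, unsigned store paths), which the Nix manual describes as effectively root-equivalent, yet the `guests` group is created in user.nix without any note on who belongs to it. A one-line comment next to the entry, `# @guests: members may add caches / import unsigned paths — root-equivalent on this host`, would keep that trust decision visible to the next reader. Also, `nix.settings` is defined twice in this file (the first block and the `experimental-features` block); the module system merges them, but a single attrset reads more clearly.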


@ -0,0 +1,26 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
gptfdisk
htop
parted
tmux
colmena
vim
agenix
];
programs.mtr.enable = true;
programs.git.enable = true;
programs.git.config = {
user = {
name = "clerie";
email = "git@clerie.de";
};
};
}


@ -0,0 +1,16 @@
{ lib, ... }:
{
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
};
services.openssh.hostKeys = lib.mkForce [
# Only create ed25519 host keys
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
}
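Review bot: `services.openssh.hostKeys = lib.mkForce [` is stronger than needed to drop the option's default key set: a plain assignment already overrides an option default, while `mkForce` additionally discards, without any warning, hostKeys that a host-specific module might define. Unless another module is known to set this option, `services.openssh.hostKeys = [` is enough; if the force is deliberate, extend the comment to say so, `# Only create ed25519 host keys; mkForce so per-host modules cannot add others`.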


@ -0,0 +1,9 @@
{ lib, ... }:
{
security.sudo.wheelNeedsPassword = lib.mkDefault false;
users.groups.guests = {};
}


@ -9,11 +9,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695339232, "lastModified": 1695384796,
"narHash": "sha256-6wQHW3uHECpGIBolTccQ6x3/9b8E1SrO+VzTABKe2xM=", "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "7f9dfa309f24dc74450ecab6e74bc3d11c7ce735", "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -102,6 +102,11 @@
allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ]; allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ];
publicKey = "syHX6PO1N3Annv5t2W8bdAo/kMoYenzrcPrUHxkIBEE="; publicKey = "syHX6PO1N3Annv5t2W8bdAo/kMoYenzrcPrUHxkIBEE=";
} }
{
# zinc-initrd
allowedIPs = [ "2a01:4f8:c0c:15f1::8110/128" "10.20.30.110/32" ];
publicKey = "kn6ZtViagKGSyfQJQW6csQE/5r7uKlbC1rbInlQ33xs=";
}
]; ];
listenPort = 51820; listenPort = 51820;
allowedIPsAsRoutes = false; allowedIPsAsRoutes = false;


@ -12,6 +12,8 @@
element-desktop element-desktop
signal-desktop signal-desktop
dino dino
fractal-next
tio tio
xournalpp xournalpp


@ -4,6 +4,7 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./initrd.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -18,19 +19,6 @@
}; };
}; };
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 1022;
shell = "/bin/cryptsetup-askpass";
authorizedKeys = config.users.users.clerie.openssh.authorizedKeys.keys;
hostKeys = [
"/var/src/secrets/initrd/ssh_host_ed25519_key"
];
};
boot.initrd.kernelModules = [ "igc" ];
boot.kernelParams = [ "ip=dhcp" ];
networking.hostName = "zinc"; networking.hostName = "zinc";
services.wg-clerie = { services.wg-clerie = {

hosts/zinc/initrd.nix Normal file

@ -0,0 +1,28 @@
{ config, ... }:
{
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 1022;
#shell = "/bin/cryptsetup-askpass";
authorizedKeys = config.users.users.clerie.openssh.authorizedKeys.keys;
hostKeys = [
"/var/src/secrets/initrd/ssh_host_ed25519_key"
];
};
boot.initrd.kernelModules = [
"igc" # integrated rj45 network interface
"cdc_ether" # external 5G modem via usb
];
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.network.wireguard = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8110/128" ];
ipv4s = [ "10.20.30.110/32" ];
privateKeyFile = "/var/src/secrets/wireguard/wg-initrd";
};
}
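Review bot: The commented-out `#shell = "/bin/cryptsetup-askpass";` changes what the authorized key reaches on port 1022: instead of the askpass prompt, an initrd SSH session now gets the default shell, which is a wider surface than the old configuration.nix exposed. If that is intentional, replace the bare commented line with a reason, e.g. `# shell left at default: full initrd shell instead of the askpass prompt`, so the change is neither reverted nor kept by accident. The `ipv6s`/`ipv4s` values duplicate the zinc-initrd peer's allowedIPs in the wg-clerie host list; a comment pointing at that peer entry would help keep the two in sync.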


@ -1,9 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 HwR33w GylpkU4Ggva7AOyvfiwH2/lAkSH7T20sQmHlJfOOch0 -> ssh-ed25519 HwR33w RJr/aWAuz9pHJyeiT4VGl24oBL3PW/h2yhMlNKdeH3k
kzollmoX54CmDyP0WIeI2yEmgdiymf8A8TNEDAPnO8Y KsHqO3xKdVMgtgXFYFKD7sapwaQBDX70yUMwFqVSsc4
-> ssh-ed25519 bZcGZQ GwcT/xiAoRIN1OfV+uDIcpw+lX+ZC20AmOLg6B2PM3k -> ssh-ed25519 h49YJA woMEtKliLp92iPq8OFK2okbFbZbqtsH2LIRYyBQEs1U
YnhZzPHao9tgl1RssSFFWtCb2soWv3XyfKgfIM+brJo BJRYOXn4Yg5IzJxOukdzvlrZadralTdJg7FKcz4yV9c
-> +>1#-grease -> 5R?-grease @H*!dd.z qES\G 7JLNzC
yEhsdkJvmaW0F1hgD6zkMgmUE0Rc7zFQ9jz/dJ0RC/MOFGDt0g AzZ7dZCu+BRUNqJ7Qikw8fbSxSlP7IOm1/9DmYNm6KJIQbNLqrdCfMI8i5G7hbEG
--- zLB+ok+CDy2k2PhSlyDTfVTSkiM9ht2YjohIwKVaMis pGVLYCrnZudEPKmEI7WtgGsQ
ìr#þ¢Þ]¸<>ˈp'ÉøX;íq»ÈQÅkÿ%ÅW4¦†W±+<02>±™îš5Yª2åÌ•b“Ã(¡a=˜Ètéc<*ö^r --- DEhkE0BvIaahPO/+T8NzqSCNg2hmbdCwTSF2faMECgk
«ŒÈ߃ïCиáùÝgu«1à"ï Zc1æ À53)Ëb‡¦f]QDF k:óc;ÈiQw<02>nðq­TÁbmÓbšcÜHo¸


@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMhwaD2nyIUiR3lP6tasd4Rx6XCoSpdebjlETfuENai root@zinc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/HUikWFjhmlXkcyx9cQH9YQFqsu38xUt5mFXBjNbYR


@ -15,5 +15,6 @@
./nixfiles ./nixfiles
./update-from-hydra ./update-from-hydra
./wg-clerie ./wg-clerie
./wireguard-initrd
]; ];
} }


@ -0,0 +1,98 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.boot.initrd.network.wireguard;
in
{
options = {
boot.initrd.network.wireguard = {
enable = mkEnableOption "Wireguard in initrd";
privateKeyFile = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to file containing private key for wireguard interface";
};
ipv6s = mkOption {
type = with types; listOf str;
default = [];
description = "IPv6 interface addresses";
};
ipv4s = mkOption {
type = with types; listOf str;
default = [];
description = "IPv4 interface addresses";
};
};
};
config = mkIf cfg.enable {
boot.initrd.kernelModules = [ "wireguard" ];
boot.initrd.extraUtilsCommands = ''
for BIN in ${pkgs.iproute2}/bin/*; do
copy_bin_and_libs $BIN
done
[ -f "$out/bin/wg" ] && rm "$out/bin/wg"
cp -pdv ${pkgs.wireguard-tools}/bin/.wg-wrapped $out/bin/wg
'';
boot.initrd.network.postCommands = ''
ip link add dev "wg-initrd" type wireguard
${concatMapStringsSep "\n" (ip: ''
ip address add "${ip}" dev "wg-initrd"
'') cfg.ipv6s}
${concatMapStringsSep "\n" (ip: ''
ip address add "${ip}" dev "wg-initrd"
'') cfg.ipv4s}
wg set "wg-initrd" private-key "/var/src/secrets/wireguard/wg-initrd"
ip link set up "wg-initrd"
wg set "wg-initrd" peer "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=" \
endpoint "$(ip route get 2a01:4f8:c0c:15f1::1 ipproto udp dport 51820 &>/dev/null && echo '[2a01:4f8:c0c:15f1::1]:51820' || echo '78.47.183.82:51820')" \
persistent-keepalive "25" \
allowed-ips "0.0.0.0/0,::/0,10.20.30.0/24,2a01:4f8:c0c:15f1::/113"
ip route add "::/0" dev "wg-initrd" table 1337
ip route add "0.0.0.0/0" dev "wg-initrd" table 1337
${concatMapStringsSep "\n" (ip: ''
ip -6 rule add from "${ip}" lookup 1337 prio 19000
ip -6 rule add from "${ip}" unreachable prio 19001
'') cfg.ipv6s}
ip -6 rule add from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 lookup main prio 20000
ip -6 rule add from "2a01:4f8:c0c:15f1::1/128" ipproto udp dport 51820 unreachable prio 20001
ip -6 rule add lookup main prio 21000
ip -6 rule add lookup 1337 prio 21001
ip -6 rule add unreachable prio 21000
${concatMapStringsSep "\n" (ip: ''
ip -4 rule add from "${ip}" lookup 1337 prio 19000
ip -4 rule add from "${ip}" unreachable prio 19001
'') cfg.ipv4s}
ip -4 rule add from "78.47.183.82/32" ipproto udp dport 51820 lookup main prio 20000
ip -4 rule add from "78.47.183.82/32" ipproto udp dport 51820 unreachable prio 20001
ip -4 rule add lookup main prio 21000
ip -4 rule add lookup 1337 prio 21001
ip -4 rule add unreachable prio 21000
'';
boot.initrd.postMountCommands = ''
ip link del dev "wg-initrd"
ip -6 rule flush
ip -4 rule flush
'';
boot.initrd.secrets = {
"/var/src/secrets/wireguard/wg-initrd" = if cfg.privateKeyFile == null then config.age.secrets.wg-clerie.path else cfg.privateKeyFile;
};
};
}
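Review bot: `&>/dev/null` in the endpoint probe inside `boot.initrd.network.postCommands` is a bash extension; if the stage-1 shell is ash rather than bash, the `&` backgrounds `ip route get` and the `&&` branch always wins, so the IPv6 endpoint is selected even when the v6 route lookup fails — the POSIX form `>/dev/null 2>&1` avoids that. The lines `ip -6 rule add unreachable prio 21000` and `ip -4 rule add unreachable prio 21000` share priority 21000 with `lookup main` and sit ahead of `lookup 1337 prio 21001`, so whether table 1337 is ever consulted depends on the kernel's tie-breaking for equal preferences; the sequence reads as if `prio 21002` was intended. The peer public key, both endpoints and the key path are fixed in the script while only the addresses are options; a `let` binding or further options would make them easier to audit. The `privateKeyFile` description should also state that the `null` default reuses `config.age.secrets.wg-clerie.path`, i.e. the host's regular WireGuard key, inside the initrd.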