
4 Commits

Author SHA1 Message Date
Flake Update Bot
22c2b28168 Update from master 2023-09-21T01:03+00:00 2023-09-21 03:03:02 +02:00
2f22810091 hosts/gatekeeper: add wg-clerie zinc 2023-09-20 21:03:12 +02:00
ef3c2c0174 hosts/zinc: enable wg-clerie 2023-09-20 21:01:40 +02:00
eef227d45a hosts/zinc: add host 2023-09-20 20:35:47 +02:00
6 changed files with 101 additions and 0 deletions


@ -69,6 +69,7 @@
schule = { name = "schule"; };
storage-2 = { name = "storage-2"; };
web-2 = { name = "web-2"; };
zinc = { name = "zinc"; };
_iso = { name = "_iso"; };
};


@ -97,6 +97,11 @@
allowedIPs = [ "2a01:4f8:c0c:15f1::8108/128" "10.20.30.108/32" ];
publicKey = "4b4M+we+476AV/fQ3lOmDbHFA0vvb3LwOEPVvNpuGm0=";
}
{
# zinc
allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ];
publicKey = "syHX6PO1N3Annv5t2W8bdAo/kMoYenzrcPrUHxkIBEE=";
}
];
listenPort = 51820;
allowedIPsAsRoutes = false;
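Review bot: The zinc peer's addresses on the `allowedIPs = [ "2a01:4f8:c0c:15f1::8109/128" "10.20.30.109/32" ];` line under `# zinc` repeat the ipv6s/ipv4s that the zinc host itself declares for services.wg-clerie in the new hosts/zinc configuration in this same compare, so the two places can drift apart without any evaluation error. If the host list that the first hunk extends with `zinc = { name = "zinc"; };` can carry addresses, deriving both sides from it would remove the duplication; otherwise a comment naming the other location, `# must match services.wg-clerie.ipv4s/ipv6s in hosts/zinc`, is the minimum. The enclosing peers list and its attribute set start outside the hunk.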


@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.timeout = 0;
boot.initrd.luks = {
devices.lvm = {
device = "/dev/disk/by-uuid/43275d9a-8fe8-4631-bf9c-a95d692b534f";
bypassWorkqueues = true;
};
};
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 1022;
shell = "/bin/cryptsetup-askpass";
authorizedKeys = config.users.users.clerie.openssh.authorizedKeys.keys;
hostKeys = [
"/var/src/secrets/initrd/ssh_host_ed25519_key"
];
};
boot.initrd.kernelModules = [ "igc" ];
boot.kernelParams = [ "ip=dhcp" ];
networking.hostName = "zinc";
services.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
ipv4s = [ "10.20.30.109/32" ];
};
system.stateVersion = "23.05";
}
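Review bot: The `boot.initrd.network.ssh` block (port 1022) does not say that it runs a separate pre-boot sshd whose host key comes from `/var/src/secrets/initrd/ssh_host_ed25519_key`, so a client unlocking the disk sees a host key different from the stage-2 one, and because the sibling hardware configuration in this compare mounts /boot as vfat, that key travels inside the initrd on an unencrypted partition. A comment such as `# pre-boot sshd for the LUKS unlock prompt; its host key is embedded in the initrd on /boot, keep it distinct from the stage-2 host key` would record both facts for the next reader. `authorizedKeys` is taken from `config.users.users.clerie.openssh.authorizedKeys.keys`, which is defined outside this file, presumably in a shared module, so a short note that the unlock prompt trusts every key of that user is also worth adding. Whether the secrets path exists on the build host at evaluation time cannot be checked from this hunk.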


@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/55d1a555-2c04-4108-beff-f2a93cec124a";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0509-0D2F";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s20f0u1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp89s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 HwR33w GylpkU4Ggva7AOyvfiwH2/lAkSH7T20sQmHlJfOOch0
kzollmoX54CmDyP0WIeI2yEmgdiymf8A8TNEDAPnO8Y
-> ssh-ed25519 bZcGZQ GwcT/xiAoRIN1OfV+uDIcpw+lX+ZC20AmOLg6B2PM3k
YnhZzPHao9tgl1RssSFFWtCb2soWv3XyfKgfIM+brJo
-> +>1#-grease
yEhsdkJvmaW0F1hgD6zkMgmUE0Rc7zFQ9jz/dJ0RC/MOFGDt0g
--- zLB+ok+CDy2k2PhSlyDTfVTSkiM9ht2YjohIwKVaMis
ìr#þ¢Þ]¸<>ˈp'ÉøX;íq»ÈQÅkÿ%ÅW4¦†W±+<02>±™îš5Yª2åÌ•b“Ã(¡a=˜Ètéc<*ö^r

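--- a/hosts/zinc/ssh.pub
+++ b/hosts/zinc/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMhwaD2nyIUiR3lP6tasd4Rx6XCoSpdebjlETfuENai root@zinc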