From 01428a1383f197ebe2e8c8152e5f0f3d9b4cb6bf Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Sat, 3 May 2025 20:43:03 +0200
Subject: [PATCH] Add host "cirrus"
---
 .sops.yaml | 6 +++++
 flake/hosts.nix | 1 +
 hosts/cirrus/default.nix | 12 ++++++++++
 hosts/cirrus/disko.nix | 36 ++++++++++++++++++++++++++++++
 hosts/cirrus/hardware.nix | 42 +++++++++++++++++++++++++++++++++++
 hosts/cirrus/secrets.yaml | 31 ++++++++++++++++++++++++++
 users/seb/@cirrus/default.nix | 3 +++
 7 files changed, 131 insertions(+)
 create mode 100644 hosts/cirrus/default.nix
 create mode 100644 hosts/cirrus/disko.nix
 create mode 100644 hosts/cirrus/hardware.nix
 create mode 100644 hosts/cirrus/secrets.yaml
 create mode 100644 users/seb/@cirrus/default.nix
diff --git a/.sops.yaml b/.sops.yaml
index f36681a..e369d3f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,6 @@
 keys:
 # Hosts
+ - &cirrus age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4
 - &alto age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t
 - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
 - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
@@ -16,6 +17,11 @@ creation_rules:
 - age:
 - *seb-admin
 - *alto
+ - path_regex: hosts/cirrus/secrets.yaml$
+ key_groups:
+ - age:
+ - *seb-admin
+ - *cirrus
 - path_regex: hosts/fern/secrets.yaml$
 key_groups:
 - age:
diff --git a/flake/hosts.nix b/flake/hosts.nix
index da08542..87a3774 100644
--- a/flake/hosts.nix
+++ b/flake/hosts.nix
@@ -35,6 +35,7 @@ in
 flake = {
 nixosConfigurations = lib.mkMerge [
 (mkHost "alto")
+ (mkHost "cirrus")
 (mkHost "fern")
 (mkHost "north")
 ];
diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
new file mode 100644
index 0000000..7541b86
--- /dev/null
+++ b/hosts/cirrus/default.nix
@@ -0,0 +1,12 @@
+_: {
+ system.stateVersion = "24.11";
+ boot.loader.grub.enable = true;
+
+ myConfig = {
+ sops.enable = true;
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+ };
+}
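Review bot: In hosts/cirrus/default.nix, `tailscale.ssh.enable = true` hands shell access on this host to the tailnet policy, and nothing in the new file records what that policy is expected to allow. `myConfig.tailscale` is defined outside this patch, so whether it also disables or firewalls a regular sshd cannot be seen here. A short comment above the option would record the intent, for example `# SSH only via Tailscale; access is governed by tailnet ACLs (tag: <host-tag>)`. The `tailscale-auth-key` added in hosts/cirrus/secrets.yaml is presumably needed only for first enrolment, so it is worth noting that it should be a single-use or short-lived, tagged key, because the encrypted value stays in repository history.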
diff --git a/hosts/cirrus/disko.nix b/hosts/cirrus/disko.nix
new file mode 100644
index 0000000..f61c8c6
--- /dev/null
+++ b/hosts/cirrus/disko.nix
@@ -0,0 +1,36 @@
+{
+ disko.devices = {
+ disk.main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg.pool = {
+ type = "lvm_vg";
+ lvs.root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/cirrus/hardware.nix b/hosts/cirrus/hardware.nix
new file mode 100644
index 0000000..1926895
--- /dev/null
+++ b/hosts/cirrus/hardware.nix
@@ -0,0 +1,42 @@
+{ modulesPath, inputs, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.default
+ "${modulesPath}/profiles/qemu-guest.nix"
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot.initrd.availableKernelModules = [
+ "ahci"
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+
+ zramSwap.enable = true;
+
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ networks."10-enp1s0" = {
+ matchConfig.Name = "enp1s0";
+ linkConfig.RequiredForOnline = "routable";
+ networkConfig.DHCP = "no";
+ address = [
+ "91.99.70.118/32"
+ "2a01:4f8:1c1b:ffc7:1/64"
+ ];
+ routes = [
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
+ { Gateway = "fe80::1"; }
+ ];
+ };
+ };
+ services.resolved.enable = true;
+}
diff --git a/hosts/cirrus/secrets.yaml b/hosts/cirrus/secrets.yaml
new file mode 100644
index 0000000..ddca5d2
--- /dev/null
+++ b/hosts/cirrus/secrets.yaml
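Review bot: In hosts/cirrus/disko.nix the `root` partition holds an `lvm_pv` directly, with no `luks` layer, so the root filesystem is stored unencrypted on the virtual disk and in any snapshot or backup of it. That presumably includes whatever private key this host uses to decrypt hosts/cirrus/secrets.yaml, although where that key lives is not visible in this patch. hardware.nix imports the qemu-guest profile, so unattended reboot on a hosted VM is probably the reason; if so, record it in a comment such as `# root is unencrypted on purpose (unattended boot); rotate the host age key if a disk image is exposed`. Separately, `device = "/dev/sda"` depends on kernel enumeration order, and a `/dev/disk/by-id/<disk-id>` path is the safer target for a tool that repartitions the disk.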
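Review bot: The IPv6 entry in the `address` list of hosts/cirrus/hardware.nix, `"2a01:4f8:1c1b:ffc7:1/64"`, has only five groups and no `::`, so it is not a valid IPv6 address. systemd-networkd is expected to reject it, which would leave the host with the `fe80::1` default route but no global IPv6 address. The intended value is most likely `"2a01:4f8:1c1b:ffc7::1/64"`. The interface also carries a public IPv4 address and this file sets no firewall options, so a comment saying where inbound filtering for the host is configured would help the next reader.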
@@ -0,0 +1,31 @@ +seb-password: ENC[AES256_GCM,data:/J83cgpBhjl6VveVZTX0ElEyexn3G3pZp6RKgfbR39QoG/5mExOk2xM999YFb5/vGaivogGQeFhwQ0j5Ij0KdaWCTXkFIQtfBw==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:QTqmyyywH0cV5rGQhPBBGg==,type:str] +tailscale-auth-key: ENC[AES256_GCM,data:u4F4B7cxqX5S+25lsB/X3WUYJFlLrIcqA+pWABDn0j08nL6a1Vg4n94LjkWYlcLIj9Axj9UCRurgPVwNpA0=,iv:iKZzHTD00h9/vwkewo14Ox+9EMuo5GawemRVjn1gLuM=,tag:ikLoAEbMDNlRZ3PGke2OZQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTldDcUk1dGVRMzNmZUhw + bzFRYUdNM3ZQanFIbkpyc2lqeTlLNFJEVzNrCjlnK2pRSnVmUU5WeGo1VW5kVjZp + b1hTZFB3eVZPL2xpU0F0MlBlTVNVTE0KLS0tIGU2YlRhMG9QRi9uYkVCOFlGTVhK + US82UEZXeUZxT2Fub3dRenNSTGVDdnMKJlKpdZdKGGKHcvczYNnzSz6T79mlT67I + QxNZvBQI+rZ6bNxDu4LqbtwCqRVu1uJLdedGY1VPF3ZIwfuzewyVDA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dnpwfwh0h95r63e5qfjc2gvffw2tr2tx4new7sq2h3qs90kx9fmq322mx4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc1E4VFJWUTl0Nkhjc1VL + amRLN3pLcVUvc1diWmhHTVdTYjd5SmxYS2hBCkpQSXFnQlVqcndtejNoL2xQQlRh + cG1uNlQxSUpJc0tRZHZFOVhibnFZOUUKLS0tIE84UGtkdldzM2oyTmF0Y0xPckpZ + aHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae + XeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-04T19:13:40Z" + mac: ENC[AES256_GCM,data:wTYrJHhjfYxeMEg64bgCI+sn4paLZ5de6eZ2md5VIv/nQkS8U8IznAq22rLp+X9WW5G1tbHlqte/7YCSFzeDOUG6/V7FBWht9QSbFnyBR3bTw5Bp98b0mTdvTWXTXSS7PNgzMhCiHyTVo1jcR+G3rfu4055PJe4wsbzk8nmNiLU=,iv:mgtXxoJT0pnC1f6bsovU1arPIl6jvqEyRS6OHT5ELQo=,tag:1FwWG4UO/KW2mcH3zBFJ9g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/users/seb/@cirrus/default.nix b/users/seb/@cirrus/default.nix new file mode 100644 index 0000000..9f75a8c 
--- /dev/null
+++ b/users/seb/@cirrus/default.nix
@@ -0,0 +1,3 @@
+_: {
+ imports = [ ../user.nix ];
+}