diff --git a/.sops.yaml b/.sops.yaml index b096d21..7af8a1a 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,5 +1,6 @@ keys: # Hosts + - &alto age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t - &fern age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e - &north age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp @@ -11,6 +12,11 @@ keys: creation_rules: # Hosts + - path_regex: hosts/alto/secrets.yaml$ + key_groups: + - age: + - *seb-admin + - *alto - path_regex: hosts/fern/secrets.yaml$ key_groups: - age: diff --git a/flake/hosts.nix b/flake/hosts.nix index 8927c30..cb95349 100644 --- a/flake/hosts.nix +++ b/flake/hosts.nix @@ -24,16 +24,25 @@ in { flake = { nixosConfigurations = lib.mkMerge [ + (mkHost "alto") (mkHost "fern") (mkHost "north") (mkHost "stratus") ]; - deploy.nodes.stratus = { - hostname = "stratus"; - sshUser = "root"; - remoteBuild = true; - profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.stratus; + deploy.nodes = { + stratus = { + hostname = "stratus"; + sshUser = "root"; + remoteBuild = true; + profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.stratus; + }; + alto = { + hostname = "alto"; + sshUser = "root"; + remoteBuild = true; + profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alto; + }; }; }; } diff --git a/hosts/alto/default.nix b/hosts/alto/default.nix new file mode 100644 index 0000000..17a8126 --- /dev/null +++ b/hosts/alto/default.nix @@ -0,0 +1,19 @@ +{ + imports = [ + ../shared.nix + ./hardware.nix + ./disko.nix + ]; + + system.stateVersion = "24.11"; + + myConfig = { + boot.loader.systemdBoot.enable = true; + sops.enable = true; + tailscale = { + enable = true; + ssh.enable = true; + exitNode.enable = true; + }; + }; +} 
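Review bot: The new `deploy.nodes.alto` entry is a verbatim copy of the `stratus` entry with only the name changed, so every future host will repeat the same four attributes and the hard-coded `x86_64-linux` platform; a small `mkDeployNode` helper, mirroring the `mkHost` helper this file already uses for `nixosConfigurations`, removes the duplication and can live inside the hunk as a local `let`. Both nodes deploy as `sshUser = "root"` to the bare hostname `alto`, which resolves through whatever the operator's resolver returns; with Tailscale SSH enabled on the host this is presumably meant to go over the tailnet, and a comment above `deploy.nodes` stating how the name is expected to resolve and what gates root login would make that trust path explicit. `mkHost` and the surrounding `let` block start before this hunk.
```nix
deploy.nodes =
  let
    # One deploy-rs node per host; root login and remote build are the same for all.
    mkDeployNode = name: {
      hostname = name;
      sshUser = "root";
      remoteBuild = true;
      profiles.system.path =
        inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${name};
    };
  in
  lib.genAttrs [ "stratus" "alto" ] mkDeployNode;
```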
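Review bot: `tailscale.exitNode.enable = true` turns a host that also carries a public, statically routed address (see `hosts/alto/hardware.nix` in this commit) into a forwarding node, and nothing in this file records which traffic may be forwarded or from where; `myConfig.tailscale.exitNode` is a local module whose definition is not in this diff, so confirm that it limits forwarding to traffic arriving on `tailscale0` and filters the FORWARD path, rather than enabling IP forwarding globally so that `ens3` can be used as a relay. Tailscale SSH is enabled on the same host and the deploy configuration logs in as root, so administrative access is gated entirely by the tailnet ACL; that assumption deserves a comment next to `ssh.enable = true`. A one-line header would also help a reader place the host, e.g. `# alto: x86_64 KVM guest with a public address; tailscale exit node + tailscale SSH, secrets via sops`.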
diff --git a/hosts/alto/disko.nix b/hosts/alto/disko.nix
new file mode 100644
index 0000000..67f34e6
--- /dev/null
+++ b/hosts/alto/disko.nix
@@ -0,0 +1,41 @@
+{
+ disko.devices = {
+ disk.disk1 = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "500M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg.pool = {
+ type = "lvm_vg";
+ lvs.root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/alto/hardware.nix b/hosts/alto/hardware.nix
new file mode 100644
index 0000000..4569cfe
--- /dev/null
+++ b/hosts/alto/hardware.nix
@@ -0,0 +1,43 @@
+{ modulesPath, inputs, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.default
+ "${modulesPath}/profiles/qemu-guest.nix"
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+
+ zramSwap.enable = true;
+
+ networking.useDHCP = false;
+ systemd.network = {
+ enable = true;
+ networks."10-ens3" = {
+ matchConfig.Name = "ens3";
+ address = [
+ "152.53.85.193/22"
+ "2a0a:4cc0:c0:23bd::/64"
+ ];
+ routes = [
+ { Gateway = "152.53.84.1"; }
+ { Gateway = "fe80::1"; }
+ ];
+ dns = [
+ "46.38.225.230"
+ "46.38.252.230"
+ "2a03:4000:0:1::e1e6"
+ "2a03:4000:8000::fce6"
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ services.resolved.enable = true;
+}
diff --git a/hosts/alto/secrets.yaml b/hosts/alto/secrets.yaml
new file mode 100644
index 0000000..44cb920
--- /dev/null
+++ b/hosts/alto/secrets.yaml
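Review bot: The ESP is mounted at `/boot` with no `mountOptions`, so the vfat partition is world-readable; this host boots with systemd-boot (`myConfig.boot.loader.systemdBoot.enable` in `hosts/alto/default.nix`), which keeps its random seed and loader entries there and whose `bootctl` warns about exactly this, so add `mountOptions = [ "umask=0077" ];` next to `mountpoint = "/boot";`. The root filesystem is plain ext4 on LVM with no LUKS layer, so whatever age identity the host uses to decrypt `secrets.yaml` (presumably derived from its SSH host key, as sops-nix usually does) sits unencrypted on the provider's disk; on a VPS without remote unlock that may be an accepted trade-off, but say so in a comment above `lvm_vg.pool` rather than leaving it implicit. `mountOptions = [ "defaults" ]` on the root filesystem is a no-op and can be dropped.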
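Review bot: The IPv6 address `2a0a:4cc0:c0:23bd::/64` has an all-zero interface identifier, which RFC 4291 reserves as the subnet-router anycast address for that prefix; unless the provider assigned exactly that address, use `"2a0a:4cc0:c0:23bd::1/64"`. The two addresses, both gateways and the four resolvers are provider-specific constants with no explanation, so a comment such as `# static addressing for the provider-assigned /22 and /64; resolvers are the provider's` above `networks."10-ens3"` would help the next maintainer. Nothing in this file touches the firewall, so the host relies on whatever `../shared.nix` (outside this diff) configures; since `ens3` carries a public address and the same commit makes the host a Tailscale exit node, confirm that `networking.firewall` stays enabled and that `ens3` is not a trusted interface.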
@@ -0,0 +1,31 @@ +seb-password: ENC[AES256_GCM,data:oGrXukkbK9qYYo0ci+F4RwiwlRyme/+ypJozgiqH2DFd33SyjYnzX6u2f6a0+rIfwxO45dUrXCJyidWE2Fw26xE/uH9nPmDzuw==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag://NpB2SnxWlJPHNp92hdVA==,type:str] +tailscale-auth-key: ENC[AES256_GCM,data:lGXbnNHnlKSv2Po4J7yTVOdCxwgxENBglp/MLZnIpdqVxEkO3D2Risi4iPkVPnPyKBuI4hog4xtGyiUH5L4=,iv:Cvc8+VPRpPrNYTcWjBYBPzYAwy80hJv1VCR8hrMh4AM=,tag:+qt5Caaxfig6TqoJm/uCwg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cVR4NThpT1FmWWR0NVl5 + djFPYWM1MTFtNTc0R05vRzdHYURYcnc3V2lFCmg1MDNDaWJNNmdXb3FxVmV4UHkr + MnB4U09PMDVadHFZQ0VwQjFsL3hVQmcKLS0tIG9pemROZFhweiticzExdUVyK3NG + SDR6cXhBTmNTa1BTeEhlSXRwSmVEOWcKcL/594j/dbbUJTeE4REtMRbNZwIElYEq + vmkKTEvvqyWWeOhu6e2zN2OSY7FJIstirbzU0S7MSJhUOe4LwvXOOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBac0VBTXZVdmpjc29oMkJT + VXhoZnJaWkFjVEVtelphMzlBM1BaNjM3VjBNCjV3U2JwUnRjeEhWWVlMbmZHcjJP + T1VNUDlNUTM1UjlVdkNGN1BrWHNpVTQKLS0tIDkyWGZVTWFIQzJrVDQ2U0ErQXRm + dEhnSkQ5SDlnbmhGSVdYaDNuc3ZkM00K7WPEZRYWAd7uGY0IcDwGgQVPrpkF/tnz + ncj03JXM4BXwvEQOmD/i6wS4U4WCwkh9EauGJljVFTeu6TciomDULQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-27T20:51:15Z" + mac: ENC[AES256_GCM,data:e0DDr/JHEdceS1ZZBRwdiG783MN5UulCz5GIEhvy3psqMirVBSsnXYGavEwg6E550Dby6wGdaqpFPjorBhj2Qb441gFf6IVGDPGSQg1JVzKpkMVhYBiW9vlshG2dSONcKe2J92O0uIA05Cp7uiv48bUBj13MovvCqvS0O17QCns=,iv:tNC4gk4ardfK01t/LKY73Uzdvn/R5BPdtIaPXR6g1x4=,tag:vygO6ZeQiIySEXREYPprbw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/users/seb/@alto/default.nix b/users/seb/@alto/default.nix new file mode 100644 index 0000000..9f612c7 
--- /dev/null
+++ b/users/seb/@alto/default.nix
@@ -0,0 +1 @@
+{ imports = [ ../user.nix ]; }