diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix
index 406e371..e74d6a7 100644
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@@ -10,6 +10,7 @@ let
wgHydraPrivKey = "${config.networking.hostName}-wg-hydra-key";
wg0PresharedKey = "${config.networking.hostName}-wg0-preshared-key";
hydraGitHubAuth = "hydra-github-authorization";
+ initrdPrivateKey = "${config.networking.hostName}-initrd_ssh_host_ed25519_key.age";
in
{
imports = [
@@ -19,9 +20,6 @@ in
networking.hostName = "ninurta";
- networking.useDHCP = false;
- networking.interfaces.enp86s0.useDHCP = true;
-
networking.hosts = {
"127.0.0.1" = hostAliases;
"::1" = hostAliases;
@@ -30,13 +28,43 @@ in
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
- # TODO enable
- # fileSystems."/mnt/storage" = {
- # device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
- # mountPoint = "/mnt/storage";
- # neededForBoot = false;
- # options = [ "nofail" ];
- # };
+ assertions = lib.singleton {
+ assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
+ message = "Refusing to store private keys in store";
+ };
+
+ boot.initrd = let initrdKeyPath = "/etc/ssh/a_initrd_ssh_host_ed25519_key"; in {
+ network = {
+ enable = true;
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = config.dadada.admin.users.dadada.keys;
+ hostKeys = [ config.age.secrets.${initrdPrivateKey}.path ];
+ };
+ };
+ systemd = {
+ enable = true;
+ network = {
+ enable = true;
+ networks = {
+ "10-lan" = {
+ matchConfig.Name = "enp*";
+ networkConfig.DHCP = "ipv4";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/mnt/storage" = {
+ device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+ mountPoint = "/mnt/storage";
+ neededForBoot = false;
+ options = [ "nofail" ];
+ };
# TODO enable
# dadada.borgServer = {
@@ -113,35 +141,90 @@ in
age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age";
age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age";
age.secrets.${wgHydraPrivKey}.file = "${secretsPath}/${wgHydraPrivKey}.age";
+ age.secrets.${initrdPrivateKey}.file = "${secretsPath}/${initrdPrivateKey}.age";
- networking.wireguard = {
- enable = true;
- interfaces.uwupn = {
- allowedIPsAsRoutes = true;
- privateKeyFile = config.age.secrets.${wg0PrivKey}.path;
- ips = [ "10.11.0.39/32" "fc00:1337:dead:beef::10.11.0.39/128" ];
- peers = [
- {
- publicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
- allowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
- endpoint = "53c70r.de:51820";
- persistentKeepalive = 25;
- presharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
- }
- ];
+ services.snapper = {
+ cleanupInterval = "1d";
+ snapshotInterval = "hourly";
+ configs.var = {
+ SUBVOLUME = "/var";
+ TIMELINE_CREATE = true;
+ TIMELINE_CLEANUP = true;
+ TIMELINE_LIMIT_HOURLY = 24;
+ TIMELINE_LIMIT_DAILY = 13;
+ TIMELINE_LIMIT_WEEKLY = 6;
+ TIMELINE_LIMIT_MONTHLY = 3;
};
- interfaces.hydra = {
- allowedIPsAsRoutes = true;
- privateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
- ips = [ "10.3.3.3/32" ];
- peers = [
- {
- publicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
- allowedIPs = [ "10.3.3.1/32" ];
- endpoint = "hydra.dadada.li:51235";
- persistentKeepalive = 25;
- }
- ];
+ };
+
+ services.smartd.enable = true;
+
+ systemd.network = {
+ enable = true;
+ networks = {
+ "10-lan" = {
+ matchConfig.Name = "enp*";
+ networkConfig.DHCP = "ipv4";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "10-hydra" = {
+ matchConfig.Name = "hydra";
+ address = [ "10.3.3.1/24" ];
+ DHCP = "no";
+ networkConfig.IPv6AcceptRA = false;
+ linkConfig.RequiredForOnline = "no";
+ routes = [
+ { routeConfig = { Gateway = "10.3.3.3"; Destination = "10.3.3.3/32"; }; }
+ ];
+ };
+ "10-uwu" = {
+ matchConfig.Name = "uwu";
+ address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ];
+ DHCP = "no";
+ networkConfig.IPv6AcceptRA = false;
+ linkConfig.RequiredForOnline = "no";
+ routes = [
+ { routeConfig = { Destination = "10.11.0.0/22"; }; }
+ { routeConfig = { Destination = "fc00:1337:dead:beef::10.11.0.0/118"; }; }
+ ];
+ };
+ };
+ netdevs = {
+ "10-hydra" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "hydra";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
+ ListenPort = 51235;
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
+ AllowedIPs = [ "10.3.3.1/32" ];
+ PersistentKeepalive = 25;
+ };
+ }];
+ };
+ "10-uwu" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "uwu";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets.${wg0PrivKey}.path;
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
+ AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
+ PersistentKeepalive = 25;
+ PresharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
+ Endpoint = "53c70r.de:51820";
+ };
+ }];
+ };
};
};
@@ -160,12 +243,9 @@ in
];
};
+ services.resolved.enable = true;
networking.networkmanager.enable = false;
- dadada.networking.localResolver.enable = true;
- dadada.networking.localResolver.uwu = true;
- dadada.networking.localResolver.s0 = true;
-
# Desktop things for media playback
services.xserver.enable = true;
@@ -196,5 +276,5 @@ in
documentation.enable = true;
documentation.nixos.enable = true;
- system.stateVersion = "22.11";
+ system.stateVersion = "23.05";
}
diff --git a/nixos/ninurta/hardware-configuration.nix b/nixos/ninurta/hardware-configuration.nix
index 0561294..902d33f 100644
--- a/nixos/ninurta/hardware-configuration.nix
+++ b/nixos/ninurta/hardware-configuration.nix
@@ -2,63 +2,81 @@
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
+
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
- boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [ "igc" "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- boot.initrd.luks.devices."dm-ninurta".device = "/dev/disk/by-uuid/a64f1e3f-ea13-43b6-83de-2ba4e45e8a3f";
fileSystems."/" =
{
- device = "/dev/disk/by-label/ninurta";
+ device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
fsType = "btrfs";
- options = [ "compress=zstd,subvol=root" ];
+ options = [ "compress=zstd" ];
};
- fileSystems."/home" =
- {
- device = "/dev/disk/by-label/ninurta";
- fsType = "btrfs";
- options = [ "compress=zstd,subvol=home" ];
- };
+ boot.initrd.luks.devices."luks".device = "/dev/disk/by-uuid/bac4ee0e-e393-414f-ac3e-1ec20739abae";
- fileSystems."/var" =
+ fileSystems."/swap" =
{
- device = "/dev/disk/by-label/ninurta";
+ device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
fsType = "btrfs";
- options = [ "subvol=var" ];
+ options = [ "subvol=swap" "noatime" ];
};
fileSystems."/nix" =
{
- device = "/dev/disk/by-label/ninurta";
+ device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
fsType = "btrfs";
- options = [ "compress=zstd,noatime,subvol=nix" ];
+ options = [ "subvol=nix" "noatime" "compress=zstd" ];
+ };
+
+ fileSystems."/var" =
+ {
+ device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+ fsType = "btrfs";
+ options = [ "subvol=var" "compress=zstd" ];
+ };
+
+ fileSystems."/home" =
+ {
+ device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+ fsType = "btrfs";
+ options = [ "subvol=home" "compress=zstd" ];
+ };
+
+ fileSystems."/root" =
+ {
+ device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+ fsType = "btrfs";
+ options = [ "subvol=root" "compress=zstd" ];
};
fileSystems."/boot" =
{
- device = "/dev/disk/by-label/boot";
+ device = "/dev/disk/by-uuid/2E20-49CB";
fsType = "vfat";
};
- swapDevices = [
- { device = "/var/swapfile"; size = 65536; }
- ];
+ swapDevices = [{
+ device = "/swap/swapfile";
+ size = 32 * 1024; # 32 GByte
+ }];
+ # TODO systemd networkd
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
diff --git a/secrets/ninurta-initrd_ssh_host_ed25519_key.age b/secrets/ninurta-initrd_ssh_host_ed25519_key.age
new file mode 100644
index 0000000..ede305d
--- /dev/null
+++ b/secrets/ninurta-initrd_ssh_host_ed25519_key.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 J6ROvw 9g8A25DusoNFdNBRMiVXi99j+P2G/ZAoHq2kFD6tKEA
+pS5yrQhW8IvNG/v1z0JKOROaJmdQGCRXHGHci/BrrhI
+-> ssh-ed25519 Otklkw 9heLCSrhZs0PzOSX2C+RufrQML5QVMFXpeE2raTrQ24
+Pks8xA8BI89Cb9PzCyPKYwOfGfITX14ZTbcyQbcT3oA
+-> E`3VAEs-grease Jkxdo0~
+WhLwTnCoplc8L5WegLX2A37lppw/De0alZgOuGPv9JYqFIS1DPNPBYz5aVNWUk7z
+FYGtHrYTbg0ylTZ+e4mcSA
+--- c3gW3L9HNYcqdnz7IptzALRR4YtjWJvXo9/0MEmcXn4
+5x�XG,���p��A��~�\����ʜ�������@CXo{7�����{�
�E�CC��~�|�p�w3�mܰ�.���p���IL��~������N䊺:��p`f���q3�K�I�6�GF@1����eX������|�'O���u����� -S�B�R��S���E��Cs��1[��Y��
+0�nXlgacJ�P��']��qmB�k��c�%�{5�:>�y
;�wK�ǯ!��ڥ���P��`%�&Ut+�8�q��йQ��g�»�`��Z�(�=����;ަ������5靎v�rL���9��~�����G�(s.ljί�}PL�-��^V�B�J)���H�Wē�K� `��)I/����U_��C�T~u�1��滍���������������?�5h�`~
+u�_��b��;�_��e����}�����A�z_���d���ݚi,&�������^�bH<��jR
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c340b8b..bf98808 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,6 +4,7 @@ let
agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos";
gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon";
ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos";
+ ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas";
surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
};
@@ -21,6 +22,7 @@ in
"gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
"paperless.age".publicKeys = [ systems.gorgon dadada ];
"surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
+ "ninurta-initrd_ssh_host_ed25519_key.age".publicKeys = [ systems.ninurta dadada ];
} //
backupSecrets "gorgon" //
backupSecrets "ifrit" //