From 295a2e9b3ba6a71df77967dca6803148d1b63b08 Mon Sep 17 00:00:00 2001
From: dadada
Date: Sat, 3 Jun 2023 17:54:55 +0200
Subject: [PATCH] Update ninurta config
---
 nixos/ninurta/configuration.nix | 164 +++++++++++++-----
 nixos/ninurta/hardware-configuration.nix | 58 ++++---
 .../ninurta-initrd_ssh_host_ed25519_key.age | 12 ++
 secrets/secrets.nix | 2 +
 4 files changed, 174 insertions(+), 62 deletions(-)
 create mode 100644 secrets/ninurta-initrd_ssh_host_ed25519_key.age
diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix
index 406e371..e74d6a7 100644
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@@ -10,6 +10,7 @@ let
 wgHydraPrivKey = "${config.networking.hostName}-wg-hydra-key";
 wg0PresharedKey = "${config.networking.hostName}-wg0-preshared-key";
 hydraGitHubAuth = "hydra-github-authorization";
+ initrdPrivateKey = "${config.networking.hostName}-initrd_ssh_host_ed25519_key.age";
 in
 {
 imports = [
@@ -19,9 +20,6 @@ in
 networking.hostName = "ninurta";
- networking.useDHCP = false;
- networking.interfaces.enp86s0.useDHCP = true;
-
 networking.hosts = {
 "127.0.0.1" = hostAliases;
 "::1" = hostAliases;
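Review bot: `initrdPrivateKey` already ends in `.age`, but the `age.secrets.${initrdPrivateKey}.file = "${secretsPath}/${initrdPrivateKey}.age"` line added in the third hunk of this file appends `.age` once more, so the secret is looked up as `…-initrd_ssh_host_ed25519_key.age.age`, which is not the file this commit creates under `secrets/`. The three existing secret names in this `let` carry no extension and the entry in `secrets/secrets.nix` is keyed by the bare `.age` filename, so the binding should read `initrdPrivateKey = "${config.networking.hostName}-initrd_ssh_host_ed25519_key";`. That also keeps the decrypted secret's runtime name (presumably `/run/agenix/<name>`) free of a misleading `.age` suffix.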
@@ -30,13 +28,43 @@ in
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
- # TODO enable
- # fileSystems."/mnt/storage" = {
- # device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
- # mountPoint = "/mnt/storage";
- # neededForBoot = false;
- # options = [ "nofail" ];
- # };
+ assertions = lib.singleton {
+ assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
+ message = "Refusing to store private keys in store";
+ };
+
+ boot.initrd = let initrdKeyPath = "/etc/ssh/a_initrd_ssh_host_ed25519_key"; in {
+ network = {
+ enable = true;
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = config.dadada.admin.users.dadada.keys;
+ hostKeys = [ config.age.secrets.${initrdPrivateKey}.path ];
+ };
+ };
+ systemd = {
+ enable = true;
+ network = {
+ enable = true;
+ networks = {
+ "10-lan" = {
+ matchConfig.Name = "enp*";
+ networkConfig.DHCP = "ipv4";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/mnt/storage" = {
+ device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+ mountPoint = "/mnt/storage";
+ neededForBoot = false;
+ options = [ "nofail" ];
+ };
 # TODO enable
 # dadada.borgServer = {
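Review bot: `initrdKeyPath` is bound in `boot.initrd = let initrdKeyPath = "/etc/ssh/a_initrd_ssh_host_ed25519_key"; in { … }` but never referenced inside the block, so it should be removed (or, if it was meant as the key's on-disk location, actually wired into `hostKeys`). Note also that `hostKeys` embeds the decrypted key in the initrd image that systemd-boot places on the ESP, so the new assertion keeps the key out of the world-readable Nix store but not off the unencrypted `/boot` partition; a comment such as `# initrd host key ends up in the initrd on /boot (unencrypted); keep it separate from the stage-2 host key` would make that trade-off explicit for the next reader. Since `config.age.secrets.<name>.path` points at a runtime location that exists only after stage-2 agenix activation, the initrd can presumably only be built on ninurta itself rather than on a remote builder — worth stating in a comment if that is intended.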
@@ -113,35 +141,90 @@ in age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age"; age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age"; age.secrets.${wgHydraPrivKey}.file = "${secretsPath}/${wgHydraPrivKey}.age"; + age.secrets.${initrdPrivateKey}.file = "${secretsPath}/${initrdPrivateKey}.age"; - networking.wireguard = { - enable = true; - interfaces.uwupn = { - allowedIPsAsRoutes = true; - privateKeyFile = config.age.secrets.${wg0PrivKey}.path; - ips = [ "10.11.0.39/32" "fc00:1337:dead:beef::10.11.0.39/128" ]; - peers = [ - { - publicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; - allowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ]; - endpoint = "53c70r.de:51820"; - persistentKeepalive = 25; - presharedKeyFile = config.age.secrets.${wg0PresharedKey}.path; - } - ]; + services.snapper = { + cleanupInterval = "1d"; + snapshotInterval = "hourly"; + configs.var = { + SUBVOLUME = "/var"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_LIMIT_HOURLY = 24; + TIMELINE_LIMIT_DAILY = 13; + TIMELINE_LIMIT_WEEKLY = 6; + TIMELINE_LIMIT_MONTHLY = 3; }; - interfaces.hydra = { - allowedIPsAsRoutes = true; - privateKeyFile = config.age.secrets.${wgHydraPrivKey}.path; - ips = [ "10.3.3.3/32" ]; - peers = [ - { - publicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; - allowedIPs = [ "10.3.3.1/32" ]; - endpoint = "hydra.dadada.li:51235"; - persistentKeepalive = 25; - } - ]; + }; + + services.smartd.enable = true; + + systemd.network = { + enable = true; + networks = { + "10-lan" = { + matchConfig.Name = "enp*"; + networkConfig.DHCP = "ipv4"; + linkConfig.RequiredForOnline = "routable"; + }; + "10-hydra" = { + matchConfig.Name = "hydra"; + address = [ "10.3.3.1/24" ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = "no"; + routes = [ + { routeConfig = { Gateway = "10.3.3.3"; Destination = "10.3.3.3/32"; }; } + ]; + }; + "10-uwu" = { + 
matchConfig.Name = "uwu"; + address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = "no"; + routes = [ + { routeConfig = { Destination = "10.11.0.0/22"; }; } + { routeConfig = { Destination = "fc00:1337:dead:beef::10.11.0.0/118"; }; } + ]; + }; + }; + netdevs = { + "10-hydra" = { + netdevConfig = { + Kind = "wireguard"; + Name = "hydra"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path; + ListenPort = 51235; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; + AllowedIPs = [ "10.3.3.1/32" ]; + PersistentKeepalive = 25; + }; + }]; + }; + "10-uwu" = { + netdevConfig = { + Kind = "wireguard"; + Name = "uwu"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets.${wg0PrivKey}.path; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; + AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ]; + PersistentKeepalive = 25; + PresharedKeyFile = config.age.secrets.${wg0PresharedKey}.path; + Endpoint = "53c70r.de:51820"; + }; + }]; + }; }; }; @@ -160,12 +243,9 @@ in ]; }; + services.resolved.enable = true; networking.networkmanager.enable = false; - dadada.networking.localResolver.enable = true; - dadada.networking.localResolver.uwu = true; - dadada.networking.localResolver.s0 = true; - # Desktop things for media playback services.xserver.enable = true; @@ -196,5 +276,5 @@ in documentation.enable = true; documentation.nixos.enable = true; - system.stateVersion = "22.11"; + system.stateVersion = "23.05"; } diff --git a/nixos/ninurta/hardware-configuration.nix b/nixos/ninurta/hardware-configuration.nix index 0561294..902d33f 100644 --- a/nixos/ninurta/hardware-configuration.nix +++ b/nixos/ninurta/hardware-configuration.nix 
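Review bot: In the `10-hydra` netdev the peer's `AllowedIPs = [ "10.3.3.1/32" ]` names the very address this host now assigns to itself in the `10-hydra` network (`address = [ "10.3.3.1/24" ]`), while the added route sends `10.3.3.3/32` via `Gateway = "10.3.3.3"`; WireGuard only forwards destinations listed in a peer's AllowedIPs, so traffic to 10.3.3.3 would presumably never enter the tunnel. The removed `interfaces.hydra` had this host at `10.3.3.3/32` with the peer reachable at `hydra.dadada.li:51235`, so either that topology is unchanged and the network should keep `address = [ "10.3.3.3/24" ]` plus `Endpoint = "hydra.dadada.li:51235";` on the peer, or the roles were deliberately swapped and the peer entry should be `AllowedIPs = [ "10.3.3.3/32" ];`. With `ListenPort = 51235` this host now accepts inbound WireGuard handshakes; no matching `networking.firewall.allowedUDPPorts` entry is visible in this hunk. The `10-lan` network block is also a verbatim copy of the one in `boot.initrd.systemd.network`; lifting it into a `let` binding would keep the initrd and stage-2 definitions from drifting apart.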
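Review bot: `services.resolved.enable = true;` replaces `dadada.networking.localResolver` together with its `uwu` and `s0` options, yet neither the `10-uwu` nor the `10-hydra` network in this file declares any `networkConfig.DNS` or `networkConfig.Domains`, so names that the local resolver presumably answered for those VPNs would now go to whatever resolved learns from DHCP on `10-lan`. If that is intentional, a one-line comment next to `services.resolved.enable` saying the VPN-specific resolution was dropped on purpose would save the next reader from re-deriving it; otherwise the per-link DNS settings need to move into those two network units.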
@@ -2,63 +2,81 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { config, lib, pkgs, modulesPath, ... }: + { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "igc" "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - boot.initrd.luks.devices."dm-ninurta".device = "/dev/disk/by-uuid/a64f1e3f-ea13-43b6-83de-2ba4e45e8a3f"; fileSystems."/" = { - device = "/dev/disk/by-label/ninurta"; + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; fsType = "btrfs"; - options = [ "compress=zstd,subvol=root" ]; + options = [ "compress=zstd" ]; }; - fileSystems."/home" = - { - device = "/dev/disk/by-label/ninurta"; - fsType = "btrfs"; - options = [ "compress=zstd,subvol=home" ]; - }; + boot.initrd.luks.devices."luks".device = "/dev/disk/by-uuid/bac4ee0e-e393-414f-ac3e-1ec20739abae"; - fileSystems."/var" = + fileSystems."/swap" = { - device = "/dev/disk/by-label/ninurta"; + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; fsType = "btrfs"; - options = [ "subvol=var" ]; + options = [ "subvol=swap" "noatime" ]; }; fileSystems."/nix" = { - device = "/dev/disk/by-label/ninurta"; + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; fsType = "btrfs"; - options = [ "compress=zstd,noatime,subvol=nix" ]; + options = [ "subvol=nix" "noatime" "compress=zstd" ]; + }; + + fileSystems."/var" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=var" "compress=zstd" ]; + }; + + fileSystems."/home" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=home" 
"compress=zstd" ]; + }; + + fileSystems."/root" = + { + device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" ]; }; fileSystems."/boot" = { - device = "/dev/disk/by-label/boot"; + device = "/dev/disk/by-uuid/2E20-49CB"; fsType = "vfat"; }; - swapDevices = [ - { device = "/var/swapfile"; size = 65536; } - ]; + swapDevices = [{ + device = "/swap/swapfile"; + size = 32 * 1024; # 32 GByte + }]; + # TODO systemd networkd # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; diff --git a/secrets/ninurta-initrd_ssh_host_ed25519_key.age b/secrets/ninurta-initrd_ssh_host_ed25519_key.age new file mode 100644 index 0000000..ede305d --- /dev/null +++ b/secrets/ninurta-initrd_ssh_host_ed25519_key.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 J6ROvw 9g8A25DusoNFdNBRMiVXi99j+P2G/ZAoHq2kFD6tKEA +pS5yrQhW8IvNG/v1z0JKOROaJmdQGCRXHGHci/BrrhI +-> ssh-ed25519 Otklkw 9heLCSrhZs0PzOSX2C+RufrQML5QVMFXpeE2raTrQ24 +Pks8xA8BI89Cb9PzCyPKYwOfGfITX14ZTbcyQbcT3oA +-> E`3VAEs-grease Jkxdo0~ +WhLwTnCoplc8L5WegLX2A37lppw/De0alZgOuGPv9JYqFIS1DPNPBYz5aVNWUk7z +FYGtHrYTbg0ylTZ+e4mcSA +--- c3gW3L9HNYcqdnz7IptzALRR4YtjWJvXo9/0MEmcXn4 +5xXG,pA~\ʜ@CXo{7{ ECC~|pw3mܰ.pIL~N䊺:p`fq3KI6GF@1eX |'Ou -SBRSECs1[Y +0nXlgacJP']qmBkc%{5:>y ;wKǯ!ڥP`%&Ut+8qйQg»`Z(=;ަ 5靎vrL9~G(s.ljί}PL-^VBJ)HWēK `)I/U_CT~u1滍?5h`~ +u_b;_e}Az_dݚi,&^bH<jR \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c340b8b..bf98808 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -4,6 +4,7 @@ let agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos"; gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon"; ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos"; + ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas"; surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat"; }; @@ -21,6 +22,7 @@ in "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ]; "paperless.age".publicKeys = [ systems.gorgon dadada ]; "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ]; + "ninurta-initrd_ssh_host_ed25519_key.age".publicKeys = [ systems.ninurta dadada ]; } // backupSecrets "gorgon" // backupSecrets "ifrit" //
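Review bot: The new `ninurta` entry carries the comment `root@nixos`, the same comment as the `agares` and `ifrit` keys, so the key list no longer identifies which host a given public key belongs to. Renaming the trailing comment to `root@ninurta` as done for `gorgon`, `pruflas` and `surgat` makes audits of who can decrypt which secret unambiguous; the comment is not part of the key material, so this is a safe edit.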