Update ninurta config

2023-06-03 17:54:55 +02:00 · 2023-06-03 17:54:55 +02:00 · 295a2e9b3b
commit 295a2e9b3b
parent 4587a39620
4 changed files with 174 additions and 62 deletions
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@ -10,6 +10,7 @@ let
  wgHydraPrivKey = "${config.networking.hostName}-wg-hydra-key";
  wg0PresharedKey = "${config.networking.hostName}-wg0-preshared-key";
  hydraGitHubAuth = "hydra-github-authorization";
+  initrdPrivateKey = "${config.networking.hostName}-initrd_ssh_host_ed25519_key.age";
 in
 {
  imports = [
@ -19,9 +20,6 @@ in

  networking.hostName = "ninurta";

-  networking.useDHCP = false;
-  networking.interfaces.enp86s0.useDHCP = true;
-
  networking.hosts = {
    "127.0.0.1" = hostAliases;
    "::1" = hostAliases;
@ -30,13 +28,43 @@ in
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

-  # TODO enable
-  # fileSystems."/mnt/storage" = {
-  #   device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
-  #   mountPoint = "/mnt/storage";
-  #   neededForBoot = false;
-  #   options = [ "nofail" ];
-  # };
+  assertions = lib.singleton {
+    assertion = (config.boot.initrd.network.ssh.hostKeys != [ ]) -> config.boot.loader.supportsInitrdSecrets == true;
+    message = "Refusing to store private keys in store";
+  };
+
+  boot.initrd = let initrdKeyPath = "/etc/ssh/a_initrd_ssh_host_ed25519_key"; in {
+    network = {
+      enable = true;
+      flushBeforeStage2 = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        authorizedKeys = config.dadada.admin.users.dadada.keys;
+        hostKeys = [ config.age.secrets.${initrdPrivateKey}.path ];
+      };
+    };
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        networks = {
+          "10-lan" = {
+            matchConfig.Name = "enp*";
+            networkConfig.DHCP = "ipv4";
+            linkConfig.RequiredForOnline = "routable";
+          };
+        };
+      };
+    };
+  };
+
+  fileSystems."/mnt/storage" = {
+    device = "/dev/disk/by-uuid/a34e36fc-d7dd-4ceb-93c4-48f9c2727cb7";
+    mountPoint = "/mnt/storage";
+    neededForBoot = false;
+    options = [ "nofail" ];
+  };

  # TODO enable
  # dadada.borgServer = {
@ -113,37 +141,92 @@ in
  age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age";
  age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age";
  age.secrets.${wgHydraPrivKey}.file = "${secretsPath}/${wgHydraPrivKey}.age";
+  age.secrets.${initrdPrivateKey}.file = "${secretsPath}/${initrdPrivateKey}.age";

-  networking.wireguard = {
+  services.snapper = {
+    cleanupInterval = "1d";
+    snapshotInterval = "hourly";
+    configs.var = {
+      SUBVOLUME = "/var";
+      TIMELINE_CREATE = true;
+      TIMELINE_CLEANUP = true;
+      TIMELINE_LIMIT_HOURLY = 24;
+      TIMELINE_LIMIT_DAILY = 13;
+      TIMELINE_LIMIT_WEEKLY = 6;
+      TIMELINE_LIMIT_MONTHLY = 3;
+    };
+  };
+
+  services.smartd.enable = true;
+
+  systemd.network = {
    enable = true;
-    interfaces.uwupn = {
-      allowedIPsAsRoutes = true;
-      privateKeyFile = config.age.secrets.${wg0PrivKey}.path;
-      ips = [ "10.11.0.39/32" "fc00:1337:dead:beef::10.11.0.39/128" ];
-      peers = [
-        {
-          publicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
-          allowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
-          endpoint = "53c70r.de:51820";
-          persistentKeepalive = 25;
-          presharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
-        }
+    networks = {
+      "10-lan" = {
+        matchConfig.Name = "enp*";
+        networkConfig.DHCP = "ipv4";
+        linkConfig.RequiredForOnline = "routable";
+      };
+      "10-hydra" = {
+        matchConfig.Name = "hydra";
+        address = [ "10.3.3.1/24" ];
+        DHCP = "no";
+        networkConfig.IPv6AcceptRA = false;
+        linkConfig.RequiredForOnline = "no";
+        routes = [
+          { routeConfig = { Gateway = "10.3.3.3"; Destination = "10.3.3.3/32"; }; }
        ];
      };
-    interfaces.hydra = {
-      allowedIPsAsRoutes = true;
-      privateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
-      ips = [ "10.3.3.3/32" ];
-      peers = [
-        {
-          publicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
-          allowedIPs = [ "10.3.3.1/32" ];
-          endpoint = "hydra.dadada.li:51235";
-          persistentKeepalive = 25;
-        }
+      "10-uwu" = {
+        matchConfig.Name = "uwu";
+        address = [ "10.11.0.39/24" "fc00:1337:dead:beef::10.11.0.39/128" ];
+        DHCP = "no";
+        networkConfig.IPv6AcceptRA = false;
+        linkConfig.RequiredForOnline = "no";
+        routes = [
+          { routeConfig = { Destination = "10.11.0.0/22"; }; }
+          { routeConfig = { Destination = "fc00:1337:dead:beef::10.11.0.0/118"; }; }
        ];
      };
    };
+    netdevs = {
+      "10-hydra" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "hydra";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
+          ListenPort = 51235;
+        };
+        wireguardPeers = [{
+          wireguardPeerConfig = {
+            PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
+            AllowedIPs = [ "10.3.3.1/32" ];
+            PersistentKeepalive = 25;
+          };
+        }];
+      };
+      "10-uwu" = {
+        netdevConfig = {
+          Kind = "wireguard";
+          Name = "uwu";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.age.secrets.${wg0PrivKey}.path;
+        };
+        wireguardPeers = [{
+          wireguardPeerConfig = {
+            PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
+            AllowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
+            PersistentKeepalive = 25;
+            PresharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
+            Endpoint = "53c70r.de:51820";
+          };
+        }];
+      };
+    };
+  };

  networking.firewall = {
    enable = true;
@ -160,12 +243,9 @@ in
    ];
  };

+  services.resolved.enable = true;
  networking.networkmanager.enable = false;

-  dadada.networking.localResolver.enable = true;
-  dadada.networking.localResolver.uwu = true;
-  dadada.networking.localResolver.s0 = true;
-
  # Desktop things for media playback

  services.xserver.enable = true;
@ -196,5 +276,5 @@ in
  documentation.enable = true;
  documentation.nixos.enable = true;

-  system.stateVersion = "22.11";
+  system.stateVersion = "23.05";
 }
--- a/nixos/ninurta/hardware-configuration.nix
+++ b/nixos/ninurta/hardware-configuration.nix
@ -2,63 +2,81 @@
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
+
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "igc" "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  boot.initrd.luks.devices."dm-ninurta".device = "/dev/disk/by-uuid/a64f1e3f-ea13-43b6-83de-2ba4e45e8a3f";

  fileSystems."/" =
    {
-      device = "/dev/disk/by-label/ninurta";
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
      fsType = "btrfs";
-      options = [ "compress=zstd,subvol=root" ];
+      options = [ "compress=zstd" ];
    };

-  fileSystems."/home" =
-    {
-      device = "/dev/disk/by-label/ninurta";
-      fsType = "btrfs";
-      options = [ "compress=zstd,subvol=home" ];
-    };
+  boot.initrd.luks.devices."luks".device = "/dev/disk/by-uuid/bac4ee0e-e393-414f-ac3e-1ec20739abae";

-  fileSystems."/var" =
+  fileSystems."/swap" =
    {
-      device = "/dev/disk/by-label/ninurta";
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
      fsType = "btrfs";
-      options = [ "subvol=var" ];
+      options = [ "subvol=swap" "noatime" ];
    };

  fileSystems."/nix" =
    {
-      device = "/dev/disk/by-label/ninurta";
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
      fsType = "btrfs";
-      options = [ "compress=zstd,noatime,subvol=nix" ];
+      options = [ "subvol=nix" "noatime" "compress=zstd" ];
+    };
+
+  fileSystems."/var" =
+    {
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+      fsType = "btrfs";
+      options = [ "subvol=var" "compress=zstd" ];
+    };
+
+  fileSystems."/home" =
+    {
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+      fsType = "btrfs";
+      options = [ "subvol=home" "compress=zstd" ];
+    };
+
+  fileSystems."/root" =
+    {
+      device = "/dev/disk/by-uuid/7ca5fd2a-2a56-48fe-bd48-1e51b6a66714";
+      fsType = "btrfs";
+      options = [ "subvol=root" "compress=zstd" ];
    };

  fileSystems."/boot" =
    {
-      device = "/dev/disk/by-label/boot";
+      device = "/dev/disk/by-uuid/2E20-49CB";
      fsType = "vfat";
    };

-  swapDevices = [
-    { device = "/var/swapfile"; size = 65536; }
-  ];
+  swapDevices = [{
+    device = "/swap/swapfile";
+    size = 32 * 1024; # 32 GByte
+  }];

+  # TODO systemd networkd
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
--- a/secrets/ninurta-initrd_ssh_host_ed25519_key.age
+++ b/secrets/ninurta-initrd_ssh_host_ed25519_key.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 J6ROvw 9g8A25DusoNFdNBRMiVXi99j+P2G/ZAoHq2kFD6tKEA
+pS5yrQhW8IvNG/v1z0JKOROaJmdQGCRXHGHci/BrrhI
+-> ssh-ed25519 Otklkw 9heLCSrhZs0PzOSX2C+RufrQML5QVMFXpeE2raTrQ24
+Pks8xA8BI89Cb9PzCyPKYwOfGfITX14ZTbcyQbcT3oA
+-> E`3VAEs-grease Jkxdo0~
+WhLwTnCoplc8L5WegLX2A37lppw/De0alZgOuGPv9JYqFIS1DPNPBYz5aVNWUk7z
+FYGtHrYTbg0ylTZ+e4mcSA
+--- c3gW3L9HNYcqdnz7IptzALRR4YtjWJvXo9/0MEmcXn4
+5xXG,»©òp<C3B2>AøÀ~á\¨‚•Êœ×æìâüº@CXo{7Ö<0E>˜{
ÎEÙCC´×~Ë|Žpêw3‘mÜ°.°p»ÖIL<1D>~ø<>°†NäŠº:ˆ“p`fˆþ<CB86>q3‰KIŸ6ˆGF@1—íeXó„…ú¿¾|×'O<>ŠïuØö…´	-SÊBàRÄS„<1D>EÃCs‘ä1[·¯YÍ
+0nXlgacJ¿P Ž']¬qmBµkàÊc¬%Œ{5Ÿ:>¼y
;æ¿wKïÇ¯!‹Ú¥¸‡Pû`%ë&Ut+Ô8qœÐ¹Qš¸gÂ»û`ÿ¶Z¬(=®ÿ´Á;Þ¦§˜èŸþù5é<35>Žv£rL²<4C><C2B2>9Ž~»þ·åËGÝ(s.Ç‰Î¯ò}PL¶-ïð^VóBíJ)íÈHWÄ“ÝK‘ 	`è)I/ÃðÝU_<1A>C™T~u†1æ»<C3A6>û’¿Í™Ÿ·þÙü§Å?â5h®`~
+u_…Êb¯Ë;Ä_ÎÎeÍï”â}´§°ÅAÊz_ª¯d‘ÖâÝši,&Ž˜ªª¹¨^ÌbH<›jR
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,6 +4,7 @@ let
    agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos";
    gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon";
    ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos";
+    ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
    pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas";
    surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
  };
@ -21,6 +22,7 @@ in
  "gorgon-backup-passphrase-gs.age".publicKeys = [ systems.gorgon dadada ];
  "paperless.age".publicKeys = [ systems.gorgon dadada ];
  "surgat-ssh_host_ed25519_key.age".publicKeys = [ systems.surgat dadada ];
+  "ninurta-initrd_ssh_host_ed25519_key.age".publicKeys = [ systems.ninurta dadada ];
 } //
 backupSecrets "gorgon" //
 backupSecrets "ifrit" //