add alpha
This commit is contained in:
parent
9241fe5e5c
commit
f4f6933ec3
|
@ -61,6 +61,12 @@
|
||||||
specialArgs = inputs; # pass flake inputs to modules
|
specialArgs = inputs; # pass flake inputs to modules
|
||||||
modules = [ ./hosts/mu ];
|
modules = [ ./hosts/mu ];
|
||||||
};
|
};
|
||||||
|
# Hetzner VPS
|
||||||
|
alpha = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "aarch64-linux";
|
||||||
|
specialArgs = inputs; # pass flake inputs to modules
|
||||||
|
modules = [ ./hosts/alpha ];
|
||||||
|
};
|
||||||
# Tor relay
|
# Tor relay
|
||||||
tor = nixpkgs.lib.nixosSystem {
|
tor = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
|
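--- /dev/null
+++ b/hosts/alpha/default.nix
@@ -0,0 +1,47 @@
+{ ... }: {
+imports = [
+../../overlays
+../../modules/base
+../../modules/server
+./hardware.nix
+];
+
+networking.hostName = "alpha";
+systemd.network.networks = {
+"10-lan" = {
+name = "enp1s0";
+networkConfig.DHCP = "ipv4";
+address = [
+"2a01:4f8:c2c:71c0::/64"
+];
+routes = [
+{ routeConfig = { Gateway = "fe80::1"; }; }
+];
+};
+};
+
+boot = {
+loader = {
+efi.canTouchEfiVariables = true;
+systemd-boot.enable = true;
+};
+initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted";
+};
+
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. It's perfectly fine and recommended to leave
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "23.11"; # Did you read the comment?
+
+# This value determines the Home Manager release that your
+# configuration is compatible with. This helps avoid breakage
+# when a new Home Manager release introduces backwards
+# incompatible changes.
+# You can update Home Manager without changing this value. See
+# the Home Manager release notes for a list of state version
+# changes in each release.
+home-manager.users.caspervk.home.stateVersion = "23.11"; # Did you read the comment?
+}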
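Review bot: `initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted";` makes every boot depend on unlocking a LUKS volume, but nothing in this file says how a headless Hetzner VPS obtains the passphrase — the provider's console, or initrd networking/SSH coming from one of the imported modules. A comment above that line such as `# LUKS volume unlocked in the initrd; on this headless VPS the passphrase is entered via the provider console unless an imported module enables initrd SSH` would spare the next person a reboot that hangs at the prompt. Relatedly, `systemd.network.networks."10-lan"` only takes effect when `systemd.network.enable` is set, which this file does not do; presumably `../../modules/base` or `../../modules/server` enables it, but that is worth confirming since the static IPv6 address and `fe80::1` route would otherwise never be applied.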
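--- /dev/null
+++ b/hosts/alpha/hardware.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+# https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Cloud
+imports = [
+(modulesPath + "/profiles/qemu-guest.nix")
+];
+
+boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
+boot.initrd.kernelModules = [ "dm-snapshot" "virtio_gpu" ];
+boot.kernelParams = [ "console=tty" ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+# https://elis.nu/blog/2020/05/nixos-tmpfs-as-root/
+fileSystems."/" = {
+device = "none";
+fsType = "tmpfs";
+options = [ "defaults" "size=2G" "mode=755" ]; # mode=755 so only root can write to those files
+};
+fileSystems."/boot" = {
+device = "/dev/disk/by-label/BOOT";
+fsType = "vfat";
+};
+fileSystems."/nix" = {
+device = "/dev/disk/by-label/nix";
+neededForBoot = true;
+fsType = "ext4";
+};
+
+swapDevices = [
+{
+device = "/nix/persist/swapfile";
+size = 4 * 1024; # 4 GiB
+}
+];
+
+# Enables DHCP on all ethernet and wireless LAN interfaces.
+networking.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
+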
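Review bot: `fileSystems."/nix".device = "/dev/disk/by-label/nix";` is declared with no link to the LUKS mapping `crypted` that default.nix opens, yet whether `/nix/persist` and the `/nix/persist/swapfile` swap declared below are encrypted at rest depends entirely on that label living inside the encrypted volume. If that is the layout, a comment like `# ext4 inside the LUKS volume opened as "crypted" (see default.nix); /nix/persist and the swapfile live here, so both are encrypted at rest` would record the assumption; if the label is on a plain partition the swapfile would be unencrypted and the LUKS setup would protect nothing persistent. The `options = [ ... "mode=755" ]` line already carries a why-comment, so the `/nix` block is the one place where the security-relevant reasoning is left implicit.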
@ -18,6 +18,7 @@
|
||||||
|
|
||||||
# ssh-keyscan -t ed25519 -p 222 alpha.caspervk.net
|
# ssh-keyscan -t ed25519 -p 222 alpha.caspervk.net
|
||||||
programs.ssh.knownHosts = {
|
programs.ssh.knownHosts = {
|
||||||
|
"alpha.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0OmbNKuMGIOEUxqNDgUN9lz1LSw7xvZ6Tu/BkQyRoy";
|
||||||
"delta.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0x9oImZjIhoPEwLlHVixIh7y1Kwn+SX17xffrdRzvv";
|
"delta.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0x9oImZjIhoPEwLlHVixIh7y1Kwn+SX17xffrdRzvv";
|
||||||
"git.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd";
|
"git.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd";
|
||||||
"lambda.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd";
|
"lambda.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd";
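Review bot: The new pin `"alpha.caspervk.net".publicKey = ...` is written under the bare hostname, while the client side of this commit reaches alpha on port 222 (`port = 222;` in the matchBlocks hunk and `ssh-keyscan ... -p 222` in the comment above). As far as I recall, OpenSSH looks up a non-default-port host in known_hosts as `[host]:port` and does not fall back to the plain name, so this entry would not be consulted and the first connection would still be trust-on-first-use; the pre-existing `delta` entry appears to share the pattern. Consider `"alpha.caspervk.net" = { extraHostNames = [ "[alpha.caspervk.net]:222" ]; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0OmbNKuMGIOEUxqNDgUN9lz1LSw7xvZ6Tu/BkQyRoy"; };` so both forms are pinned. The key does match the `alpha` host key added to secrets.nix in this commit, which is a good cross-check against the network scan. The file this hunk belongs to is not named on the page, and the `knownHosts` attribute set continues outside the hunk.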
|
||||||
|
|
|
@ -10,6 +10,10 @@
|
||||||
# one. This is especially useful when using SCP.
|
# one. This is especially useful when using SCP.
|
||||||
controlMaster = "yes";
|
controlMaster = "yes";
|
||||||
matchBlocks = {
|
matchBlocks = {
|
||||||
|
"alpha" = {
|
||||||
|
hostname = "alpha.caspervk.net";
|
||||||
|
port = 222;
|
||||||
|
};
|
||||||
"delta" = {
|
"delta" = {
|
||||||
hostname = "delta.caspervk.net";
|
hostname = "delta.caspervk.net";
|
||||||
port = 222;
|
port = 222;
|
||||||
|
|
|
@ -7,6 +7,7 @@ let
|
||||||
# Get a system's public key using:
|
# Get a system's public key using:
|
||||||
# > cat /etc/ssh/ssh_host_ed25519_key.pub
|
# > cat /etc/ssh/ssh_host_ed25519_key.pub
|
||||||
# If you change or add a key, all secrets need to be `agenix --rekey`'ed.
|
# If you change or add a key, all secrets need to be `agenix --rekey`'ed.
|
||||||
|
alpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0OmbNKuMGIOEUxqNDgUN9lz1LSw7xvZ6Tu/BkQyRoy root@alpha";
|
||||||
mu = "todo";
|
mu = "todo";
|
||||||
omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
|
omega = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvFN4vnqPX31+4/ZJxOJ7/bSUEu2xB6ovezPQjLm13H root@omega";
|
||||||
tor = "todo";
|
tor = "todo";
|
||||||
|
@ -16,7 +17,7 @@ let
|
||||||
# > agenix -i $AGE_KEY_FILE -e foo.age
|
# > agenix -i $AGE_KEY_FILE -e foo.age
|
||||||
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
|
recovery = "age1rd6hhd724s3r9xe4gfuy38rl0xfu8c7pkuefsrdwqfcknujzecyqz7ldyj";
|
||||||
|
|
||||||
all = [ omega recovery ];
|
all = [ alpha omega recovery ];
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"users-hashed-password-file.age".publicKeys = all;
|
"users-hashed-password-file.age".publicKeys = all;
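Review bot: The `alpha = "ssh-ed25519 ... root@alpha"` line in the first hunk of this file repeats the host key that the knownHosts hunk pins for alpha.caspervk.net, with nothing tying the two together; if alpha is ever reinstalled and its host key rotates, both places must change and every secret has to be re-encrypted. A comment above it such as `# Host key of alpha; must match the programs.ssh.knownHosts pin for alpha.caspervk.net` would make that coupling explicit, and the existing note about `agenix --rekey` already covers the second half. Adding `alpha` to `all` in the second hunk is what lets the new VPS decrypt users-hashed-password-file.age, which the rekeyed .age file elsewhere in this commit reflects with its additional recipient stanza. The file is not named on the page and the enclosing `let` block begins before the first hunk.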
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 fY+XUg ThWnidSUv20sqdMebPW0aV512ascEV4WyDia72vhTnI
|
-> ssh-ed25519 VPTtjA n8925Pjsx9niaBYV/VGNXjFA6JvyKqSnMS2KIGRmyFI
|
||||||
fbFAnyqqqpp9fEct2EiLG1wWw//U8kWcpf0QnbSh33Y
|
1lexU/9gXg7E0m8M4gQvN/UkiLydIf+v++aWwpZ4Dus
|
||||||
-> X25519 ZbC+v0St7P+W/AHq1Afst7ylmZUFA7OIhiElfexTHgg
|
-> ssh-ed25519 fY+XUg A5VnCLLJpMWZO6zf4E97+R0G5ZcLmxEdPnswrYMFXzk
|
||||||
2DbCqyjULhmDji3E1HrPuO8WW74dIia1GFOSCaeGliU
|
oho1CsNawBTo2Zm9o75z5++kW/HP8jnuZkgY/F46zh8
|
||||||
--- 6W7LaM4dc6tJONcmtVAwhI/NcOE8EUYPrg75K6Qpynw
|
-> X25519 wRjzI510elgd0prOeWifJ7qgxNF+vADU1ghY4CKsxls
|
||||||
%?ó4k=/ýä_ƒ<5F>½a#]Éào>Ÿ¬¨tVÆ°EªW“õµŽåRþ÷~¾8Ñ;më¬"˜€&˹ÏGŠ]ïsAN¦pÀŸõW²ƒŽÅNKø„Ɖ˜™p¿ƒªóP$8e
|
KtUd3pONn9P2muRRf8BPN9h9Z3lQCHM3YyZCHYZHVlE
|
||||||
|
--- +Phw1BDecOqiTKuNXuA4xIvPxUWeZspB2C8Fk1FkWDQ
|
||||||
|
TgVÓ´ňRŃŘĺčI÷ż¬<11>¨łđlÖĄ~ş‘âý\ďÂ๦ľRúfŔŁ™^rŚ QÔ´@PNÎ-Ţ9&Ş,Ě’¨Äű…ĄŠâ2Üzôtq*"kGXúqţ “j:mK,4 <20>ŇeŹ—
|