diff --git a/.sops.yaml b/.sops.yaml
index 48325a9..e6bbc8c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -171,6 +171,13 @@ creation_rules:
 - *admin_marenz-2
 age:
 - *tram-borzoi
+ - path_regex: secrets/tetra-zw/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ - *admin_revol-xut
+ - *admin_marenz-1
+ - *admin_marenz-2
 - path_regex: secrets/uranus/[^/]+\.yaml$
 key_groups:
 - pgp:
diff --git a/flake.lock b/flake.lock
index dc596c8..e37970b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -692,6 +692,26 @@
 "type": "github"
 }
 },
+ "private-flake-overlays": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1701088629,
+ "narHash": "sha256-Xgb2lX35f+XILc++Y4fmTgZttPTi5MKQBMbOIAjWX4Y=",
+ "owner": "marenz2569",
+ "repo": "private-flake-overlays",
+ "rev": "316f9c9f3d79ccc52f8148b616789c38348cb58e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "marenz2569",
+ "repo": "private-flake-overlays",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "borzoi": "borzoi",
@@ -707,6 +727,7 @@
 "microvm": "microvm",
 "naersk": "naersk_4",
 "nixpkgs": "nixpkgs_6",
+ "private-flake-overlays": "private-flake-overlays",
 "sops-nix": "sops-nix",
 "telegram-decoder": "telegram-decoder",
 "tlms-rs": "tlms-rs_2",
diff --git a/flake.nix b/flake.nix
index f6336e2..81719c7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,6 +28,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ private-flake-overlays = {
+ url = "github:marenz2569/private-flake-overlays";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 ## TLMS stuff below
 trekkie = {
 url = "github:tlm-solutions/trekkie";
@@ -109,6 +114,7 @@
 outputs = inputs@{ self
+ , private-flake-overlays
 , borzoi
 , data-accumulator
 , datacare
@@ -128,6 +134,7 @@
 let
 pkgs = nixpkgs.legacyPackages."x86_64-linux";
 lib = pkgs.lib;
+ overlayFlake = private-flake-overlays.lib.overlayFlake;
 registry = import ./registry;
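Review bot: The new `secrets/tetra-zw/` creation rule lists only a `pgp` key group and no `age:` recipient, whereas the rule directly above it ends with `age:` / `- *tram-borzoi`, and the new `hosts/tetra-zw/secrets.nix` hunk sets `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, i.e. the host decrypts with an age identity derived from its SSH host key. The committed `secrets/tetra-zw/secrets.yaml` accordingly records `age: []`, so as far as this diff shows the box itself cannot decrypt `wg-seckey` at activation; only the four admin PGP keys can. Unless decryption is intended to happen elsewhere, add the host's age recipient under this rule, e.g. `age:` / `- *tetra-zw` (placeholder anchor for the recipient derived from the box's ssh_host_ed25519_key, declared alongside `*tram-borzoi`), and re-encrypt with `sops updatekeys` so the `age` block of the secrets file is populated.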
@@ -244,6 +251,17 @@
 ];
 };
+ tetra-zw = {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs self; registry = registry.tetra-zw; };
+ modules = [
+ sops-nix.nixosModules.sops
+
+ ./modules/TLMS
+ ./hosts/tetra-zw
+ ];
+ };
+
 uranus = {
 system = "x86_64-linux";
 specialArgs = { inherit inputs self; registry = registry.uranus; };
@@ -257,7 +275,8 @@
 };
 };
 in
- {
+ # overlays this private flake when in impure mode
+ overlayFlake "git+ssh://git@github.com/tlm-solutions/nix-config-private.git" {
 inherit unevaluatedNixosConfigurations;
 packages."aarch64-linux".box8 = self.nixosConfigurations.traffic-stop-box-8.config.system.build.sdImage;
diff --git a/hosts/tetra-zw/configuration.nix b/hosts/tetra-zw/configuration.nix
new file mode 100644
index 0000000..d0b9aba
--- /dev/null
+++ b/hosts/tetra-zw/configuration.nix
@@ -0,0 +1,27 @@
+{ self, pkgs, config, registry, ... }:
+
+{
+ imports = [
+ "${self}/hardware/dell-wyse-3040.nix"
+ ];
+
+ boot.tmp.useTmpfs = true;
+
+ # reboot 60 seconds after kernel panic
+ boot.kernel.sysctl."kernel.panic" = 60;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ nix = {
+ settings.build-cores = 1;
+ gc = {
+ automatic = true;
+ dates = "daily";
+ };
+ };
+
+ services.resolved.dnssec = "false";
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/tetra-zw/default.nix b/hosts/tetra-zw/default.nix
new file mode 100644
index 0000000..39edef2
--- /dev/null
+++ b/hosts/tetra-zw/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./configuration.nix
+ ./secrets.nix
+ ./wireguard-client.nix
+ ];
+}
diff --git a/hosts/tetra-zw/secrets.nix b/hosts/tetra-zw/secrets.nix
new file mode 100644
index 0000000..cf9e78d
--- /dev/null
+++ b/hosts/tetra-zw/secrets.nix
@@ -0,0 +1,5 @@
+{ config, self, registry, ... }:
+{
+ sops.defaultSopsFile = self + /secrets/${registry.hostName}/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+}
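Review bot: The URL handed to `overlayFlake`, `git+ssh://git@github.com/tlm-solutions/nix-config-private.git`, carries no `?rev=` or `?ref=` pin, so an impure evaluation follows whatever the private repository's default branch points to at that moment, and nothing in the flake.lock hunk records it — in contrast to the `private-flake-overlays` input, which the lock pins by `rev` and `narHash`. The comment `# overlays this private flake when in impure mode` also leaves unstated what happens in pure mode; if `overlayFlake` returns the attribute set unchanged there (which the wording suggests but this hunk cannot confirm), that is worth writing down. Suggested: pin as `...nix-config-private.git?rev=<pinned-commit>` and expand the comment to `# impure eval (--impure): outputs are overlaid with the private flake at the pinned rev; pure eval uses the attrset below unchanged — confirm against overlayFlake`. `overlayFlake` itself is bound in the earlier `let` hunk (`@@ -128,6 +134,7 @@`).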
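Review bot: `services.resolved.dnssec = "false";` in the new hosts/tetra-zw/configuration.nix disables DNSSEC validation on the box with no reason recorded, although the other non-default settings in the same file (`kernel.panic`, the time zone) each carry a comment. A one-liner such as `# DNSSEC validation off: <reason, e.g. the upstream resolver on this network does not validate>` keeps the setting from being read as an oversight later. The `# Set your time zone.` line is template wording and could simply be dropped.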
diff --git a/hosts/tetra-zw/wireguard-client.nix b/hosts/tetra-zw/wireguard-client.nix
new file mode 100644
index 0000000..aeda3a7
--- /dev/null
+++ b/hosts/tetra-zw/wireguard-client.nix
@@ -0,0 +1,14 @@
+{ config, lib, registry, ... }:
+# pubkey of the box goes to registry/default.nix!
+{
+ networking.useNetworkd = lib.mkForce true;
+
+ sops.secrets.wg-seckey = {
+ owner = config.users.users.systemd-network.name;
+ };
+
+ deployment-TLMS.net.wg = {
+ prefix4 = 24;
+ privateKeyFile = lib.mkDefault config.sops.secrets.wg-seckey.path;
+ };
+}
diff --git a/registry/default.nix b/registry/default.nix
index e460383..0e9f1df 100644
--- a/registry/default.nix
+++ b/registry/default.nix
@@ -45,4 +45,10 @@
 port = 8080;
 };
 };
+ tetra-zw = {
+ hostName = "tetra-zw";
+ wgAddr4 = "10.13.37.11";
+ wireguardPublicKey = "ksztvj780MFau9YH0hBOL+/PzYb/EaARCUqR+EUIL2o=";
+ publicWireguardEndpoint = null;
+ };
 }
diff --git a/secrets/tetra-zw/secrets.yaml b/secrets/tetra-zw/secrets.yaml
new file mode 100644
index 0000000..1edb00a
--- /dev/null
+++ b/secrets/tetra-zw/secrets.yaml
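Review bot: The comment `# pubkey of the box goes to registry/default.nix!` sits between the argument pattern and the module body of wireguard-client.nix and names neither the secret nor the registry field, both of which are visible in this diff. Move it inside the attribute set next to `sops.secrets.wg-seckey` and make it concrete, e.g. `# private key: sops secret wg-seckey, readable only by the systemd-network user; its public half is registry.tetra-zw.wireguardPublicKey (registry/default.nix)` — that pairing is what the existing comment appears to mean, so confirm it. The `owner = config.users.users.systemd-network.name` restriction is the right scope for a key that only networkd needs to read.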
@@ -0,0 +1,82 @@ +wg-seckey: ENC[AES256_GCM,data:92b1HSuowJkpYo8WRRACDELB+/ldei7ISNHSRpnIdVnNuhL/b+nBg6AYeSI=,iv:I+xmKBa8p6TF5i2XUkKJitOuaKC82cC6XCTYbevAnEc=,tag:NZM6s9UYwR4YqHiWlMpQcg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-11-27T15:03:10Z" + mac: ENC[AES256_GCM,data:OCLKBHUxUNBZFfOReLa/MRndLTOuFWMhG5f7IiXv/lPwgQbD9Rp97hnlbYmtHeheXO8vhZsiwUe7VO/UEN17G5s2sdRLdQpn/gT1XlvqN2cfZhJ9cPRJl6QQ40cYW0GNDlu8bSPY1WI2V+9nCxoDazJvrv8U4sjTa/jGNnX51pI=,iv:Rbrd9tvodC2ON08BMaJ6IvKPXrO07VcgtkOm3XgHXwE=,tag:GtTJtHoLlTBLfR3RV3UgCw==,type:str] + pgp: + - created_at: "2023-11-27T15:02:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ//eU1W4XI5YQH/5LniuIF/W0gBJv3jeKlh3QxEUgnBtBRR + yrf7tzO+4M3qhjhP2JFuyYvipyZ7hM+RFP2hFjEDjBio/GD+PEJgFZn30W7zOkDc + CwK2jRd2t7VnHmy2oQbYMWVtFZkMW6g0nVv+7QXmVlyw+unWV/spgLGI649gvHtK + y2QK1Np8YS11Mj6oaz7oJi5WXTRkZDwuIM8YBPNbynbFsRcyHvsVW4HqFXYd4cC7 + PccEwDIlO3nEsWVsBi5xhzANurzRv1LepBWq2ojaCuB7Mnp7G8SADJ45mbUkMswD + CkxO8VFxembH0x815giUC/S+vB3XV74TThP8t1jUkzWWeFroMY8hqscR42yzeIUS + 5XfaaYU5qqQQyMteiij1jriOxzDiNHQnKPPQPW2spmnQ6njPTmTCmNIC1H9OjF8h + StTKzKHILRYLO3Fn9INZrGI/ntPjKks8IjwPxcTjh6wqNsu6SgKWxXuxZUGvIbRj + 73sQn5r9uI4E/HczGiO3RF/Jcp/btUDHVeWu/nzFseH3H05yJ5ABDllx2VnoHJKT + +9ZCb11psqPX7m0DGWNgREtgybRMJxElm8Ke9QvS6rMXmltlrl5kFbfVngcj0kx5 + zsowKHP119mCTuRfZv+YUPJD2tu1sJAq0H7anB6m6HKOEvYvRdNKk42aw414VZjS + UQEZol48PW3DqJjzlBX9bQH0ZL8v6BfFVk6zflTHyS3WLmrUmZHi3atBl6eMrc+A + vu8yXYvIwWaOxNUozmwbrNdYxWT4LPrCFI+9q52vqMaG3Q== + =JfFt + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2023-11-27T15:02:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/YLzOYaRIJJAQ//Tp/AENqZMJjyAyp5IzAgVATmoRpB7expbKSr0JCYfcio + aJepbsSzKyauYu53+brUYa7kj+VjduGiCaXr0DCewMpohZj54gBDDnj8/XNTjesL + R6BgSgCm14abvvs++yR7Q8aIxeua0V+i5jYLM5U/CICFRFhKVJvkHtEabNfyG7Hu + FDCxdqOdm78uKvDW7NMrnu7ixfRsS5my+c+NFuWYFsda8xloM5iTPHMjx0S+7acB + 
F2LZCff5N6f0QvPtlrxj5nD5aQnMql93maSFsKYoKi/o6MMb75qtSYfWUeVl/fu0 + JFK+pcsJmqsHtrLSv1UniCfqe5MGN6AzS49QGgoTmYZLC2DyNNRbG+ISRs14KJAE + wJ3rfSQuVHKYN/2P+dmAi5w4aRea0pIrLYtQNqLYNBqH45IFVgSslDA7GL56epco + wI3Wc1uxQPWS7EODOBKPebA3u+Hxu49i/8bCYk5Pgkp8w6dTm5Ok2i4tc60pBwIA + Yjp9GPjfF+ld0vgG1NPz+fxx/TH9zzkhg/MvDgtJvYlpG/SnB8F6WxJ7oKZrk4I8 + NuInneZjit2U2Dxk2BCYS2yUI0aitivzIS/41xuCCmCWDC3h/+6Tg/DaXElLH7Oo + sMY4hAXYaB8TxLakHJRs9/Rl2HCi+m9cTN3ygscmVT/aFMCScuO6MkUxIPc+ZBLS + UQFHogD3IiDvySf9Tc8kkBysIA7nUHNwUTr9Q/QKAUXnInxZANuYa5Uqapqn/W+w + GdfL2pry3DF1hz1oBEsc2z+l0hww9hzHscJ1jrE/GwVRXA== + =jk+v + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2023-11-27T15:02:48Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf/UbfrpOO9me+hJTy36IIJUoU90CKRJCf9IRfeFXVKok1F + 4zIFtYkj1ioSVYkm2cJ64pVirIEVgTPeuitc3dATfHsu0Y08hHeCQMs9DiaYzXy2 + /VTau11c87ZBoDm9pLWij/MsCFwi3WGa1UALCunKEtPV3Ljp39+NRu8y3OyOZHjN + ktHY0MEntjCzmD8BXx5bkOQ6pOFoKPFY92150Csl73Nnn232Vsaff4ZwStt2FONP + xcXjWdQKH24WigNG/gLa4MMT6grwGkuy08XTkr3cwPMPpekOboDdH+5GsDBkA8jU + LCQ+bVAo/ChtqdD4OOGpxcECr2CuczWLYsyktJaIb9JeAd6KyTBugKmMEV9WxpKm + 9l33mLVTpg77qFlKf0Y/axo0eIp7EQqxlpbiQuRZu2aM4s/a3uZ3OLnrVexvSQ1X + 5PLZyfkx+TO26/YRCkMxht1Uql08wzWMqZGDglpMTw== + =jhUj + -----END PGP MESSAGE----- + fp: 069836A578F7939612DB4934F77D0F7E247A1EE4 + - created_at: "2023-11-27T15:02:48Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf/ZuCGHKsISv+rSeUfayaYBxCWYAIHbx5vVg0ydtq8tWar + U6T0A3cergkfZfIX/trsWQqI/TVkc6UL8MDBnOZEYy0qd07tDL+OUlwX6UI7IO+K + bth8nkTnVthnjCUh4a6VSt4ZeeiYCKJb+ndLDr9Z6qwCRE5cJXDX7NUOJVC7fkOP + ae/UvFrqppH8JVw/7LZKIu+w6mp7z736cs/o+AhHRuqGnCiNPqF0d7LF8qCpFX07 + hwHCkl6CMc8MCoLQsa3mdzhaNpJWU/qkQ7h1S73W8g3wtv7Dpi9kTNhJ1lT+wZKp + MWBvrHJgHaaSVDCNJq7PLUqoxavL0ul9G0tVYrMLttJeAZ76OKiO1i3JCU1JymOT + sX3pVzE8MBlDcrpRDQJ4c7/LBPX6qAhnxvyZHawARUWNH2UtVA9ceCW11Jqk+Owg + W4FcSvBnXpb0LG0i4qozXvxfAwWm6Hu57Pbqm/YOGw== + =/DPb + -----END PGP MESSAGE----- + fp: 
ED06986DFAAE6A61B751DC2F537F97DFB394C433 + unencrypted_suffix: _unencrypted + version: 3.7.3