From e39747ae2e9f4032b234f1f8d9a399b240f66539 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Tue, 30 Dec 2025 13:47:08 +0100
Subject: andromeda: add agenix; machines: start to add box
---
machines/173-249-5-230/configuration.nix | 73 +++++++++++++++++++++++
machines/173-249-5-230/hardware-configuration.nix | 69 +++++++++++++++++++++
machines/173-249-5-230/machine.nix | 10 ++++
3 files changed, 152 insertions(+)
create mode 100644 machines/173-249-5-230/configuration.nix
create mode 100644 machines/173-249-5-230/hardware-configuration.nix
create mode 100644 machines/173-249-5-230/machine.nix
(limited to 'machines/173-249-5-230')
diff --git a/machines/173-249-5-230/configuration.nix b/machines/173-249-5-230/configuration.nix
new file mode 100644
index 0000000..b8b403e
--- /dev/null
+++ b/machines/173-249-5-230/configuration.nix
@@ -0,0 +1,73 @@
+{machine, ...}: {
+ boot.tmp.cleanOnBoot = true;
+ boot.loader.grub.devices = ["nodev"];
+ environment.persistence."/nix/persist" = {
+ enable = true;
+ hideMounts = true;
+ directories = [
+ "/var/log"
+ "/var/lib/nixos"
+ "/var/lib/systemd/coredump"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/ly/save.txt"
+ ];
+ users."mtgmonkey" = {
+ directories = [
+ ".local/share/zoxide"
+ ".ssh"
+ ];
+ files = [
+ ".bash_history"
+ ".brush_history"
+ ];
+ };
+ };
+ i18n.defaultLocale = "de_DE.UTF-8";
+ networking = {
+ dhcpcd.enable = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443];
+ allowedUDPPorts = [80 443];
+ };
+ hostName = machine.hostname;
+ domain = "";
+ };
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ allow-import-from-derivation = true;
+ };
+ programs.noshell.enable = true;
+ services.openssh = {
+ enable = true;
+ allowSFTP = false;
+ ports = [5522];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = true;
+ };
+ extraConfig = ''
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ MaxAuthTries 3
+ MaxSessions 4
+ TCPKeepAlive no
+ '';
+ };
+ system.stateVersion = "26.05";
+ time.timeZone = "Europe/Berlin";
+ users.users."mtgmonkey" = {
+ isNormalUser = true;
+ description = "mtgmonkey";
+ initialPassword = "password";
+ extraGroups = ["wheel"];
+ openssh.authorizedKeys.keys = machine.pub-keys.ssh;
+ };
+}
diff --git a/machines/173-249-5-230/hardware-configuration.nix b/machines/173-249-5-230/hardware-configuration.nix
new file mode 100644
index 0000000..bde1c83
--- /dev/null
+++ b/machines/173-249-5-230/hardware-configuration.nix
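Review bot: `KbdInteractiveAuthentication = true;` largely cancels the `PasswordAuthentication = false;` two lines above it: with the NixOS default of `UsePAM yes`, keyboard-interactive lets a client authenticate with the account password through PAM, and in this commit `mtgmonkey` is a `wheel` member whose password is `initialPassword = "password"` while `machine.pub-keys.ssh` (machine.nix, same commit) is empty, so that password is the only credential this internet-facing host accepts. Unless a PAM second factor is planned, set `KbdInteractiveAuthentication = false;` and add at least one authorized key before the box is reachable. Separately, `allowedUDPPorts = [80 443];` opens 80/UDP, which nothing in this file uses; if it is meant for QUIC on 443 only, drop 80. `/etc/ssh` is also absent from the persisted directories even though the root subvolume is recreated on every boot by this host's hardware-configuration.nix, so the sshd host keys regenerate each boot and every client sees a host-key mismatch after a reboot.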
@@ -0,0 +1,69 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "sdhci_pci"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ #device = "none";
+ #fsType = "tmpfs";
+ #options = ["defaults" "size=60%" "mode=755"];
+ device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
+ fsType = "btrfs";
+ options = ["subvol=root"];
+ };
+
+ boot.initrd.postResumeCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount ${config.fileSystems."/".device} /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:$M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ '';
+
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/0e586651-36f4-42b0-99b3-3f0704a894d6";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/F425-55BA";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ swapDevices = [];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
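Review bot: The `timestamp=$(date … "+%Y-%m-%-d_%H:$M:%S")` line inside `boot.initrd.postResumeCommands` uses `$M` where `%M` is meant; Nix leaves `$M` untouched in a `''` string and the initrd shell expands it to an empty string, so the old root is renamed to something like `2025-12-30_13::08` with the minute lost. It should read `timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")`. `delete_subvolume_recursively` also sets `IFS=$'\n'` without `local`, so the changed IFS leaks into the `find` loop and anything that runs after it — harmless today, but `local IFS=$'\n'` costs nothing. The "Do not modify this file!" header is no longer true for this file; a short comment above `postResumeCommands` stating that `/` is a btrfs subvolume wiped on each boot and that old roots are kept for 30 days would help the next reader, since the commented-out tmpfs lines suggest the design changed.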
diff --git a/machines/173-249-5-230/machine.nix b/machines/173-249-5-230/machine.nix
new file mode 100644
index 0000000..672d46b
--- /dev/null
+++ b/machines/173-249-5-230/machine.nix
@@ -0,0 +1,10 @@
+{
+ hostname = "173-249-5-230";
+ usernames = ["mtgmonkey"];
+ system = "x86_64-linux";
+ configuration = ./configuration.nix;
+ hardware-configuration = ./hardware-configuration.nix;
+ pub-keys = {
+ ssh = [];
+ };
+}
-- cgit v1.3
From 0468cf2621e8ef812f774bbf2eed396b4c0d4602 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Tue, 30 Dec 2025 17:45:01 +0100
Subject: use agenix
---
flake.nix | 1 +
machines/173-249-5-230/configuration.nix | 9 +++++++--
machines/laptop/configuration.nix | 11 +++++++++--
machines/laptop/hardware-configuration.nix | 8 +++++++-
secrets/secret0.age | Bin 0 -> 396 bytes
secrets/secret1.age | Bin 0 -> 396 bytes
secrets/secrets.nix | 7 +++++++
7 files changed, 31 insertions(+), 5 deletions(-)
create mode 100644 secrets/secret0.age
create mode 100644 secrets/secret1.age
create mode 100644 secrets/secrets.nix
(limited to 'machines/173-249-5-230')
diff --git a/flake.nix b/flake.nix
index 69b6cff..d8682d5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,7 @@
 };
 configurationWithHomeManager = machine: (configuration machine [
+ agenix.nixosModules.default
 home-manager.nixosModules.home-manager
 {
 nixpkgs.overlays = [
diff --git a/machines/173-249-5-230/configuration.nix b/machines/173-249-5-230/configuration.nix
index b8b403e..853a5db 100644
--- a/machines/173-249-5-230/configuration.nix
+++ b/machines/173-249-5-230/configuration.nix
@@ -1,4 +1,9 @@
-{machine, ...}: {
+{
+ config,
+ machine,
+ ...
+}: {
+ age.secrets.secret1.file = ../../secrets/secret1.age;
 boot.tmp.cleanOnBoot = true;
 boot.loader.grub.devices = ["nodev"];
 environment.persistence."/nix/persist" = {
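Review bot: `age.secrets.secret1.file = ../../secrets/secret1.age;` cannot be decrypted on this host as the repository stands: agenix decrypts at activation with the host's SSH private keys (by default the `/etc/ssh/ssh_host_*` files), but secrets.nix in this same commit lists only the `andromeda@lenovo` user key and the `root@lenovo` host key as recipients, neither of which belongs to the server — unless the server was deliberately given the laptop's host key, which would be its own problem. On top of that, `/etc/ssh` is not in this host's `environment.persistence` list while the root subvolume is recreated on every boot by its hardware-configuration.nix, so the host key is regenerated each boot and any recipient added now would be stale after the next reboot; the laptop side of this commit adds `"/etc/ssh"` to its persisted `directories`, and the server needs the same line. Then add the server's host public key to secrets.nix and re-encrypt the secret. The `environment.persistence` attrset continues beyond this hunk.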
@@ -66,7 +71,7 @@
 users.users."mtgmonkey" = {
 isNormalUser = true;
 description = "mtgmonkey";
- initialPassword = "password";
+ passwordFile = builtins.toString config.age.secrets.secret1.path;
 extraGroups = ["wheel"];
 openssh.authorizedKeys.keys = machine.pub-keys.ssh;
 };
diff --git a/machines/laptop/configuration.nix b/machines/laptop/configuration.nix
index 1b07935..58b019e 100644
--- a/machines/laptop/configuration.nix
+++ b/machines/laptop/configuration.nix
@@ -1,8 +1,13 @@
 {
+ config,
 lib,
 machine,
 ...
 }: {
+ age.secrets = {
+ secret0.file = ../../secrets/secret0.age;
+ secret1.file = ../../secrets/secret1.age;
+ };
 boot.loader = {
 efi.canTouchEfiVariables = true;
 systemd-boot.enable = true;
@@ -16,6 +21,7 @@
 "/var/lib/nixos"
 "/var/lib/systemd/coredump"
 "/etc/NetworkManager/system-connections"
+ "/etc/ssh"
 ];
 files = [
 "/etc/machine-id"
@@ -82,6 +88,7 @@
 ly.enable = true;
 };
 libinput.enable = true;
+ openssh.enable = true;
 printing.enable = true;
 };
 system.stateVersion = "26.05";
@@ -89,7 +96,7 @@
 users.users."andromeda" = {
 isNormalUser = true;
 description = "andromeda";
- initialPassword = "password";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
 extraGroups = [
 "networkmanager"
 "wheel"
@@ -98,7 +105,7 @@
 users.users."mtgmonkey" = {
 isNormalUser = true;
 description = "mtgmonkey";
- initialPassword = "password";
+ hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
 extraGroups = [
 "networkmanager"
 "wheel"
diff --git a/machines/laptop/hardware-configuration.nix b/machines/laptop/hardware-configuration.nix
index bde1c83..8ebef80 100644
--- a/machines/laptop/hardware-configuration.nix
+++ b/machines/laptop/hardware-configuration.nix
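Review bot: `openssh.enable = true;` turns on sshd on the laptop with NixOS's defaults, which (unless overridden elsewhere in this file, outside the hunk) means password and keyboard-interactive authentication are accepted, `PermitRootLogin` is `prohibit-password`, and `openFirewall` opens port 22 — none of the hardening the server configuration in this tree applies. If sshd is only being enabled so that host keys exist for agenix to decrypt with, a hardened `settings` block, or `openFirewall = false;` if nobody needs to log in remotely, keeps the laptop from becoming a password-guessable target on whatever network it joins. The enclosing `services = { … }` attrset starts and ends outside this hunk.
```nix
# … unchanged: libinput.enable …
openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
  };
};
# … unchanged: printing.enable …
```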
@@ -21,7 +21,7 @@
 #device = "none";
 #fsType = "tmpfs";
 #options = ["defaults" "size=60%" "mode=755"];
- device = "/dev/disk/by-uuid/16c93673-4f0e-4010-a7f4-7ccffb20edb7";
+ device = "/dev/disk/by-uuid/5455cfb4-0efd-4f55-b496-d2cab3f419b7";
 fsType = "btrfs";
 options = ["subvol=root"];
 };
@@ -48,6 +48,12 @@
 done
 btrfs subvolume create /btrfs_tmp/root
+ mkdir /btrfs_tmp/root/nix
+ mkdir /btrfs_tmp/root/etc
+ mount ${config.fileSystems."/nix".device} /btrfs_tmp/root/nix
+ cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r
+ umount /btrfs_tmp/root/nix
+ rm -r /btrfs_tmp/root/nix
 umount /btrfs_tmp
 '';
diff --git a/secrets/secret0.age b/secrets/secret0.age
new file mode 100644
index 0000000..4fd14de
Binary files /dev/null and b/secrets/secret0.age differ
diff --git a/secrets/secret1.age b/secrets/secret1.age
new file mode 100644
index 0000000..3a172d3
Binary files /dev/null and b/secrets/secret1.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..43b72b3
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+ andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
+ lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
+in {
+ "secret0.age".publicKeys = [andromeda lenovo];
+ "secret1.age".publicKeys = [andromeda lenovo];
+}
-- cgit v1.3
From 9e402fdfa3f967e6b7497507f6d8eefbad6a71a9 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Tue, 30 Dec 2025 19:45:43 +0100
Subject: add server user password
---
machines/173-249-5-230/configuration.nix | 4 ++--
secrets/secret2.age | 7 +++++++
secrets/secrets.nix | 1 +
3 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 secrets/secret2.age
(limited to 'machines/173-249-5-230')
diff --git a/machines/173-249-5-230/configuration.nix b/machines/173-249-5-230/configuration.nix
index 853a5db..570d428 100644
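Review bot: `cp /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh -r` has no guard, so on a first boot (or any boot where `/nix/persist/etc/ssh` does not exist yet) `cp` fails, and because nothing in this script stops on error the `umount` and `rm -r` lines still run and the system comes up with an empty `/etc/ssh` — a failure that surfaces later as agenix being unable to decrypt rather than here. `-r` without `-a` also drops ownership and timestamps of the host keys (modes survive only modulo the initrd umask); since these are private keys, copy them with `cp -a`. Suggested: `if [[ -d /btrfs_tmp/root/nix/persist/etc/ssh ]]; then` / `cp -a /btrfs_tmp/root/nix/persist/etc/ssh /btrfs_tmp/root/etc/ssh` / `fi`. The reason the keys must be copied into the fresh subvolume from initrd at all — presumably so they are present before agenix runs, ahead of the impermanence bind mounts — deserves a one-line comment above the `mkdir` lines. The `postResumeCommands` string starts outside this hunk.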
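Review bot: The names `secret0.age` and `secret1.age` say nothing about what each file holds or which host consumes it, which makes the recipient lists in `"secret0.age".publicKeys = [andromeda lenovo];` and `"secret1.age".publicKeys = [andromeda lenovo];` impossible to review on their own; either descriptive file names or a `# password hash for <user> on <host>` comment above each entry would fix that. The `andromeda@lenovo` user key can open every secret here, including `mtgmonkey`'s password hash; if the two accounts are one person that is fine, but it is worth a comment saying so, since it is the kind of thing that silently stops being true.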
--- a/machines/173-249-5-230/configuration.nix
+++ b/machines/173-249-5-230/configuration.nix
@@ -3,7 +3,7 @@
 machine,
 ...
 }: {
- age.secrets.secret1.file = ../../secrets/secret1.age;
+ age.secrets.secret2.file = ../../secrets/secret2.age;
 boot.tmp.cleanOnBoot = true;
 boot.loader.grub.devices = ["nodev"];
 environment.persistence."/nix/persist" = {
@@ -71,7 +71,7 @@
 users.users."mtgmonkey" = {
 isNormalUser = true;
 description = "mtgmonkey";
- passwordFile = builtins.toString config.age.secrets.secret1.path;
+ hashedPasswordFile = builtins.toString config.age.secrets.secret2.path;
 extraGroups = ["wheel"];
 openssh.authorizedKeys.keys = machine.pub-keys.ssh;
 };
diff --git a/secrets/secret2.age b/secrets/secret2.age
new file mode 100644
index 0000000..de8612d
--- /dev/null
+++ b/secrets/secret2.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1 +-> ssh-ed25519 mT2fyg DSrFJv1cg7XUWGT8H60d+IdbQJKIGVc0FznYD3ScHxY +x75LtCRBWRH+Y541dDKE2vLk9kOZNxbFI68cDvaeJ4c +-> ssh-ed25519 UHxfvA 2jLPahOP6AKIn66RM4vUWAl4eUhNgZblKB2z/Wa6ghw +IPFBVfk+c1lO43jc58TmdUM9+pOBad8M7v5lxpNJLOE +--- Bv3SJdghwzga9GD5Fz1/62gelkFqjjgRxoiv4S7x1Nc +[ DYbƇiK_7zqh,Ocw(2^\[0-A8 =n'ZRN1JZol
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 43b72b3..5b14f22 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,4 +4,5 @@ let
 in {
 "secret0.age".publicKeys = [andromeda lenovo];
 "secret1.age".publicKeys = [andromeda lenovo];
+ "secret2.age".publicKeys = [andromeda lenovo];
 }
-- cgit v1.3
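Review bot: `"secret2.age".publicKeys = [andromeda lenovo];` encrypts the server user's password hash to the laptop's user and host keys only, while the sole consumer of `secret2.age` is `machines/173-249-5-230/configuration.nix` (changed in this same commit), and that host can decrypt it only with an identity listed here. Add the server's host public key, e.g. `server = "ssh-ed25519 AAAA… root@173-249-5-230";` in the `let` block and `"secret2.age".publicKeys = [andromeda server];`, then re-encrypt; whether `lenovo` should remain a recipient of a server-only secret is a question for the author. This assumes the server keeps a stable host key across its per-boot root wipe, which requires `/etc/ssh` to be persisted there — something its configuration does not do yet.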