diff --git a/.sops.yaml b/.sops.yaml index b602e71..173813c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -43,6 +43,12 @@ creation_rules: - *hosting-02 pgp: - *lander + - path_regex: hosts/servers/hosting-02.yaml$ + key_groups: + - age: + - *hosting-02 + pgp: + - *lander - path_regex: hosts/mail-01/secrets.yam?l$ key_groups: - age: diff --git a/flake.nix b/flake.nix index 0d63957..d95e375 100644 --- a/flake.nix +++ b/flake.nix 
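Review bot: The new creation rule's `path_regex: hosts/servers/hosting-02.yaml$` leaves the dot unescaped, so it is a wildcard rather than a literal; `path_regex: hosts/servers/hosting-02\.yaml$` pins it to the intended file. The rule directly above it (its `path_regex` is outside the hunk, only its `- *hosting-02` / `- *lander` keys are visible) presumably still targets the deleted `hosts/hosting-02/secrets.yaml`; since sops takes the first matching rule, a stale rule is harmless today but should be removed in the same change so the recipients of the old path and the new one cannot drift apart. The `creation_rules` list begins before the hunk.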
@@ -78,74 +78,74 @@ nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; - nixosConfigurations = { - # Workstations - wodan = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs outputs; }; - modules = [ - { - nixpkgs.overlays = [ - tidalcycles.overlays.default - (_: prev: { - tailscale = prev.tailscale.overrideAttrs (old: { - checkFlags = builtins.map ( - flag: - if prev.lib.hasPrefix "-skip=" flag then - flag + "|^TestGetList$|^TestIgnoreLocallyBoundPorts$|^TestPoller$" - else - flag - ) old.checkFlags; - }); - }) - ]; - } - { nixpkgs.overlays = [ tidalcycles.overlays.default ]; } - ./hosts/wodan - ]; - }; - widar = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/widar - ]; - }; - heimdall = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/heimdall - ]; - }; + nixosConfigurations = + let + hetzner = import ./lib/hetzner.nix { inherit inputs nixpkgs; }; + in + { + # Workstations + wodan = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ + { + nixpkgs.overlays = [ + tidalcycles.overlays.default + (_: prev: { + tailscale = prev.tailscale.overrideAttrs (old: { + checkFlags = builtins.map ( + flag: + if prev.lib.hasPrefix "-skip=" flag then + flag + "|^TestGetList$|^TestIgnoreLocallyBoundPorts$|^TestPoller$" + else + flag + ) old.checkFlags; + }); + }) + ]; + } + { nixpkgs.overlays = [ tidalcycles.overlays.default ]; } + ./hosts/wodan + ]; + }; + widar = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/widar + ]; + }; + heimdall = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/heimdall + ]; + }; - # servers - db-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/db-01 - ]; + # 
servers + db-01 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/db-01 + ]; + }; + hosting-01 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/hosting-01 + ]; + }; + hosting-02 = hetzner.mkHetznerMachine "hosting-02" { + ipv6Address = "2a01:4f8:c013:7fc0::/64"; + }; + mail-01 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/mail-01 + ]; + }; }; - hosting-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/hosting-01 - ]; - }; - hosting-02 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/hosting-02 - ]; - }; - mail-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/mail-01 - ]; - }; - }; }; } diff --git a/hosts/hosting-02/secrets.yaml b/hosts/hosting-02/secrets.yaml deleted file mode 100644 index 7223991..0000000 --- a/hosts/hosting-02/secrets.yaml +++ /dev/null 
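Review bot: `hosting-02` is the only host built without `specialArgs = { inherit inputs outputs; }`, because `hetzner.mkHetznerMachine` (in `lib/hetzner.nix`) calls `nixpkgs.lib.nixosSystem` with `inherit system;` and `modules` only. The renamed `hosts/servers/hosting-02.nix` declares `{ config, pkgs, ... }:` and so may not need them yet, but any module it imports later that expects `inputs` will fail to evaluate only on this host, unlike its siblings. Consider passing `specialArgs = { inherit inputs; };` from `mkHetznerMachine` (it already receives `inputs`) or documenting at the call site that Hetzner machines do not get the flake's `specialArgs`. The enclosing `outputs` attribute set starts before the hunk.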
@@ -1,30 +0,0 @@ -wireguardKey: ENC[AES256_GCM,data:0xzdESyIvaMzDe1W7GOddxCmDeQf246m8mfcPVxNRX6jPu222GXSwSywPgU=,iv:5GvluPofwd4SkQWJo7KKen7x0ZkAu5idl6xcyVxdbvQ=,tag:HtzLtergC3wrYFXIeA37PQ==,type:str] -storageboxKey: ENC[AES256_GCM,data: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,iv:toi832UgHmdoEUTowb/2oAxbioLVxNjBAyC1KcsBPI8=,tag:siNnRQyKeXBcC6Ln8P30Dg==,type:str] -storageboxCryptKey: ENC[AES256_GCM,data:48M3TXFgBnR82K67xfmOk/3CierDXo4WNg==,iv:S+LRyixH/Uaurr51j3UnFPMWAwR2S5dI7Ei+NcmSOeI=,tag:Rv/shtQ9zsp7tCs6f4jBAg==,type:str] -sops: - age: - - recipient: age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdUhmVTFkY2xsVi9uK3Vl - eGRKa1RZMnVpQ21JMnFZRHRPL3I1OGFwTlNBCmxWeHFBdmJ4dmszOFZVTXpjSEt0 - THUvQ3NNTWlZRTZMNVloaEpzQk9YU0UKLS0tIFM3WWtsWERvbkxqb2RDZ01VVStt - eFdmOHNGSlNFckg2emltYU5yWHB2UVkKs5B0CG13bfsJL1mVCUcm8JlFVw4pfqMT - QGl5LOw06WBIOSrmYn5s98scIkiKvLsqQ+OjbyM0RwB0sGYaz3D0Rg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-11T20:17:19Z" - mac: ENC[AES256_GCM,data:wY7twUe+K84BbGGdYf30Zt4lR9FHBjtwHVhebvpdjVw2qL0g3uEOv0ntfZ3oqiibcsBTJWa7MvIDYYTJq6OUhTNH2DiGOaOI2tC4wck0aaQiJJQ19ZmiPqMSLlY0UpFvHJfAcfgcZiZnBWg+QhWA+CeDeKSAb74GHthdqWFOOTg=,iv:WbkD7PqSqnkCawdoF85XzB82jsRv02QGHb+7AjUTBxI=,tag:eEOvjEPRR5nfzrL3+PsTAg==,type:str] - pgp: - - created_at: "2025-09-09T22:56:42Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DARdpY4woM6wSAQdASvzhCErbMVzIY6FCb0HXSKmgpFRO4VbdCphwY0lhxWMw - e0pavui/x399qCaqKNgJ+Nidtw8fQ3CEr4Ddb/qUMCZQS8EpE9IrIvUehebBhorz - 0l4BLBlf2HHgjD2TL2Z9jtehN/UFGnEReM5fKXO8JkWhb9j9jPyswV6tZfyc0Wuy - BKTazZTTZ1kgbFRzPqFiqKMnHBBvMcXQ0El2MT7xJCkAzqNRR4H6R6wIyUyfr93n - =VeKw - -----END PGP MESSAGE----- - fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 - unencrypted_suffix: _unencrypted - version: 3.10.2 
diff --git a/hosts/hosting-02/default.nix b/hosts/servers/hosting-02.nix similarity index 85% rename from hosts/hosting-02/default.nix rename to hosts/servers/hosting-02.nix index ccf6155..57b2490 100644 --- a/hosts/hosting-02/default.nix +++ b/hosts/servers/hosting-02.nix @@ -1,17 +1,5 @@ { config, pkgs, ... }: { - imports = [ - ./disk-config.nix - { - _module.args.disks = [ "/dev/sda" ]; - } - - ../common/servers - ]; - - time.timeZone = "Europe/Berlin"; - - networking.hostName = "hosting-02"; networking.firewall = { enable = true; allowedTCPPorts = [ @@ -31,12 +19,6 @@ addRouteTablesToIPRoute2 = true; }; - systemd.network.networks."30-wan" = { - address = [ - "2a01:4f8:c013:7fc0::/64" - ]; - }; - systemd.services."netns@" = { description = "Network namespace %i"; serviceConfig = { @@ -149,18 +131,18 @@ ]; }; - sops.secrets = { - wireguardKey = { - owner = "root"; - sopsFile = ./secrets.yaml; - }; - storageboxKey = { - owner = "root"; - sopsFile = ./secrets.yaml; - }; - storageboxCryptKey = { - owner = "root"; - sopsFile = ./secrets.yaml; + sops = { + defaultSopsFile = ./hosting-02.yaml; + secrets = { + wireguardKey = { + owner = "root"; + }; + storageboxKey = { + owner = "root"; + }; + storageboxCryptKey = { + owner = "root"; + }; }; }; diff --git a/hosts/servers/hosting-02.yaml b/hosts/servers/hosting-02.yaml new file mode 100644 index 0000000..85ef193 --- /dev/null +++ b/hosts/servers/hosting-02.yaml 
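Review bot: The removed `../common/servers` import in the first hunk is not re-established anywhere: `mkHetznerMachine` in `lib/hetzner.nix` only imports disko, sops-nix, the disk config, its own inline module and `machineConfig`, and references `../hosts/common/servers/secrets.yaml` solely as a `sopsFile`. Whatever that shared module provided beyond what the inline module replicates (the hunk does not show its contents, so this is inferred) is silently dropped from hosting-02 while the other servers keep it. Either add `../hosts/common/servers` to the `modules` list in `mkHetznerMachine`, or pass it at the call site with `extraModules = [ ./hosts/common/servers ];`, and state in a comment which of the two is the intended source of shared server policy. The module's attribute set continues outside all three hunks.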
@@ -0,0 +1,30 @@ +wireguardKey: ENC[AES256_GCM,data:Z239oQMzOp4C33pBePuANX3aPkmjTcrT+Z/UY0dnUCmMOs2Oy3iktS6Fgsw=,iv:21XLXpgsoYpvz887ZlLJW/A6IOJwEX5YwJrnO725M5U=,tag:VDGjOiYqFN8tMhf8s2YV6g==,type:str] +storageboxKey: ENC[AES256_GCM,data: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,iv:sEwA6zrK6FFqTmVJOMD77g0OuDjCHDLRBlirjhZBx/0=,tag:z1fX+7goXk4U6Di+4EK6Fw==,type:str] +storageboxCryptKey: ENC[AES256_GCM,data:ryYOzFvdPaVkOHmypYbqw+KU6aB2OQutLw==,iv:FL4c7P36qxYR1KJlg7t0dvFHlKGMIrTlQG+CDkeJu9U=,tag:Ia4mhV9Ed/m1rRMCNnHqXw==,type:str] +sops: + age: + - recipient: age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSlA1Z3Q0ZzNlSmVtZmhn + dmxZWHplaEJXWFY3UjVSVDhaRkovb0srRkJvClpENmkzK3YrYysvVTJJQ1JVTDA0 + VG5ySFJYQTlqbkJVZ2pwYjhXeHNsQXcKLS0tIEZDdTRYUzJFdUdUeVpOd3gybkxs + b1ZqUzZLUkFwNHJyVlhmK0FOZ1JFYUEKDU4NmBCHRY+ZK+RFK/LioGzjJTaOE1ky + MC6jxt7Y5RkCk0BBqeoEVLaNXNViPjwakbvyfH0w0P6l0KDJ4mNlYQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-18T21:32:51Z" + mac: ENC[AES256_GCM,data:y3iMxGNyJfkmJZebiJ/iW/fhX3758Bz8/z8GfzvBiosjHOE6Awka70uQ7rFvHrLIFATDCrWW09ERD16/EIGL7bZMBKeXmjpkTe9WrmqYu4aS9qj1A/UzcW9zkxj6kKSZlgbdh2RaPXj9VcVfdYs/WDp8cxAuNmFLLEpY9Ar0SSY=,iv:rSGm4Y9XWrYmA2rL3t63NfSgHd6wBPWbtvfGivj6Qq0=,tag:gdHWOS0NO5piFK3fQiCSrw==,type:str] + pgp: + - created_at: "2025-09-18T21:32:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DARdpY4woM6wSAQdA3//4oqX5uJuZHRzZ4TYvZ4rvbh1RLXKKwzmKkZ1wYBMw + kXxBjyp9624BQvC0P/aXgr1dWnAqkqNG7/y6Zfg0CLK8qcCkDiur20EH35XOy2gv + 0l4BbPW04HWvJKU3y6WvVucG87gRi83kJbT6AHXfuw2mAw77pJNZY0g645fV9wBc + tSkkum0EpC8P+4aiqcKyFy0KfsmOlouT6QqmlH1VZvCfRPZ1hysWG2bIzV0BDDOo + =nKA3 + -----END PGP MESSAGE----- + fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + unencrypted_suffix: _unencrypted + version: 3.10.2 
diff --git a/hosts/hosting-02/disk-config.nix b/lib/disk-config.nix similarity index 95% rename from hosts/hosting-02/disk-config.nix rename to lib/disk-config.nix index aa2e1fa..28a738c 100644 --- a/hosts/hosting-02/disk-config.nix +++ b/lib/disk-config.nix @@ -1,11 +1,11 @@ { - lib, disks ? [ "/dev/sda" ], + nixpkgs, ... }: { disko.devices = { - disk = lib.genAttrs disks (disk: { + disk = nixpkgs.lib.genAttrs disks (disk: { device = disk; type = "disk"; content = { diff --git a/lib/hetzner.nix b/lib/hetzner.nix new file mode 100644 index 0000000..5b8672e --- /dev/null +++ b/lib/hetzner.nix 
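Review bot: With `lib` replaced by `nixpkgs` in the argument set, this file is no longer usable as a plain module path (the module system supplies `lib`, not `nixpkgs`); it must be pre-applied as `import ./disk-config.nix { inherit disks nixpkgs; }`, which is how `lib/hetzner.nix` uses it. Nothing in the file says so, and the `disks ? [ "/dev/sda" ]` default is now duplicated in `mkHetznerMachine`. A header comment such as `# Not a module: call with { disks; nixpkgs; } and put the result in `modules` (see lib/hetzner.nix).` would prevent the obvious misuse. The `disko.devices` body continues past the hunk.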
@@ -0,0 +1,149 @@ +{ + inputs, + nixpkgs, + ... +}: +{ + mkHetznerMachine = + hostname: + { + system ? "aarch64-linux", + user ? "lander", + timeZone ? "Europe/Berlin", + disks ? [ "/dev/sda" ], + ipv6Address, + tailscale ? true, + extraModules ? [ ], + }: + let + diskConfig = import ./disk-config.nix { inherit disks nixpkgs; }; + machineConfig = ../hosts/servers/${hostname}.nix; + in + nixpkgs.lib.nixosSystem { + inherit system; + + modules = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + + diskConfig + + ( + { + config, + lib, + pkgs, + ... + }: + { + boot = { + loader.grub = { + devices = [ "/dev/sda" ]; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + initrd.kernelModules = [ "virtio_gpu" ]; + + kernelParams = [ "console=tty" ]; + }; + + time.timeZone = timeZone; + + networking = { + useNetworkd = true; + hostName = hostname; + }; + + systemd.network = { + enable = true; + + networks = { + "30-wan" = { + matchConfig.Name = "enp1s0"; + networkConfig.DHCP = "ipv4"; + address = [ ipv6Address ]; + routes = [ + { Gateway = "fe80::1"; } + ]; + }; + }; + }; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + extraConfig = '' + PrintLastLog no + ''; + }; + + sops.secrets.tailscale-authkey = lib.mkIf tailscale { + owner = "root"; + group = "root"; + sopsFile = ../hosts/common/servers/secrets.yaml; + }; + + services.tailscale = lib.mkIf tailscale { + enable = tailscale; + openFirewall = false; + extraUpFlags = [ + "--login-server=https://headscale.escapeangle.com" + ]; + authKeyFile = config.sops.secrets.tailscale-authkey.path; + }; + + programs.zsh.enable = true; + environment.pathsToLink = [ "/share/zsh" ]; + environment.shells = [ pkgs.zsh ]; + environment.enableAllTerminfo = true; + + users.users.${user} = { + isNormalUser = true; + shell = pkgs.zsh; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026" + ]; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026" + ]; + + nix = { + settings = { + trusted-users = [ "${user}" ]; + accept-flake-config = true; + auto-optimise-store = true; + }; + + registry = { + nixpkgs = { + flake = nixpkgs; + }; + }; + + nixPath = [ + "nixpkgs=${nixpkgs.outPath}" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + + package = pkgs.nixVersions.stable; + extraOptions = ''experimental-features = nix-command flakes''; + + gc = { + automatic = true; + options = "--delete-older-than 7d"; + }; + }; + } + ) + + machineConfig + ] ++ extraModules; + }; +}
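Review bot: `nix.settings.accept-flake-config = true` combined with `trusted-users = [ "${user}" ]` means any flake evaluated by that user can inject its own `nixConfig` (substituters, trusted public keys, sandbox settings) into the daemon without a prompt, which is an easy way for a third-party flake to become a trusted binary cache on a server; the default of `false` is safer, and `trusted-users` membership should at least carry a comment noting it is root-equivalent. `boot.loader.grub.devices = [ "/dev/sda" ]` is hard-coded although `disks` is a parameter, so overriding `disks` produces a system whose bootloader still targets the default device; `devices = disks;` keeps the two consistent. The `ssh-ed25519 … cardno:22_498_026` key is written twice; bind it once in the `let` (e.g. `adminKey = "…";`) and reuse it for `${user}` and `root`, and write `trusted-users = [ user ];` instead of interpolating a string into a string. `services.tailscale = lib.mkIf tailscale { enable = tailscale; … }` sets `enable` to a value that is always `true` inside the `mkIf`; `enable = true;` says what is meant.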