diff --git a/flake.nix b/flake.nix index 0d63957..3ada11b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -78,74 +78,77 @@ nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; - nixosConfigurations = { - # Workstations - wodan = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs outputs; }; - modules = [ - { - nixpkgs.overlays = [ - tidalcycles.overlays.default - (_: prev: { - tailscale = prev.tailscale.overrideAttrs (old: { - checkFlags = builtins.map ( - flag: - if prev.lib.hasPrefix "-skip=" flag then - flag + "|^TestGetList$|^TestIgnoreLocallyBoundPorts$|^TestPoller$" - else - flag - ) old.checkFlags; - }); - }) - ]; - } - { nixpkgs.overlays = [ tidalcycles.overlays.default ]; } - ./hosts/wodan - ]; - }; - widar = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/widar - ]; - }; - heimdall = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/heimdall - ]; - }; + nixosConfigurations = + let + hetzner = import ./lib/hetzner.nix { inherit inputs nixpkgs; }; + in + { + # Workstations + wodan = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ + { + nixpkgs.overlays = [ + tidalcycles.overlays.default + (_: prev: { + tailscale = prev.tailscale.overrideAttrs (old: { + checkFlags = builtins.map ( + flag: + if prev.lib.hasPrefix "-skip=" flag then + flag + "|^TestGetList$|^TestIgnoreLocallyBoundPorts$|^TestPoller$" + else + flag + ) old.checkFlags; + }); + }) + ]; + } + { nixpkgs.overlays = [ tidalcycles.overlays.default ]; } + ./hosts/wodan + ]; + }; + widar = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/widar + ]; + }; + heimdall = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/heimdall + ]; + }; - # servers - db-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/db-01 - ]; + # 
servers + db-01 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/db-01 + ]; + }; + hosting-01 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/hosting-01 + ]; + }; + hosting-02 = hetzner.mkHetznerMachine "hosting-02" { + ipv6Address = "2a01:4f8:c013:7fc0::/64"; + extraModules = [ + ./hosts/hosting-02 + ]; + }; + mail-01 = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit inputs outputs; }; + modules = [ + ./hosts/mail-01 + ]; + }; }; - hosting-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/hosting-01 - ]; - }; - hosting-02 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/hosting-02 - ]; - }; - mail-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/mail-01 - ]; - }; - }; }; } diff --git a/hosts/hosting-02/default.nix b/hosts/hosting-02/default.nix index ccf6155..70bd7c1 100644 --- a/hosts/hosting-02/default.nix +++ b/hosts/hosting-02/default.nix @@ -5,13 +5,8 @@ { _module.args.disks = [ "/dev/sda" ]; } - - ../common/servers ]; - time.timeZone = "Europe/Berlin"; - - networking.hostName = "hosting-02"; networking.firewall = { enable = true; allowedTCPPorts = [ @@ -31,12 +26,6 @@ addRouteTablesToIPRoute2 = true; }; - systemd.network.networks."30-wan" = { - address = [ - "2a01:4f8:c013:7fc0::/64" - ]; - }; - systemd.services."netns@" = { description = "Network namespace %i"; serviceConfig = { diff --git a/lib/hetzner.nix b/lib/hetzner.nix new file mode 100644 index 0000000..5d421e8 --- /dev/null +++ b/lib/hetzner.nix 
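Review bot: `hosting-02 = hetzner.mkHetznerMachine "hosting-02" { … }` is the only entry in this attrset that no longer passes `specialArgs = { inherit inputs outputs; }`; the helper in `lib/hetzner.nix` calls `nixpkgs.lib.nixosSystem` with `inherit system; modules = …` and no `specialArgs`, so any module under `./hosts/hosting-02` that takes `inputs` or `outputs` as an argument will fail to evaluate (that directory is not visible here, so this is inferred). If those arguments are needed, thread `outputs` through the import, `hetzner = import ./lib/hetzner.nix { inherit inputs outputs nixpkgs; };`, and have the helper set `specialArgs = { inherit inputs outputs; };`. The `outputs` attrset that `nixosConfigurations` lives in begins before this hunk.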
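Review bot: Dropping `../common/servers` from the `imports` of hosts/hosting-02 means whatever that shared module configured is no longer applied to this host unless `mkHetznerMachine` reproduces it; the new helper covers sshd, tailscale, the sops secret and the `lander` account, but `hosts/common/servers` is not visible here, so whether the rest (firewall defaults, sops key configuration, any hardening) is still covered cannot be confirmed. Either import `../common/servers` from the helper's module list, or add a comment at this import site, `# shared server config now comes from lib/hetzner.nix`, so the omission reads as deliberate. The kept `_module.args.disks = [ "/dev/sda" ];` now duplicates the `loader.grub.devices = [ "/dev/sda" ]` hard-coded in the helper; a single `disks ? [ "/dev/sda" ]` parameter would keep the two in step. The enclosing `imports` list starts before the hunk.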
@@ -0,0 +1,137 @@ +{ + inputs, + nixpkgs, + ... +}: +{ + mkHetznerMachine = + hostname: + { + system ? "aarch64-linux", + timeZone ? "Europe/Berlin", + ipv6Address, + tailscale ? true, + extraModules, + }: + nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + inputs.disko.nixosModules.disko + inputs.sops-nix.nixosModules.sops + ( + { + config, + lib, + pkgs, + ... + }: + { + boot = { + loader.grub = { + devices = [ "/dev/sda" ]; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + initrd.kernelModules = [ "virtio_gpu" ]; + + kernelParams = [ "console=tty" ]; + }; + + time.timeZone = timeZone; + + networking = { + useNetworkd = true; + hostName = hostname; + }; + + systemd.network = { + enable = true; + + networks = { + "30-wan" = { + matchConfig.Name = "enp1s0"; + networkConfig.DHCP = "ipv4"; + address = [ ipv6Address ]; + routes = [ + { Gateway = "fe80::1"; } + ]; + }; + }; + }; + + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + extraConfig = '' + PrintLastLog no + ''; + }; + + sops.secrets.tailscale-authkey = lib.mkIf tailscale { + owner = "root"; + group = "root"; + sopsFile = ../hosts/common/servers/secrets.yaml; + }; + + services.tailscale = lib.mkIf tailscale { + enable = tailscale; + openFirewall = false; + extraUpFlags = [ + "--login-server=https://headscale.escapeangle.com" + ]; + authKeyFile = config.sops.secrets.tailscale-authkey.path; + }; + + programs.zsh.enable = true; + environment.pathsToLink = [ "/share/zsh" ]; + environment.shells = [ pkgs.zsh ]; + environment.enableAllTerminfo = true; + + users.users.lander = { + isNormalUser = true; + shell = pkgs.zsh; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026" + ]; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026" + ]; + + 
nix = { + settings = { + trusted-users = [ "lander" ]; + accept-flake-config = true; + auto-optimise-store = true; + }; + + registry = { + nixpkgs = { + flake = nixpkgs; + }; + }; + + nixPath = [ + "nixpkgs=${nixpkgs.outPath}" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + + package = pkgs.nixVersions.stable; + extraOptions = ''experimental-features = nix-command flakes''; + + gc = { + automatic = true; + options = "--delete-older-than 7d"; + }; + }; + } + ) + ] ++ extraModules; + }; +}
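Review bot: `settings.PasswordAuthentication = false` alone does not close password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd can still run PAM keyboard-interactive password prompts; add `settings.KbdInteractiveAuthentication = false;` next to it. Since `users.users.root.openssh.authorizedKeys.keys` deliberately enables key-based root login, state the policy rather than relying on the default, `settings.PermitRootLogin = "prohibit-password";`. `nix.settings.accept-flake-config = true` together with `trusted-users = [ "lander" ]` means the `nixConfig` of any flake that user evaluates (extra substituters and trusted-public-keys included) is honored without a prompt, which widens the supply chain of every build on these hosts; drop it unless every consumed flake is under your control. The same `ssh-ed25519 … cardno:22_498_026` literal is repeated for `lander` and `root`; hoist it into a `let adminKeys = [ … ]; in` binding so a key rotation cannot leave one of the two behind. `lib.mkIf tailscale { enable = tailscale; … }` can simply set `enable = true;`, since the block is only merged when `tailscale` is true.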