diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..3f5a435
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,83 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &dominik age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+ - &tuxedo age17c4swm58zt07axl5u6kkxrwtr5haqkvu4ye4t98qdph98qdclgtq2cyzkq
+ - &git-server age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
+ - &web-01-server age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
+ - &home-assistant-server age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58
+ - &ldap-server-test age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
+ - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
+ - &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
+ - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
+creation_rules:
+ - path_regex: ^[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *tuxedo
+ - *dominik
+ - path_regex: computers/git.cloonar.com/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *git-server
+ - path_regex: computers/web-01.cloonar.com/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *web-01-server
+ - path_regex: computers/home-assistant.cloonar.com/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *home-assistant-server
+ - path_regex: computers/ldap.cloonar.com/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *ldap-server-arm
+ - *ldap-server-test
+ - path_regex: modules/lego/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *git-server
+ - *web-01-server
+ - *home-assistant-server
+ - *ldap-server-arm
+ - *ldap-server-test
+ - *testmodules
+ - *netboot
+ - path_regex: modules/bitwarden/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *web-01-server
+ - path_regex: modules/drone/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *git-server
+ - path_regex: modules/zammad/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *web-01-server
+ - path_regex: modules/plausible/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *web-01-server
+ - path_regex: modules/openldap/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *ldap-server-arm
+ - *ldap-server-test
+ - path_regex: modules/home-assistant/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *home-assistant-server
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7f106e2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# 1. Installation of new servers
+- install ubuntu 20.04
+- get age key from SSH
+```console
+$ nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age'
+```
+- fix secrets files
+```console
+$ sops': nix-shell -p sops --run "sops updatekeys -y secrets.yaml"
+```
+- run install command
+```console
+$ ./install.sh example.com
+```
+
+# 2. Web Server specific
+- change the permissions for /var/www
+```console
+$ chown nginx:nginx /var/www
+$ chmod 755 /var/www
+```
+
+# 3. Net data
+- Netdata data page: Add a node
+- Once you got the token, we will claim it to associate it to a node:
+- create /var/lib/netdata/cloud.d/token and write the token in it
+- run nix-shell -p netdata --run "netdata-claim.sh -id=$(uuidgen)" as root
+- your node should be registered in Netdata cloud
diff --git a/hosts/nb-epicenter/configuration.nix b/hosts/nb-epicenter/configuration.nix
new file mode 100644
index 0000000..be3d3e3
--- /dev/null
+++ b/hosts/nb-epicenter/configuration.nix
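Review bot: None of the `creation_rules` match `hosts/nb-epicenter/secrets.yaml`, which configuration.nix in this same commit sets as `sops.defaultSopsFile`; the rules only cover top-level `*.yaml`, `computers/...` and `modules/...`, so sops should report no matching creation rule when that file is created or run through `updatekeys`, unless the file is actually kept elsewhere. A rule such as `- path_regex: ^hosts/nb-epicenter/[^/]+\.yaml$` listing the laptop's age key (presumably `*tuxedo`, to be confirmed) together with `*dominik` would close the gap. The `computers/` and `modules/` regexes are also unanchored at the start, so the same relative path nested under another directory would silently inherit those recipients; a leading `^` on each keeps the match exact.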
@@ -0,0 +1,209 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+{
+ nixpkgs.config.allowUnfree = true;
+
+ imports =
+ [ # Include the results of the hardware scan.
+ ./utils/modules/clevis.nix
+
+ ./utils/modules/sops.nix
+ ./utils/modules/nur.nix
+ ./utils/modules/sway/sway.nix
+ # ./modules/gnome.nix
+ ./utils/modules/nvim/default.nix
+ ./utils/modules/tuxedo.nix
+ ./utils/modules/autoupgrade.nix
+
+ # ./pkgs/howdy/howdy-module.nix
+ # ./pkgs/howdy/ir-toggle-module.nix
+
+ # ./modules/howdy
+
+ ./hardware-configuration.nix
+ ];
+
+ nixpkgs.overlays = [ (import ./overlays/packages.nix) ];
+
+ # security.sudo.wheelNeedsPassword = false;
+ services.clevis.uuid = "7435d48f-f942-485b-9817-328ad3fc0b93";
+
+ # nixos cross building qemu
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+ boot.supportedFilesystems = [ "ntfs" ];
+ boot.plymouth.enable = true;
+ boot.plymouth.theme = "breeze";
+ boot.kernelParams = ["quiet"];
+ # boot.loader.systemd-boot.netbootxyz.enable = true;
+ # boot.plymouth.themePackages = [ pkgs.nixos-bgrt-plymouth ];
+ # boot.plymouth.theme = "nixos-bgrt";
+ # allow hibernation
+ security.protectKernelImage = false;
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ sops.secrets.epicenter_vpn_ca = {};
+ sops.secrets.epicenter_vpn_cert = {};
+ sops.secrets.epicenter_vpn_key = {};
+ sops.secrets.wg_private_key = {};
+ sops.secrets.wg_preshared_key = {};
+ sops.secrets.wg-cloonar-key = {};
+
+ virtualisation.docker.enable = true;
+ virtualisation.virtualbox.host = {
+ enable = true;
+ enableExtensionPack = true;
+ };
+
+ networking.hostName = "cl-nb-01"; # Define your hostname.
+ networking.resolvconf.enable = true;
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+ networking.extraHosts = ''
+ 10.25.0.25 archive.zeichnemit.at epicenter.works en.epicenter.works
+ 10.25.0.100 download.intra.epicenter.works
+ 127.0.0.1 wohnservice.local mieterhilfe.local wohnpartner.local wohnberatung.local wienbautvor.local wienwohntbesser.local
+ 127.0.0.1 wohnservice-wien.local mieterhilfe.local wohnpartner-wien.local wohnberatung-wien.local wienbautvor.local wienwohntbesser.local
+ 127.0.0.1 diabetes.local
+ '';
+
+ # Set your time zone.
+ time.timeZone = "Europe/Vienna";
+ console.keyMap = "de";
+
+ users.users.dominik = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "disk" "video" "audio" "mysql" "docker" "vboxusers" "networkmanager" "onepassword" "onepassword-cli" "dialout" ]; # Enable ‘sudo’ for the user.
+ };
+
+ environment.systemPackages = with pkgs; [
+ bento
+ vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ docker-compose
+ drone-cli
+ wireguard-tools
+ libftdi1
+ ];
+
+ environment.variables = {
+ TERMINAL_COMMAND = "alacritty";
+ };
+
+ services.blueman.enable = true;
+
+ services.printing.enable = true;
+ services.printing.drivers = [ pkgs.brlaser ];
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ ensureUsers = [
+ {
+ name = "dominik";
+ ensurePermissions = {
+ "*.*" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "dominik";
+ ensurePermissions = {
+ "DATABASE \"zammad\"" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "zammad" ];
+ };
+
+ system.stateVersion = "22.11"; # Did you read the comment?
+
+ security.polkit.enable = true;
+ systemd = {
+ user.services.polkit-gnome-authentication-agent-1 = {
+ description = "polkit-gnome-authentication-agent-1";
+ wantedBy = [ "graphical-session.target" ];
+ wants = [ "graphical-session.target" ];
+ after = [ "graphical-session.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+ Restart = "on-failure";
+ RestartSec = 1;
+ TimeoutStopSec = 10;
+ };
+ };
+ };
+
+
+ networking.firewall = {
+ allowedUDPPorts = [ 51820 ]; # Clients and peers can use the same port, see listenport
+ # if packets are still dropped, they will show up in dmesg
+ logReversePathDrops = true;
+ # wireguard trips rpfilter up
+ extraCommands = ''
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+ ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+ '';
+ extraStopCommands = ''
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+ ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+ '';
+ };
+ # networking.wireguard.interfaces = {
+ # wg0 = {
+ # # Determines the IP address and subnet of the client's end of the tunnel interface.
+ # ips = [ "10.42.98.201/32" ];
+ # listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+ #
+ # # Path to the private key file.
+ # #
+ # # Note: The private key can also be included inline via the privateKey option,
+ # # but this makes the private key world-readable; thus, using privateKeyFile is
+ # # recommended.
+ # privateKeyFile = config.sops.secrets.wg-cloonar-key.path;
+ #
+ # peers = [
+ # {
+ # publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
+ # allowedIPs = [ "0.0.0.0/0" ];
+ # endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
+ # persistentKeepalive = 25;
+ # }
+ # ];
+ # };
+ # };
+
+ # Facial recognition "Windows hello"
+ # services.ir-toggle.enable = true;
+ # services.howdy = {
+ # enable = true;
+ # device = "/dev/video2";
+ # };
+ nix = {
+ settings.auto-optimise-store = true;
+ # autoOptimiseStore = true;
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+ # Free up to 1GiB whenever there is less than 100MiB left.
+ extraOptions = ''
+ min-free = ${toString (100 * 1024 * 1024)}
+ max-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+
+}
+
diff --git a/hosts/nb-epicenter/hardware-configuration.nix b/hosts/nb-epicenter/hardware-configuration.nix
new file mode 100644
index 0000000..fda9b13
--- /dev/null
+++ b/hosts/nb-epicenter/hardware-configuration.nix
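Review bot: `networking.firewall` opens UDP 51820 and exempts that port from `nixos-fw-rpfilter` in both directions, but the only consumer, the `networking.wireguard.interfaces` block directly below it, is commented out; until the tunnel is enabled the two RETURN rules merely weaken reverse-path filtering, and the `--sport 51820` variant matches any inbound UDP that claims that source port, so the firewall block should be commented out together with the tunnel or documented as intentionally left active. `security.protectKernelImage = false` is explained only by `# allow hibernation`; that option also governs kexec loading, so a comment such as `# also re-enables kexec; disabled so resume= in hardware-configuration.nix works` would record the trade-off. `services.clevis.uuid` carries the UUID that hardware-configuration.nix in this same commit keeps only in a commented-out `boot.initrd.luks.devices` line, so a one-line comment stating whether that LUKS mapping is still meant to be unlocked would help; the clevis module itself is outside the diff, so I cannot tell from here.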
@@ -0,0 +1,58 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.kernelParams = [ "resume=/swap/swapfile" "resume_offset=533760" ];
+ boot.resumeDevice = "/dev/disk/by-uuid/92284909-c5dd-4e0f-ab22-64157c8175cb";
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/92284909-c5dd-4e0f-ab22-64157c8175cb";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
+
+ # boot.initrd.luks.devices."nixos-enc".device = "/dev/disk/by-uuid/7435d48f-f942-485b-9817-328ad3fc0b93";
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/92284909-c5dd-4e0f-ab22-64157c8175cb";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/C281-E509";
+ fsType = "vfat";
+ };
+
+ fileSystems."/swap" =
+ { device = "/dev/disk/by-uuid/92284909-c5dd-4e0f-ab22-64157c8175cb";
+ fsType = "btrfs";
+ options = [ "subvol=swap" ];
+ };
+
+ swapDevices = [{
+ device = "/swap/swapfile";
+ size = (1024 * 16);
+ }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp52s0.useDHCP = lib.mkDefault true;
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/nb-epicenter/utils b/hosts/nb-epicenter/utils
new file mode 120000
index 0000000..7d6b64a
--- /dev/null
+++ b/hosts/nb-epicenter/utils
@@ -0,0 +1 @@
+../../utils/
\ No newline at end of file