From a777d9c708971b30a9165416941bcd51c904ffce Mon Sep 17 00:00:00 2001 From: blackblack-berry Date: Fri, 11 Nov 2022 16:33:01 +0100 Subject: [PATCH 1/3] added ssh and pgp keys --- keys/pgp/helene.asc | 14 ++++++++++++++ keys/ssh/helene | 0 modules/base.nix | 2 ++ 3 files changed, 16 insertions(+) create mode 100755 keys/pgp/helene.asc create mode 100644 keys/ssh/helene diff --git a/keys/pgp/helene.asc b/keys/pgp/helene.asc new file mode 100755 index 0000000..dd14b85 --- /dev/null +++ b/keys/pgp/helene.asc @@ -0,0 +1,14 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEY25hjRYJKwYBBAHaRw8BAQdAwXQGNdoOQ0KS7xoM3Io7RbXZS4ad07jJDNXG +cogJkn20PkhlbGVuZSBIYXVzbWFubiA8aGVsZW5lX2VtaWxpYS5oYXVzbWFubkBt +YWlsYm94LnR1LWRyZXNkZW4uZGU+iJkEExYKAEEWIQS0PDqKksooSGrGxOLxFRAM +eHwcGQUCY25hjQIbAwUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK +CRDxFRAMeHwcGd0nAP4q27usCc2D14xwY6q8FWCZZQ86qq8FbT1CeKUjdKbqIwEA +jPf5j9mbwqk2jC1sn6HckN3IfMI/sEZY9j98oXEJSgG4OARjbmGNEgorBgEEAZdV +AQUBAQdAYyk/n0waZXblLfuQcscC4qLeEzkG5/dSHbCP9vZ3K1QDAQgHiH4EGBYK +ACYWIQS0PDqKksooSGrGxOLxFRAMeHwcGQUCY25hjQIbDAUJA8JnAAAKCRDxFRAM +eHwcGSy8AP9ST71/7ksXmLTsjnNZ5YY6z+Za2xUqhZOEhbJqnYmgyAD/VqUcCyVA +Y9g9vIUAtV0tCNEkC5MTO7Q++hgpqZvCWgU= +=QBGo +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/ssh/helene b/keys/ssh/helene new file mode 100644 index 0000000..e69de29 diff --git a/modules/base.nix b/modules/base.nix index e2e695d..56df325 100755 --- a/modules/base.nix +++ b/modules/base.nix @@ -29,6 +29,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmb1kv+7HU1QKE53+gNxUhrggbwomC40Xjxd9hACkoo bennofs@d-cube" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0X6L7NwTHiOmFzo8mJBCy6H+DKUePAAXU4amm32DAQ fugi@arch" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHD1ZkrAmC9g5eJPDgv4zuEM+UIIEWromDzM1ltHt4TM fugi@macbook" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBtP2ltExnQL5llOvfSKp6OCZKbPWsa2s6P0i00XyrH helene_emilia.hausmann@mailbox.tu-dresden.de" ]; keyFiles = [ ../keys/ssh/marcus-sapphire 
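Review bot: The new PGP key file is committed with mode 100755 (`create mode 100755 keys/pgp/helene.asc`), which is unusual for key material and should be `100644` like the other data files. As far as the visible hunks of this series show, the key is not wired into any `.sops.yaml` rule, so adding it has no effect on who can decrypt `secrets/*.yaml` until a rule lists it and the files are re-encrypted; a short comment in the file's commit or next to the rule would make clear whether that is intended. A fingerprint verified out of band should accompany a key added to a trust root like this.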
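Review bot: The new inline `ssh-ed25519 ... helene_emilia.hausmann@...` entry in `keys` duplicates the intent of `keys/ssh/helene`, yet that file is created empty in the same commit (`keys/ssh/helene | 0`, index `e69de29`) and is then referenced from `keyFiles` in the next hunk, so the file contributes nothing. Pick one mechanism for this user, consistent with how the other users are handled: either put the public key into `keys/ssh/helene` and drop the inline string, or drop the `keyFiles` entry. An empty key file is harmless today but will mislead the next person who tries to rotate the key by editing the file.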
@@ -37,6 +38,7 @@ ../keys/ssh/jannusch-arch ../keys/ssh/tassilo ../keys/ssh/jonasga + ../keys/shh/helene ]; }; From ab8e827acad30f14b68283c48815604ff4d5b9da Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 11 Nov 2022 16:37:17 +0100 Subject: [PATCH 2/3] fixed typo and added test vm --- flake.nix | 22 +++++++- modules/vm.nix | 41 +++++++++++++++ secrets/{durian.yaml => quitte.yaml} | 0 secrets/test.yaml | 79 ++++++++++++++++++++++++++++ 4 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 modules/vm.nix rename secrets/{durian.yaml => quitte.yaml} (100%) create mode 100644 secrets/test.yaml diff --git a/flake.nix b/flake.nix index b49d4cb..c6934a6 100755 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,8 @@ let in { #packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; - #packages."x86_64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; + packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.vm; + packages."x86_64-linux".default = self.packages."x86_64-linux".quitte; nixosConfigurations = { birne = nixpkgs.lib.nixosSystem { @@ -64,6 +65,25 @@ ./modules/wiki.nix ./modules/stream.nix { + sops.defaultSopsFile = ./secrets/quitte.yaml; + } + ]; + }; + quitte-vm = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + inputs.sops-nix.nixosModules.sops + ./modules/base.nix + ./modules/sops.nix + ./modules/keycloak.nix + ./modules/nginx.nix + ./modules/hedgedoc.nix + ./modules/wiki.nix + ./modules/stream.nix + ./modules/vm.nix + "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" + { + _module.args.buildVM = true; sops.defaultSopsFile = ./secrets/durian.yaml; } ]; diff --git a/modules/vm.nix b/modules/vm.nix new file mode 100644 index 0000000..41de9d3 --- /dev/null +++ b/modules/vm.nix 
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, buildVM, ... }:
+
+{
+ assertions = [
+ { assertion = buildVM; message = "this module may only be used when building a VM!"; }
+ ];
+
+ users.users.root.hashedPassword = "";
+ users.mutableUsers = false;
+
+ networking.useDHCP = lib.mkForce false;
+ networking.interfaces = lib.mkForce {
+ eth0.useDHCP = true;
+ };
+ networking.defaultGateway = lib.mkForce null;
+
+ sops.defaultSopsFile = lib.mkForce ../secrets/quitte-vm.yaml;
+ sops.age.sshKeyPaths = lib.mkForce [ ];
+ sops.gnupg.sshKeyPaths = lib.mkForce [ ];
+ sops.age.keyFile = lib.mkForce "${../keys/gpg/test.age}";
+ sops.age.generateKey = lib.mkForce false;
+
+ # don't use production endpoint for test vm, to avoid rate limiting
+ security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+ # Set VM disk size (in MB)
+ virtualisation.diskSize = 2048;
+
+ # Set VM ram amount (in MB)
+ virtualisation.memorySize = 2048;
+
+ virtualisation.forwardPorts = [
+ { from = "host"; host.port = 2222; guest.port = 22; }
+ ];
+ virtualisation.graphics = false;
+
+ # show systemd logs on console
+ services.journald.extraConfig = ''
+ ForwardToConsole=yes
+ '';
+}
diff --git a/secrets/durian.yaml b/secrets/quitte.yaml
similarity index 100%
rename from secrets/durian.yaml
rename to secrets/quitte.yaml
diff --git a/secrets/test.yaml b/secrets/test.yaml
new file mode 100644
index 0000000..f12ee48
--- /dev/null
+++ b/secrets/test.yaml
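Review bot: `users.users.root.hashedPassword = ""` gives root an empty password while `virtualisation.forwardPorts` publishes the guest's sshd on host port 2222 without a `host.address`, which in qemu-vm.nix means the forward is bound on every host interface as far as I recall, so the test VM's sshd and the services behind it become reachable from the host's network. sshd refuses empty passwords by default (`PermitEmptyPasswords no`), so this is mainly a console/serial login concern, but the exposure is still wider than a local test needs. Bind the forward to loopback: `{ from = "host"; host.address = "127.0.0.1"; host.port = 2222; guest.port = 22; }`. Separately, `"${../keys/gpg/test.age}"` copies the age private key into the world-readable Nix store; that is only acceptable because it is the throwaway test key, which the line should say: `# test-only age key that is committed to the repo; never point this at a real key`.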
@@ -0,0 +1,79 @@ +postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str] +postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str] +hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str] +wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] +mediawiki: + postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] + initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] + ldapprovider: ENC[AES256_GCM,data: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,iv:sPRnnIEif6W1SPy5SKiUuY681HeLPcR19U4p1mdUGdc=,tag:zeMdtTRk8ULP4GYDQLIU7A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RWM5YXhXWkRCVEVFcERX + L0JVa3YwSm9qdC9jUHhpMVliOERuTTc5aERvCnJVSGR1Wmg3aW1YaU5RUE5xYkJp + aW1wY2w0ZUZYNm9zVEpjUHBkWDhlZGMKLS0tIEkxWi9rTmN4Q0NIYm0vMTdlNGFr + bEs1QzV1VFpmWFVrQkYrYmhYNVBLT0kKYgJBI1umfryFsnCUQB4JQzO/Dky7gJW8 + cQVM4TbYuDKfhwAUq7Mik+bG4ZYNmfMBiJU56C6ZSRyEg7pgJ2U7Hw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-05T11:24:00Z" + mac: ENC[AES256_GCM,data:IgW58nKqznUoWBhsI+HZD47HjJ7qF8/lS5nQ2Qg2VE7JkQgs/+AYVyMNAckjnpDtHEnK/YaFmnTfRpdQ7BMGaJtGu6TT0PR60jme82rg+iMwspSOVsAIDf9YyrjIv0rF7xwCF65p4/3TIc1OohV2GzLsAykKApMA5kqAo+UNSAs=,iv:sWURn1jmZ7myC2gEuo5BdcZn8JNSXQsopLWeOoLEpkc=,tag:E5kldjnyElfvJyilPiCYUg==,type:str] + pgp: + - 
created_at: "2022-11-05T11:21:20Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DntlvaG5T7wcSAQdAA4h5/uTB/NOngHrB0uN4oMLZ2XRtBXuXo1kT2vJ8I1sw + bxWh7NFIcbzD7sjcse5lvuFjFZKkBb41CAwIqA9/SFlSufi0D5M3bt+Mk/Ffh2jw + 0lwBt1+dhvzzg2iKHR2mZAzGF0pEcbO25gAN67hLjI1rrOirLq6DMobehlyUOKRN + tkuVB2MvXNHI/P/oRCq5rll7FTwswUkN2JYqk7gU4/HBdK78D41A1Qwj99ObcA== + =N4aD + -----END PGP MESSAGE----- + fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B + - created_at: "2022-11-05T11:21:20Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJARAAvyI5eOmyH9t9k2kTb1Sq2GFiZixENx4jY3KIFo6285Ds + +feNjJ1nJKrS9qgX/ne8ZmRAH2ZIkMhvAbzTwiV1TWyMPSrViVpo2ZL4C16A8quR + x2AuHcPPf4Cl9Jo1dsVoxBmnSMJWWbTkZZKvhr2HuKErkHYquwOxmXvbtEr6J+aT + pvc9X9Ea3wSGrBZC+m7sItJHLP5Qvkn+gHbUsRlwg5lQ6tz/U+nrxd0L+Q7gPOen + y6NCyqcLgwrzdCmgEu4noip0JozWAYPEk3ZRCJ7iGdwshPq7KkB/t1ywzWbbsd81 + f5j/eExo8IXP4MQiNxKsKZRQj49zdLoFwXmLyTSoYzUtgnwlC4EcuH28YvNn9/xJ + f2s/6brR6Y01oYfgBWBpu6VAt2MNEcjKRWC/s/78Fts5rB8RQ0E11daoBCCogypd + QOy1ym9NpuUDKvfzS7xcdM1vs4JN6c+AtbrqRxpw6m/kU6P8yI3EAB9kaRMSAbdo + vX3GKvraAdsGLz4ZiCdOS41W1KCbhc8zgSBSeR0/ik//z1C+0MNloUlgok/2dwPQ + eRP9KKNVPAxj2OLZ8C0N5l4+p7EPRFmATvLjxNUMPkxfdt++ApmZZBhaCfh+USoL + MYY+mhK4wLS+toeB6p44cqDBTZBNs+w/NHo1+esce/1RVlJAzp2qjzlgcAPe3mHS + XAFWHGkOoADXJ6hg3cOkHIVkYXT0vou0IitugbHjHtzJaElNgrkF7Ch1mUZSd+N2 + RPG4+mDSsWdZQmqu8eSowmSwa8ZFhEUP5L9RAg+RvBGa0+C5OUHbvTrOjU1w + =FHpt + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2022-11-05T11:21:20Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8uqUsBLHj6XAQ/+OwyrFFRyXuoCsmamBHyT1+EWQ2iaQk8+6ds+NcdKwmxX + qL3JFwsHwgKWStNslmcoypvOmrsla+ucOe3UNo3HigoiQe89oWFexdLqedyqxDo5 + 4N3Y6Pn0YTBNNgRi4Ep/Foswsv6l1sPpntCJxp7KXMD2iEkwUYNmhjfcu6qZTeMk + SneXTK7DBVoflDHXqPUcxvHfVpMXfqDQuy7jK+8f1WPHt5+LSODMXU+co5jV+L2J + 1BFZIO8o+oUDkPViAOcLJlv+bQU2T2bMDA2i8H5wO6Fmvl2jlG5eiJa9EUCmta6T + MNrGhhNbGuqm940kBb5n07wNE1d1bZDZ56BIPbd+/kRSiq0RPGaknb5sl8/sAWps + 
7TMdb9+TwDAg/POHsvNYVqzCB36i4sZi9s48JvWdCUzzZukXhxqUN3DArIvI+Msc + l0Tn2VVi7H6ZOC21EJRJAR1olD98kwytXjA4uKvfVZRhuiP4QjQRwSlN1jwYnTPM + ojIWle5XRdsbdJhktosKPuKQda17VxpkPlqRgwbZH7UtO5t+3x8Q8/pa4J7ntSs8 + RiqqAkNzHPvCJ0ljU5QyDMupPY4IA4k1Yxt7bdtFVAus+WalZL/9Nec1yuxyStVh + T00GmcVr7We/i59SuJ8WY0sAVXx5dZntn+FM9Ty1Q0/iHsHCMrQbrllGV7owk1PS + XAFrQOzD0Imnsgttv/h8pvXa6PXrdN7lZGriyvtPcubcBqgbIrwfDMbpGt0fKItR + GROiPg0CVO2cTsFM+MOHY832DZjdximf53BI/A1OLm8e2MUr21ODt4ux+J6G + =0Kqy + -----END PGP MESSAGE----- + fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 + unencrypted_suffix: _unencrypted + version: 3.7.3 From 7279ea13e9942842fac7180199fdb58073498cf1 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Fri, 11 Nov 2022 16:39:48 +0100 Subject: [PATCH 3/3] more test vm config --- .gitignore | 2 + .sops.yaml | 4 +- flake.nix | 6 +- hosts/quitte-vm/configuration.nix | 71 ++++++++++++++++++++++ hosts/quitte-vm/hardware-configuration.nix | 31 ++++++++++ hosts/quitte/configuration.nix | 66 +------------------- modules/base.nix | 2 +- modules/vm.nix | 6 +- 8 files changed, 116 insertions(+), 72 deletions(-) create mode 100644 .gitignore create mode 100644 hosts/quitte-vm/configuration.nix create mode 100644 hosts/quitte-vm/hardware-configuration.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8cb727e --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.qcow2 +result diff --git a/.sops.yaml b/.sops.yaml index 8cd66ef..61e4baa 100755 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,7 +7,7 @@ keys: # private key stored in repo, used for test VM - &test age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh creation_rules: - - path_regex: secrets/durian\.yaml$ + - path_regex: secrets/quitte\.yaml$ key_groups: - pgp: - *bennofs @@ -15,7 +15,7 @@ creation_rules: - *felix age: - *durian - - path_regex: secrets\.test\.yaml$ + - path_regex: secrets/test\.yaml$ key_groups: - pgp: - *bennofs diff --git a/flake.nix b/flake.nix index c6934a6..087bed7 100755 --- a/flake.nix 
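Review bot: The `.qcow2` pattern in the new .gitignore matches only a file literally named `.qcow2`, not the disk image the VM run script writes next to the flake (a `*.qcow2` named after the configuration, as far as I recall), so a disk holding postgres/keycloak/hedgedoc state from a test run can be committed by an unwary `git add .`. Use a glob instead: `*.qcow2`.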
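Review bot: The corrected `secrets/test\.yaml$` rule encrypts to the `test` age recipient whose private key, per the comment above it, is stored in the repo, so every value in secrets/test.yaml (`wg-seckey`, `hedgedoc_session_secret`, the postgres passwords, `mediawiki.*`) is readable by anyone who can clone the repository. That is fine for a throwaway VM only if none of those values is shared with secrets/quitte.yaml; if any were copied from the production file, rotate them there. Make the constraint explicit on the rule: `# test.yaml is effectively public (the test age key is in-repo): dummy values only, never copy from quitte.yaml`.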
+++ b/flake.nix @@ -10,7 +10,7 @@ let in { #packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; - packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.vm; + packages."x86_64-linux".quitte = self.nixosConfigurations.quitte-vm.config.system.build.vm; packages."x86_64-linux".default = self.packages."x86_64-linux".quitte; nixosConfigurations = { @@ -73,8 +73,8 @@ system = "x86_64-linux"; modules = [ inputs.sops-nix.nixosModules.sops + ./hosts/quitte/configuration.nix ./modules/base.nix - ./modules/sops.nix ./modules/keycloak.nix ./modules/nginx.nix ./modules/hedgedoc.nix @@ -84,7 +84,7 @@ "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" { _module.args.buildVM = true; - sops.defaultSopsFile = ./secrets/durian.yaml; + sops.defaultSopsFile = ./secrets/test.yaml; } ]; }; diff --git a/hosts/quitte-vm/configuration.nix b/hosts/quitte-vm/configuration.nix new file mode 100644 index 0000000..8413fb3 --- /dev/null +++ b/hosts/quitte-vm/configuration.nix 
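Review bot: In the `@@ -73,8 +73,8 @@` hunk the quitte-vm configuration imports `./hosts/quitte/configuration.nix`, the production host file (static 141.30.30.x addressing, and `services.openssh.permitRootLogin = "yes"` visible in its hunk later in this commit), while the `hosts/quitte-vm/configuration.nix` added in this same commit is not referenced by any hunk I can see. If the VM is meant to have its own host file, the line should read `./hosts/quitte-vm/configuration.nix`; otherwise the new file is dead and should be dropped. Either way the production host file should not be the base of a VM whose root password is empty (`modules/vm.nix`).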
@@ -0,0 +1,71 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, inputs, ... }: + +{ + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # setup NIX_PATH for flakes + nix.nixPath = [ + "nixpkgs=${inputs.nixpkgs}" + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + networking.hostName = "espresso"; # Define your hostname. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + networking.interfaces.ens3 = { + useDHCP = false; + ipv4.addresses = [ + { + address = "141.30.30.150"; + prefixLength = 25; + } + ]; + }; + + # enp65s0f0np0^C + networking.defaultGateway = "141.30.30.129"; + networking.nameservers = [ "9.9.9.9" ]; + + # allow building for aarch64 (pi) target + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. 
It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "20.09"; # Did you read the comment? + +} + diff --git a/hosts/quitte-vm/hardware-configuration.nix b/hosts/quitte-vm/hardware-configuration.nix new file mode 100644 index 0000000..aaf2678 --- /dev/null +++ b/hosts/quitte-vm/hardware-configuration.nix @@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/6d8f4b96-4ccb-4a94-a9b1-bab4a28fc940"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/58C2-5A6A"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + +} diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix index 34416b0..b8ba887 100644 --- a/hosts/quitte/configuration.nix +++ b/hosts/quitte/configuration.nix @@ -1,13 +1,8 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, pkgs, ... }: { imports = [ - # Include the results of the hardware scan. ./hardware-configuration.nix ]; 
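Review bot: The test-VM host file sets `networking.hostName = "espresso"` and a public static address `141.30.30.150/25` with gateway `141.30.30.129` on `ens3`, which reads as a copy of another machine's configuration rather than one written for the VM. `modules/vm.nix` mkForces `networking.interfaces` and `networking.defaultGateway`, so the static addressing is inert whenever vm.nix is loaded, but `hostName` is not forced, and any use of this file without vm.nix would bring a VM up on what is presumably a production address. Replace the `networking.interfaces.ens3` block and `networking.defaultGateway` with nothing (leave networking to vm.nix) and set `networking.hostName = "quitte-vm";`, so the file cannot collide with a real host.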
@@ -28,80 +23,23 @@ } ]; }; + networking.defaultGateway = "141.30.30.129"; networking.nameservers = [ "141.30.1.1" ]; networking.hostName = "quitte"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. # Set your time zone. time.timeZone = "Europe/Berlin"; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkbOptions in tty. - # }; - - # Enable the X11 windowing system. - # services.xserver.enable = true; - - - - - # Configure keymap in X11 - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = { - # "eurosign:e"; - # "caps:escape" # map caps to escape. - # }; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # sound.enable = true; - # hardware.pulseaudio.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.jane = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # packages = with pkgs; [ - # firefox - # thunderbird - # ]; - # }; - # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + vim wget git ]; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. 
- # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.permitRootLogin = "yes"; diff --git a/modules/base.nix b/modules/base.nix index 56df325..9f10ac3 100755 --- a/modules/base.nix +++ b/modules/base.nix @@ -38,7 +38,7 @@ ../keys/ssh/jannusch-arch ../keys/ssh/tassilo ../keys/ssh/jonasga - ../keys/shh/helene + ../keys/ssh/helene ]; }; diff --git a/modules/vm.nix b/modules/vm.nix index 41de9d3..e668821 100644 --- a/modules/vm.nix +++ b/modules/vm.nix @@ -6,6 +6,7 @@ ]; users.users.root.hashedPassword = ""; + users.users.root.initialPassword = ""; users.mutableUsers = false; networking.useDHCP = lib.mkForce false; @@ -14,12 +15,13 @@ }; networking.defaultGateway = lib.mkForce null; - sops.defaultSopsFile = lib.mkForce ../secrets/quitte-vm.yaml; + sops.defaultSopsFile = lib.mkForce ../secrets/test.yaml; sops.age.sshKeyPaths = lib.mkForce [ ]; sops.gnupg.sshKeyPaths = lib.mkForce [ ]; - sops.age.keyFile = lib.mkForce "${../keys/gpg/test.age}"; + sops.age.keyFile = lib.mkForce "${../keys/test.age}"; sops.age.generateKey = lib.mkForce false; + # don't use production endpoint for test vm, to avoid rate limiting security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
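Review bot: The new side of the `@@ -28,80 +23,23 @@` hunk keeps `services.openssh.permitRootLogin = "yes"` even though root's authorized keys are managed in `modules/base.nix`, and this commit now also imports this file into the test VM where root's password is empty (`modules/vm.nix`). sshd's default `PermitEmptyPasswords no` should block an empty-password login, but on the real host `"yes"` still allows password-based root login if a password ever gets set. Key-only root access is the safer default: `services.openssh.permitRootLogin = "prohibit-password";`. The added `networking.defaultGateway = "141.30.30.129"` is overridden in the VM by vm.nix's `mkForce null`, which is fine but worth a one-line comment here so nobody "fixes" the apparent conflict.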
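Review bot: In the `@@ -6,6 +6,7 @@` hunk root now has both `hashedPassword = ""` and `initialPassword = ""` set; as far as I recall NixOS warns when more than one password option is set for a user, and with `users.mutableUsers = false` the `hashedPassword` value is what takes effect, so the added line changes nothing. Keep exactly one of the two and say why it exists: `users.users.root.hashedPassword = ""; # test VM only: passwordless root console login`. If the goal was a password that can be changed inside the VM, that needs `mutableUsers = true`, not a second option.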