diff --git a/flake.nix b/flake.nix index b49d4cb..c6934a6 100755 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,8 @@ let in { #packages."aarch64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; - #packages."x86_64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; + packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.vm; + packages."x86_64-linux".default = self.packages."x86_64-linux".quitte; nixosConfigurations = { birne = nixpkgs.lib.nixosSystem { @@ -64,6 +65,25 @@ ./modules/wiki.nix ./modules/stream.nix { + sops.defaultSopsFile = ./secrets/quitte.yaml; + } + ]; + }; + quitte-vm = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + inputs.sops-nix.nixosModules.sops + ./modules/base.nix + ./modules/sops.nix + ./modules/keycloak.nix + ./modules/nginx.nix + ./modules/hedgedoc.nix + ./modules/wiki.nix + ./modules/stream.nix + ./modules/vm.nix + "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" + { + _module.args.buildVM = true; sops.defaultSopsFile = ./secrets/durian.yaml; } ]; diff --git a/modules/vm.nix b/modules/vm.nix new file mode 100644 index 0000000..41de9d3 --- /dev/null +++ b/modules/vm.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, buildVM, ... }: + +{ + assertions = [ + { assertion = buildVM; message = "this module may only be used when building a VM!"; } + ]; + + users.users.root.hashedPassword = ""; + users.mutableUsers = false; + + networking.useDHCP = lib.mkForce false; + networking.interfaces = lib.mkForce { + eth0.useDHCP = true; + }; + networking.defaultGateway = lib.mkForce null; + + sops.defaultSopsFile = lib.mkForce ../secrets/quitte-vm.yaml; + sops.age.sshKeyPaths = lib.mkForce [ ]; + sops.gnupg.sshKeyPaths = lib.mkForce [ ]; + sops.age.keyFile = lib.mkForce "${../keys/gpg/test.age}"; + sops.age.generateKey = lib.mkForce false; + + # don't use production endpoint for test vm, to avoid rate limiting + security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + + # Set VM disk size (in MB) + virtualisation.diskSize = 2048; + + # Set VM ram amount (in MB) + virtualisation.memorySize = 2048; + + virtualisation.forwardPorts = [ + { from = "host"; host.port = 2222; guest.port = 22; } + ]; + virtualisation.graphics = false; + + # show systemd logs on console + services.journald.extraConfig = '' + ForwardToConsole=yes + ''; +} diff --git a/secrets/durian.yaml b/secrets/quitte.yaml similarity index 100% rename from secrets/durian.yaml rename to secrets/quitte.yaml diff --git a/secrets/test.yaml b/secrets/test.yaml new file mode 100644 index 0000000..f12ee48 --- /dev/null +++ b/secrets/test.yaml @@ -0,0 +1,79 @@ +postgres_keycloak: ENC[AES256_GCM,data:dHuqrGcrJUE5GZhhWG5a4Ko=,iv:bvbyDXhkovtX5BQKw36WTGyUl3KR0Df2fB5qmMWbqqU=,tag:95XJCjKJjrITsHXK8ABF6A==,type:str] +postgres_hedgedoc: ENC[AES256_GCM,data:XWbf3F1b00RBFS9NXytzVkQ=,iv:dTbRUncYKsqOh0y0MTEJCpPcwfvROkIiO8v9OxZiHPU=,tag:YUxAkmbYKbGdGbIMS/8mOw==,type:str] +hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str] +wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str] +mediawiki: + postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str] + initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str] + ldapprovider: ENC[AES256_GCM,data:dVrCFVgm4BDtUhcj9rSKXwnaIKsC5GGsDUoPJH1q5F4inskuSbFigcLM/UJFNOcr5R1dL+mYUOvnmIcoWA5AsuFKs3NzSYJVtVAm0x7vYSkHnfXu93V2F8Lc1xX/kZrFfnmNUXwhv2I+hknPUApY7wpmZOdk9NLKv4tbsgVTbfmR/WM6soOurh3b6b4cknfxqSeLZLeOIKL5WL8842t5SethyCfPsCm74JCpwHmflkCyT/lzIP1Kghab+xGWWyN9OAENlDZrJE6VAdctR+MKYZnhA7dXKeQPjKii9MZsDYFYTL5YDRysam4r7Jog/fozgWkXNrCUan29efnnBwpLz5hgV1MguIpvU8ccDQLNvgJCOdp6FgH45ZRlCxx29EWzh9iTDGPqmNsctUknFdfUVfIg9ziz/97i/kGcwy5N1oOsoUf7iRj5zLyLP6OlXGNThowF4jlNdI2b+caQGz7H6ZkJfUPWULotBUrjxrZo3pSYRkpJ77xbGUZf35ysxTHpfsmhyyO9HRhhgNkilEHlcsi8u+AC0su+Htg/Io332tSX+W6Gj6R6Q23hQ0gf8on5Y2xx34ysobEh8cMS4+Kj0nwasMHjW70g3qWpKkG1LSOIgXiA7hcusGCo8xPZ1y3gIyRiTxVTPJHh63Ecd0O37P4NWVSKEpsIM5pkngMN5L5K/ymtZ0kjREX2q4qpXf2xJiTTdAkeTMcmDs9HHjOzIIynYouY7P6qdXUpXjyGwqfovmnIv5icQ6sqFA==,iv:sPRnnIEif6W1SPy5SKiUuY681HeLPcR19U4p1mdUGdc=,tag:zeMdtTRk8ULP4GYDQLIU7A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RWM5YXhXWkRCVEVFcERX + L0JVa3YwSm9qdC9jUHhpMVliOERuTTc5aERvCnJVSGR1Wmg3aW1YaU5RUE5xYkJp + aW1wY2w0ZUZYNm9zVEpjUHBkWDhlZGMKLS0tIEkxWi9rTmN4Q0NIYm0vMTdlNGFr + bEs1QzV1VFpmWFVrQkYrYmhYNVBLT0kKYgJBI1umfryFsnCUQB4JQzO/Dky7gJW8 + cQVM4TbYuDKfhwAUq7Mik+bG4ZYNmfMBiJU56C6ZSRyEg7pgJ2U7Hw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-05T11:24:00Z" + mac: ENC[AES256_GCM,data:IgW58nKqznUoWBhsI+HZD47HjJ7qF8/lS5nQ2Qg2VE7JkQgs/+AYVyMNAckjnpDtHEnK/YaFmnTfRpdQ7BMGaJtGu6TT0PR60jme82rg+iMwspSOVsAIDf9YyrjIv0rF7xwCF65p4/3TIc1OohV2GzLsAykKApMA5kqAo+UNSAs=,iv:sWURn1jmZ7myC2gEuo5BdcZn8JNSXQsopLWeOoLEpkc=,tag:E5kldjnyElfvJyilPiCYUg==,type:str] + pgp: + - created_at: "2022-11-05T11:21:20Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DntlvaG5T7wcSAQdAA4h5/uTB/NOngHrB0uN4oMLZ2XRtBXuXo1kT2vJ8I1sw + bxWh7NFIcbzD7sjcse5lvuFjFZKkBb41CAwIqA9/SFlSufi0D5M3bt+Mk/Ffh2jw + 0lwBt1+dhvzzg2iKHR2mZAzGF0pEcbO25gAN67hLjI1rrOirLq6DMobehlyUOKRN + tkuVB2MvXNHI/P/oRCq5rll7FTwswUkN2JYqk7gU4/HBdK78D41A1Qwj99ObcA== + =N4aD + -----END PGP MESSAGE----- + fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B + - created_at: "2022-11-05T11:21:20Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJARAAvyI5eOmyH9t9k2kTb1Sq2GFiZixENx4jY3KIFo6285Ds + +feNjJ1nJKrS9qgX/ne8ZmRAH2ZIkMhvAbzTwiV1TWyMPSrViVpo2ZL4C16A8quR + x2AuHcPPf4Cl9Jo1dsVoxBmnSMJWWbTkZZKvhr2HuKErkHYquwOxmXvbtEr6J+aT + pvc9X9Ea3wSGrBZC+m7sItJHLP5Qvkn+gHbUsRlwg5lQ6tz/U+nrxd0L+Q7gPOen + y6NCyqcLgwrzdCmgEu4noip0JozWAYPEk3ZRCJ7iGdwshPq7KkB/t1ywzWbbsd81 + f5j/eExo8IXP4MQiNxKsKZRQj49zdLoFwXmLyTSoYzUtgnwlC4EcuH28YvNn9/xJ + f2s/6brR6Y01oYfgBWBpu6VAt2MNEcjKRWC/s/78Fts5rB8RQ0E11daoBCCogypd + QOy1ym9NpuUDKvfzS7xcdM1vs4JN6c+AtbrqRxpw6m/kU6P8yI3EAB9kaRMSAbdo + vX3GKvraAdsGLz4ZiCdOS41W1KCbhc8zgSBSeR0/ik//z1C+0MNloUlgok/2dwPQ + eRP9KKNVPAxj2OLZ8C0N5l4+p7EPRFmATvLjxNUMPkxfdt++ApmZZBhaCfh+USoL + MYY+mhK4wLS+toeB6p44cqDBTZBNs+w/NHo1+esce/1RVlJAzp2qjzlgcAPe3mHS + XAFWHGkOoADXJ6hg3cOkHIVkYXT0vou0IitugbHjHtzJaElNgrkF7Ch1mUZSd+N2 + RPG4+mDSsWdZQmqu8eSowmSwa8ZFhEUP5L9RAg+RvBGa0+C5OUHbvTrOjU1w + =FHpt + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2022-11-05T11:21:20Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8uqUsBLHj6XAQ/+OwyrFFRyXuoCsmamBHyT1+EWQ2iaQk8+6ds+NcdKwmxX + qL3JFwsHwgKWStNslmcoypvOmrsla+ucOe3UNo3HigoiQe89oWFexdLqedyqxDo5 + 4N3Y6Pn0YTBNNgRi4Ep/Foswsv6l1sPpntCJxp7KXMD2iEkwUYNmhjfcu6qZTeMk + SneXTK7DBVoflDHXqPUcxvHfVpMXfqDQuy7jK+8f1WPHt5+LSODMXU+co5jV+L2J + 1BFZIO8o+oUDkPViAOcLJlv+bQU2T2bMDA2i8H5wO6Fmvl2jlG5eiJa9EUCmta6T + MNrGhhNbGuqm940kBb5n07wNE1d1bZDZ56BIPbd+/kRSiq0RPGaknb5sl8/sAWps + 7TMdb9+TwDAg/POHsvNYVqzCB36i4sZi9s48JvWdCUzzZukXhxqUN3DArIvI+Msc + l0Tn2VVi7H6ZOC21EJRJAR1olD98kwytXjA4uKvfVZRhuiP4QjQRwSlN1jwYnTPM + ojIWle5XRdsbdJhktosKPuKQda17VxpkPlqRgwbZH7UtO5t+3x8Q8/pa4J7ntSs8 + RiqqAkNzHPvCJ0ljU5QyDMupPY4IA4k1Yxt7bdtFVAus+WalZL/9Nec1yuxyStVh + T00GmcVr7We/i59SuJ8WY0sAVXx5dZntn+FM9Ty1Q0/iHsHCMrQbrllGV7owk1PS + XAFrQOzD0Imnsgttv/h8pvXa6PXrdN7lZGriyvtPcubcBqgbIrwfDMbpGt0fKItR + GROiPg0CVO2cTsFM+MOHY832DZjdximf53BI/A1OLm8e2MUr21ODt4ux+J6G + =0Kqy + -----END PGP MESSAGE----- + fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 + unencrypted_suffix: _unencrypted + version: 3.7.3