diff --git a/.sops.yaml b/.sops.yaml
index ca04545..d792053 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
 - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
 - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
 - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
+ - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
 creation_rules:
 # Global secrets
@@ -104,3 +105,15 @@ creation_rules:
 - *user_pederbs_bjarte
 pgp:
 - *user_oysteikt
+
+ - path_regex: secrets/lupine/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *host_lupine-1
+ - *user_danio
+ - *user_felixalb
+ - *user_pederbs_sopp
+ - *user_pederbs_nord
+ - *user_pederbs_bjarte
+ pgp:
+ - *user_oysteikt
diff --git a/flake.nix b/flake.nix
index 019e361..58f4860 100644
--- a/flake.nix
+++ b/flake.nix
@@ -170,7 +170,16 @@
 inputs.gergle.overlays.default
 ];
 };
- };
+ }
+ //
+ (let
+ machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+ stableLupineNixosConfig = name: extraArgs:
+ nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
+ in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
+ modules = [{ networking.hostName = name; }];
+ specialArgs.lupineName = name;
+ }));
 nixosModules = {
 snakeoil-certs = ./modules/snakeoil-certs.nix;
diff --git a/hosts/lupine/configuration.nix b/hosts/lupine/configuration.nix
new file mode 100644
index 0000000..54f2910
--- /dev/null
+++ b/hosts/lupine/configuration.nix
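Review bot: The new `secrets/lupine/` rule names `*host_lupine-1` as its only host recipient, while `flake.nix` in this same commit instantiates lupine-1 through lupine-5 and `hosts/lupine/configuration.nix` points every one of them at the same `secrets/lupine/lupine.yaml`; hosts 2–5 therefore have no identity that can decrypt the file, and the encrypted file itself only carries a `gitea/runners/lupine-1` value, so their `gitea/runners/${lupineName}` secret is missing as well. Each further host needs its age anchor under `keys:` and in this rule's `age:` list, followed by `sops updatekeys` on the file and the additional runner tokens. If the plan is to bring the hosts up one at a time, as the comment in `gitea-runner.nix` describes, a one-line comment on this rule saying that lupine-2..5 are not yet recipients would stop the next reader from treating the rule as complete.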
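Review bot: `lib.range 1 5` hard-codes the machine count in the new `let` block, but each generated name must also exist as `hosts/lupine/hardware-configuration/<name>.nix` (imported by `configuration.nix`) and as a `values.hosts.<name>` entry, and a name present here but absent from either of those fails evaluation of that `nixosConfigurations` entry instead of being skipped. Deriving the list from the files that actually exist keeps the three in step, e.g. `machineNames = map (lib.removeSuffix ".nix") (lib.attrNames (builtins.readDir ./hosts/lupine/hardware-configuration));`. If the literal range is kept on purpose, a comment next to it naming the two other places that must be updated in lock-step is the minimum. The enclosing `nixosConfigurations` attribute set begins before this hunk.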
@@ -0,0 +1,35 @@
+{ fp, values, lupineName, ... }:
+{
+ imports = [
+ ./hardware-configuration/${lupineName}.nix
+
+ (fp /base)
+ (fp /misc/metrics-exporters.nix)
+
+ ./services/gitea-runner.nix
+ ];
+
+ sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
+ matchConfig.Name = "enp0s31f6";
+ address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ networkConfig.LLDP = false;
+ };
+ systemd.network.wait-online = {
+ anyInterface = true;
+ };
+
+ # There are no smart devices
+ services.smartd.enable = false;
+
+ # Do not change, even during upgrades.
+ # See https://search.nixos.org/options?show=system.stateVersion
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/lupine/hardware-configuration/lupine-1.nix b/hosts/lupine/hardware-configuration/lupine-1.nix
new file mode 100644
index 0000000..73c33c7
--- /dev/null
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
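Review bot: Every lupine host shares `sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml`, and sops encrypts all values of a file under one data key, so any host that is a recipient can decrypt every other host's runner token, not only its own. The `.sops.yaml` rule added in this commit already matches any `secrets/lupine/*.yaml`, so `sops.defaultSopsFile = fp /secrets/lupine/${lupineName}.yaml;` with a per-host recipient list would confine each token to the machine that uses it. `sops.age.generateKey = true` next to `sops.age.sshKeyPaths` also leaves two candidate identities on the host; a one-line comment stating which one the `host_lupine-1` anchor was derived from (presumably the SSH host key, but confirm) would keep a future re-key from targeting the wrong one.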
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/81D6-38D3";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/lupine/hardware-configuration/lupine-2.nix b/hosts/lupine/hardware-configuration/lupine-2.nix
new file mode 100644
index 0000000..3e8e14e
--- /dev/null
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -0,0 +1,41 @@
+# IKKE EKTE BARE EN TEST
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/81D6-38D3";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/lupine/hardware-configuration/lupine-3.nix b/hosts/lupine/hardware-configuration/lupine-3.nix
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/lupine/hardware-configuration/lupine-4.nix b/hosts/lupine/hardware-configuration/lupine-4.nix
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/lupine/hardware-configuration/lupine-5.nix b/hosts/lupine/hardware-configuration/lupine-5.nix
new file mode 100644
index 0000000..e69de29
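Review bot: `lupine-2.nix` is a copy of `lupine-1.nix` behind the `# IKKE EKTE BARE EN TEST` ("not real, just a test") marker, so it declares lupine-1's root, boot and swap UUIDs, and `lupine-3.nix`, `lupine-4.nix` and `lupine-5.nix` are empty files (blob `e69de29`). An empty file is not a Nix expression, so `nixosConfigurations.lupine-3` through `lupine-5` cannot evaluate, and a deploy of lupine-2 would try to mount another machine's disks by UUID. Until real `nixos-generate-config` output exists for each box, the safer shape is to list only the hosts that have a genuine file in `flake.nix` and to put the placeholder marker in English on its own line, e.g. `# PLACEHOLDER: copied from lupine-1, not this machine's hardware — do not deploy`, so the generated-file banner below it is not taken at face value.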
diff --git a/hosts/lupine/services/gitea-runner.nix b/hosts/lupine/services/gitea-runner.nix
new file mode 100644
index 0000000..9c46f35
--- /dev/null
+++ b/hosts/lupine/services/gitea-runner.nix
@@ -0,0 +1,45 @@
+{ config, lupineName, ... }:
+{
+ # This is unfortunately state, and has to be generated one at a time :(
+ # To do that, comment out all except one of the runners, fill in its token
+ # inside the sops file, rebuild the system, and only after this runner has
+ # successfully registered will gitea give you the next token.
+ # - oysteikt Sep 2023
+ sops = {
+ secrets."gitea/runners/token" = {
+ key = "gitea/runners/${lupineName}";
+ };
+
+ templates."gitea-runner-envfile" = {
+ restartUnits = [
+ "gitea-runner-${lupineName}.service"
+ ];
+ content = ''
+ TOKEN="${config.sops.placeholder."gitea/runners/token"}"
+ '';
+ };
+ };
+
+ services.gitea-actions-runner.instances = {
+ ${lupineName} = {
+ enable = true;
+ name = "git-runner-${lupineName}";
+ url = "https://git.pvv.ntnu.no";
+ labels = [
+ "debian-latest:docker://node:current-bookworm"
+ "ubuntu-latest:docker://node:current-bookworm"
+ ];
+ tokenFile = config.sops.templates."gitea-runner-envfile".path;
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+ autoPrune.enable = true;
+ };
+
+ networking.dhcpcd.IPv6rs = false;
+
+ networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+}
diff --git a/secrets/lupine/lupine.yaml b/secrets/lupine/lupine.yaml
new file mode 100644
index 0000000..343c43a
--- /dev/null
+++ b/secrets/lupine/lupine.yaml
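Review bot: Both runner labels resolve to the floating tag `node:current-bookworm`, so every CI job executes whatever that tag points at on the day the image is pulled and nothing in this repository records what ran; pinning by digest, `"debian-latest:docker://node:current-bookworm@sha256:<digest-placeholder>"`, and bumping it deliberately gives a reproducible and auditable job environment. The `ubuntu-latest` label is mapped to that same Debian image, which will mislead workflow authors; either drop the label or point it at an Ubuntu-based image. `networking.dhcpcd.IPv6rs = false` looks copied from a dhcpcd-managed host, since `configuration.nix` gives this interface a static address through `systemd.network`; confirm whether dhcpcd is enabled on these hosts at all and drop the line if it is not.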
@@ -0,0 +1,84 @@ +gitea: + runners: + lupine-1: ENC[AES256_GCM,data:UcZB2p/dInvcl0yNBEohzbmcVxg/QQPXlIsaVB3M3hyxFg1gtGfUGA==,iv:OigyPfPoRIjvyiId7hiiWdNrZqyZqI3OonvJC+zYEzI=,tag:SjBsvo/IJKhFQs+PiI596g==,type:str] +sops: + age: + - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRW9KRUlSeVBaeFVTc29G + UFJoU1pKWmVObXpXWjZzRWNUR082Qk5FQ2djClJmMWI0YndtVTNrZmNlcXpPSER2 + a0FMWitKeEhYSDRjR1BMbDFPcGlqYncKLS0tIGtYOFRpdllqTFJ0UGRNNzdkQ1VF + cHEzSTlvakFYd003WkE4SzkxS0ZVb2cK4GO9xi5Z1izyAcq4qqSqeWi3tHI8bbbr + aUuMQonbKA5XWUu6g+6pNiy225ci6ISXwnB6RoJFKd9tFYIP+3JQ0Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZ1ltOVRzZm8vQXMrTUMv + TDZSb0dQVXNLaWkrcEcwdW13WXhiMVdCM2hJCko4bGVLNzMydDBQUGVtbFZnSHZB + eWRqY0liOEJ3bHFZN1ExMUNOUVYyaDAKLS0tIENVZjVOOUYzSnNGU3g2UEZzRFhJ + NCttU0NNaW5XU3dENW9VYmdBUzlzbTAKD1VzA7ms5SlI4JCpWAjc7SfSTaQ+qFJU + KvgWN+jT2/qaRL657z3XzHawZd9AValNLAgi3clNgEmhM5pQ5a5PFA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJeEVQNUVHaHJObWsvNmlh + di9zV0VwZ2JzdnpuNHBFUVV2SFUxcmRVWEZNCmMyNW54QUptWGg2bEtJM3VBbHlC + VVVSWCtkUUxJRGZRaFNpcm9iVHNrMGcKLS0tIG1jSTdFTVAyUmV5THBNeEU3QUFF + alF0T3Y2S0tqNlB0ZmtQUjVZdmNoNVEKdkDrrSn8QG5iVCh4etpTXVcFcyd2qK95 + OY3G77iJrxoM2BGICh6WuZfAgOgasVLzunkeX5DzF0lSuP3glzJbBA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUklWV3IxL3ZYbHY5NEpS + UzMvL1k0WmtOVC9xdlRMOFppZnJJYkw1ZEU0Cjl4VllRaU94LzJvblhCcS9XUTFQ + 
MXVjUnlKeVMyckhIdnBmYlo3V1BZZXMKLS0tIFJnSEpZKy80ZjdpelRaWVhZdWxF + NS84NDRranB5ZENoRlhBT1hBVWt4VjAKmCNCCclkHLYyEnt24Hl3V2YAexuUEC94 + B4rq0kXRA187682kCVf8uz4h6qrgs+WyN6Qf4LZD1wyfWG+Sf0vTvQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYisrSEJKT2F4S3UwRGdN + dFhvWjRWNjBCdnNaMGd2N3lMKy9zOVdvV3lRCm1pb2VHT2RKMXVtNnZMQUNoSk0w + SGtiUEdhQzFNYUdXb1VYcVRWMVEvNzQKLS0tIHhwWXZDa0d0aTJvdGE5WGdiWEpv + NTFZMUlLMWsraEVhcVpTUGN0a2QrWTgKOQkZ9TF4de2+jhw0W5uiFQt/HV22EcgO + fdLJi4KeIyEddeuLyHks5s83jF8wFS847gKVTCEcfqtJHV9yfV7sfw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1djlnZnh6RjZsVGtXTG5s + UUVJRVJIQ1ZndTErWXBHemxGUkxaVHpYV3hzCmJBSGYwNmhOUTN0MDE0WHZmdDBP + RkVkS0dhdnFuOGh2TDV4YU5wTHlpd3MKLS0tIFg2WnZ0NUFReGZ1TngwR2g2UmU0 + R2d6dXBldFovQ0J6cHVxMXVPd2NHYncKYbSv7BYLxyd9awJeFk3B2GnUKSHnMeMR + gRmNsLLgByiPbtB/YXvtsSv98ioO6Xqk8TWJ11x2nfkIoem0gci7mw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-21T01:23:58Z" + mac: ENC[AES256_GCM,data:RcwHWNMQmOzdVpk63a7laTrpbf5sbP0xqCIyRsE7Kr4J9UYlWxpKJGpvF975xpWzAPaTbJB64vDfOZaoONp1LIf8W/v3nU7Zp2CTLIMQjxgmVyl3TR4NQYNdrv7Qtbamx+0rpTOg8gvnSLeAtH05EGbEb5EUg193p3lmbyS3haw=,iv:ykN0+RsaggzNz1aaqKl4SZyf2nVKE/Iirmh3vzQ17wU=,tag:CRjnQx5NydN4gbMDN3XD9w==,type:str] + pgp: + - created_at: "2025-07-21T01:23:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA0av/duuklWYARAAxdcP2bAKtTYZl55FDQoxjH2yTZw778itZsnCdpCH+J7g + 6Fa5p8BRkZ2yu19IlMmKcgQg+ZSwRiTSJ06IODxnhiAYXJJYo0rOfDx5UgQg1mCX + /sYqiVgmL0H5Yh6uq5/uTRFeYN/K4w/3C6wLEG2+6vUneeHRI/PkcbjHenb6Rn7K + sQvB/f2oGUVAR/8JAzEzADVpGi7Yb7xiMLFItaQhvpZ7LdShV0zScfQcn4H4/yCY + XoMM5uwbCsuko7ZCtzbpIyhVTayGLx5Z9zbuRb5oeZldUgqKzOTxKmcxz/PjECG0 + 
M4Ib+85sevrFgaF4Z9GbEGRbMivBuj8Yez7W9vTBbsIKtI5+JIxqwHezE+Tns7F3 + N4im1i7khoXGwWmf7pOZzPG6+P+GUM/xdo1tsXHdRL8WOodabtU8RaOXD/h/9puK + ZLTLXRn3FhJNyVwu7rSd1eoOCbtLRwNkHUiBbdLCT4StmNwpRx+JfO2Wj9WLhsTG + 27Y4xneDC3sbQE0nsWdcj/opSAA6zqX2U/DGu359qF12SnYcahcG0vThCfCYIH6X + /x5TND0716Vs5ObuAsnqlw/wjeKrILRl2j2/IBjmjlaujFRzzTW3ukRrwwwfSrFp + ZHsstigTk9cyblKW0HTClm4UlJ36ESqUYCAw7kXYnW4kb3URo3oz+kcE+W1f5vTS + XgE2Ql0eo/e+HycILJDepOiFRYzTcR3XzbdRDO/k6Hk8b5STBZ05JhHdD2M1xeZt + kkzR/PJ0IgCSDVK7d7f0mg0gkKn6ehh80uWVH5pdPg752WC4Y0Y0PKu9AZi6Tl4= + =qhzP + -----END PGP MESSAGE----- + fp: F7D37890228A907440E1FD4846B9228E814A2AAC + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/values.nix b/values.nix index 9eab664..9453a35 100644 --- a/values.nix +++ b/values.nix @@ -68,6 +68,26 @@ in rec { ipv4 = pvv-ipv4 240; ipv6 = pvv-ipv6 240; }; + lupine-1 = { + ipv4 = pvv-ipv4 224; + ipv6 = pvv-ipv6 224; + }; + lupine-2 = { + ipv4 = pvv-ipv4 225; + ipv6 = pvv-ipv6 225; + }; + lupine-3 = { + ipv4 = pvv-ipv4 226; + ipv6 = pvv-ipv6 226; + }; + lupine-4 = { + ipv4 = pvv-ipv4 227; + ipv6 = pvv-ipv6 227; + }; + lupine-5 = { + ipv4 = pvv-ipv4 228; + ipv6 = pvv-ipv6 228; + }; }; defaultNetworkConfig = {
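Review bot: The five `lupine-N` entries hand-copy the `lib.range 1 5` that `flake.nix` uses, and `configuration.nix` indexes `values.hosts.${lupineName}` directly, so adding a sixth host in one place and not the other is an evaluation error at that lookup rather than a skipped host. If `lib` is reachable in this file, the five blocks can be produced from one list with `lib.listToAttrs` over `lib.range 1 5`, mapping index `i` to `pvv-ipv4 (223 + i)` and `pvv-ipv6 (223 + i)`, so the address allocation and the machine count live in a single expression; if not, a comment here pointing at the range in `flake.nix` is the minimum. The attribute set this hunk extends (presumably `hosts`) starts before the hunk.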