From f5637576bdfcc4ae2024215f5db41f8085ecee0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eirik=20Witters=C3=B8?=
Date: Sat, 16 Mar 2024 23:47:19 +0100
Subject: [PATCH] Add skrott

---
 .sops.yaml | 6 ++++
 flake.lock | 55 +++++++++++++++++++++++++++++++
 flake.nix | 10 ++++++
 hosts/skrott/configuration.nix | 27 +++++++++++++++
 hosts/skrott/services/dibbler.nix | 11 +++++++
 secrets/skrott/skrott.yaml | 41 +++++++++++++++++++++++
 values.nix | 4 +++
 7 files changed, 154 insertions(+)
 create mode 100644 hosts/skrott/configuration.nix
 create mode 100644 hosts/skrott/services/dibbler.nix
 create mode 100644 secrets/skrott/skrott.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 10f769d..5c58037 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -60,3 +60,9 @@ creation_rules:
 - *user_felixalb
 pgp:
 - *user_oysteikt
+
+ - path_regex: secrets/skrott/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_danio
+ - *user_eirikwit
diff --git a/flake.lock b/flake.lock
index 1b6860c..3fb769b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@ { "nodes": { + "dibbler": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1693682284, + "narHash": "sha256-FvVCkHH80YyUiqQlnGNr49rZRBniihF6YRpytguEkFQ=", + "owner": "Programvareverkstedet", + "repo": "dibbler", + "rev": "8a6a0c12ba37e239684d2de1be12fd73903cfb2c", + "type": "github" + }, + "original": { + "owner": "Programvareverkstedet", + "repo": "dibbler", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [
@@ -20,6 +41,24 @@ "type": "github" } }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "grzegorz": { "inputs": { "nixpkgs": [ 
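Review bot: The new creation rule for `secrets/skrott/` lists only two user keys (`*user_danio`, `*user_eirikwit`) and no key for the skrott host itself, while `hosts/skrott/configuration.nix` in this same patch expects the machine to decrypt at activation through `sops.age.sshKeyPaths` / `sops.age.keyFile`, and `secrets/skrott/skrott.yaml` carries exactly two age recipients. Unless one of those anchors is actually the host key (their definitions are outside the hunk), the host cannot decrypt `dibbler/config` and sops-nix activation will fail. Add the host's age recipient (derived from its `ssh_host_ed25519_key`, or the generated `/var/lib/sops-nix/key.txt`) as a third entry, e.g. `- *host_skrott` with an anchor defined the way the file's other host/user keys are (name is a placeholder), then re-encrypt with `sops updatekeys`. Separately, `path_regex` is unanchored, so it also matches that suffix under any other directory; `^secrets/skrott/[^/]+\.yaml$` is tighter, if that matches the file's existing convention.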
@@ -148,6 +187,7 @@ }, "root": { "inputs": { + "dibbler": "dibbler", "disko": "disko", "grzegorz": "grzegorz", "grzegorz-clients": "grzegorz-clients",
@@ -178,6 +218,21 @@ "repo": "sops-nix", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index fc0ebdf..7135c82 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,9 @@
 grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
 grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
 grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+ dibbler.url = "github:Programvareverkstedet/dibbler";
+ dibbler.inputs.nixpkgs.follows = "nixpkgs";
 };

 outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -115,6 +118,13 @@
 sops-nix.nixosModules.sops
 ];
 };
+ skrott = stableNixosConfig "skrott" {
+ modules = [
+ ./hosts/skrott/configuration.nix
+ inputs.dibbler.nixosModules.default
+ sops-nix.nixosModules.sops
+ ];
+ };
 };

 devShells = forAllSystems (system: {
diff --git a/hosts/skrott/configuration.nix b/hosts/skrott/configuration.nix
new file mode 100644
index 0000000..8299486
--- /dev/null
+++ b/hosts/skrott/configuration.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, values, ... }:
+{
+ imports = [
+ # Include the results of the hardware scan.
+ # ./hardware-configuration.nix
+ ../../base.nix
+ ../../misc/metrics-exporters.nix
+ ./services/dibbler.nix
+ ];
+
+ sops.defaultSopsFile = ../../secrets/skrott/skrott.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "skrott";
+
+ systemd.network.networks."30-yolo" = values.defaultNetworkConfig // {
+ matchConfig.Name = "*";
+ address = with values.hosts.skrott; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ };
+
+ system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/hosts/skrott/services/dibbler.nix b/hosts/skrott/services/dibbler.nix
new file mode 100644
index 0000000..0d0164d
--- /dev/null
+++ b/hosts/skrott/services/dibbler.nix
@@ -0,0 +1,11 @@
+{ config, inputs, ... }:
+{
+ sops.secrets = {
+ "dibbler/config" = {
+ owner = "dibbler";
+ group = "dibbler";
+ };
+ };
+ services.dibbler.package = inputs.dibbler.packages.dibbler;
+ services.dibbler.config = config.sops.secrets."dibbler/config".path;
+}
\ No newline at end of file
diff --git a/secrets/skrott/skrott.yaml b/secrets/skrott/skrott.yaml
new file mode 100644
index 0000000..fd0f1e3
--- /dev/null
+++ b/secrets/skrott/skrott.yaml
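Review bot: `matchConfig.Name = "*"` in the `30-yolo` network unit attaches the host's static IPv4/IPv6 addresses to every interface systemd-networkd manages, not only the uplink; matching the actual NIC instead (`matchConfig.Name = "<uplink-interface>";`, placeholder, or a `matchConfig.MACAddress`) keeps the address from landing on any interface added later. The hardware scan import is commented out and nothing visible declares `fileSystems."/"`, so unless `../../base.nix` supplies it the configuration will fail evaluation with NixOS's missing-root-filesystem assertion — either restore `./hardware-configuration.nix` or add a disko layout (the flake has a disko input, but it is not in skrott's module list in `flake.nix`). The file is also committed without a trailing newline.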
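Review bot: `inputs.dibbler.packages.dibbler` on the `services.dibbler.package` line omits the system attribute; flake `packages` outputs are keyed by system, and the lock records dibbler depending on flake-utils, which emits `packages.<system>.<name>`, so this will most likely fail with a missing-attribute error at evaluation. Take `pkgs` in the module arguments and select `services.dibbler.package = inputs.dibbler.packages.${pkgs.stdenv.hostPlatform.system}.dibbler;` (argument list `{ config, inputs, pkgs, ... }:`). This also relies on `stableNixosConfig` passing `inputs` through `specialArgs`; its definition is outside the patch, so confirm. `owner = "dibbler"` requires that user to exist when sops-nix installs the secret; presumably the dibbler module creates it, but if it does not, activation fails rather than leaving the secret readable by the service.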
@@ -0,0 +1,41 @@ +hello: ENC[AES256_GCM,data:KRtCZhcS+LMV5oUivFDBjQo7m9XkaGbHKOW6N/SFRiyZA3eXSkVeltttUHhCrw==,iv:AXlyyW5gQvXu//jV/BVb79ASbKsfu5FFNnRmXNBbfg0=,tag:UVLWNgxtSFh4txCDWl5bPg==,type:str] +example_key: ENC[AES256_GCM,data:7SpSse4uVUzCwCzbdQ==,iv:zUh9qk/T7LNOXMqToQozn2KeHu9HJtAKarU+Xb5xwi0=,tag:AyO1cflpYraiABPApfjL8A==,type:str] +#ENC[AES256_GCM,data:NnvbBdwOv5xiqArBdyypGg==,iv:iFCVF8EL8xrKNaDcPOcWp65EoilnG0mN/ph/ZaafLS0=,tag:7pQcs8grVPZbbjr/tze4LQ==,type:comment] +example_array: + - ENC[AES256_GCM,data:fd3mltqGVj7bXHEMmcY=,iv:wzTLHEgQ7bDfUlu01qtaU6fe8L1ZTqmDEBJYf1jttxc=,tag:53XJn1OdJBTEC2BvoSIG1A==,type:str] + - ENC[AES256_GCM,data:jZffrJgY0C0YuGIwxxk=,iv:PH+x0/4vm40w+YuCO3JlOqw5bdfaBT29m0YjKMRCFXg=,tag:rWSocVW9kimF5Dcs8lBuLQ==,type:str] +example_number: ENC[AES256_GCM,data:lWYwd7RXk//H/w==,iv:lD62NqHV/o2QJft48l+0MSeoiGRQ1WFKDoD0sXUevqI=,tag:Ov8j/DqbFww27tDJhmaufA==,type:float] +example_booleans: + - ENC[AES256_GCM,data:QEIQzw==,iv:sGfKE8VMl1uElsfG0Cip647jv/i1+eGE0UxgOM3i4uA=,tag:eWKw678aymRGa1fk8d7RSA==,type:bool] + - ENC[AES256_GCM,data:9czVwLg=,iv:OEKALhwOl0OcEJe+k9bhxxdZ/bNd/Xfcvrd40fwAwF8=,tag:CWBuPlcO9WgrSUb0BgfL9g==,type:bool] +dibbler: + config: ENC[AES256_GCM,data:SVTe6MOansry+FKwdu3mDZna4vmu+UMwySfKrfImnGozLz2FYHLW+RvjWaRpa7aGInPfE/icYbSxbHrFIPcIGGlJHTKUlCqQ6km/qYh3UxggKGH1JeUEIgkyvgBXvofym8b5CzyfRXpm35fs+1Io7MWTpeDhmNVk1hVoIU/qR6o6NhOCeH00Gy3cqxCGqi4loJYa51BMNczcUMynwP/9lB2OOb7ogl2TbKXZOK2jwSDCTLJ8FrKcCtUcUnGqUp9VwgktxNrRtFwGohW2gAg2Oq2OR+00dpT2VS+gUtHabrcwft7ioZBmb7rrI4KxpJwG96CYqX90iQiltkwA57BqVByvaYhga4nwdVT48e76MIgBYcQX1WDolL8eEU5QPvhnbmU2mVjdD9SmapoHwBm2qM7LqmsMjqnH8ZHMdtETs6kzt227/QZdh7fc7kaIK1x3Lpxpl3whUMc+mrM8D9xFSjuyxSiF0h7tBH6H,iv:oGd6Dnw655bpwXjqW4niU5dN0RfUDY39hFfiiIc9vhQ=,tag:4CL6iqCiALp/k03Ju6OI/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUlh2azlDTm9PRjJXQ2hO + MDlVbTdEN1RIVHkrbjIyY3pVVVlXY3M4eFNjCmJvZUNobVJHdnBhWjFHVVhmVVdX + aFloQVRyUXZsQ2g0bENQald6T2F3cEUKLS0tIGRuQjBXb2lzQnJQdDk0SzYwNUsx + SnhWdGZaTTVXbm4waW42ZUE0aWFtdDQKFLiRLCBHLAn43q7EPdc/mmQImltIsA5T + 5ejVVvsva2wznc/pYvAeLb40yAwtszsNwH02SJ19WDz5wEARaQ8+8w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwd2w1YUtHaFZoNEFxMjF4 + d1V2OFF4ZjFwNnpBWi9Cc3d1SHdqeVh4RDBzCmNLU3VWeVl4Z0ZPOUUvRjlsYzFZ + bjEwRlAweVcvME9nZTY1cmM4VHpXWVUKLS0tIHZJRjIveGoyQm02R0xaT2FEclFv + ZjhLdUhWdHp2N2krbkxqcHRoZVB6WkEK7uRAXYfI9LMfBXbHwitEVIyhGe6adIFz + 9at0KEwLXePpR6bO9PM+T4am9V46Ygdq5iS8bSmX03832sK69pF9CA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-16T22:32:52Z" + mac: ENC[AES256_GCM,data:A1kg0QtZN3gMnBz1uqllPK4WI4U/CE8yJh8rHJ9CQ9V2kJQA6Kk7XrESVMsBpIazI6GuN1s33v4hNpeXhns5DMSdpWgQdyz8OM4Kj2nGz5h/JxCYwKT0e3R5qy48e0dcM906SG08DVQCCsiBnXAFWymM9Hs2+dPAAWlCNiR0gME=,iv:SookZTJGT7F5vZU6uDr9gO1A6XuDmL1UXlyphYS2dsI=,tag:8S77OX8aJcCn3efY25k4Dw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values.nix b/values.nix index 2ff1c51..2ad3933 100644 --- a/values.nix +++ b/values.nix @@ -60,6 +60,10 @@ in rec { ipv4 = pvv-ipv4 231; ipv6 = pvv-ipv6 231; }; + skrott = { + ipv4 = pvv-ipv4 235; + ipv6 = pvv-ipv6 235; + }; }; defaultNetworkConfig = {
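Review bot: `secrets/skrott/skrott.yaml` still carries the entries sops writes into a freshly created file as an editing example (`hello`, `example_key`, the `#ENC[...type:comment]` line, `example_array`, `example_number`, `example_booleans`); only `dibbler/config` is consumed by anything in this patch. Drop the template entries so the file holds just the secrets it is meant to, which also keeps reviewers from wondering whether the example keys are referenced somewhere outside the patch.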