From 0ed396cd885aa877bbd385100c26307a0b6566d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Thu, 7 Mar 2024 23:14:44 +0100
Subject: [PATCH] Initial commit

---
 .sops.yaml | 11 ++++
 flake.lock | 96 ++++++++++++++++++++++++++++
 flake.nix | 33 ++++++++++
 hosts/ns3/configuration.nix | 52 +++++++++++++++
 hosts/ns3/default.nix | 6 ++
 hosts/ns3/hardware-configuration.nix | 36 +++++++++++
 secrets/secrets.yaml | 21 ++++++
 services/ns/master-authorative.nix | 11 ++++
 services/ns/test-2rjus-net.conf | 39 +++++++++++
 system/default.nix | 7 ++
 system/root-user.nix | 13 ++++
 system/sops.nix | 7 ++
 system/sshd.nix | 9 +++
 13 files changed, 341 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 hosts/ns3/configuration.nix
 create mode 100644 hosts/ns3/default.nix
 create mode 100644 hosts/ns3/hardware-configuration.nix
 create mode 100644 secrets/secrets.yaml
 create mode 100644 services/ns/master-authorative.nix
 create mode 100644 services/ns/test-2rjus-net.conf
 create mode 100644 system/default.nix
 create mode 100644 system/root-user.nix
 create mode 100644 system/sops.nix
 create mode 100644 system/sshd.nix

diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..bfbebee
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)
+ key_groups:
+ - age:
+ - *admin_torjus
+ - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
+ key_groups:
+ - age:
+ - *admin_torjus
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..bd49cb0
--- /dev/null
+++ b/flake.lock
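Review bot: Both creation rules list only `admin_torjus` as a recipient, and secrets/secrets.yaml in this commit is encrypted to that single age key, while system/sops.nix has ns3 use its own key at `/var/lib/sops-nix/key.txt` — that host key is never a recipient, so sops-nix cannot decrypt `root_password_hash` on the machine and, because the secret is marked `neededForUsers`, activation fails. Add the host's age public key (the one belonging to the key file `age.generateKey = true` creates, or a pre-generated key placed there) as a recipient, e.g. `- &ns3_host <NS3_HOST_AGE_PUBLIC_KEY>` under `keys:` and `- *ns3_host` in the age group of both `secrets/` rules, then re-encrypt with `sops updatekeys secrets/secrets.yaml`. The second rule's key group is identical to the first; a shared YAML anchor for the group would keep the two from drifting apart.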
@@ -0,0 +1,96 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1709677081,
+ "narHash": "sha256-tix36Y7u0rkn6mTm0lA45b45oab2cFLqAzDbJxeXS+c=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "880992dcc006a5e00dd0591446fdf723e6a51a64",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1709428628,
+ "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1709703039,
+ "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1709356872,
+ "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "458b097d81f90275b3fdf03796f0563844926708",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1709711091,
+ "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..dfdd0d5
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,33 @@
+{
+ description = "Homelab v5 Nixos Server Configurations";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-23.11";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+ sops-nix.url = "github:Mic92/sops-nix";
+ };
+
+ outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
+ let
+ system = "x86_64-linux";
+ overlay-unstable = final: prev: {
+ unstable = import nixpkgs-unstable {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ in
+ {
+ nixosConfigurations = {
+ ns3 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = { inherit inputs self sops-nix; };
+ modules = [
+ ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+ ./hosts/ns1
+ sops-nix.nixosModules.sops
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/ns3/configuration.nix b/hosts/ns3/configuration.nix
new file mode 100644
index 0000000..3dec270
--- /dev/null
+++ b/hosts/ns3/configuration.nix
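Review bot: `./hosts/ns1` in the ns3 module list names a directory this commit does not create — the host files live under `hosts/ns3` — so the flake does not evaluate; change it to `./hosts/ns3`. The same relative-path mistake recurs in the other new files: hosts/ns3/configuration.nix imports `../system` and `../services/ns/master-authorative.nix`, which resolve to `hosts/system` and `hosts/services` (they need to be `../../system` and `../../services/ns/master-authorative.nix`); services/ns/master-authorative.nix reads `./zones-test-2rjus-net.conf` while the file added is `test-2rjus-net.conf`; and system/sops.nix sets `defaultSopsFile = ./secrets/secrets.yaml`, which resolves to `system/secrets/secrets.yaml` rather than `../secrets/secrets.yaml`. Nix resolves a path literal relative to the file it appears in, not the flake root, so each of these has to be corrected where it is written.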
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+
+ ../system
+ ../services/ns/master-authorative.nix
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelModules = [ "v4l2loopback" ];
+
+ networking.hostName = "ns3.home.2rjus.net"; # Define your hostname.
+ networking.useNetworkd = true;
+ systemd.network.enable = true;
+ systemd.network.networks."ens18" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "10.69.13.7/24"
+ ];
+ routes = [
+ { routeConfig.Gateway = "10.69.13.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ git
+ ];
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
+
diff --git a/hosts/ns3/default.nix b/hosts/ns3/default.nix
new file mode 100644
index 0000000..3010802
--- /dev/null
+++ b/hosts/ns3/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ imports = [
+ ./hardware-configuration.nix
+ ./configuration.nix
+ ];
+}
diff --git a/hosts/ns3/hardware-configuration.nix b/hosts/ns3/hardware-configuration.nix
new file mode 100644
index 0000000..881ea3c
--- /dev/null
+++ b/hosts/ns3/hardware-configuration.nix
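Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with `networking.firewall.enable = false` leaves root SSH logins reachable from anywhere the host routes, and system/sshd.nix sets `passwordAuthentication = true`, so the sops-provisioned root password alone is enough to log in as root. Since system/root-user.nix already gives root an authorized key, `services.openssh.settings.PermitRootLogin = "prohibit-password";` keeps the intended access while removing password-based root login. The same option is also defined as `permitRootLogin = "no"` in system/sshd.nix, which is the renamed alias of this setting, so once the system/ modules are actually imported the two values are a conflicting-definition error; keep one definition. For the firewall, opening only what nsd serves is enough — `networking.firewall.allowedTCPPorts = [ config.services.nsd.port ];` and `networking.firewall.allowedUDPPorts = [ config.services.nsd.port ];` — while the openssh module opens port 22 itself via its `openFirewall` default.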
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ # boot.kernelModules = [ ];
+ # boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/6889aba9-61ed-4687-ab10-e5cf4017ac8d";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/BC07-3B7A";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/64e5757b-6625-4dd2-aa2a-66ca93444d23"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..f101cc9
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,21 @@
+root_password_hash: ENC[AES256_GCM,data:wk/xEuf+qU3ezmondq9y3OIotXPI/L+TOErTjgJz58wEvQkApYkjc3bHaUTzOrmWjQBgDUENObzPmvQ8WKawUSJRVlpfOEr5TQ==,iv:I8Z3xJz3qoXBD7igx087A1fMwf8d29hQ4JEI3imRXdY=,tag:M80osQeWGG9AAA8BrMfhHA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaDVkVGdtbFFnZmxJWTA2
+ OFFIaU50N1UrVGcrRkxHYTduZjU3ejY2cVdvCi8xQUQ5N0c4VE5sUUx4NG50aEk3
+ bzMrNFUwUlcrdS9OZllzTDd1ZTlKMkUKLS0tIHlta0grUTROLzJmRzcrYWVRMm9Q
+ WHhJRlNZZGFaZE83dEc4WklkVExhaFkK6q6WsqEJXveQ+8ISbGOHcjLGUf4KrIqX
+ lDBI9HtB5pxhOSYsX92ARCl95cOnqAHT6u2n5iHrGJKwtWml4ef0zA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-07T21:44:19Z"
+ mac: ENC[AES256_GCM,data:iyDz5zhOf4sQ2js+azNz3hP8W8YcIVRA4xglcRkvPSEmj2EzLm3Zv8XLHXFNIIYDBo2oQasYXaQSOW6rdHt0qwRv7mwTGHKreimTUi0eUAzXLhE8Pfwxk7V3XyuevGWgQc4UnAmmy0FOKaP+Rb74LoVUrXBT/2/Jq2U1pA+IZCA=,iv:LrhI0KWR3YovkjWBltPTA1JFFO2CJMLfdilAWC9V0Wo=,tag:xafFJVGY1zFYnCnr4M0Xvw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/services/ns/master-authorative.nix b/services/ns/master-authorative.nix
new file mode 100644
index 0000000..9f7e862
--- /dev/null
+++ b/services/ns/master-authorative.nix
@@ -0,0 +1,11 @@
+{ ... }: {
+ services.nsd = {
+ enable = true;
+ port = 8053;
+
+ "test.2rjus.net." = {
+ provideXFR = [ "10.69.0.0/16 NOKEY" ];
+ };
+ data = builtins.readFile ./zones-test-2rjus-net.conf;
+ };
+}
diff --git a/services/ns/test-2rjus-net.conf b/services/ns/test-2rjus-net.conf
new file mode 100644
index 0000000..4e32472
--- /dev/null
+++ b/services/ns/test-2rjus-net.conf
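Review bot: `provideXFR = [ "10.69.0.0/16 NOKEY" ]` lets any host in the whole /16 pull the full zone without authentication, and the zone attribute set is placed directly under `services.nsd` with `data` beside it instead of inside `services.nsd.zones."test.2rjus.net."`, so the module rejects the configuration (`"test.2rjus.net."` and `data` are not options of `services.nsd`). The zone file lists ns1 (10.69.13.5) and ns2 (10.69.13.6) as the other name servers, presumably the secondaries; restricting `provideXFR` to those two addresses and authenticating transfers with a TSIG key declared under `services.nsd.keys` limits zone enumeration to the intended hosts. `./zones-test-2rjus-net.conf` also does not match the added file `test-2rjus-net.conf`. `port = 8053` is non-standard for an authoritative server, so if something in front of the host forwards 53 to it, a comment saying so would help the next reader.
```nix
  services.nsd = {
    # … unchanged: enable, port …
    keys."xfr-key" = {
      algorithm = "hmac-sha256";
      keyFile = "<PATH-TO-TSIG-KEY-FILE>"; # placeholder; keep the key material out of the Nix store
    };
    zones."test.2rjus.net." = {
      data = builtins.readFile ./test-2rjus-net.conf;
      provideXFR = [ "10.69.13.5 xfr-key" "10.69.13.6 xfr-key" ];
    };
  };
```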
@@ -0,0 +1,39 @@
+$ORIGIN test.2rjus.net.
+$TTL 1800
+@ IN SOA ns1.test.2rjus.net. admin.test.2rjus.net. (
+ 2023 ; serial number
+ 3600 ; refresh
+ 900 ; retry
+ 1209600 ; expire
+ 120 ; ttl
+ )
+
+ IN NS ns1.test.2rjus.net.
+ IN NS ns2.test.2rjus.net.
+ IN NS ns3.test.2rjus.net.
+; 10
+gw IN A 10.69.10.1
+; 12_CORE
+virt-mini1 IN A 10.69.12.11
+nas IN A 10.69.12.50
+nzbget IN A 10.69.12.51
+restic IN A 10.69.12.52
+radarr IN A 10.69.12.53
+sonarr IN A 10.69.12.54
+bazarr IN A 10.69.12.55
+mpnzb IN A 10.69.12.57
+
+; 13_SVC
+ns1 IN A 10.69.13.5
+ns2 IN A 10.69.13.6
+ns3 IN A 10.69.13.7
+
+; 22_WLAN
+unifi-ctrl IN A 10.69.22.5
+
+; 30
+media IN A 10.69.31.50
+
+; 99_MGMT
+sw1 IN A 10.69.99.2
+
diff --git a/system/default.nix b/system/default.nix
new file mode 100644
index 0000000..74827e0
--- /dev/null
+++ b/system/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ import = [
+ ./sops.nix
+ ./root-user.nix
+ ./sshd.nix
+ ];
+}
diff --git a/system/root-user.nix b/system/root-user.nix
new file mode 100644
index 0000000..eba1925
--- /dev/null
+++ b/system/root-user.nix
@@ -0,0 +1,13 @@
+{ pkgs, config, ... }: {
+ programs.zsh.enable = true;
+ sops.secrets.root_password_hash = { };
+ sops.secrets.root_password_hash.neededForUsers = true;
+
+ users.users.root = {
+ shell = pkgs.zsh;
+ hashedPasswordFile = config.sops.secrets.root_password_hash.path;
+ opennsh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwfb2jpKrBnCw28aevnH8HbE5YbcMXpdaVv2KmueDu6 torjus@gunter"
+ ];
+ };
+}
diff --git a/system/sops.nix b/system/sops.nix
new file mode 100644
index 0000000..9ee9e2a
--- /dev/null
+++ b/system/sops.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ sops = {
+ defaultSopsFile = ./secrets/secrets.yaml;
+ age.keyFile = "/var/lib/sops-nix/key.txt";
+ age.generateKey = true;
+ };
+}
diff --git a/system/sshd.nix b/system/sshd.nix
new file mode 100644
index 0000000..1754436
--- /dev/null
+++ b/system/sshd.nix
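Review bot: `import = [ ... ]` in system/default.nix is not a module-system attribute — the key is `imports` — so evaluation stops with an "option `import` does not exist" error, and had it been silently ignored none of ./sops.nix, ./root-user.nix or ./sshd.nix would be loaded, leaving the host without the sops secret, the root user setup or the sshd settings. Change the line to `imports = [`.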
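Review bot: `opennsh.authorizedKeys.keys` in system/root-user.nix is misspelled (`openssh`), so the ed25519 key is never installed for root and the module rejects the unknown option; with no key present, the only root credential left is the sops-managed password, which system/sshd.nix accepts over SSH through `passwordAuthentication = true`. Fix the attribute to `openssh.authorizedKeys.keys = [`. As a style point, `sops.secrets.root_password_hash = { };` directly followed by `sops.secrets.root_password_hash.neededForUsers = true;` can be collapsed to the second line alone, since the empty definition adds nothing the merged submodule does not already get.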
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ # TODO: Allow root login from certain hosts.
+ # Then dissallow rest.
+ passwordAuthentication = true;
+ };
+}
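Review bot: `passwordAuthentication = true` enables password logins for every account, and combined with `PermitRootLogin = "yes"` in hosts/ns3/configuration.nix it turns the sops-managed root password into a remote credential; with the authorized key already provisioned in system/root-user.nix, `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` are the safer defaults. Both option names used here (`permitRootLogin`, `passwordAuthentication`) are the pre-23.05 spellings that the module keeps only as renamed aliases of `settings.PermitRootLogin` and `settings.PasswordAuthentication`, and `permitRootLogin = "no"` collides with the `"yes"` in configuration.nix as two definitions of the same option once system/ is imported. The TODO about allowing root from certain hosts can be expressed without a blanket yes: `settings.PermitRootLogin = "prohibit-password";` here, plus a `Match Address` block in `services.openssh.extraConfig` for the hosts in question.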