add bobi

2022-10-19 13:16:24 +02:00 · 2022-10-19 13:16:24 +02:00 · 658f05fa04
commit 658f05fa04
parent 3f74658365
9 changed files with 225 additions and 6 deletions
--- a/flake.lock
+++ b/flake.lock
@ -881,11 +881,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1663876023,
+        "lastModified": 1666166753,
-        "narHash": "sha256-esUjNxIvrKZXukSbZbre4l5nS++Iqhc19LGHcizHEk4=",
+        "narHash": "sha256-Gev83ZYEkEEXKcz+ChNajNzzuqPodjVbSlgdHLHXtVs=",
        "ref": "main",
-        "rev": "6b43a1b2f4ba34f684614d15f54e68d88eea2612",
+        "rev": "c5c4fad9987a0aaab4d2b072fe40ec55f15462d2",
-        "revCount": 38,
+        "revCount": 39,
        "type": "git",
        "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -202,10 +202,27 @@
          };
          robi = { name, nodes, pkgs, ... }: {
-            deployment.targetHost = "${name}";
+            deployment.targetHost = "${name}.private";
            deployment.tags = [ "server" "online" "private" ];
            imports = [ ];
          };
          bobi = { name, nodes, pkgs, ... }: {
            #deployment.targetHost = "${name}.private";
            deployment.targetHost = "localhost";
            deployment.targetPort = 2222;
            deployment.tags = [ "desktop" "usb" "private" ];
            imports = [
              grocy-scanner.nixosModule
            ];
            home-manager.users.mainUser = {
              imports = [
                doom-emacs-nix.hmModule
                home-manager-utils.hmModule
              ];
            };
          };
          mobi = { name, nodes, pkgs, ... }: {
            deployment.targetHost = "${name}.private";
            deployment.tags = [ "desktop" "usb" "private" ];
--- a/images/usb-init-configuration.nix
+++ b/images/usb-init-configuration.nix
@ -16,7 +16,7 @@
  # -----------------
  boot.loader.grub.enable = true;
  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.device = "/dev/sdb";
  boot.loader.grub.efiInstallAsRemovable = true;
  boot.tmpOnTmpfs = true;
--- a/nixos/assets/tinc/bobi_host_file
+++ b/nixos/assets/tinc/bobi_host_file
@ -0,0 +1,14 @@
 Ed25519PublicKey = jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD
 -----BEGIN RSA PUBLIC KEY-----
 MIICCgKCAgEA4N0Pm09nePnlTUtmJLVTxEP41i+9kd4tke6KjG+PIbGI0xrgZJBX
 sP6wK3vf5q3PZp6U3a452SjzSWKQtjXA94Zmr4HaWqYQJPtJlJcsNeWbx/I0WoaA
 918iltvgkLkPKITZ1Gp6iYtKjIn2vxOKv+Pm/YYSRGB4RE3GE5M7TVcitnC89lxm
 bK8GAnUs4xUXE4DWund0h81j7XWJpF6T3N3+rlCrfmEfYYmSYg2DRkprGHvAVP26
 kWzjei9sIfPVgL0iSprOxqfAw/3Sz0uk3Ny6YvsJU+N4e8QTKQTi75XlkAWbG9OF
 P1+1xFDX3d0MdPPNq2c6hHI4VmTMDYVqMPztZNOOKKe+GWBtz/Mlbb55cccNECYA
 eVrAkhgUqjFF2lOFK1j7Ivf8ogETUcYRCEaLEZyf5Q+DuHkGzct1DBVEKn23dR2E
 B8eDm4ap4YxmrZymPbbl5IUyc/d9pmm04MFWMOifDlw5KEH3+ia93ma3ByBI3UjP
 kAg8po3rh3WWjpI26E8icjSjkJ7f1rRsEWmNAf54JwPHkWBZIoUufVxvMNZ9PXn9
 7GdP2Z7z+Tn6zUDA62Z9DRDmRGEnuDio450dNMP6ZNWj6leYBbnkP5JtfpRymVKW
 GVJfpMwSlf/qP00Jd0WQQyICKQOIns+4jzCvRcOLzSaPj7OvgVUnx00CAwEAAQ==
 -----END RSA PUBLIC KEY-----
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@ -31,6 +31,10 @@
        tincIp = "10.23.42.23";
        publicKey = lib.fileContents ../../../assets/tinc/mobi_host_file;
      };
      bobi = {
        tincIp = "10.23.42.23";
        publicKey = lib.fileContents ../../../assets/tinc/bobi_host_file;
      };
      robi = {
        realAddress = [ "144.76.13.147" ];
        tincIp = "10.23.42.111";
--- a/nixos/machines/bobi/configuration.nix
+++ b/nixos/machines/bobi/configuration.nix
@ -0,0 +1,81 @@
 { config, pkgs, lib, ... }: {
  imports = [
    ../../system/desktop
    ./hardware-configuration.nix
    ./tinc.nix
    ./syncthing.nix
  ];
  security.wrappers = {
    pmount = {
      source = "${pkgs.pmount}/bin/pmount";
      setuid = true;
      owner = "root";
      group = "root";
    };
    pumount = {
      source = "${pkgs.pmount}/bin/pumount";
      setuid = true;
      owner = "root";
      group = "root";
    };
  };
  # fonts
  # -----
  programs.custom.urxvt.fontSize = 12;
  programs.custom.xterm.fontSize = 12;
  system.custom.fonts.dpi = 100;
  configuration.desktop = {
    width = 1366;
    height = 768;
  };
  # grub configuraton
  # -----------------
  boot.loader.grub.enable = true;
  boot.loader.grub.efiSupport = true;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.efiInstallAsRemovable = true;
  boot.tmpOnTmpfs = true;
  networking.networkmanager.enable = true;
  networking.hostName = "bobi";
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  environment.systemPackages = with pkgs; [
    vim
    wget
    htop
    silver-searcher
  ];
  environment.extraInit = ''
    # use vi shortcuts
    # ----------------
    set -o vi
    EDITOR=vim
  '';
  services.openssh.enable = true;
  component.network.sshd.onlyTincAccess = false;
  users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/nixos/machines/bobi/hardware-configuration.nix
+++ b/nixos/machines/bobi/hardware-configuration.nix
@ -0,0 +1,47 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    {
      device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5";
      fsType = "ext4";
    };
  boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c";
  fileSystems."/boot" =
    {
      device = "/dev/disk/by-uuid/AEE5-221F";
      fsType = "vfat";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
  # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
  # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true;
  # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true;
  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nixos/machines/bobi/syncthing.nix
+++ b/nixos/machines/bobi/syncthing.nix
@ -0,0 +1,42 @@
 { config, pkgs, lib, ... }: {
  #sops.secrets.syncthing_cert = { };
  #sops.secrets.syncthing_key = { };
  services.syncthing = {
    enable = true;
    openDefaultPorts = false;
    user = "palo";
    dataDir = "/home/palo/.syncthing";
    configDir = "/home/palo/.syncthing";
    #cert = toString config.sops.secrets.syncthing_cert.path;
    #key = toString config.sops.secrets.syncthing_key.path;
    overrideFolders = true;
    folders = {
      # on encrypted drive
      # ------------------
      private = {
        enable = true;
        path = "/home/palo/private";
      };
      desktop = {
        enable = true;
        path = "/home/palo/desktop";
      };
      finance = {
        enable = true;
        path = "/home/palo/finance";
      };
      password-store = {
        enable = true;
        path = "/home/palo/.password-store";
      };
    };
  };
  system.permown."/home/palo/music-library" = {
    owner = "palo";
    group = "users";
  };
 }
--- a/nixos/machines/bobi/tinc.nix
+++ b/nixos/machines/bobi/tinc.nix
@ -0,0 +1,14 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  module.cluster.services.tinc = {
    "private" = {
      enable = true;
      openPort = true;
      connectTo = [ "robi" ];
    };
  };
 }