wip

flake.lock

@@ -1294,11 +1294,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1692771442,
+        "lastModified": 1702813900,
-        "narHash": "sha256-ZyPeoIoDGh4Sfgpcx0grNDVDXNDmR1YHgU1K3z4x2EE=",
+        "narHash": "sha256-iW4thfqQUqm3A/nh9pwRUrIHsgavaS3A/pifynJmYkI=",
         "ref": "main",
-        "rev": "0a13af540fe8fea07ca020be953b14923a80d25c",
+        "rev": "647d3f4ead533dc17be45504417acc4d1efe2d87",
-        "revCount": 55,
+        "revCount": 56,
         "type": "git",
         "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
       },

flake.nix

@@ -333,6 +333,19 @@
               { home-manager.users.mainUser.gui.enable = true; }
             ];
           };
+          cherry = nixosConfigurationSetup {
+            name = "cherry";
+            host = "root@192.168.178.23";
+            modules = [
+              nixos-hardware.nixosModules.framework-13th-gen-intel
+              #retiolum.nixosModules.retiolum
+              #private_assets.nixosModules.jobrad
+              homeManagerModules
+              # { home-manager.users.root = import ./nixos/homes/root; }
+              { home-manager.users.mainUser = import ./nixos/homes/palo; }
+              { home-manager.users.mainUser.gui.enable = true; }
+            ];
+          };
           chungus = nixosConfigurationSetup {
             name = "chungus";
             modules = [

nixos/components/network/tinc/private.nix

@@ -14,6 +14,7 @@ let
     pepe = "10.23.42.26";
     cream = "10.23.42.27";
     chungus = "10.23.42.28";
+    cherry = "10.23.42.29";
     robi = "10.23.42.111";
   };
   subDomains = {
@@ -30,12 +31,6 @@ let
     "prowlarr.robi" = hosts.robi;
     "jellyseerr.robi" = hosts.robi;
     "unmanic.robi" = hosts.robi;
-    # pepe
-    "grafana.pepe" = hosts.pepe;
-    "loki.pepe" = hosts.pepe;
-    "prometheus.pepe" = hosts.pepe;
-    "tdarr.pepe" = hosts.pepe;
-    "tts.pepe" = hosts.pepe;
     # chungus
     "de.tts.chungus" = hosts.chungus;
     "en.tts.chungus" = hosts.chungus;
@@ -76,6 +71,10 @@ in
           subnets = [{ address = hosts.cream; }];
           settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
         };
+        cherry = {
+          subnets = [{ address = hosts.cherry ; }];
+          settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
+        };
         sterni = {
           subnets = [{ address = hosts.sterni; }];
           settings.Ed25519PublicKey = "r6mRDc814z2YtyG9ev/XXV2SgquqWR8n53V13xNXb7O";

nixos/homes/palo/packages/nextcloud.nix

@@ -12,8 +12,6 @@ let
         ~/Nextcloud/${folder} \
         "https://${user}:${password}@nextcloud.ingolf-wagner.de"
     '';
-
-
 in
 {
   home.packages = [

nixos/machines/cherry/configuration.nix

@@ -0,0 +1,146 @@
+{ config, pkgs, lib, ... }:
+{
+
+  imports = [
+
+    ../../components
+    ../../system/desktop
+    ../../system/server/netdata.nix
+
+    ./disko-config.nix
+    ./hardware-configuration.nix
+
+    ./syncthing.nix
+    ./cups.nix
+    ./tinc.nix
+    #./tinc_retiolum.nix
+
+    ./qemu.nix
+    ./wireguard.nix
+
+  ];
+
+  components.gui.enable = true;
+  components.mainUser.enable = true;
+  components.media.enable = true;
+  components.media.tts-client.enable = false;
+  components.network.enable = true;
+  components.network.wifi.enable = true;
+  components.terminal.enable = true;
+
+  home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
+
+  sops.secrets.yubikey_u2fAuthFile = { };
+
+  components.gui.taskwarrior.config = {
+    general = {
+      targets = [ "terranix" "my_github" ];
+      log_level = "INFO";
+      static_fields = [ "priority" ];
+      merge_annotations = false;
+    };
+    terranix = {
+      service = "github";
+      login = "mrVanDalo";
+      token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
+      username = "mrVanDalo";
+      default_priority = "";
+      description_template = "{{githubtitle}} {{githuburl}}";
+      add_tags = "github";
+      project_template = "terranix";
+      involved_issues = true;
+      query = "org:terranix is:open";
+      include_user_issues = false;
+      include_user_repos = false;
+    };
+    my_github = {
+      service = "github";
+      login = "mrVanDalo";
+      token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
+      username = "mrVanDalo";
+      description_template = "{{githubtitle}} {{githuburl}}";
+      add_tags = "github";
+      include_user_issues = true;
+      include_user_repos = true;
+      exclude_repos = [ "azubi" "csv-to-qif" "stepp0r" ];
+    };
+    # todo : add github issues
+  };
+
+
+  users.users.mainUser.extraGroups = [ "pipewire" ];
+
+  services.nginx.enable = true;
+
+  networking.hostName = "cherry";
+
+  # make sure battery is charged in a way to live for a long time
+  services.power-profiles-daemon.enable = false;
+  services.tlp = {
+    enable = true;
+    settings = {
+      CPU_BOOST_ON_BAT = 0;
+      CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
+      START_CHARGE_THRESH_BAT0 = 30;
+      STOP_CHARGE_THRESH_BAT0 = 85;
+      RUNTIME_PM_ON_BAT = "auto";
+    };
+  };
+
+  security.wrappers = {
+    pmount = {
+      source = "${pkgs.pmount}/bin/pmount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+    pumount = {
+      source = "${pkgs.pmount}/bin/pumount";
+      setuid = true;
+      owner = "root";
+      group = "root";
+    };
+  };
+
+  programs.custom.steam.enable = true;
+  services.printing.enable = true;
+
+  # fonts
+  # -----
+  programs.custom.urxvt.fontSize = 16;
+  programs.custom.urxvt.fontType = "vector";
+  programs.custom.xterm.fontSize = 16;
+  # todo : add xterm fontType
+  # programs.custom.xterm.fontType = "vector";
+
+  virtualisation = {
+    docker.enable = true;
+    podman.enable = true;
+    virtualbox = {
+      host.enable = false;
+      guest.x11 = false;
+      guest.enable = false;
+    };
+  };
+
+  #services.xserver.desktopManager.gnome.enable = true;
+  #services.xserver.displayManager.lightdm.enable = false;
+  #services.xserver.displayManager.sddm.enable = true;
+
+  custom.samba-share = {
+    enable = false;
+    folders = {
+      share = "/home/share";
+      video = "/home/video-material";
+    };
+  };
+
+
+  # for congress and streaming
+  hardware.opengl = {
+    enable = true;
+  };
+
+  system.stateVersion = "23.11";
+
+}

nixos/machines/cherry/cups.nix

@@ -0,0 +1,16 @@
+{
+  hardware.printers.ensurePrinters = [
+    {
+      description = "Lexmark E350d";
+      deviceUri = "usb://Lexmark/E350d?serial=622Z9ZC";
+      location = "office";
+      name = "Lexmark_E350d";
+      model = "drv:///sample.drv/generic.ppd";
+      ppdOptions = {
+        job-sheets = "none, none";
+        media = "na_letter_8.5x11in";
+        sides = "one-sided";
+      };
+    }
+  ];
+}

nixos/machines/cherry/disko-config.nix

@@ -0,0 +1,73 @@
+# nix run github:nix-community/disko -- --mode zap_create_mount ./disko-config.nix
+# nixos-generate-config --no-filesystems --root /mnt
+{ config, lib, ... }:
+{
+
+  # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
+  # copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix
+  services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) ''
+    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
+  '';
+
+  disko.devices = {
+    disk = {
+      root = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "table";
+          format = "gpt";
+          partitions = [
+            {
+              name = "ESP";
+              start = "0";
+              end = "500MiB";
+              bootable = true;
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "defaults" ];
+              };
+            }
+            {
+              name = "zfs";
+              start = "500MiB";
+              end = "100%";
+              content = {
+                type = "luks";
+                name = "root";
+                content = {
+                  type = "zfs";
+                  pool = "zroot";
+                };
+              };
+            }
+          ];
+        };
+      };
+    };
+    zpool = {
+      zroot = {
+        type = "zpool";
+        rootFsOptions = {
+          mountpoint = "none";
+          canmount = "off";
+          compression = "lz4";
+        };
+        datasets = {
+          "root" = {
+            type = "zfs_fs";
+            mountpoint = "/";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+            };
+          };
+        };
+      };
+    };
+
+  };
+}
+

nixos/machines/cherry/hardware-configuration.nix

@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s13f0u2c2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
+}

nixos/machines/cherry/qemu.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+
+  virtualisation.libvirtd.enable = true;
+  #virtualisation.libvirtd.allowedBridges = ["virbr0"];
+  virtualisation.libvirtd.onShutdown = "shutdown";
+
+  environment.systemPackages = [
+    pkgs.qemu_kvm
+    (pkgs.quickemu.override { qemu = pkgs.qemu_kvm; })
+    pkgs.virt-manager
+  ];
+
+  users.users.mainUser.extraGroups = [ "libvirtd" ];
+
+}

nixos/machines/cherry/syncthing.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }: {
+
+  #sops.secrets.syncthing_cert = { };
+  #sops.secrets.syncthing_key = { };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = false;
+    user = "palo";
+    dataDir = "/home/palo/.syncthing";
+    configDir = "/home/palo/.syncthing";
+    #cert = toString config.sops.secrets.syncthing_cert.path;
+    #key = toString config.sops.secrets.syncthing_key.path;
+    overrideFolders = true;
+    settings.folders = {
+
+      # on encrypted drive
+      # ------------------
+      password-store = {
+        enable = true;
+        path = "/home/palo/.password-store";
+      };
+      #private = {
+      #  enable = true;
+      #  path = "/home/palo/private";
+      #};
+      art = {
+        enable = true;
+        path = "/home/palo/art";
+      };
+      desktop = {
+        enable = true;
+        path = "/home/palo/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/home/palo/finance";
+      };
+
+      # no need to be encrypted
+      # -----------------------
+      books = {
+        enable = true;
+        path = "/home/palo/books";
+      };
+    };
+  };
+
+  services.permown."/home/palo/music-library" = {
+    owner = "palo";
+    group = "users";
+  };
+
+  services.permown."/home/palo/finance" = {
+    owner = "palo";
+    group = "syncthing";
+  };
+}

nixos/machines/cherry/tinc.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+
+  tinc.private.enable = true;
+  tinc.private.ipv4 = "10.23.42.27";
+
+  tinc.secret.enable = true;
+  tinc.secret.ipv4 = "10.123.42.27";
+
+  # retiolum
+  #networking.retiolum.port = 720;
+  #sops.secrets.tinc_retiolum_ed25519_key = { };
+  #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
+
+}

nixos/machines/cherry/tinc_retiolum.nix

@@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  sops.secrets.tinc_retiolum_ed25519_key = { };
+  sops.secrets.tinc_retiolum_rsa_key = { };
+
+  networking.retiolum.port = 720;
+  networking.retiolum.nodename = "sol";
+
+  services.tinc.networks.retiolum = {
+    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
+    rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+  };
+}

nixos/machines/cherry/wireguard.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  sops.secrets.wireguard_private = { };
+
+  # Enable WireGuard
+  networking.wg-quick.interfaces = {
+    # Hub and Spoke Setup
+    # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+    wg0 = {
+      address = [ "10.100.0.7/32" ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;
+
+      peers = [
+        {
+          # robi
+          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
+          allowedIPs = [ "10.100.0.1/24" ];
+          endpoint = "ingolf-wagner.de:51820";
+        }
+      ];
+    };
+  };
+}

nixos/machines/cream/configuration.nix

@@ -138,7 +138,6 @@
     };
   };
 
-
   # for congress and streaming
   hardware.opengl = {
     enable = true;

nixos/machines/robi/network-wireguard.nix

@@ -49,6 +49,11 @@
           publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ=";
           allowedIPs = [ "10.100.0.6/32" ];
         }
+        {
+          # cherry
+          publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k=";
+          allowedIPs = [ "10.100.0.7/32" ];
+        }
       ];
     };
   };

scripts/nixos-anywhere-pet.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p ssh-to-age ssh-to-age boxes
+
+EXTRA_FILES=$( mktemp -d )
+LUKS_KEY=$( mktemp )
+SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key"
+
+cat <<EOF | boxes -d ian_jones
+- create ssh host keys
+- create age key from ssh host key (for sops)
+- create luks encryption key
+EOF
+
+# make sure you set
+# services.openssh.hostKeys = [ { bits = 4096; path = /etc/ssh/ssh_host_ed25519_key; rounds = 100; type = "ed25519"; } ]
+mkdir -p "$( dirname "$SSH_HOST_KEY")"
+ssh-keygen -a 100 -q -N "" -t ed25519 -f "$SSH_HOST_KEY"
+AGE_KEY=$( ssh-to-age < "$SSH_HOST_KEY.pub")
+
+echo
+echo
+IFS= read -s -p 'LUKS Encryption Password please: ' password
+echo -n "$password" > "$LUKS_KEY"
+echo
+echo
+echo
+
+
+cat <<EOF | boxes -d shell
+put this in you .sops.yaml
+and run sops updatekeys secrets/<machine>.yaml
+EOF
+
+cat <<EOF
+
+keys:
+    - &palo 42AC51C9482D0834CF488AF1389EC2D64AC71EAC
+creation_rules:
+    - path_regex: secrets/<machine>.yaml
+      key_groups:
+      - age:
+        - *palo
+        - $AGE_KEY
+
+EOF
+
+
+
+echo
+echo make sure you configure services.openssh.hostKeys | boxes -d shell
+
+cat <<EOF
+
+services.openssh.hostKeys = [
+  {
+    bits = 4096;
+    path = /etc/ssh/ssh_host_ed25519_key;
+    rounds = 100;
+    type = "ed25519";
+  }
+];
+
+
+EOF
+
+echo
+echo add this to your nixos-anywhere options | boxes -d shell
+
+cat <<EOF
+
+nixos-anywhere \\
+  --extra-files $EXTRA_FILES \\
+  --disk-encryption-keys <remote_path> $LUKS_KEY
+
+
+EOF