added cherry machine

This commit is contained in:
Ingolf Wagner 2023-12-17 16:17:28 +01:00
parent 88de00b897
commit fd80b9de3a
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
10 changed files with 30 additions and 100 deletions

View file

@ -1294,11 +1294,11 @@
"secrets": {
"flake": false,
"locked": {
"lastModified": 1702813900,
"narHash": "sha256-iW4thfqQUqm3A/nh9pwRUrIHsgavaS3A/pifynJmYkI=",
"lastModified": 1702824777,
"narHash": "sha256-Lsa6g03o8Qd35C9I48WZ7GFB3c8nQyHgrI7oGseMV98=",
"ref": "main",
"rev": "647d3f4ead533dc17be45504417acc4d1efe2d87",
"revCount": 56,
"rev": "fbe67abe5b5586d71f108a5214be28aeff49f4a3",
"revCount": 60,
"type": "git",
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
},

View file

@ -335,11 +335,8 @@
};
cherry = nixosConfigurationSetup {
name = "cherry";
host = "root@192.168.178.23";
modules = [
nixos-hardware.nixosModules.framework-13th-gen-intel
#retiolum.nixosModules.retiolum
#private_assets.nixosModules.jobrad
homeManagerModules
# { home-manager.users.root = import ./nixos/homes/root; }
{ home-manager.users.mainUser = import ./nixos/homes/palo; }

View file

@ -20,6 +20,11 @@
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
components.gui.enable = true;
components.mainUser.enable = true;
components.media.enable = true;

View file

@ -3,6 +3,11 @@
{ config, lib, ... }:
{
boot.supportedFilesystems = [ "zfs" ];
# head -c4 /dev/urandom | od -A none -t x4
networking.hostId = "59e38471";
services.zfs.autoSnapshot.enable = true;
# ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
# copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix
services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) ''
@ -37,6 +42,8 @@
content = {
type = "luks";
name = "root";
settings.allowDiscards = true;
passwordFile = "/tmp/secret.key";
content = {
type = "zfs";
pool = "zroot";
@ -64,6 +71,14 @@
compression = "lz4";
};
};
"store" = {
type = "zfs_fs";
mountpoint = "/nix/store";
options = {
mountpoint = "legacy";
compression = "lz4";
};
};
};
};
};

View file

@ -5,7 +5,8 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
@ -25,6 +26,4 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
}

View file

@ -2,14 +2,9 @@
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.27";
tinc.private.ipv4 = "10.23.42.29";
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.27";
# retiolum
#networking.retiolum.port = 720;
#sops.secrets.tinc_retiolum_ed25519_key = { };
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
tinc.secret.ipv4 = "10.123.42.29";
}

View file

@ -7,9 +7,4 @@
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.27";
# retiolum
#networking.retiolum.port = 720;
#sops.secrets.tinc_retiolum_ed25519_key = { };
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
}

View file

@ -42,7 +42,7 @@
# Machines should be fast by default
# ----------------------------------
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
powerManagement.cpuFreqGovernor = lib.mkOverride 1001 "ondemand";
# set vim to the default editor
# -----------------------------

View file

@ -1,76 +0,0 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p ssh-to-age ssh-to-age boxes
EXTRA_FILES=$( mktemp -d )
LUKS_KEY=$( mktemp )
SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key"
cat <<EOF | boxes -d ian_jones
- create ssh host keys
- create age key from ssh host key (for sops)
- create luks encryption key
EOF
# make sure you set
# services.openssh.hostKeys = [ { bits = 4096; path = /etc/ssh/ssh_host_ed25519_key; rounds = 100; type = "ed25519"; } ]
mkdir -p "$( dirname "$SSH_HOST_KEY")"
ssh-keygen -a 100 -q -N "" -t ed25519 -f "$SSH_HOST_KEY"
AGE_KEY=$( ssh-to-age < "$SSH_HOST_KEY.pub")
echo
echo
IFS= read -s -p 'LUKS Encryption Password please: ' password
echo -n "$password" > "$LUKS_KEY"
echo
echo
echo
cat <<EOF | boxes -d shell
put this in you .sops.yaml
and run sops updatekeys secrets/<machine>.yaml
EOF
cat <<EOF
keys:
- &palo 42AC51C9482D0834CF488AF1389EC2D64AC71EAC
creation_rules:
- path_regex: secrets/<machine>.yaml
key_groups:
- age:
- *palo
- $AGE_KEY
EOF
echo
echo make sure you configure services.openssh.hostKeys | boxes -d shell
cat <<EOF
services.openssh.hostKeys = [
{
bits = 4096;
path = /etc/ssh/ssh_host_ed25519_key;
rounds = 100;
type = "ed25519";
}
];
EOF
echo
echo add this to your nixos-anywhere options | boxes -d shell
cat <<EOF
nixos-anywhere \\
--extra-files $EXTRA_FILES \\
--disk-encryption-keys <remote_path> $LUKS_KEY
EOF