added cherry machine
This commit is contained in:
parent
88de00b897
commit
fd80b9de3a
10 changed files with 30 additions and 100 deletions
|
@ -1294,11 +1294,11 @@
|
|||
"secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1702813900,
|
||||
"narHash": "sha256-iW4thfqQUqm3A/nh9pwRUrIHsgavaS3A/pifynJmYkI=",
|
||||
"lastModified": 1702824777,
|
||||
"narHash": "sha256-Lsa6g03o8Qd35C9I48WZ7GFB3c8nQyHgrI7oGseMV98=",
|
||||
"ref": "main",
|
||||
"rev": "647d3f4ead533dc17be45504417acc4d1efe2d87",
|
||||
"revCount": 56,
|
||||
"rev": "fbe67abe5b5586d71f108a5214be28aeff49f4a3",
|
||||
"revCount": 60,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
|
||||
},
|
||||
|
|
|
@ -335,11 +335,8 @@
|
|||
};
|
||||
cherry = nixosConfigurationSetup {
|
||||
name = "cherry";
|
||||
host = "root@192.168.178.23";
|
||||
modules = [
|
||||
nixos-hardware.nixosModules.framework-13th-gen-intel
|
||||
#retiolum.nixosModules.retiolum
|
||||
#private_assets.nixosModules.jobrad
|
||||
homeManagerModules
|
||||
# { home-manager.users.root = import ./nixos/homes/root; }
|
||||
{ home-manager.users.mainUser = import ./nixos/homes/palo; }
|
||||
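Review bot: Three entries in the new `cherry` module list are commented out (`#retiolum.nixosModules.retiolum`, `#private_assets.nixosModules.jobrad` and the `home-manager.users.root` line) with no reason given, so a reader cannot tell whether they are pending, deliberately disabled for this host, or leftovers from whichever machine block this was modelled on. Either drop them or attach a one-line reason to each, e.g. `# retiolum: not yet provisioned for cherry`. The `nixosConfigurationSetup` attribute set continues outside the hunk.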
|
|
|
@ -20,6 +20,11 @@
|
|||
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
|
||||
|
||||
|
||||
components.gui.enable = true;
|
||||
components.mainUser.enable = true;
|
||||
components.media.enable = true;
|
||||
|
|
|
@ -3,6 +3,11 @@
|
|||
{ config, lib, ... }:
|
||||
{
|
||||
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
# head -c4 /dev/urandom | od -A none -t x4
|
||||
networking.hostId = "59e38471";
|
||||
services.zfs.autoSnapshot.enable = true;
|
||||
|
||||
# ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
|
||||
# copied from : https://github.com/numtide/srvos/blob/main/nixos/common/zfs.nix
|
||||
services.udev.extraRules = lib.optionalString (config.boot.zfs.enabled) ''
|
||||
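Review bot: `networking.hostId = "59e38471";` is a per-machine value that ZFS ties pool ownership to, but the comment above it records only the generation command, not that the value must differ from every other host in this repository; a copied module with the same hostId would not be caught at evaluation time. Suggest expanding the comment to `# per-machine, never share: head -c4 /dev/urandom | od -A none -t x4`. Which of these lines are the five additions is not visible from the rendering, so this may apply to pre-existing text; the `services.udev.extraRules` string continues outside the hunk.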
|
@ -37,6 +42,8 @@
|
|||
content = {
|
||||
type = "luks";
|
||||
name = "root";
|
||||
settings.allowDiscards = true;
|
||||
passwordFile = "/tmp/secret.key";
|
||||
content = {
|
||||
type = "zfs";
|
||||
pool = "zroot";
|
||||
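Review bot: `settings.allowDiscards = true;` on the LUKS container is a confidentiality trade-off — passing TRIM through exposes which blocks of the encrypted device are unused to anyone who can read the raw disk — and the hunk records no reason for accepting it. Worth a comment on the line, e.g. `# TRIM passthrough: reveals free-block layout of the encrypted device; accepted for SSD lifetime`. `passwordFile = "/tmp/secret.key"` presumably names the key the installer places during provisioning rather than a file on the running system; a comment saying where it comes from would help, since the bootstrap script that used to hold that procedure is deleted in this commit. The `content` block continues outside the hunk.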
|
@ -64,6 +71,14 @@
|
|||
compression = "lz4";
|
||||
};
|
||||
};
|
||||
"store" = {
|
||||
type = "zfs_fs";
|
||||
mountpoint = "/nix/store";
|
||||
options = {
|
||||
mountpoint = "legacy";
|
||||
compression = "lz4";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
|
||||
|
@ -25,6 +26,4 @@
|
|||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
# high-resolution display
|
||||
hardware.video.hidpi.enable = lib.mkDefault true;
|
||||
}
|
||||
|
|
|
@ -2,14 +2,9 @@
|
|||
{
|
||||
|
||||
tinc.private.enable = true;
|
||||
tinc.private.ipv4 = "10.23.42.27";
|
||||
tinc.private.ipv4 = "10.23.42.29";
|
||||
|
||||
tinc.secret.enable = true;
|
||||
tinc.secret.ipv4 = "10.123.42.27";
|
||||
|
||||
# retiolum
|
||||
#networking.retiolum.port = 720;
|
||||
#sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
|
||||
tinc.secret.ipv4 = "10.123.42.29";
|
||||
|
||||
}
|
||||
|
|
|
@ -7,9 +7,4 @@
|
|||
tinc.secret.enable = true;
|
||||
tinc.secret.ipv4 = "10.123.42.27";
|
||||
|
||||
# retiolum
|
||||
#networking.retiolum.port = 720;
|
||||
#sops.secrets.tinc_retiolum_ed25519_key = { };
|
||||
#services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
|
||||
|
||||
}
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
|
||||
# Machines should be fast by default
|
||||
# ----------------------------------
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||
powerManagement.cpuFreqGovernor = lib.mkOverride 1001 "ondemand";
|
||||
|
||||
# set vim to the default editor
|
||||
# -----------------------------
|
||||
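Review bot: The switch from `lib.mkDefault` to `lib.mkOverride 1001` encodes a priority relationship that is invisible at the call site: 1001 is one step weaker than `mkDefault` (1000), so a per-machine `mkDefault` for `cpuFreqGovernor` now wins instead of producing a definition conflict. That intent deserves a comment, e.g. `# 1001 is weaker than mkDefault (1000): a machine's hardware-configuration.nix may override this without a conflict`. Presumably this is what allowed the `powersave` mkDefault to be removed elsewhere in this commit; if so, say so here rather than leaving readers to reconstruct it.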
|
|
|
@ -1,76 +0,0 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#! nix-shell -i bash -p ssh-to-age ssh-to-age boxes
|
||||
|
||||
EXTRA_FILES=$( mktemp -d )
|
||||
LUKS_KEY=$( mktemp )
|
||||
SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key"
|
||||
|
||||
cat <<EOF | boxes -d ian_jones
|
||||
- create ssh host keys
|
||||
- create age key from ssh host key (for sops)
|
||||
- create luks encryption key
|
||||
EOF
|
||||
|
||||
# make sure you set
|
||||
# services.openssh.hostKeys = [ { bits = 4096; path = /etc/ssh/ssh_host_ed25519_key; rounds = 100; type = "ed25519"; } ]
|
||||
mkdir -p "$( dirname "$SSH_HOST_KEY")"
|
||||
ssh-keygen -a 100 -q -N "" -t ed25519 -f "$SSH_HOST_KEY"
|
||||
AGE_KEY=$( ssh-to-age < "$SSH_HOST_KEY.pub")
|
||||
|
||||
echo
|
||||
echo
|
||||
IFS= read -s -p 'LUKS Encryption Password please: ' password
|
||||
echo -n "$password" > "$LUKS_KEY"
|
||||
echo
|
||||
echo
|
||||
echo
|
||||
|
||||
|
||||
cat <<EOF | boxes -d shell
|
||||
put this in you .sops.yaml
|
||||
and run sops updatekeys secrets/<machine>.yaml
|
||||
EOF
|
||||
|
||||
cat <<EOF
|
||||
|
||||
keys:
|
||||
- &palo 42AC51C9482D0834CF488AF1389EC2D64AC71EAC
|
||||
creation_rules:
|
||||
- path_regex: secrets/<machine>.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *palo
|
||||
- $AGE_KEY
|
||||
|
||||
EOF
|
||||
|
||||
|
||||
|
||||
echo
|
||||
echo make sure you configure services.openssh.hostKeys | boxes -d shell
|
||||
|
||||
cat <<EOF
|
||||
|
||||
services.openssh.hostKeys = [
|
||||
{
|
||||
bits = 4096;
|
||||
path = /etc/ssh/ssh_host_ed25519_key;
|
||||
rounds = 100;
|
||||
type = "ed25519";
|
||||
}
|
||||
];
|
||||
|
||||
|
||||
EOF
|
||||
|
||||
echo
|
||||
echo add this to your nixos-anywhere options | boxes -d shell
|
||||
|
||||
cat <<EOF
|
||||
|
||||
nixos-anywhere \\
|
||||
--extra-files $EXTRA_FILES \\
|
||||
--disk-encryption-keys <remote_path> $LUKS_KEY
|
||||
|
||||
|
||||
EOF
|