diff --git a/common/.sops.yaml b/common/.sops.yaml
index f2b9bc3..cffdf21 100644
--- a/common/.sops.yaml
+++ b/common/.sops.yaml
@@ -1,5 +1,6 @@
 keys:
 - &blitzar age1mc72my8whm2fm3wjg2ucvckx27dyp09urdgs9lpzqswl5pa5py8sfwszt9
+ - &comet age18e4ttr7k6r7j662a6pvgrvsptuhsvffq70z4westqs3gfx7804fq0ewfaa
 - ¯onova age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
 - &nebula age1vyq4xceveer87xt506yl59lh82dmeuagzlmnk87augfvqry7vqaq5hwy33
 - &singularity age15cp5p76q7vhwg9v8u98dpshrmtengghmm7yn5ckfk0yz694q3g6qajywwu
@@ -13,5 +14,6 @@ creation_rules:
 - path_regex: auths.yaml$
 key_groups:
 - age:
+ - *comet
 - *macronova
 - *singularity
diff --git a/common/auths.yaml b/common/auths.yaml
index eb8e364..25d2556 100644
--- a/common/auths.yaml
+++ b/common/auths.yaml
@@ -12,23 +12,32 @@ sops:
 azure_kv: []
 hc_vault: []
 age:
+ - recipient: age18e4ttr7k6r7j662a6pvgrvsptuhsvffq70z4westqs3gfx7804fq0ewfaa
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVnJ0T3dQM1g3UllYVTZN
+ bkhON2RRTElDMUtBaTFhRkpTWHorbnVOdkFRCjl5cWM2NmtPRzdlT1pRaXNmOXND
+ RTBlT3ZmYW1sQlkyOXRNek5BS0lySVUKLS0tIERKM201ZzFZZHgrZjVPQTA1SWh2
+ Y2ljQzNBQnhwdzlEZGJLVFZreWJkN3cK90kk2p+kOag2IaY0QWbiUVerfq18TNax
+ 4ashMrFV5trh0Uq+/9Nob2MqSTVbmIC3UtP4m7x1j1TzpDuT+nEzPA==
+ -----END AGE ENCRYPTED FILE-----
 - recipient: age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRDcyaExMVktDMjQ1dWZL
- VHUvYVNUWDV5UEpRVlAwMEdMVHRGMWRmQVUwCjI5VzBhY1RjQm9LeEtXbFpGK29p
- cm5icTg3OHp1QTZ4NnhSMGtmbHh6eTAKLS0tIDBrN00rSUxiLzFFMWNZSldESmxU
- b3hEc3lScGl3UTRGNjQvZTFQYzMzQncKr9RA+wl52Ul+BiTq+0UrSBrd0QrWsfNs
- fMiGMUrp+dxjBoG4S0oYJbXdoPJb+us4a+YZzsmraWbwbqph5vOXQg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cnJybjArb0ZtZkFyUjln
+ cDVGbVdJcFpRdVRUd1lkMkJuME5vS2tBZjFnCldXODdiaFQzb1JHZHJycUNtMUo5
+ L3E5c1VZL3lYOXZDVUxsaEMwcXJJRXMKLS0tIHlQcmVjcVBZcTFwV2dZM1UrWlN0
+ Q0hMWlVWSmtqa083dTBzT252UjRGMWMK0lxWqBpx0zvH6HkGjatBS4rv9/7+0ZLr
+ 5m0kWm9bOQXhpy26IljNnx4nbMSuSO/bmLnVIst62pLFkHq+SjoYAQ==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age15cp5p76q7vhwg9v8u98dpshrmtengghmm7yn5ckfk0yz694q3g6qajywwu
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUdCMmlmL3I1YUJYcDQ2
- Z0pyUTkzS0RMcGFvODBNUnNscGg3Ykp0WHpnCjQ1NnlWMXhtZnA3NUNiVXRFM05F
- Yk9Jb0lmRjVINXdBTVlpUVErODZlbFEKLS0tIDhheE9OSXJUcktMRGpaejRKOVNn
- ZW9EMlgrMnFHaHdQSWgvM25ocmNoVEkKo7H1Y+kZrtmk58Oe6d51wJQLF5T7OZtX
- 0LgNOjevRPfxG4FpNk9yhLyrelpHkiSmBFTGHqbnouFE54L1eot/UQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyYWxtTWxad0V6cklxZm8y
+ Wmh0dld6Y0FPRVU4Zk5pN1hsT1hRWmhha3gwCkFISjlEK1QxaVBPcVVPWXZmdk1m
+ Ymw1UHhveTN1R0VDdXJYRHNvczcxQTQKLS0tIFN1UDdqYXNGY29QS0pMYmJac055
+ VHRRUnRpQzE3L0V4OVpGM0krOW9KWVUK3c8IH6tD2f8WKFm+yeVF3hP/UFvr4n1/
+ rqTt3cILSurq62MjtzU/F4+FC9/Le5j1xlDh075EuH+M/ewm65POSw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2023-11-28T05:25:46Z"
 mac: ENC[AES256_GCM,data:e6p67apo/byZ1dNhvHqcbcUOnTFInoL9t2RGki8Wd114w+1IZxfPAmXzvoea3txXWnrvCuuZBVD+RglcWjbkvE54J8YfACgRN5+93NLWVVHrgbwL7WiI+W+rpzUqiWxByD72ee9rvG1dehAEAT0QEARVehIHpPK8F9/i/a3F+IA=,iv:rjtqpbKe4FyrX4RdVMwyqkCDMSP1rUaZoC9U9CAlzR0=,tag:4KSAB5eooNTdd/2ff9zL5Q==,type:str]
diff --git a/flake.nix b/flake.nix
index a08fe71..c0f1e10 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,7 @@
 ({ pkgs, ... }: {
 networking.hostName = instance;
 nix = {
+ binaryCaches = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];
 gc = {
 automatic = true;
 options = "--delete-older-than 30d";
diff --git a/linux/comet/configuration.nix b/linux/comet/configuration.nix
new file mode 100644
index 0000000..89a9cce
--- /dev/null
+++ b/linux/comet/configuration.nix
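Review bot: The three `enc` stanzas under `age:` are re-wrapped but the encrypted values themselves do not appear anywhere in the diff (this file's only hunk starts inside the `sops:` metadata at line 12), so the change grants the existing data key to `comet` rather than rotating it. That is the correct operation for adding a recipient, and it is worth recording in the commit message or as a comment next to the `auths.yaml` rule in `.sops.yaml` so the inverse is not done the same way: removing a recipient later must go through a data-key rotation (`sops --rotate`), since the old data key remains decryptable by every key it was ever wrapped to. I am inferring the unchanged values from the absence of a second hunk; confirm against the full file.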
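Review bot: `nix.binaryCaches` is the deprecated alias of `nix.settings.substituters`; on the nixpkgs this flake tracks (stateVersion 23.11 suggests a recent one) the rename module still forwards it but emits a warning at evaluation, so prefer `settings.substituters = [ "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ];`. The security-relevant part is what the hunk deliberately does not do: no `trusted-public-keys` entry is added, so store paths fetched from the mirror are still accepted only when they carry the default cache.nixos.org signature, which is exactly what a mirror should require. A comment such as `# mirror of cache.nixos.org: paths still verify against the default cache.nixos.org-1 key; do not add a trusted-public-keys entry for the mirror` would stop a later edit from trusting the mirror's own key. If I read the nix-daemon module right, the default cache.nixos.org entry is merged with mkAfter, so the mirror is queried first and upstream remains a fallback. The enclosing `nix = { ... }` set and the module function open inside the hunk and close outside it.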
@@ -0,0 +1,40 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ pkgs, ... }:
+
+{
+
+ # Configure boot loader
+ boot.loader = {
+ grub = let yorha = pkgs.yorha-grub-theme; in {
+ enable = true;
+ device = "nodev";
+ splashImage = "${yorha}/background.png";
+ theme = yorha;
+ };
+ timeout = 3;
+ };
+
+ # Change secrets file
+ constants.sopsFile = ../../common/auths.yaml;
+
+ # Disable sudo password
+ security.sudo.wheelNeedsPassword = false;
+
+ # Set time zone.
+ time.timeZone = "Asia/Shanghai";
+
+ # Enable zram
+ zramSwap.enable = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
diff --git a/linux/comet/default.nix b/linux/comet/default.nix
new file mode 100644
index 0000000..8b64bba
--- /dev/null
+++ b/linux/comet/default.nix
@@ -0,0 +1,14 @@
+{ inputs, ... }:
+
+ {
+ imports = with inputs; [
+ disko.nixosModules.disko
+ hardware.nixosModules.common-cpu-intel
+ ] ++ [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./network.nix
+ ./tailscale.nix
+ ../../common
+ ];
+}
diff --git a/linux/comet/hardware-configuration.nix b/linux/comet/hardware-configuration.nix
new file mode 100644
index 0000000..ca06acd
--- /dev/null
+++ b/linux/comet/hardware-configuration.nix
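Review bot: `security.sudo.wheelNeedsPassword = false;` removes the only interactive check between a login and root on this host; with network.nix turning off SSH password and keyboard-interactive auth, possession of any wheel user's private key is equivalent to root, and the hunk does not record why that trade-off is acceptable. The comment `# Disable sudo password` should carry the reason, e.g. `# Disable sudo password: unattended host, wheel members are deploy identities only`, and if a single automation user is all that needs it, a `security.sudo.extraRules` entry scoped to that user is narrower than the whole wheel group. Separately, `boot.loader.grub.device = "nodev"` is paired with neither `efiSupport = true` nor an install target; if this machine boots UEFI (the vfat `/boot` in hardware-configuration.nix suggests it) and `../../common` does not set `efiSupport`, the GRUB EFI image is never installed, so confirm before the first deploy.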
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "uas" "sd_mod" "sdhci_acpi" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/9f65c4b3-1c87-42a0-8c1d-f3c1ff2e71b1";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/1C5A-E5B5";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/linux/comet/network.nix b/linux/comet/network.nix
new file mode 100644
index 0000000..9e01630
--- /dev/null
+++ b/linux/comet/network.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+
+let hn = config.networking.hostName; in {
+ networking = {
+ domain = config.constants.domain;
+ firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ hostId = "3ddd2ad2";
+ nftables.enable = true;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ hostKeys = [{
+ comment = "host@${hn}";
+ path = "/etc/ssh/host";
+ rounds = 100;
+ type = "ed25519";
+ }];
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+ resolved.enable = true;
+ };
+}
diff --git a/linux/comet/tailscale.nix b/linux/comet/tailscale.nix
new file mode 100644
index 0000000..bc7601f
--- /dev/null
+++ b/linux/comet/tailscale.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ services.tailscale = {
+ enable = true;
+ port = 12765;
+ useRoutingFeatures = "both";
+ };
+}
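Review bot: `services.openssh.openFirewall` is left at its default of true, so port 22 is opened on every interface and not only on the Tailscale interface that `firewall.trustedInterfaces` already admits; if comet is meant to be reached over the tailnet only, add `openFirewall = false;` beside `enable = true;` and SSH stays reachable through the trusted interface while the public side closes. `trustedInterfaces` is itself a broad grant — every listening port on the host becomes reachable from every tailnet peer — which is a reasonable choice for a small personal tailnet but deserves a comment saying so. Disabling both `PasswordAuthentication` and `KbdInteractiveAuthentication` is the right pair and matches the key-only model the rest of the host assumes.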
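Review bot: `useRoutingFeatures = "both"` turns on kernel IP forwarding on this host (the "server" half of that option), yet nothing in the new host files advertises routes or an exit node, so either the forwarding sysctls are unused or the advertisement happens out of band in `tailscale up`; a comment naming which would help. If comet only consumes subnet routes or exit nodes, `useRoutingFeatures = "client";` provides that without making the box a forwarder, which matters here because network.nix trusts the Tailscale interface entirely. The fixed `port = 12765;` is fine but undocumented; one line saying whether that port is opened on the upstream firewall, or intentionally relies on NAT traversal, saves a later guess.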