From 37fa6c9f059f88f9543b5b6414ea8d211fd24976 Mon Sep 17 00:00:00 2001 From: Squibid Date: Tue, 25 Nov 2025 10:25:47 -0500 Subject: [PATCH 01/15] more secure servers --- flake.nix | 1 + modules/server.nix | 20 ++++++++++++++++++++ modules/ssh.nix | 7 ++++++- 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 modules/server.nix diff --git a/flake.nix b/flake.nix index c26540a..074a76f 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,7 @@ # I've put these all here so that it's easier to see what's being # imported by default ./modules/os.nix + ./modules/server.nix ./modules/ssh.nix ./modules/time.nix ./modules/pkgs.nix diff --git a/modules/server.nix b/modules/server.nix new file mode 100644 index 0000000..09ad9ab --- /dev/null +++ b/modules/server.nix @@ -0,0 +1,20 @@ +# Most of this has been yoinked from nix-community/srvos, the only reason I'm +# not using it is because I want absolute control over my nix settings and using +# it would mean I would have to disable options that they enabled +{ + # Given that our systems are headless, emergency mode is useless. + # We prefer the system to attempt to continue booting so + # that we can hopefully still access it remotely. + systemd.enableEmergencyMode = false; + + # No need for fonts on a server + fonts.fontconfig.enable = false; + + # Ensure that basic bugs in systemd services are caught. + systemd.enableStrictShellChecks = true; + + # Make builds to be more likely killed than important services. + # 100 is the default for user slices and 500 is systemd-coredumpd@ + # We rather want a build to be killed than our precious user sessions as builds can be easily restarted. + systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250; +} diff --git a/modules/ssh.nix b/modules/ssh.nix index a04ab33..bd618bf 100644 --- a/modules/ssh.nix +++ b/modules/ssh.nix 
@@ -20,7 +20,12 @@ services.sshguard.enable = true; services.openssh = { enable = true; - settings.PasswordAuthentication = false; + settings = { + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + UseDns = false; + X11Forwarding = false; + }; }; users.users.root.openssh.authorizedKeys.keys = config.ssh.keys; From 469f4dcd438475584db57c911574a48c9db5e837 Mon Sep 17 00:00:00 2001 From: Squibid Date: Tue, 25 Nov 2025 10:28:33 -0500 Subject: [PATCH 02/15] add some terminfo to make sshing much easier --- modules/pkgs.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/pkgs.nix b/modules/pkgs.nix index 59d3a48..25f7b12 100644 --- a/modules/pkgs.nix +++ b/modules/pkgs.nix @@ -11,6 +11,12 @@ tree unzip zmotd + + # mmmm terminfo + foot.terminfo + ghostty.terminfo + kitty.terminfo + termite.terminfo ]; security.sudo.execWheelOnly = true; From d28ec06ae94bde5b2a724e96e184e3549f38bbd3 Mon Sep 17 00:00:00 2001 From: Squibid Date: Tue, 25 Nov 2025 10:42:04 -0500 Subject: [PATCH 03/15] deploy-rs + nixos-anywhere --- .sops.yaml | 6 +- Makefile | 24 +++-- flake.lock | 93 ++++++++++++++++++++ flake.nix | 27 ++++++ hosts/blobercraft/default.nix | 6 +- hosts/blobercraft/disko.nix | 36 ++++++++ hosts/blobercraft/hardware-configuration.nix | 13 --- modules/os.nix | 1 + 8 files changed, 182 insertions(+), 24 deletions(-) create mode 100644 hosts/blobercraft/disko.nix diff --git a/.sops.yaml b/.sops.yaml index 9ad1fd3..c85cd92 100644 --- a/.sops.yaml +++ b/.sops.yaml 
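Review bot: `PermitRootLogin` is left at the NixOS default while the last line of the hunk, `users.users.root.openssh.authorizedKeys.keys = config.ssh.keys;`, keeps root reachable over SSH with the shared key set. Since the new `settings` block now spells out the authentication surface, add `PermitRootLogin = "prohibit-password";` beside `PasswordAuthentication = false;` so the root policy is pinned in the same place instead of depending on the upstream default. If root SSH exists only so deploy-rs can activate as `user = "root"` (PATCH 03/15 on this page), a comment on the root line saying so would let a later reader remove it when that changes.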
@@ -9,9 +9,9 @@ keys: - &users: - &dev age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c - &hosts: - - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 - - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv - - &blobercraft age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh + - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 + - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv + - &blobercraft age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh creation_rules: - path_regex: secrets.yaml$ key_groups: diff --git a/Makefile b/Makefile index 45bd70b..5b88ecc 100644 --- a/Makefile +++ b/Makefile 
@@ -1,25 +1,35 @@ IP ?= HOST ?= -deploy: - # push flake config to a remote server +init: ifeq ($(IP),) $(error IP not set) endif ifeq ($(HOST),) $(error HOST not set) endif + nix run github:nix-community/nixos-anywhere -- --flake .#$(HOST) --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix --target-host nixos@$(IP) + +deploy: + # no impurity allowed ifneq ($(shell git diff),) git add . git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" endif - rsync -azr ./ crown@$(IP):~/flake-config - ssh crown@$(IP) "sudo NIX_CONFIG='experimental-features = flakes pipe-operators' nixos-rebuild switch --flake ~/flake-config#$(HOST)" + # push flake config to a remote server(s) + nix run github:serokell/deploy-rs . sops: - # update sops keys + # For setting up a new host: to generate a sops key from an existing ssh key + # just run `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age` and then add + # that to the .sops.yaml file sops updatekeys secrets.yaml .DEFAULT_GOAL := default -.PHONY: default deploy sops +.PHONY: default deploy init sops default: - # noop + # This is my tiny makefile to create new machines and update existing ones + # it requires you to have nix and sops installed to correctly setup a new + # system and nix to deploy to an existing one. + # + # I'm not using just cause I've already got make installed everywhere and I + # know how to use it. diff --git a/flake.lock b/flake.lock index 16d09e0..a294fa1 100644 --- a/flake.lock +++ b/flake.lock 
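Review bot: `nix run github:nix-community/nixos-anywhere -- …` in `init` and `nix run github:serokell/deploy-rs .` in `deploy` resolve the unlocked branch head on every invocation, while this same patch pins deploy-rs in flake.lock at rev `9c870f63e28ec1e83305f7f6cb73c941e699f74f`; the runner and the flake's `deploy-rs.lib` can therefore drift apart, and the fetch sits outside the lockfile's integrity guarantee. Pin the ref to the locked revision, e.g. `nix run github:serokell/deploy-rs/9c870f63e28ec1e83305f7f6cb73c941e699f74f .`, or expose the locked input's package through the flake instead of re-fetching it. The same unpinned invocations are carried over into shell.nix's `-init` and `-deploy` scripts in PATCH 04/15. Separately, `git add .` in `deploy` stages every untracked file in the working tree once any tracked change exists, so a stray decrypted secret or scratch file becomes part of the flake source that is copied into the world-readable Nix store on each target; `git add -u` limits the auto-commit to tracked files, which also matches the `git diff` guard above it, and the same applies to the `-deploy` script in PATCH 04/15 and the `-commit` script in PATCH 12/15.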
@@ -22,6 +22,64 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1762286984, + "narHash": "sha256-9I2H9x5We6Pl+DBYHjR1s3UT8wgwcpAH03kn9CqtdQc=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "9c870f63e28ec1e83305f7f6cb73c941e699f74f", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1764017209, + "narHash": "sha256-RoJGCtKExXXkNCZUmmxezG3eOczEOTBw38DaZGSYJC0=", + "owner": "nix-community", + "repo": "disko", + "rev": "ec8eabe00c4ee9a2ddc50162c125f0ec2a7099e1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "nid": { "inputs": { "nixpkgs": [ @@ -60,6 +118,8 @@ "root": { "inputs": { "declarative-jellyfin": "declarative-jellyfin", + "deploy-rs": "deploy-rs", + "disko": "disko", "nid": "nid", "nixpkgs": "nixpkgs", "sops-nix": "sops-nix", @@ -100,6 +160,21 @@ "type": "indirect" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -135,6 +210,24 @@ "ref": "nixos-unstable", "type": "indirect" } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 074a76f..c04931b 100644 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,12 @@ declarative-jellyfin.url = "github:Sveske-Juice/declarative-jellyfin"; declarative-jellyfin.inputs.nixpkgs.follows = "nixpkgs"; + + deploy-rs.url = "github:serokell/deploy-rs"; + deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, unstable, ... }@inputs: let base = [ @@ -34,6 +40,8 @@ # use comma just in case I need to do some sysadmin stuff inputs.nid.nixosModules.nix-index { programs.nix-index-database.comma.enable = true; } + # disko for completly declarative machines + inputs.disko.nixosModules.disko ]; # ts so DRY it makes me wanna cry @@ -47,11 +55,30 @@ ] ++ modules; } )) <| hosts; + + mkNodes = nodes: + (builtins.mapAttrs (name: options: + nixpkgs.lib.attrsets.recursiveUpdate { + hostname = name; + profiles.system = { + user = "root"; + sshUser = "crown"; + path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${name}; + }; + } options + )) <| nodes; in { # define all of my machines nixosConfigurations = mkHosts { blobercraft = []; crayon = []; }; + + # and where they get deployed to + deploy.nodes = mkNodes { + crayon = { hostname = "squi.bid"; }; + }; + + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; }; } 
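Review bot: `path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos …` inside `mkNodes` hard-codes the system, while `checks` on the last line of the hunk maps over every system in `inputs.deploy-rs.lib`; the two disagree as soon as a non-x86 node is added. Deriving it from the node being built, `path = inputs.deploy-rs.lib.${self.nixosConfigurations.${name}.pkgs.stdenv.hostPlatform.system}.activate.nixos self.nixosConfigurations.${name};`, keeps them consistent. The `sshUser = "crown"` / `user = "root"` pair also means activation relies on that user escalating to root without a prompt on every node; a one-line comment stating that prerequisite next to `profiles.system` would save a failed first deploy.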
diff --git a/hosts/blobercraft/default.nix b/hosts/blobercraft/default.nix index 07474e3..5c2ca18 100644 --- a/hosts/blobercraft/default.nix +++ b/hosts/blobercraft/default.nix @@ -1,6 +1,10 @@ -{ ... }: +{ modulesPath, ... }: { imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + ./disko.nix + ./hardware-configuration.nix # Include the results of the hardware scan. ./jellyfin.nix ./minecraft.nix diff --git a/hosts/blobercraft/disko.nix b/hosts/blobercraft/disko.nix new file mode 100644 index 0000000..b6dd767 --- /dev/null +++ b/hosts/blobercraft/disko.nix @@ -0,0 +1,36 @@ +{ lib, ... }: +{ + disko.devices = { + disk.main = { + device = lib.mkDefault "/dev/sda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/blobercraft/hardware-configuration.nix b/hosts/blobercraft/hardware-configuration.nix index 1e3ab01..87a58d7 100644 --- a/hosts/blobercraft/hardware-configuration.nix +++ b/hosts/blobercraft/hardware-configuration.nix 
@@ -13,19 +13,6 @@ boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/59b4c37b-b8c6-4b95-96af-e343161381bb"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/E8A3-780D"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/modules/os.nix b/modules/os.nix index 5b49310..e30e6df 100644 --- a/modules/os.nix +++ b/modules/os.nix @@ -4,6 +4,7 @@ settings = { experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; auto-optimise-store = true; + trusted-users = [ "@wheel" ]; }; gc = { dates = "weekly"; From 8e5d21527520d777888dfab9d1d7dc255480ee30 Mon Sep 17 00:00:00 2001 From: Squibid Date: Tue, 25 Nov 2025 15:24:59 -0500 Subject: [PATCH 04/15] fancy new runner --- .sops.yaml | 12 +++++++- Makefile | 35 ---------------------- flake.nix | 7 ++++- secrets.yaml | 39 ++++++++++-------------- shell.nix | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 117 insertions(+), 61 deletions(-) delete mode 100644 Makefile create mode 100644 shell.nix diff --git a/.sops.yaml b/.sops.yaml index c85cd92..1d859f9 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,7 +11,12 @@ keys: - &hosts: - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv - - &blobercraft age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh + - &blobercraft + - &blobercraft + - &blobercraft + - &blobercraft + - &blobercraft + # new-host marker creation_rules: - path_regex: secrets.yaml$ key_groups: 
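Review bot: `trusted-users = [ "@wheel" ];` grants every wheel member the ability to push unsigned store paths and set arbitrary daemon options such as substituters and sandboxing, which the Nix manual describes as effectively root, and the hunk carries no comment on why that is needed. The reason appears to be deploy-rs copying closures as `sshUser = "crown"` (flake.nix in this patch), so narrowing it to that account and saying so — `# deploy-rs copies closures as this user; trusted-users is root-equivalent on the daemon` above `trusted-users = [ "crown" ];` — keeps the grant bounded to the deploy path rather than every future wheel member. Wheel already has sudo via `security.sudo.execWheelOnly` (modules/pkgs.nix, PATCH 02/15), so the practical widening is small today, but the explicit list documents the dependency.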
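Review bot: The five `- &blobercraft` entries added under `&hosts:` carry no age key and redefine the same YAML anchor, and the matching `- *blobercraft` aliases in the second hunk reference that empty anchor; `sops updatekeys` cannot encrypt to a null recipient, so this file is broken as committed (PATCH 11/15 later strips these lines). This looks like the output of the `-init` script's `sed -i '/# new-host marker/i …'` in shell.nix from this same patch, which inserts unconditionally on every run. The committed file should hold a single `- &blobercraft <age recipient, placeholder>` line, and the two marker comments deserve a note on their contract, e.g. `# new-host marker: -init inserts the next host's age key above this line; keep it last`.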
@@ -20,3 +25,8 @@ creation_rules: - *dev-vm - *crayon - *blobercraft + - *blobercraft + - *blobercraft + - *blobercraft + - *blobercraft + # new-host ptr marker diff --git a/Makefile b/Makefile deleted file mode 100644 index 5b88ecc..0000000 --- a/Makefile +++ /dev/null @@ -1,35 +0,0 @@ -IP ?= -HOST ?= -init: -ifeq ($(IP),) - $(error IP not set) -endif -ifeq ($(HOST),) - $(error HOST not set) -endif - nix run github:nix-community/nixos-anywhere -- --flake .#$(HOST) --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix --target-host nixos@$(IP) - -deploy: - # no impurity allowed -ifneq ($(shell git diff),) - git add . - git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" -endif - # push flake config to a remote server(s) - nix run github:serokell/deploy-rs . - -sops: - # For setting up a new host: to generate a sops key from an existing ssh key - # just run `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age` and then add - # that to the .sops.yaml file - sops updatekeys secrets.yaml - -.DEFAULT_GOAL := default -.PHONY: default deploy init sops -default: - # This is my tiny makefile to create new machines and update existing ones - # it requires you to have nix and sops installed to correctly setup a new - # system and nix to deploy to an existing one. - # - # I'm not using just cause I've already got make installed everywhere and I - # know how to use it. diff --git a/flake.nix b/flake.nix index c04931b..473f42d 100644 --- a/flake.nix +++ b/flake.nix @@ -63,7 +63,7 @@ profiles.system = { user = "root"; sshUser = "crown"; - path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${name}; + path = inputs.deploy-rs.lib."x86_64-linux".activate.nixos self.nixosConfigurations.${name}; }; } options )) <| nodes; 
@@ -79,6 +79,11 @@ crayon = { hostname = "squi.bid"; }; }; + # dev shell to deploy this flake + devShells."x86_64-linux".default = builtins.import ./shell.nix { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + }; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; }; } diff --git a/secrets.yaml b/secrets.yaml index fe10e0e..2b4befe 100644 --- a/secrets.yaml +++ b/secrets.yaml 
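Review bot: The `devShells."x86_64-linux".default` import passes only `pkgs` into shell.nix, so the scripts defined there cannot reach the `deploy-rs` input this flake locks and fall back to `nix run github:serokell/deploy-rs .`, which the script's own comment admits has to match the flake's version. Passing the locked package through the argument set — `builtins.import ./shell.nix { pkgs = nixpkgs.legacyPackages."x86_64-linux"; deploy-rs = inputs.deploy-rs.packages."x86_64-linux".deploy-rs; }` (the attribute name under the input's `packages` output should be confirmed) — and adding it to `nativeBuildInputs` ties the runner to flake.lock. The `"x86_64-linux"` string is now repeated for `mkNodes`, the dev shell and `legacyPackages`; a single `system` binding in the flake's `let` block would remove the duplication.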
@@ -13,38 +13,29 @@ sops: - recipient: age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT0IxYjhWWkZadnVmcGpz - VXB5U2VvTFllYWhJTkNwQmxsWkxEL2drRHcwCksrMGs4SVZoL1pJNU00TUZBeU5V - UFBRcnRFdTlxUjgvcVpSelZIU0NyVWsKLS0tICtnZm8rYnB5cWhIUVBmQzQxSWIr - M29ZRHIwNGZSdi9LYmp5d2xyTWdmRDgKhs6COQa3Vmosiwv7I/IjvYr10Mx83V6z - W2d8PPTHBlRMqPcghpG2UOFsygzP8Y6UlMpCgt25vnFLUwCPlo7ERA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOWlGajE0Q0FQclZUdUJ2 + RjNUcVBuckZpT1FrbzJaaFcyNXgrTklub0V3ClNIZHpyWVlmVUExK0phNlRIOCtl + ajhPR1M1eERIclhiWEpRelFQRi94em8KLS0tIG1wdVlmbis3OXcxOXRBbFp6b0Nw + QzEyaWIrdVlpcHRHSmpZQkhjN2U3OGcKXRTscSq9D73awM2CLbst8KHPXs3WFXBy + rM8W40zgn6wDPjy2XxB54qZg9hnsBGdAtNnY5PInjMJ5F17lgSdXaw== -----END AGE ENCRYPTED FILE----- - recipient: age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMUFJY2RjSHcrS2Foa2Fo - dUJMSmpEL0NEN1BLYlZDNlA3aUQyQUNkYWxnCnNmV0ZpWTA0ZHUrUEtBV3MyZ3U1 - SitYaVFBZklaZ282K2plYUhlVjRVWGMKLS0tIGlOZENMbURDMWR5VEFIVEdyV3k5 - S3hQemRLNFd6eDlQY3pvUlkzUVhRUlUKHvdPyCCb0I825u9Hx+Fz+W9ESM2Gxy+N - lUsxP/ngAnG52MSrxxU33PG4TXSvaaYzuGP7gOQF6hB9U79inWzFzg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaVFIaWllNU0xR0ZHQWtZ + T2tsK0dkQVlTL0N6Z0UvYlRKallXeTFVbDJNCis4UWtSZ0tCZHp2aXBDaDFTeUJu + TWFPdlRJUFRCb3E1UWdmUUhGOU5BS0kKLS0tIEFEWVBzNUxDTzhCSndKZ0JxSFlo + K2ZVekRCeXVtL0FhbmpYc0dEQmo2NjAKKSg1/XSIAoVMHsnkMJHSGTzmX8eQYp77 + hGjx4T26UxwTK8KJ8KKPFI5KWiIHzP/HHTeiJb4IhJ5G+z/npttZIA== -----END AGE ENCRYPTED FILE----- - recipient: age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYTkvaldVWUk1TC94REEr - OHNiUHlqN0l3QWFJbjZ6anZpVTN5OGtibGtNCm9DcVJ6SktQeEFWU2REU0dpRjZu - WnBBaDMrbnRNaVhtR3BqdjVkc2tpZEEKLS0tIHRVdW8yL1JmcDVrVkNaa2lNN2h5 - 
Y0gxSjYrY3gydnBseEVlQTBSSEtJSVEKH4v1Q9kKQaj5vdV9mW2Rsl/GUbq1h/m9 - iy6BPmjC9GNtTBJ8VuvkQSvPLD+dsMwYqhmSbTQgDpRP3sQ4a6rWkA== - -----END AGE ENCRYPTED FILE----- - - recipient: age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcWVDbmhhc1FHRG5WOTEz - emp4Rm9YMlA3aXUvMnpDWElqRElzQjdlMzNRCjducWdqQzliZjkzaWtGdEdUbk9u - MlBCL0lqdWs4TVo0RW9ham5mTExTSzQKLS0tICtJWk15NG9yMWwyVjF6SE1weWFF - NmlybmxKYlJESGxJbFdCazZUKzVjYmMK56j3+CuRfZsbVeYfmESlD2z6GYzIFQYz - f/jpI+8CteDlxbGuUvW10hD7lB8az2+Z+MQX2+koy3PZBkGChPh/Yg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlV1J2bjl2K21WUlpyLzQw + amNRajFuNEFOOTJUdUFmdzBzK29hbFhnL2dRCml4OVZoS1llSVRoa216aWlvR0R3 + cjgyS0pibnQ2SHBBcVlZeXo1MmVNV0UKLS0tIEh3bGt3WnVqYlVwSlI5SUJheU9z + MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN + R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-09T02:00:10Z" mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str] diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..8147204 --- /dev/null +++ b/shell.nix 
@@ -0,0 +1,85 @@ +{ + pkgs ? + # If pkgs is not defined, instantiate nixpkgs from locked commit + # yoinked from (github.com/EmergentMind/nix-config) + let + lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked; + nixpkgs = builtins.fetchTarball { + url = "https://github.com/${lock.owner}/${lock.repo}/archive/${lock.rev}.tar.gz"; + sha256 = lock.narHash; + }; + in + builtins.import nixpkgs { overlays = [ ]; }, + ... +}: +pkgs.mkShell { + nativeBuildInputs = with pkgs.buildPackages; [ + git + openssh + ssh-to-age + nixos-anywhere + + (pkgs.writeShellScriptBin "-sops" "sops updatekeys secrets.yaml") + + (pkgs.writeShellScriptBin "-init" '' + USER="root" + if [ -z "$1" ] || [ -z "$2" ]; then + echo "the 1st argument must be the ip address" + echo "the 2nd argument must be the new hostname (the nix flake host)" + echo "the 3rd argument may be the user to ssh with if unset the default is root" + exit 0 + fi + + IP=$1 + HOST=$2 + if [ -n "$3" ]; then + USER=$3 + fi + + # get the remote systems ssh key + key=$(ssh $(USER)@$(IP) 'cat /etc/ssh/ssh_host_ed25519_key.pub' | ssh-to-age) + if [ -z "$key" ]; then + echo "failed to get the remote systems ssh pubkey" + exit 1 + fi + + # add the new sops key to the .sops.yaml + sed -i '/# new-host marker/i\ - &$(HOST) $(key)' .sops.yaml + sed -i '/# new-host ptr marker/i\ - *$(HOST)' .sops.yaml + + # update the keys + sops updatekeys secrets.yaml + + # push the flake to the remote system + nixos-anywhere --\ + --flake .#$(HOST)\ + --build-on remote\ + --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix\ + --target-host $(USER)@$(IP) + '') + + (pkgs.writeShellScriptBin "-deploy" '' + # there shall be no impurity + if [ -n "$(git diff)" ]; then + git add . + git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" + fi + + # push flake config to a remote server(s) + nix run github:serokell/deploy-rs . 
# this needs to be the same version that the flake is using + '') + ]; + + shellHook = '' + cat << EOF + # This is my tiny nix shell to create new machines and update existing ones + # it requires you to have nix and sops installed to correctly setup a new + # system and nix to deploy to an existing one. + # + # Available commands: + # '-sops' -> updates your sops secret file + # '-init' -> initializes a new system with nix-anywhere + # '-deploy' -> deploys the existing flake to all nodes using deploy-rs + EOF + ''; +} From c753407691eb986d66260f999592567dc5442f6f Mon Sep 17 00:00:00 2001 From: Squibid Date: Wed, 26 Nov 2025 13:40:14 -0500 Subject: [PATCH 05/15] wireguard --- flake.nix | 1 + hosts/crayon/default.nix | 9 +++++- modules/sops.nix | 1 + modules/wireguard.nix | 60 ++++++++++++++++++++++++++++++++++++++++ secrets.yaml | 6 ++-- 5 files changed, 74 insertions(+), 3 deletions(-) create mode 100644 modules/wireguard.nix diff --git a/flake.nix b/flake.nix index 473f42d..7970c61 100644 --- a/flake.nix +++ b/flake.nix @@ -31,6 +31,7 @@ ./modules/unstable.nix ./modules/zmotd.nix ./modules/sops.nix + ./modules/wireguard.nix ./modules/users/admin.nix ./overlays diff --git a/hosts/crayon/default.nix b/hosts/crayon/default.nix index c16c088..b343d1d 100644 --- a/hosts/crayon/default.nix +++ b/hosts/crayon/default.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { imports = [ ./hardware-configuration.nix # Include the results of the hardware scan. @@ -9,4 +9,11 @@ boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; + + wireguard = { + enable = true; + # pub: gq0/fX4EF/3jUNJSW5C3ythZjMVAWYqQdAVRw1eUC1Y= + privateKeyFile = config.sops.secrets."wireguard/crayon".path; + externalInterface = "enp1s0"; + }; } diff --git a/modules/sops.nix b/modules/sops.nix index f769a40..8bb471d 100644 --- a/modules/sops.nix +++ b/modules/sops.nix @@ -16,6 +16,7 @@ secrets = { "mail/me" = {}; "jellyfin/zachary" = {}; + "wireguard/crayon" = {}; }; }; } 
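Review bot: The `-init` script uses Makefile-style `$(USER)`, `$(IP)`, `$(HOST)` and `$(key)` in `key=$(ssh $(USER)@$(IP) …)` and in both `sed -i` lines, but inside a bash script those are command substitutions of commands that do not exist (and a Nix `''` string does not interpolate `$(…)`), so `ssh` is invoked as `ssh @` and `.sops.yaml` receives the literal text `- &$(HOST) $(key)`; PATCH 09/15 corrects only the `nixos-anywhere` arguments and leaves these three lines as they are. The `sed` inserts also run unconditionally, so re-running `-init` for the same host keeps appending anchors — which is what the duplicated `&blobercraft` entries in this patch's `.sops.yaml` look like — and the usage branch ends with `exit 0`, so a caller cannot tell a missing argument from success. The rewritten lines below switch to `$VAR` expansion, guard each insert with `grep -q`, and should be paired with `exit 1` in the usage branch; GNU sed's one-line `i\ text` form appears to drop leading whitespace, so check the indentation of the inserted YAML lines after the first run.
```nix
          # get the remote systems ssh key
          key=$(ssh "$USER@$IP" 'cat /etc/ssh/ssh_host_ed25519_key.pub' | ssh-to-age)
          # … unchanged: empty-key check …

          # add the new sops key to the .sops.yaml, once per host
          grep -q "&$HOST " .sops.yaml || sed -i '/# new-host marker/i\ - &'"$HOST $key" .sops.yaml
          grep -q "\*$HOST" .sops.yaml || sed -i '/# new-host ptr marker/i\ - *'"$HOST" .sops.yaml
          # … unchanged: sops updatekeys and nixos-anywhere call …
```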
diff --git a/modules/wireguard.nix b/modules/wireguard.nix new file mode 100644 index 0000000..f6b7f41 --- /dev/null +++ b/modules/wireguard.nix 
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, ... }: +{ + options.wireguard = { + enable = lib.mkEnableOption "wireguard"; + port = lib.mkOption { + default = 51820; + description = "The port for wireguard to use."; + type = lib.types.int; + }; + externalInterface = lib.mkOption { + description = "The external networking interface for wireguard to use."; + type = lib.types.str; + }; + internalInterface = lib.mkOption { + default = "wg0"; + description = "The networking interface for wireguard to use."; + type = lib.types.str; + }; + privateKeyFile = lib.mkOption { + description = "The path to the private key of the wireguard server."; + type = lib.types.path; + }; + }; + + config = lib.mkIf config.wireguard.enable { + networking.nat.enable = true; + networking.nat.externalInterface = config.wireguard.externalInterface; + networking.nat.internalInterfaces = [ config.wireguard.internalInterface ]; + networking.firewall.allowedUDPPorts = [ config.wireguard.port ]; + networking.wireguard.interfaces = { + ${config.wireguard.internalInterface} = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + ips = [ "10.100.0.1/24" ]; + listenPort = config.wireguard.port; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; + + # Path to the servers private key file. + privateKeyFile = config.wireguard.privateKeyFile; + + # TODO: add config option? + peers = [ + { + publicKey = "L+NlTn0E9pgCoEoTYs4aDewZSMmyeyC1Os9DCdwYTjY="; + allowedIPs = [ "10.100.0.2/32" ]; + } + ]; + }; + }; + }; +} 
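Review bot: Both `iptables … -o eth0 -j MASQUERADE` lines in `postSetup`/`postShutdown` hard-code `eth0` although the module takes `externalInterface` as an option, and the only consumer on this page (hosts/crayon/default.nix) sets it to `enp1s0`, so the rule targets an interface that may not exist and never matches the tunnel's egress; use `-o ${config.wireguard.externalInterface}` in both lines. With `networking.nat.enable`, `externalInterface` and `internalInterfaces` set a few lines above, the NixOS NAT module already installs a masquerade rule for the internal interface, so the two hooks look redundant and could be dropped rather than fixed — worth confirming against the NAT module before removing them. `port` is declared as `lib.types.int`; `lib.types.port` rejects out-of-range values at evaluation time. The `10.100.0.0/24` subnet is spelled out in `ips` and in both iptables commands, and the single peer sits hard-coded under a TODO; one `let` binding for the subnet (or a `peers` option) would keep the copies from drifting.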
diff --git a/secrets.yaml b/secrets.yaml index 2b4befe..772d0cb 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -4,6 +4,8 @@ jellyfin: zachary: ENC[AES256_GCM,data:GIDgfsxhU4fZVjP/cTmTvIA1aeP4lbd3Fz6tbPLdyL37KD+IKERgkxJmGwtt9GNwnJBsHE/xpH8ZAvloS1DykZZtEaqB0H6wuA==,iv:FM0d4tiQPzyoEiqEQF5YvNeClHXOhP+q+TaKGeyg/TE=,tag:v+sYDwQiCX7o+g7plcnQFg==,type:str] users: crown: ENC[AES256_GCM,data:6UAYcafxflvbsTXC1N3Ff0hAlWGjveYDUzbcXPSGfPX0uXg++bfjRwYo3JFgfJpJ/KN4MODPSxgjFAFnoZOnkyxk0UDSppDagQ==,iv:PWmxuj2caqRLASjftbl0tovNq2t1WoDoviJXs/OO8yI=,tag:EwJhROsHfj5cPkpxUCy+uw==,type:str] +wireguard: + crayon: ENC[AES256_GCM,data:pQ4nOzcON+yCqgisBQO8LIdfi9GmXE9YcPzBRgu9Fdzx0R6p4dEK+DVBuDg=,iv:vq0uDgZlLwXVZMwE3xTWZDP20uaAcT4I0D7qLS61ApI=,tag:btVyZREPAgfcC694/Wusmg==,type:str] sops: kms: [] gcp_kms: [] @@ -37,8 +39,8 @@ sops: MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-09T02:00:10Z" - mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str] + lastmodified: "2025-11-26T18:38:21Z" + mac: ENC[AES256_GCM,data:V3lKQj0ZWIPl2RPpnv7tRBG8sH6W9+rfnPy0z6g+3SZGmKtwhcgqVBG/VPMKhuyseNZ4vxE23lD7Ol44PchMgd/OCJqJF6TUl3A4LIqkK8Ji0m0cPcC3hsFaI8rChkWcLse30qcoQov4NbP7yElpf76Bh/NqBFgOqCjDD0Pp/NU=,iv:897reifxaub96UDCKCsWNxabVCSzYLmsIrrkXCxBgoM=,tag:0d4iQhLA/YxR7wrtUVxXqA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 From d2e20817b4ce8ae512c03584bf0715ef97ca55f7 Mon Sep 17 00:00:00 2001 From: Squibid Date: Wed, 26 Nov 2025 14:25:01 -0500 Subject: [PATCH 06/15] rename blobercraft -> blob --- README.md | 4 ++-- flake.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/README.md b/README.md index 39094d6..c9939ae 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ That's it, have fun poking around. ## Systems I suppose if you're trying to understand my config you'd need to know where this stuff is deployed and what for. -- blobercraft +- blob - This is my main homelab server. It's used for my media (jellyfin) along with some other stuff that you can find by looking at my config. - crayon @@ -33,7 +33,7 @@ I'll probably end up switching to something more standard once I've got the time. ## TODO: -- [ ] blobercraft +- [ ] blob - [ ] add a git backup for everything on crayon (if possible) - [ ] ff sync server - [ ] crayon diff --git a/flake.nix b/flake.nix index 7970c61..1f46b96 100644 --- a/flake.nix +++ b/flake.nix @@ -71,7 +71,7 @@ in { # define all of my machines nixosConfigurations = mkHosts { - blobercraft = []; + blob = []; crayon = []; }; From 3d71ed911d1217c23c4f9c59c4e4673a025491b5 Mon Sep 17 00:00:00 2001 From: Squibid Date: Wed, 26 Nov 2025 14:27:01 -0500 Subject: [PATCH 07/15] update readme --- README.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index c9939ae..b94efc8 100644 --- a/README.md +++ b/README.md @@ -21,16 +21,11 @@ that I thought a new user might want to understand as nix is rather poorly documented. ## Maintaining -I've included a make file to keep remote systems up to date, here's an example -of what I use to deploy to crayon: +I've included a dev shell to keep the system up to date. To enter the shell run: ```sh -make deploy IP=squi.bid HOST=crayon +nix develop ``` -This step requires the remote system to have a crown user who can execute sudo -commands without an interactive prompt. - -I'll probably end up switching to something more standard once I've got the -time. +Once you've entered the shell will give you a rundown on what you can do. ## TODO: - [ ] blob From 9f388d75d8877505d1066be82913b7e95d727c46 Mon Sep 17 00:00:00 2001 
From: Squibid Date: Wed, 26 Nov 2025 14:27:22 -0500 Subject: [PATCH 08/15] forgot to change the blobercraft path to blob --- hosts/{blobercraft => blob}/ai.nix | 0 hosts/{blobercraft => blob}/default.nix | 0 hosts/{blobercraft => blob}/disko.nix | 0 hosts/{blobercraft => blob}/gatus.nix | 0 hosts/{blobercraft => blob}/hardware-configuration.nix | 0 hosts/{blobercraft => blob}/jellyfin.nix | 0 hosts/{blobercraft => blob}/minecraft.nix | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename hosts/{blobercraft => blob}/ai.nix (100%) rename hosts/{blobercraft => blob}/default.nix (100%) rename hosts/{blobercraft => blob}/disko.nix (100%) rename hosts/{blobercraft => blob}/gatus.nix (100%) rename hosts/{blobercraft => blob}/hardware-configuration.nix (100%) rename hosts/{blobercraft => blob}/jellyfin.nix (100%) rename hosts/{blobercraft => blob}/minecraft.nix (100%) diff --git a/hosts/blobercraft/ai.nix b/hosts/blob/ai.nix similarity index 100% rename from hosts/blobercraft/ai.nix rename to hosts/blob/ai.nix diff --git a/hosts/blobercraft/default.nix b/hosts/blob/default.nix similarity index 100% rename from hosts/blobercraft/default.nix rename to hosts/blob/default.nix diff --git a/hosts/blobercraft/disko.nix b/hosts/blob/disko.nix similarity index 100% rename from hosts/blobercraft/disko.nix rename to hosts/blob/disko.nix diff --git a/hosts/blobercraft/gatus.nix b/hosts/blob/gatus.nix similarity index 100% rename from hosts/blobercraft/gatus.nix rename to hosts/blob/gatus.nix diff --git a/hosts/blobercraft/hardware-configuration.nix b/hosts/blob/hardware-configuration.nix similarity index 100% rename from hosts/blobercraft/hardware-configuration.nix rename to hosts/blob/hardware-configuration.nix diff --git a/hosts/blobercraft/jellyfin.nix b/hosts/blob/jellyfin.nix similarity index 100% rename from hosts/blobercraft/jellyfin.nix rename to hosts/blob/jellyfin.nix 
diff --git a/hosts/blobercraft/minecraft.nix b/hosts/blob/minecraft.nix similarity index 100% rename from hosts/blobercraft/minecraft.nix rename to hosts/blob/minecraft.nix From 754e4c945e35edb43e1b5927c3140873f9fa59c3 Mon Sep 17 00:00:00 2001 From: Squibid Date: Sat, 29 Nov 2025 00:02:01 -0500 Subject: [PATCH 09/15] update the shell --- hosts/blob/hardware-configuration.nix | 26 +------------------------- shell.nix | 9 +++++---- 2 files changed, 6 insertions(+), 29 deletions(-) diff --git a/hosts/blob/hardware-configuration.nix b/hosts/blob/hardware-configuration.nix index 87a58d7..857c8ef 100644 --- a/hosts/blob/hardware-configuration.nix +++ b/hosts/blob/hardware-configuration.nix @@ -1,25 +1 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} +throw "not generated yet" diff --git a/shell.nix b/shell.nix index 8147204..7e78f75 100644 --- a/shell.nix +++ b/shell.nix 
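Review bot: `throw "not generated yet"` as the entire hosts/blob/hardware-configuration.nix makes `nixosConfigurations.blob` fail to evaluate, which `nix flake check` (it evaluates each NixOS configuration's toplevel, as far as I recall) and anything else that touches that host will trip over until `-init` regenerates the file; the previous content at least evaluated. If the placeholder is intentional, make the message actionable, `throw "hosts/blob/hardware-configuration.nix is a placeholder: run '-init <ip> blob' from the dev shell to generate it"`, so the failure explains its own fix. `hosts/blob/default.nix` already imports `not-detected.nix` itself (PATCH 03/15), so the duplicate import in the regenerated file is harmless and need not be edited out.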
@@ -52,10 +52,11 @@ pkgs.mkShell { # push the flake to the remote system nixos-anywhere --\ - --flake .#$(HOST)\ - --build-on remote\ - --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix\ - --target-host $(USER)@$(IP) + --flake .#$HOST\ + --build-on remote\ + --copy-host-keys\ + --generate-hardware-config nixos-generate-config ./hosts/$HOST/hardware-configuration.nix\ + --target-host $USER@$IP '') (pkgs.writeShellScriptBin "-deploy" '' From 4c4b859ed073a720460c414d97b311bc4a935738 Mon Sep 17 00:00:00 2001 From: Squibid Date: Mon, 1 Dec 2025 20:43:35 -0500 Subject: [PATCH 10/15] this should be per host --- hosts/blob/default.nix | 6 ++++++ hosts/crayon/default.nix | 6 ++++++ modules/os.nix | 6 ------ 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/hosts/blob/default.nix b/hosts/blob/default.nix index 5c2ca18..9a9cd87 100644 --- a/hosts/blob/default.nix +++ b/hosts/blob/default.nix @@ -18,4 +18,10 @@ # ai.enable = true; jellyfin.enable = true; minecraft.enable = true; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "25.05"; # Did you read the comment? } diff --git a/hosts/crayon/default.nix b/hosts/crayon/default.nix index b343d1d..50373bc 100644 --- a/hosts/crayon/default.nix +++ b/hosts/crayon/default.nix @@ -16,4 +16,10 @@ privateKeyFile = config.sops.secrets."wireguard/crayon".path; externalInterface = "enp1s0"; }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "25.05"; # Did you read the comment? } diff --git a/modules/os.nix b/modules/os.nix index e30e6df..dae64ba 100644 
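Review bot: The new `--copy-host-keys` line turns whatever `/etc/ssh/ssh_host_*` keys the target happens to be running with at install time into the permanent SSH identity of the installed system, and nothing in the hunk says why. Presumably it is there so the age recipient derived from that host key (the devShell ships `ssh-to-age`) still decrypts `secrets.yaml` after the reinstall; say so: `--copy-host-keys\ # keep the installer's host keys so this host's ssh-to-age recipient in .sops.yaml stays valid`. The flip side is that when the box is booted from a provider rescue image whose host keys are shared or pre-baked, that key is now persisted as this host's identity; in that case generate the keys locally and ship them to the target, or regenerate them after install and re-run `sops updatekeys`. Separately, `$USER` in `--target-host $USER@$IP` is normally the caller's own login name exported by the shell, so unless the helper assigns it earlier (its body starts above the hunk) the target login silently defaults to the local user.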
--- a/modules/os.nix +++ b/modules/os.nix @@ -19,10 +19,4 @@ enable = true; dates = "weekly"; }; - - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "25.05"; # Did you read the comment? } From e2bf8e94963eda3c9bcf1fb225f4891f74fc02ba Mon Sep 17 00:00:00 2001 From: Squibid Date: Mon, 1 Dec 2025 20:44:59 -0500 Subject: [PATCH 11/15] reset for another try at deploying blob --- .sops.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 1d859f9..2dcd4b5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,11 +11,6 @@ keys: - &hosts: - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv - - &blobercraft - - &blobercraft - - &blobercraft - - &blobercraft - - &blobercraft # new-host marker creation_rules: - path_regex: secrets.yaml$ @@ -24,9 +19,4 @@ creation_rules: - *dev - *dev-vm - *crayon - - *blobercraft - - *blobercraft - - *blobercraft - - *blobercraft - - *blobercraft # new-host ptr marker From 0f05c5da6c805bc894f60b976f65407d02ed935a Mon Sep 17 00:00:00 2001 From: Squibid Date: Mon, 1 Dec 2025 20:52:09 -0500 Subject: [PATCH 12/15] there shall be no impurity --- shell.nix | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/shell.nix b/shell.nix index 7e78f75..bcfd501 100644 --- a/shell.nix +++ b/shell.nix @@ -19,6 +19,14 @@ pkgs.mkShell { ssh-to-age nixos-anywhere + (pkgs.writeShellScriptBin "-commit" '' + # there shall be no impurity + if [ -n "$(git diff)" ]; then + git add . + git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" + fi + '') + (pkgs.writeShellScriptBin "-sops" "sops updatekeys secrets.yaml") (pkgs.writeShellScriptBin "-init" '' 
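Review bot: In the new `-commit` helper, `git add .` stages every untracked file in the tree, while the gate `[ -n "$(git diff)" ]` only fires on modified tracked files, so the moment any tracked file is dirty, anything lying around — a decrypted copy of `secrets.yaml`, an age or SSH private key, editor scratch — is committed with a generic message into the flake's history. Staging only tracked changes is enough for the stated purity goal, since a git-backed flake only sees tracked files anyway: `if [ -n "$(git status --porcelain --untracked-files=no)" ]; then` and `git add -u` in place of `git add .`. New files such as a freshly generated `hardware-configuration.nix` then need a deliberate `git add`, which is the safer default for a repo that also carries secrets. The helper also operates relative to the caller's cwd rather than the flake root; running it via `git -C "$(git rev-parse --show-toplevel)"` makes the "no impurity" check cover the whole repo.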
@@ -50,6 +58,8 @@ pkgs.mkShell { # update the keys sops updatekeys secrets.yaml + -commit + # push the flake to the remote system nixos-anywhere --\ --flake .#$HOST\ @@ -60,11 +70,7 @@ pkgs.mkShell { '') (pkgs.writeShellScriptBin "-deploy" '' - # there shall be no impurity - if [ -n "$(git diff)" ]; then - git add . - git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" - fi + -commit # push flake config to a remote server(s) nix run github:serokell/deploy-rs . # this needs to be the same version that the flake is using From 693a1514be07bdc8d435810247a2886a50893699 Mon Sep 17 00:00:00 2001 From: Squibid Date: Mon, 1 Dec 2025 20:55:28 -0500 Subject: [PATCH 13/15] don't finish args --- shell.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shell.nix b/shell.nix index bcfd501..33db7da 100644 --- a/shell.nix +++ b/shell.nix @@ -61,7 +61,7 @@ pkgs.mkShell { -commit # push the flake to the remote system - nixos-anywhere --\ + nixos-anywhere\ --flake .#$HOST\ --build-on remote\ --copy-host-keys\ From a58e66c7479884efd4227e0dee357a0c91573cbd Mon Sep 17 00:00:00 2001 From: Squibid Date: Mon, 1 Dec 2025 20:55:49 -0500 Subject: [PATCH 14/15] auto commit on build .sops.yaml secrets.yaml auto commit on build hosts/blob/hardware-configuration.nix --- .sops.yaml | 2 ++ hosts/blob/hardware-configuration.nix | 26 +++++++++++++++++- secrets.yaml | 39 ++++++++++++++++----------- 3 files changed, 51 insertions(+), 16 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 2dcd4b5..7a03b5f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -11,6 +11,7 @@ keys: - &hosts: - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv + - &blob age1kardawqarv498rwayadsmnlx62kvjgduvhhg3drx39xacn9u3ajq5d0qra # new-host marker creation_rules: - path_regex: secrets.yaml$ @@ -19,4 +20,5 @@ creation_rules: - *dev - *dev-vm - *crayon + - *blob # new-host ptr marker 
diff --git a/hosts/blob/hardware-configuration.nix b/hosts/blob/hardware-configuration.nix index 857c8ef..3431b41 100644 --- a/hosts/blob/hardware-configuration.nix +++ b/hosts/blob/hardware-configuration.nix @@ -1 +1,25 @@ -throw "not generated yet" +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/secrets.yaml b/secrets.yaml index 772d0cb..4832b5f 100644 --- a/secrets.yaml +++ b/secrets.yaml 
@@ -15,29 +15,38 @@ sops: - recipient: age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOWlGajE0Q0FQclZUdUJ2 - RjNUcVBuckZpT1FrbzJaaFcyNXgrTklub0V3ClNIZHpyWVlmVUExK0phNlRIOCtl - ajhPR1M1eERIclhiWEpRelFQRi94em8KLS0tIG1wdVlmbis3OXcxOXRBbFp6b0Nw - QzEyaWIrdVlpcHRHSmpZQkhjN2U3OGcKXRTscSq9D73awM2CLbst8KHPXs3WFXBy - rM8W40zgn6wDPjy2XxB54qZg9hnsBGdAtNnY5PInjMJ5F17lgSdXaw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZVRGTEpIWW1qRWhPOTR5 + STdwVzZzeU1QS2l0TlN2NFNLY1VNZjVCdEhFCmxhejBDSjF5Vk1UQjdEYmpRRFRw + allpajVzcUFpc1h0TVBlUFdaUERPZ3cKLS0tIHc3S0FRbkgwc3BwYUYrWGUrUjZX + QjBLcFY5NnFBZXBJenFYUS8yMXBML0EKkuoDfnc0MnZ0bRQ4Op8GnxC0Mpld9nRE + 5tn6why12mT65jDHuaU3+bX2Rg5+NU90KpdA3S88M4tiCD3WSo70eg== -----END AGE ENCRYPTED FILE----- - recipient: age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaVFIaWllNU0xR0ZHQWtZ - T2tsK0dkQVlTL0N6Z0UvYlRKallXeTFVbDJNCis4UWtSZ0tCZHp2aXBDaDFTeUJu - TWFPdlRJUFRCb3E1UWdmUUhGOU5BS0kKLS0tIEFEWVBzNUxDTzhCSndKZ0JxSFlo - K2ZVekRCeXVtL0FhbmpYc0dEQmo2NjAKKSg1/XSIAoVMHsnkMJHSGTzmX8eQYp77 - hGjx4T26UxwTK8KJ8KKPFI5KWiIHzP/HHTeiJb4IhJ5G+z/npttZIA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVEx6VzRNOFBickVjcGFj + UkpGNUpTeTVVUVRGRHJrRTI3UzhrRjIvcXdrCkFSWGE4YS91dEpJbFZEcFNGUmdP + UFJDc0hpTEVvaHZjY2k3Vk5jdTk4NjgKLS0tIDFpU0srRzBMTDFPVGVVblpEMTZk + SEtxQnN6T2lNbkRGWmUwSFdMVUw0dlEKKYe2xCYLQ8Q21p6f3NIIwRMrQHTicSp3 + BSIG0SmRGcSrzPlg8agUi4aWQ7du9EECXanQSu98sGhCWkIc/QHWnQ== -----END AGE ENCRYPTED FILE----- - recipient: age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlV1J2bjl2K21WUlpyLzQw - amNRajFuNEFOOTJUdUFmdzBzK29hbFhnL2dRCml4OVZoS1llSVRoa216aWlvR0R3 - cjgyS0pibnQ2SHBBcVlZeXo1MmVNV0UKLS0tIEh3bGt3WnVqYlVwSlI5SUJheU9z - 
MVIyWFFmVXR3SkN4dmdJUzZEOE1nRzAKXYCh0Y0pwHUO6YAhGFBuVCphmL2dOAsN - R/5NDRIF2ab5hf5vE8g/4jHnrttujsbNyU96Jezh8q6MO2M1afIUwA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvaVZxYTFMZDFCYnVTYWM4 + QS9Oa1dLa3dVNzArZ0hkKy8yR1Z3UVpRQzJVClo5dzU3dythWGU0NkoySUpYRUQv + MTlQYmJSVG5RNWkzWnlEaDh0YjFxL3MKLS0tIDdySlB3cGxoM09BZWdhN3RwNGtZ + Y1ZUb1Y3ais0dlZrclQyUUZxWkNSVHcKv1Q0VBHE9Y9bU6XyQ84WNf+JTIQq/mPI + tOD6uiS46KgnO5p8oM9rqvBmOPJKoS6bgSLUuEnqjLTtZE3QO0eKzA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kardawqarv498rwayadsmnlx62kvjgduvhhg3drx39xacn9u3ajq5d0qra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTFR1UU1PaTl0NWZ1dEVk + WTZMUEtGWFFyNm9aTzNmZHh3RkZHOGsvRWowCnYzZ3JlRGlqN2tHbmtIMFFHUVBD + dWNNc2ZqL1UwdlBmMERlNVZGK1ZhdVkKLS0tIGV1RHh5Z0Z3MlNMZHB0K1liTFdr + NTUrY2pDQXJuTnREakRWQkFqckN2M2MKSonhOJsqcY/HDY+d25rEPwKSl3FSOpkW + EJFXcKKTiJB96Ms5yDGRAtUvbqw/oSBbdGTqe7bE7pQhfj3Y8ECz4w== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-11-26T18:38:21Z" mac: ENC[AES256_GCM,data:V3lKQj0ZWIPl2RPpnv7tRBG8sH6W9+rfnPy0z6g+3SZGmKtwhcgqVBG/VPMKhuyseNZ4vxE23lD7Ol44PchMgd/OCJqJF6TUl3A4LIqkK8Ji0m0cPcC3hsFaI8rChkWcLse30qcoQov4NbP7yElpf76Bh/NqBFgOqCjDD0Pp/NU=,iv:897reifxaub96UDCKCsWNxabVCSzYLmsIrrkXCxBgoM=,tag:0d4iQhLA/YxR7wrtUVxXqA==,type:str] From c3996f55ceba1ceba82cff368da3aedfde68b19d Mon Sep 17 00:00:00 2001 From: Squibid Date: Mon, 1 Dec 2025 21:02:47 -0500 Subject: [PATCH 15/15] update nixpkgs channel to 25.11 --- flake.lock | 8 ++++---- flake.nix | 2 +- hosts/crayon/mailserver.nix | 5 +++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index a294fa1..a1a98cd 100644 --- a/flake.lock +++ b/flake.lock 
@@ -102,16 +102,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1762498405, - "narHash": "sha256-Zg/SCgCaAioc0/SVZQJxuECGPJy+OAeBcGeA5okdYDc=", + "lastModified": 1764522689, + "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6faeb062ee4cf4f105989d490831713cc5a43ee1", + "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "type": "indirect" } }, diff --git a/flake.nix b/flake.nix index 1f46b96..e6906a9 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { description = "Nixos config flake"; inputs = { - nixpkgs.url = "nixpkgs/nixos-25.05"; + nixpkgs.url = "nixpkgs/nixos-25.11"; unstable.url = "nixpkgs/nixos-unstable"; nid.url = "github:nix-community/nix-index-database"; diff --git a/hosts/crayon/mailserver.nix b/hosts/crayon/mailserver.nix index 301781a..1a30bda 100644 --- a/hosts/crayon/mailserver.nix +++ b/hosts/crayon/mailserver.nix @@ -4,13 +4,14 @@ # working :( imports = [ (builtins.fetchTarball { - url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz"; - sha256 = "0la8v8d9vzhwrnxmmyz3xnb6vm76kihccjyidhfg6qfi3143fiwq"; + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.11/nixos-mailserver-nixos-25.11.tar.gz"; + sha256 = "16kanlk74xnj7xgmjsj7pahy31hlxqcbv76xnsg8qbh54b0hwxgq"; }) ]; mailserver = { enable = true; + stateVersion = 3; fqdn = "mail.zacharyscheiman.com"; domains = [ "zacharyscheiman.com" "squi.bid" ]; messageSizeLimit = 2500000000; # 2.5GB
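Review bot: The `builtins.fetchTarball` in mailserver.nix is content-pinned by `sha256`, which is the right supply-chain posture, but it lives outside `flake.lock`, so `nix flake update` never bumps it and the branch pairing (nixos-mailserver `nixos-25.11` against nixpkgs `nixos-25.11`) has to be kept in step by hand — this commit touching both manually is exactly that failure mode. A comment on the import saves the next person the search: `# pinned outside flake.lock: bump url + sha256 together with the nixpkgs branch in flake.nix`. The added `stateVersion = 3;` is likewise unexplained; if the 25.11 release of the module requires it (I cannot tell from here) say so inline, since it presumably gates migration behaviour the way `system.stateVersion` does. The comment the import sits under (`# working :(`) starts above the hunk.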