From 5cce9461c1b6c1bec33fda10a9a4d49e2dc37a01 Mon Sep 17 00:00:00 2001
From: marc
Date: Sun, 11 Feb 2024 22:06:54 +0100
Subject: [PATCH] Added Thingvellir
---
 docs/hosts.org | 7 +--
 docs/install.org | 4 +-
 hosts/thingvellir/README.org | 2 +
 hosts/thingvellir/default.nix | 45 ++++++++++++++++++
 hosts/thingvellir/hardware.nix | 36 ++++++++++++++
 .../consul.d/agent-token-reykjavik.json.age | Bin 364 -> 364 bytes
 .../consul.d/agent-token-thingvellir.json.age | 7 +++
 secrets/consul.d/consul-agent-ca.pem.age | Bin 1290 -> 1510 bytes
 secrets/consul.d/gossip.json.age | 12 +++--
 secrets/nomad.d/consul-token.json.age | 12 +++--
 secrets/secrets.nix | 22 +++++++--
 secrets/ssh-keys/id_thingvellir.gpg | Bin 0 -> 462 bytes
 secrets/ssh-keys/id_thingvellir.pub | 1 +
 13 files changed, 131 insertions(+), 17 deletions(-)
 create mode 100644 hosts/thingvellir/README.org
 create mode 100644 hosts/thingvellir/default.nix
 create mode 100644 hosts/thingvellir/hardware.nix
 create mode 100644 secrets/consul.d/agent-token-thingvellir.json.age
 create mode 100644 secrets/ssh-keys/id_thingvellir.gpg
 create mode 100644 secrets/ssh-keys/id_thingvellir.pub
diff --git a/docs/hosts.org b/docs/hosts.org
index 8943937..d59d3c4 100644
--- a/docs/hosts.org
+++ b/docs/hosts.org
@@ -1,7 +1,5 @@
 #+title: Hosts
-* [[file:../hosts/reykjavik/README.org][Reykjavik]]
-* [[file:../hosts/kopavogur/README.org][Kopavogur]]
-* <> Setting up a new host
+* Setting up a new host
 ** Generate a host ssh key pair
 Generate the key pair (we'll use the name `id_`)
 #+BEGIN_SRC bash
@@ -37,3 +35,6 @@ Host remotehost
 IdentitiesOnly yes
 IdentityFile ~/.ssh/remotehost
 #+END_SRC
+* List of hosts
+** [[file:../hosts/reykjavik/README.org][Reykjavik]]
+** [[file:../hosts/kopavogur/README.org][Kopavogur]]
diff --git a/docs/install.org b/docs/install.org
index b6e7143..0aa0f8d 100644
--- a/docs/install.org
+++ b/docs/install.org
@@ -1,9 +1,9 @@
 #+title: Installing
 * Set up
-** If new host, follow [[new_host][Setting up a new host]]
+** If new host, follow [[file:hosts.org][Setting up a new host]]
 ** Open a nix-shell with dependencies
 #+BEGIN_SRC bash
-nix shell nixpkgs#git
+nix-shell -p git
 #+END_SRC
 ** Obtain the flake
 + Via git clone
diff --git a/hosts/thingvellir/README.org b/hosts/thingvellir/README.org
new file mode 100644
index 0000000..02c4373
--- /dev/null
+++ b/hosts/thingvellir/README.org
@@ -0,0 +1,2 @@
+* Thingvellir
+Servidor a Vultr
diff --git a/hosts/thingvellir/default.nix b/hosts/thingvellir/default.nix
new file mode 100644
index 0000000..f502fc2
--- /dev/null
+++ b/hosts/thingvellir/default.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, inputs, ... }:
+
+with lib;
+{
+ imports = [
+ ./hardware.nix
+ ];
+
+ # - Basic --------------------------------------
+
+ user.name = "marc";
+ user.shell = pkgs.zsh;
+ networking.hostName = "thingvellir";
+ networking.firewall = {
+ enable = true;
+ };
+
+ # - Bootloader ---------------------------------
+
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ # - Modules ------------------------------------
+
+ samfelag.modules = {
+ # - Common -----------------------------------
+ # See modules/common.nix for common packages installed
+
+ # - System -----------------------------------
+ system.utils.enable = true;
+ system.gpg.enable = true;
+ system.pass.enable = true;
+ system.ssh.enable = true;
+ system.sshfs.enable = true;
+
+ # - Editors and development ------------------
+ dev.git.userName = "marc";
+ dev.git.userEmail = "marc@sastre.cat";
+
+ dev.docker.enable = true;
+ dev.docker.users = ["marc"];
+ };
+}
diff --git a/hosts/thingvellir/hardware.nix b/hosts/thingvellir/hardware.nix
new file mode 100644
index 0000000..8d24782
--- /dev/null
+++ b/hosts/thingvellir/hardware.nix
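Review bot: `dev.docker.users = ["marc"];` near the end of default.nix grants the interactive login account Docker access on what the README describes as a public cloud VPS; if the module does what its name suggests and adds the listed users to the `docker` group, that is root-equivalent access, so it deserves an explicit comment such as `# NOTE: docker group membership is root-equivalent on this host; keep this list minimal` and a deliberate decision that an SSH-reachable account needs it. Separately, `with lib;` on the third line is never used — nothing in this file references a `lib` name unqualified (only `pkgs.zsh` appears) — and blanket `with lib;` is generally discouraged in NixOS configs, so it can simply be dropped while `lib` stays available from the argument set. The firewall block sets only `enable = true`; any Consul/Nomad ports this host will serve are presumably opened by the `samfelag.modules` options, which is not visible here and worth confirming before the node joins the cluster.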
@@ -0,0 +1,36 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ ]; + + boot = { + initrd = { + availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + kernelModules = [ ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; + + networking = { + useDHCP = lib.mkDefault true; + interfaces = { + ens3.useDHCP = lib.mkDefault true; + }; + nameservers = [ "108.61.10.10" ]; + }; + + virtualisation.hypervGuest.enable = true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/secrets/consul.d/agent-token-reykjavik.json.age b/secrets/consul.d/agent-token-reykjavik.json.age index 1bdf2039c698f6d34ef4080f9f23533c53c8359e..f292dfa33de50e31cf64deb71b0688a7921875b9 100644 GIT binary patch delta 329 zcmV-P0k;0^0_*~iEPruEH#l%}Mq@KbNl<2RV{d0!NH}Xmctuk}FJoq8R7Y(wc4k>k zO;veUMGA0MNM&_lGdM$TG)s7FGAm1Aa#Kufc}a9_M{sgzVM1(Tbx%)CVsJ`LO$se7 zEg(fsO-FWXWH2%_O;a&;b!=2uSXz2{LwRjAQ&?elVRTkCZGT2pVNrNwX+a9%dO$_% z6n>XSt-V5l`wy^Hu z2rOfq<%=%)qkx*Se)5P(GvVLYz*&h>F6?;R6P1LbwZh*Rx&x*4o4Z?=$a5P7)24P_ zuC6I2V*YZ8m_moOB{h7Xm^WX_j{p$1NHw{n%PC!P8icW8Wlst9+@Eb0N!c-lng_;s b$$#%U4x5Q7a!+DwM`lt&K~YsWb!tyVWo=C}X9_JX zEg(=xVt8~;V?}g&D`Qq#P)TB0WOXxYYIAQ^LS`~%Vn#`ELVqx4Q(7`aL~9C@;eBZ| z?BDstYEr1R)&EEoUwJ(;CsdqDe%LX3OfVpz@duiTC{7J!?H>BdVt*1iO@D68Klrcy zNsS&=hNsC|k%-ck^B3$s*;Bn~^d}Owo_P8Yp2z7c^JFBlDm2@iW3j}naXn+DV7t(m z7r#FN{gO5o^g ssh-ed25519 GWuf0Q mCQbETRLULM4/f70NUKHvn9iSDdfnM1a1PDRGVnS9ys +CNFbhSDNq3cOmyrc56w75ZUZXPfVgT29F5+fFoP5Kmk +-> ssh-ed25519 kNjiNQ jSJAUXcGPZiKvLqab9BBfjCsSrM1FhYfbKgHg81L7E8 +xcbPJUR3TvY0PiBrY62+UxUeZ/dfVLt0uTj2+giwtkM +--- roH7F9Fb3B1lcvSiDoM/e1vCmFRbUupKGF+pRUO7gek +1X" 㡉)KSPpt+ J*& < #)97/]M9wqٹE-:5/]7jf;60z/zLYF> @\: sOWt꒚WhK)2XVٜ 5s4e \ No newline at end of file 
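Review bot: `virtualisation.hypervGuest.enable = true;` in hardware.nix looks mismatched with the rest of the file: the initrd modules (`virtio_pci`, `virtio_blk`) and the `ens3` interface indicate a QEMU/KVM guest, and the README calls the host a Vultr server, which as far as I know is KVM-based. Hyper-V guest integration on such a VM is dead weight at best, so this line should be verified against the actual hypervisor; the usual generated configuration for a KVM guest is `imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];` — which would also give the otherwise-unused `modulesPath` argument a purpose — plus `services.qemuGuest.enable = true;` if the provider agent is wanted. The hard-coded `nameservers = [ "108.61.10.10" ];` silently overrides whatever DHCP hands out; if that is the provider's resolver, a one-line comment saying so would save the next reader a lookup and make the override visibly intentional.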
diff --git a/secrets/consul.d/consul-agent-ca.pem.age b/secrets/consul.d/consul-agent-ca.pem.age index 277ffda8c3adabe73835c164bd4ba961083c1c1b..fcb06a49286c223d9ac1f762eb513e656b969340 100644 GIT binary patch delta 1484 zcmV;-1vC1J3g!!tEPqcqcWp>Wb!#^(H84R-XL&?7L`6tfH%?SiN=HFxbwO1@b#8S* zbxwIlGzv##dNDyrNl#)qXDe|pHc(JVOEyt!P)JH?GEHz!Gb>VTXL&btT5xDMYYHts zAaiqQEoEdfH8n9gAbMz4M@V-dbvROSZcH^dF;{C+Z*FQ#Gk;oYa5hT)HO-6P_ zQffI%Q8O`EXJ|w?3PWRdSa)T4W^gq&Fi|U2PflS-FitjNHF`lcL{v{pZ%->#Vp2m( zZg@9m3N1b$b8~1dWn?lnH8D9LYffruPEjCmNqIGRc{OV?V>fwaZFE+1GC6riSZ-x( zR!Mg_ykdF_Z{_l8EaZgYOY^-$KNWn}1|uUBiKIdaW{9!rd~_V-fvf})LJrwB~}KKvKfj7knk1@v_bh2;*J$y`u)wzWu5P=R&t+2dk0cOmT?7O zZY@3?qvZk&(EKqqV`MY){%oBo=mNGb&CGw{%9HxKX#f%*`Ob?o;@jT>D@+7t5_`G2S+%opS@DT>xqtRCe)%xx zawR!0VRzUHU0L*8H~#;O z?tgM$bh0Jp0bfnq41&Bs5U_HPc}$u1lP?E>=nUY_WD()I{a{~>08_Wvv*5+mx#~4g z`?ri>0Fdujcu(f=_)#0TV90ersf^)n8*UoSUOM;PyYAjk@J@Mc7yK8`oV8pZr2PHzutzGWx7o#T^ks2fdoeKW`AJ) zN}V+m#ERC<+OY{S&T0c3p+VN3y~4>_k49bZP`cTwgWDd$|K)`#G2s{0I97L&fFK~O zpk(|#Hrt#(xV=acIK6W8jz@EvNnd+t3G&KQgv)u-1^}oWKBG|?+;_n?+7dWJ=34*B zz%nPV)5W=li$ghaQ%P3DoQxA;#(zZQS*s8*pKtpYI3&IB$LI+Kl`D6?C$(z=9EFK@ zs2FHcPdaJG?pu7CJ4qf9P+B(AHqd((L}^39a7F`uooIP0I2Cm8pyM}b_zXWQAZ%=+ z)Mn<93Lji*M!-b5+s+o5VGCNTe7;bUVZ5$w`P>oqxc>u1KH=e&2%qZUGJmY2ci|nP zL_qtyB@{*~GDrOonJi%s*uJV)mE;2OZvw~EZzEArTwc04vh+b2n$rOUX~a#wEFI|q zF$^an?^2yTQ1D{7Mkx4KJu+og(mCO$ZW|vB1Pi0R*5M(U39Z9^lFnu4-3K~SWER!B z3<=qwQrBQL=3ADoB}6vAO+}kt4M$EU_JQWw;vvZq>U0QCDyKze6tg-k`CQHbTj|R! 
mE~n=!tw-76<$2N+F&pqzQmG`+1(YsY*Nx|{3( delta 1262 zcmVEkVnb3wWJ!2pLsM!mI8D0F$G-7OXC(2KRB``AimaD2YRh!txCs4WVyV`9b}EUFj*@b z?d~X<3Ed-lrGN6YUTYG~gcV+owT7{N+B`?3LVcC)i-tO?WGnebQ3+KTjN4+9H0+Ws z_ybm4HBMB&=dd}8Ag}s!l;9Q>H>Lf1j zYUPt)Ck~sE6`~CcruH)DwjK=M=~exnV*sDwBFIxSLw{}H2Tl}MuL*&fzpgZ1S@VKf z1NyBObZV z1;h4qcjny_sYRQW4NR=oSjEI8gwal?o25n}>$!CPh+P&hXx zB^@=4;*Cvt?ufH%evaGvlOD_b2@+@boY2Is^MW?k7=Ens6-d_TNamGJq`3>d2vR&0 z>u}x&vU0iKwrum!M1-oRAK~n&2&c<8E5cZ4$h+*8*M@6LviyhNO%D>ver3svAjUNK z#eY~&dufn-Y04o4e`*BzTt&=lhHc6*GlACUaGr2${}8>o`)gG$33IUYCUK?g7ZSX0 za|trdj!;q!8o81-j_bp{7X(RMGi+$#F9ZeyP}zt~2_C-1LTv;e3@H<--;1?PK3-9~ z)F=)bnKq$3a0bGrS6oWGIR2XO={Bk!F@IAP%+~=M8&BxiJwqGIgK{w+sH2ML`2UAE zl9EL0SZHozj3I_4$9A&p$Y+I1U(xQ55I{|vtM!-@i9#uz1eea8ITd4PZ=*A7p>(`N zin!)Ww^MEa&|3wn8TJ4ZtHogibMsp4+nrsonc5ZXRNOTvB$KWKnhNZoe9~|T2!B^Z zSQm#r%q>&-v=gx@T=z9@G>&eUpye&&nw+}m11`7bPR|w;wnM>2qe`sy>PEeeT=nP^ z5u{MFdTzP2v+-x;q-fxp>pu52fg?Q`K8wJY$XLXOorRloaT$QknVti@mN9Jxr~Yvi zCf8Fw#EO7DC;`#t_$pj2QZ{~O8D|B-He?Y6Tx)Oi9sfkEpVWc{6p`-S#;ww*I8C6W zDQZOco}I}OkgzT+z|ltZs%MdMn=*H0ZtA5|WF0dOSxZbL3HtHektin53q_>G^JN-X Y)Fs#-=^toZhJcm?ewDmv?F4WT`JqKk8vp ssh-ed25519 GWuf0Q PZ9afqz3THF8vuV1bBzKU2QQ5j0cA7TriznFu1/eF1Q -sk8JAVRjCyhjjkebWtqJaxoacxiYSdir7w9Ep9ch0/4 ---- lBViOk0i5qkicV2kqyGSI/fiEjtyrGqKAoUIzz3V9lQ -8"V !yYK}{/LD;?g9p;u||"OӋrk#"W,p$7x砾Z~V;Խ߉mg \ No newline at end of file +-> ssh-ed25519 GWuf0Q Mr94MtZjrZxrlA7IoiyDQmup8YiALGJqmf0A4JTUNUo +y3Y+XaXPyGgAR0a48s0IKvAugOdeEIuRpWv7pacJxWw +-> ssh-ed25519 zhVGHw MhDh4XhG85MU4J8VmR4/mhQOPF9KQFGcytrH0CFaYTQ +9F5HgLtxP8fB7kQYjRxjFnoGL6+Hpa+/+QAiByJuPg0 +-> ssh-ed25519 kNjiNQ CnJ2jD2dbyixR0mBPu1ZjX3Ms/jDxkPQs03O222PN0U +MkcCN9OVhcdI5ReVAR/uW+bX3kNNBBPR7YI0DygNr1I +--- KzWsU/aTm7iuKmC9P5al90irn7+yvJSC6Z4jPd9uzhI +RlIW{>IVlua;hD4 J.;U·v~>EjY {oXnV(Ua׸& Oi4+I| \ No newline at end of file diff --git a/secrets/nomad.d/consul-token.json.age b/secrets/nomad.d/consul-token.json.age index a652390..e7d123a 100644 --- a/secrets/nomad.d/consul-token.json.age 
+++ b/secrets/nomad.d/consul-token.json.age @@ -1,5 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 GWuf0Q BbOx6cx+uu2ortgM+FKdQ58Mq/88oiilwQG4H9omY0c -yfQ092ZhIXDUfRK/1McsaKo3RnGvbmjtZcU1k769GX0 ---- ddjUdGmBLlYX2jY3FuEr11FudpoSP+gI+0PxIsJ1BZo ->_F$j?.Eg %kmǑ9/zf&g*VG^.ȖT^H۷>p$+EqP&muLJqʢfvOnHWc8Mnlp j'xI'| \ No newline at end of file +-> ssh-ed25519 GWuf0Q xVuLRTTmTLzFJKyh9RIdq0ZEgoIc6lQs4TlQ9ypb6As +TtblfYeBV1RpE8717ShUFh2wLmM5K5PviOVr0EyG4Qk +-> ssh-ed25519 zhVGHw hD2BDVwJMT1nQKvqFU04ih71pFhweIXK9+gk5KzbfGY +KmyxI4yLdlnbvAbENN9bLHFNpB8Hz6EVCLeQNsaHEho +-> ssh-ed25519 kNjiNQ 0WpE6n5Cu0F/r0LOpWV8DKtx90xssu6rA706/D0I+Q0 +nCSLiH6A5jsne2Z4tLq05EA3FDYThPvavJqtn4LfO5I +--- qtwiXJDiyOdy3XRMZLdwEWdDkpHVn+COhqmHR86cDJM +30lިUȻǒ-BfuZ#.^qTyi8=\e'YKЯɸ)g Sv7["&.Hݷ8] xg_j #BJg+GCD. \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6109110..f059f09 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,14 +1,28 @@
 let
 id-reykjavik = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwwpKfxNmUyBoPZqz1jYc6arCdHPvJrEsBN49m/P3By";
 id-hvannadal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICy1ocZywBvFHpIj+FvaC7QspRWuLXjy6fwakq9t+0Ev";
+ id-thingvellir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEIvWEwYayFK8iRb4g2+cnQXlqiMBu3aWxTahXkaCNG7";
+
+ # --- Host lists ---
+ # Since we want to be able to manage/edit all secrets from reykjavik, we create helper lists that
+ # always contain reykjavik
+ reykjavik = [id-reykjavik];
+ thingvellir = [id-reykjavik id-thingvellir];
+
+ samfelag-hosts = [
+ id-reykjavik
+ id-hvannadal
+ id-thingvellir
+ ];
 in
 {
 # -- Consul -------------------------------
- "consul.d/gossip.json.age".publicKeys = [id-reykjavik];
- "consul.d/consul-agent-ca.pem.age".publicKeys = [id-reykjavik];
+ "consul.d/gossip.json.age".publicKeys = samfelag-hosts;
+ "consul.d/consul-agent-ca.pem.age".publicKeys = samfelag-hosts;
 # Agent tokens
- "consul.d/agent-token-reykjavik.json.age".publicKeys = [id-reykjavik];
+ "consul.d/agent-token-reykjavik.json.age".publicKeys = reykjavik;
+ "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir;
 # -- Nomad -------------------------------
- "nomad.d/consul-token.json.age".publicKeys = [id-reykjavik];
+ "nomad.d/consul-token.json.age".publicKeys = samfelag-hosts;
 }
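Review bot: `"nomad.d/consul-token.json.age".publicKeys = samfelag-hosts;` makes one shared Nomad→Consul token decryptable by every host, so compromise of any single node (or of its host key) yields a token that is valid cluster-wide; the same hunk already models Consul agent tokens per host (`agent-token-reykjavik`, `agent-token-thingvellir`), and the Nomad token would fit that per-host pattern just as well. `samfelag-hosts` also includes `id-hvannadal`, which now gains the gossip key, the Consul agent CA file and the Nomad token even though no hvannadal host is touched by this patch — if that machine is not running Consul/Nomad yet, it is being granted decryption rights it does not need. Note too that re-encrypting for new recipients does not rotate the underlying secrets: the gossip key and tokens keep the same values that were previously decryptable only by reykjavik, which is fine but should be stated in the new comment block, e.g. `# Rekeying adds recipients; it does not rotate the underlying secret — rotate separately if a host is retired.`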
diff --git a/secrets/ssh-keys/id_thingvellir.gpg b/secrets/ssh-keys/id_thingvellir.gpg new file mode 100644 index 0000000000000000000000000000000000000000..976d25711df1087468fd5e0800414b667fb1791e GIT binary patch literal 462 zcmV;<0WtoBUIRi%8(({=gohFV2S8Yi7pNP41r;8wNZ?=Q|CaJ}gte;^8a{bT4^7o> zz$Gvxam4Z*M*^-hS_!Urek&1QsAI4`J_F#PqQJ0d`dEH7v>QNhoIdB#uN6~hf`pmW zz^efX0uV~IUq?UWX8wqNkoaUlGrw-xNi_>NH&a>fEQ9nezl0~UO-cC^EzKZ2{zQit zTe{-gVy z+xM|~0@8mtg50vt@<`Ot%-v4_pX3qumW(j8pdbQa%i7nl@00*Cg?1j6(5=VoV4@T24cBlYKo^quUo3}MBFNo^(5`#>Yr{E? zRjJiOvi;iz>0AsqY(p$w_?g8lwXpC0SlB*H-ZrU2jJsyBS?hiVA z1)bg6lOX{~f#47UMMHS>)yz8Q5D)MhX%B-!c|p$XpdRoQp-HWc>WwdlZtaDd-XQ~* zFrh_8ThD%Q(r?$k^rZuxsq8{0(^xz;;4%-7d1?^njmn<%e(&G*H<1ocgI(7VNzjSn EqfZFj