From 3566d19ba7691d4cbcde9f65eff8679917664555 Mon Sep 17 00:00:00 2001 From: Nikita Wootten Date: Wed, 25 Sep 2024 00:07:08 -0400 Subject: [PATCH] feat: Bootstrap new config for Oracle cloud server - Fix ACME issues causing DNS challenges to fail - Move agenix import to homelab module - Add initial password to main user --- flake.nix | 4 ++ hostModules/homelab/acme.nix | 2 - hostModules/homelab/default.nix | 1 + hostModules/homelab/media/default.nix | 2 +- hostModules/homelab/samba.nix | 8 ++-- hostModules/personal/user.nix | 2 + hosts/default.nix | 5 +++ hosts/hades/default.nix | 5 +-- hosts/hermes/default.nix | 16 ++++++++ hosts/hermes/disk-config.nix | 50 +++++++++++++++++++++++++ hosts/hermes/hardware-configuration.nix | 21 +++++++++++ hosts/iris/default.nix | 4 +- 12 files changed, 106 insertions(+), 14 deletions(-) create mode 100644 hosts/hermes/default.nix create mode 100644 hosts/hermes/disk-config.nix create mode 100644 hosts/hermes/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 124c00d..9e40ef7 100644 --- a/flake.nix +++ b/flake.nix @@ -66,6 +66,10 @@ inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs-stable.follows = "nixpkgs-stable"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { self, nixpkgs, home-manager, darwin, flake-utils, pre-commit-hooks diff --git a/hostModules/homelab/acme.nix b/hostModules/homelab/acme.nix index ddcfd18..7708220 100644 --- a/hostModules/homelab/acme.nix +++ b/hostModules/homelab/acme.nix @@ -29,8 +29,6 @@ in { certs.${config.homelab.domain} = { extraDomainNames = [ "*.${config.homelab.domain}" ]; - # This is intended to be used on a local network - dnsPropagationCheck = false; }; }; diff --git a/hostModules/homelab/default.nix b/hostModules/homelab/default.nix index 9f434c2..6eec9f5 100644 --- a/hostModules/homelab/default.nix +++ b/hostModules/homelab/default.nix 
@@ -9,6 +9,7 @@ in { ./homepage.nix ./samba.nix inputs.nix-topology.nixosModules.default + inputs.agenix.nixosModules.default ]; options.homelab = { diff --git a/hostModules/homelab/media/default.nix b/hostModules/homelab/media/default.nix index d3d293b..041590d 100644 --- a/hostModules/homelab/media/default.nix +++ b/hostModules/homelab/media/default.nix @@ -60,7 +60,7 @@ in { }; }]; - services.samba.shares = lib.mkIf cfg.enableSambaShare { + services.samba.settings = lib.mkIf cfg.enableSambaShare { media = { path = cfg.storageRoot; writable = true; diff --git a/hostModules/homelab/samba.nix b/hostModules/homelab/samba.nix index 4cfabe1..b036ba9 100644 --- a/hostModules/homelab/samba.nix +++ b/hostModules/homelab/samba.nix @@ -11,11 +11,11 @@ in { enable = true; package = pkgs.samba4Full; openFirewall = true; - extraConfig = '' - server smb encrypt = required + settings.global = { + "server smb encrypt" = "required"; # ^^ Note: Breaks `smbclient -L -U%` by default, might require the client to set `client min protocol`? - server min protocol = SMB3_00 - ''; + "server min protocol" = "SMB3_00"; + }; }; services.avahi = { diff --git a/hostModules/personal/user.nix b/hostModules/personal/user.nix index 6a298b8..969bb81 100644 --- a/hostModules/personal/user.nix +++ b/hostModules/personal/user.nix @@ -20,6 +20,8 @@ in { shell = lib.mkForce pkgs.zsh; description = lib.mkDefault "Nikita"; isNormalUser = lib.mkDefault true; + initialHashedPassword = + "$y$j9T$3DxK1nrBp3Xl2DHN8X97y0$19IRZEIoDdq.owYAW9MFataPDunzsyfWXS25aT3Am77"; }; home-manager = { diff --git a/hosts/default.nix b/hosts/default.nix index f8fd305..dd62a75 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -24,4 +24,9 @@ inherit specialArgs; modules = [ ./iris ]; }; + hermes = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + inherit specialArgs; + modules = [ ./hermes ]; + }; } diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix index bebf293..a54f420 100644 
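Review bot: The `initialHashedPassword` added in hostModules/personal/user.nix commits a password hash to the repository, and a hash in the NixOS configuration is also written into the world-readable Nix store, so anyone with read access to either can attempt offline guessing against it. Since agenix is already wired into this flake, the hash is better delivered as a secret, `hashedPasswordFile = config.age.secrets.<secret-name>.path;`, with the hash itself kept out of git — note that hermes imports only the personal module, so the agenix import this commit moves into the homelab module would then need to reach hermes as well. `initialHashedPassword` only takes effect when the user is first created, so on hosts where the user already exists this line does nothing; if the intent is to set the password on every host, `hashedPassword`/`hashedPasswordFile` is the option that does that. For consistency with the neighbouring `lib.mkDefault` attributes, `initialHashedPassword = lib.mkDefault "...";` would keep per-host overrides possible.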
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -1,9 +1,6 @@
-{ self, inputs, config, secrets, ... }: {
+{ self, config, secrets, ... }: {
 imports = [
 ./hardware-configuration.nix
- inputs.agenix.nixosModules.default
- inputs.nix-topology.nixosModules.default
-
 self.nixosModules.personal
 self.nixosModules.homelab
 ];
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
new file mode 100644
index 0000000..29d96d2
--- /dev/null
+++ b/hosts/hermes/default.nix
@@ -0,0 +1,16 @@
+# Bootstrapped via the following command:
+# $ nix run github:nix-community/nixos-anywhere -- --flake .#hermes --build-on-remote
+{ self, inputs, ... }: {
+ imports = [
+ self.nixosModules.personal
+ inputs.disko.nixosModules.disko
+ ./hardware-configuration.nix
+ ./disk-config.nix
+ ];
+ networking.hostName = "hermes";
+
+ services.tailscale.useRoutingFeatures = "server";
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+}
diff --git a/hosts/hermes/disk-config.nix b/hosts/hermes/disk-config.nix
new file mode 100644
index 0000000..082a104
--- /dev/null
+++ b/hosts/hermes/disk-config.nix
@@ -0,0 +1,50 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ end = "4G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ end = "-12G";
+ content = {
+ type = "filesystem";
+ format = "bcachefs";
+ mountpoint = "/";
+ };
+ };
+ encryptedSwap = {
+ size = "6G";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ priority =
+ 100; # prefer to encrypt as long as we have space for it
+ };
+ };
+ plainSwap = {
+ size = "100%";
+ content = {
+ type = "swap";
+ discardPolicy = "both";
+ resumeDevice = true; # resume from hiberation from this device
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
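Review bot: `services.tailscale.useRoutingFeatures = "server";` in hosts/hermes/default.nix enables IPv4/IPv6 forwarding on an internet-facing cloud VM, which deserves a why-comment such as `# subnet router / exit node: turns on the kernel forwarding sysctls`. Nothing in the hunk enables tailscale itself, so presumably `services.tailscale.enable` comes from the personal module — worth confirming, since otherwise this option is inert. hermes imports only `self.nixosModules.personal`, while this commit moves `inputs.agenix.nixosModules.default` into the homelab module; if anything under personal reads `age.secrets`, hermes will fail to evaluate and needs the agenix import added to its own `imports` list.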
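Review bot: In hosts/hermes/disk-config.nix the `plainSwap` partition is unencrypted and marked `resumeDevice = true`, so a hibernation image — the full contents of RAM, including any secrets decrypted at runtime — would be written to disk in the clear, next to an `encryptedSwap` whose `randomEncryption = true` exists precisely to avoid that. Hibernation is rarely useful on a cloud VM; if it is not needed, dropping `resumeDevice` and giving the second partition `randomEncryption = true` as well (or folding it into the first) removes the plaintext copy, and if it is needed a comment should record the trade-off. The root filesystem is also plain bcachefs, which is understandable for a remote host with no way to unlock at boot, but a one-line comment would make the unencrypted-disk choice visibly deliberate. Minor: `hiberation` in the `resumeDevice` comment should read `hibernation`.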
diff --git a/hosts/hermes/hardware-configuration.nix b/hosts/hermes/hardware-configuration.nix
new file mode 100644
index 0000000..b234aff
--- /dev/null
+++ b/hosts/hermes/hardware-configuration.nix
@@ -0,0 +1,21 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }: {
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.tmp.useTmpfs = false;
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
+}
diff --git a/hosts/iris/default.nix b/hosts/iris/default.nix
index a15a0b1..b510220 100644
--- a/hosts/iris/default.nix
+++ b/hosts/iris/default.nix
@@ -1,7 +1,5 @@
-{ self, inputs, config, lib, secrets, ... }: {
+{ self, config, lib, secrets, ... }: {
 imports = [
- inputs.agenix.nixosModules.default
-
 self.nixosModules.raspi4sd
 self.nixosModules.personal
 self.nixosModules.homelab