Began provisioning a basic raspberry pi

- Added homelab module, currently set up only with grafana - Adjusted makefile remote to allow remote building - Hosts `authorized_keys` added automatically - Enable fprintd on my laptop
nikitawootten · Feb 28, 2024 · 650c121 · 650c121
1 parent 53fb5e5
commit 650c121
Show file tree

Hide file tree

Showing 13 changed files with 132 additions and 16 deletions.
diff --git a/Makefile b/Makefile
@@ -39,20 +39,24 @@ switch-nixos: ## Switch local NixOS config
 build-nixos: ## Build local NixOS config
 	$(call IN_NIXSHELL,sudo nixos-rebuild dry-activate --flake .#)
 
-# Default to connecting to the hostname directly
-ADDR=$(HOST)
+# Default to connecting to the host directly
+TARGET=$(HOST)
+# Default to using the local machine as the builder
+BUILDER=
 
 .PHONY: remote-switch-nixos
-remote-switch-nixos: ## Switch a remote NixOS config (e.x. make remote-switch-nixos HOST="" USER="" ADDR="") ADDR defaults to HOST
-	@if [[ -z "$(HOST)" || -z "$(USER)" || -z "$(ADDR)" ]]; then \
+remote-switch-nixos: ## Switch a remote NixOS config (e.x. make remote-switch-nixos HOST="" TARGET="" BUILDER="") TARGET defaults to HOST, BUILDER can be undefined
+	@if [[ -z "$(HOST)" || -z "$(TARGET)" ]]; then \
   		echo 'one or more variables are undefined'; \
   		exit 1; \
 	fi
 
-	@echo Rebuilding configuration for $(HOST) on target $(USER)@$(ADDR)
+	@echo Rebuilding configuration for $(HOST) on target $(TARGET) \
+		$(if $(BUILDER),with builder $(BUILDER))
 
-	$(call IN_NIXSHELL,NIX_SSHOPTS=-t nixos-rebuild --flake ".#$(HOST)" \
-		--target-host "$(USER)@$(ADDR)" --use-remote-sudo switch)
+	$(call IN_NIXSHELL,nixos-rebuild --flake ".#$(HOST)" \
+		--target-host "$(HOST)" --use-remote-sudo switch \
+		$(if $(BUILDER),--build-host "$(BUILDER)"))
 
 # Utility roles
 

diff --git a/flake.nix b/flake.nix
@@ -85,6 +85,7 @@
         "nikita@olympus".system = "x86_64-linux";
         "nikita@cochrane".system = "x86_64-linux";
         "pi@raspberrypi4".system = "aarch64-linux";
+        "nikita@iris".system = "aarch64-linux";
       };
     };
 
@@ -105,30 +106,40 @@
       configBasePath = ./hosts;
       hosts = {
         hades = {
+          # My home server
           username = "nikita";
           system = "x86_64-linux";
         };
         olympus = {
+          # Old server, unused currently
           username = "nikita";
           system = "x86_64-linux";
         };
         voyager = {
+          # My laptop and main development machine
           username = "nikita";
           system = "x86_64-linux";
         };
         dionysus = {
+          # My desktop
           username = "nikita";
           system = "x86_64-linux";
         };
-        # My GPD Pocket 2 mini-pc
         cochrane = {
+          # My GPD Pocket 2 mini-laptop
           username = "nikita";
           system = "x86_64-linux";
         };
         raspberrypi4 = {
+          # Generic Raspberry Pi 4 (bootstrap config)
           username = "pi";
           system = "aarch64-linux";
         };
+        iris = {
+          # My Raspberry Pi 4
+          username = "nikita";
+          system = "aarch64-linux";
+        };
       };
     };
 

diff --git a/hostModules/default.nix b/hostModules/default.nix
@@ -2,4 +2,5 @@
   personal.imports = [ ./personal ];
   raspi4sd.imports = [ ./raspi4sd ];
   dslr-webcam.imports = [ ./dslr-webcam ];
+  homelab.imports = [ ./homelab ];
 }
diff --git a/hostModules/homelab/default.nix b/hostModules/homelab/default.nix
@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+let
+  cfg = config.homelab;
+in
+{
+  imports = [
+    ./observability
+  ];
+
+  options.homelab = {
+    lan-domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The base domain of the local network";
+      example = "local";
+      default = "arpa.nikita.computer";
+    };
+    domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The domain all services will be deployed under";
+      default = "${config.networking.hostName}.${cfg.lan-domain}";
+      readOnly = true;
+    };
+  };
+
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    services.nginx.enable = true;
+    # Helper function to create a subdomain for a service
+    lib.homelab.mkServiceSubdomain = subdomain: "${subdomain}.${cfg.domain}";
+  };
+}
diff --git a/hostModules/homelab/observability/default.nix b/hostModules/homelab/observability/default.nix
@@ -0,0 +1,3 @@
+{
+  imports = [ ./grafana.nix ];
+}
diff --git a/hostModules/homelab/observability/grafana.nix b/hostModules/homelab/observability/grafana.nix
@@ -0,0 +1,35 @@
+{ lib, config, ... }:
+let
+  cfg = config.homelab.observability.grafana;
+in
+{
+  options.homelab.observability.grafana = {
+    enable = lib.mkEnableOption "Grafana";
+    subdomain = lib.mkOption {
+      type = lib.types.str;
+      default = "grafana";
+      description = "Grafana's subdomain";
+    };
+    domain = lib.mkOption {
+      type = lib.types.str;
+      default = config.lib.homelab.mkServiceSubdomain cfg.subdomain;
+      description = "Grafana's domain";
+      readOnly = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.grafana = {
+      enable = true;
+      settings.server.domain = lib.mkForce cfg.domain;
+    };
+
+    services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
+      locations."/" = {
+          proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+      };
+    };
+  };
+}
diff --git a/hostModules/personal/ssh-server.nix b/hostModules/personal/ssh-server.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, username, keys, ... }:
 let
   cfg = config.personal.ssh-server;
 in
@@ -15,5 +15,7 @@ in
         PasswordAuthentication = lib.mkDefault false;
       };
     };
+
+    users.users.${username}.openssh.authorizedKeys.keys = keys.authorized_keys;
   };
 }
diff --git a/hostModules/personal/tailscale.nix b/hostModules/personal/tailscale.nix
@@ -5,12 +5,14 @@ in
 {
   options.personal.tailscale = {
     enable = lib.mkEnableOption "tailscale configuration";
-    enableSSH = lib.mkEnableOption "enable tailscale ssh";
   };
 
   config = lib.mkIf cfg.enable {
-    services.tailscale.enable = true;
+    services.tailscale = {
+      enable = true;
+      # If SSH server is enabled, enable tailscale ssh
+      extraUpFlags = lib.lists.optional config.personal.ssh-server.enable "--ssh";
+    };
     networking.firewall.checkReversePath = "loose";
-    services.tailscale.extraUpFlags = lib.lists.optional cfg.enableSSH "--ssh";
   };
 }
diff --git a/hostModules/raspi4sd/default.nix b/hostModules/raspi4sd/default.nix
@@ -1,4 +1,4 @@
-{ nixos-hardware, modulesPath, pkgs, ... }:
+{ nixos-hardware, modulesPath, pkgs, lib, ... }:
 {
   imports = [
     nixos-hardware.nixosModules.raspberry-pi-4
@@ -19,7 +19,7 @@
   };
 
   # bzip2 compression takes loads of time with emulation, skip it.
-  sdImage.compressImage = false;
+  sdImage.compressImage = lib.mkDefault true;
 
   # HACK for missing kernel module "sun4i-drm" causing build failure
   # More info here: https://github.com/NixOS/nixpkgs/issues/154163#issuecomment-1350599022
@@ -29,4 +29,9 @@
         super.makeModulesClosure (x // { allowMissing = true; });
     })
   ];
+
+  # Sane default for a new raspberry pi
+  networking.useDHCP = lib.mkDefault true;
+
+  # nixpkgs.crossSystem.system = "armv7l-linux";
 }
diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
@@ -6,12 +6,13 @@
     self.nixosModules.personal
   ];
 
+  # This machine is sometimes used as a build server
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
   personal.zfs.enable = true;
   personal.docker.enable = true;
   personal.nvidia.enable = true;
 
-  personal.tailscale.enableSSH = true;
-
   boot.loader.grub.enable = true;
   boot.loader.grub.efiSupport = true;
   boot.loader.grub.device = "nodev";

diff --git a/hosts/iris/default.nix b/hosts/iris/default.nix
@@ -0,0 +1,12 @@
+{ self, lib, ... }:
+{
+  imports = [
+    self.nixosModules.raspi4sd
+    self.nixosModules.personal
+    self.nixosModules.homelab
+  ];
+
+  sdImage.compressImage = lib.mkForce true;
+
+  homelab.observability.grafana.enable = true;
+}
diff --git a/hosts/voyager/default.nix b/hosts/voyager/default.nix
@@ -19,6 +19,10 @@
   };
   systemd.sleep.extraConfig = "HibernateDelaySec=2h";
 
+  services.fprintd = {
+    enable = true;
+  };
+
   personal.gnome.enable = true;
 
   personal.networkmanager.enable = true;

diff --git a/keys.nix b/keys.nix
@@ -4,6 +4,7 @@ rec {
   nikita_voyager = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyxV6Jx53eFSFkl8z1yHOe0GYuG5SNCgf0s3nfJg/Ih";
   nikita_cochrane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK//BoiABsGP0THb282KhGU0hLqUM2biGCK6qRcbZcMB";
 
+  # Trusted users for decrypting agenix secrets
   trusted_users = [ nikita_voyager ];
 
   # Host keys used for decrypting agenix secrets
@@ -14,4 +15,7 @@ rec {
   cochrane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDG/GfRCnWYx7xhD0k8qxpzOYfVnhlsGiNIkk/TwHx2Q";
 
   systems = [ voyager olympus hades dionysus cochrane ];
+
+  # Keys used for ssh access
+  authorized_keys = [ nikita_yubikey_1 nikita_voyager];
 }