From f58e9687560d1f4afd47bdd8ca7c8df13892731d Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Sat, 26 Feb 2022 16:09:12 +0100
Subject: [PATCH] Add various changes
---
 config/common/services/ssh.nix | 5 +-
 .../hosts/grondahl/data/secrets/secrets.nix | Bin 961 -> 1045 bytes
 .../data/secrets/ssh_host_ed25519_key | Bin 0 -> 421 bytes
 config/hosts/rudiger/configuration.nix | 1 +
 config/hosts/rudiger/data/secrets/secrets.nix | Bin 370 -> 454 bytes
 .../rudiger/data/secrets/ssh_host_ed25519_key | Bin 0 -> 421 bytes
 config/hosts/wind/configuration.nix | 123 +++++++++--------
 config/hosts/wind/data/secrets/secrets.nix | Bin 946 -> 1030 bytes
 .../wind/data/secrets/ssh_host_ed25519_key | Bin 0 -> 421 bytes
 config/sources/nix/sources.json | 24 ++--
 10 files changed, 77 insertions(+), 76 deletions(-)
 create mode 100644 config/hosts/grondahl/data/secrets/ssh_host_ed25519_key
 create mode 100644 config/hosts/rudiger/data/secrets/ssh_host_ed25519_key
 create mode 100644 config/hosts/wind/data/secrets/ssh_host_ed25519_key
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index 2a918d9..a454669 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@@ -1,13 +1,14 @@
-{ ... }:
+{ config, ... }:
 {
 services.openssh = {
 enable = true;
 permitRootLogin = "no";
 passwordAuthentication = false;
 challengeResponseAuthentication = false;
- hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
 kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
 macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
 programs.ssh.knownHosts = {
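Review bot: The new `hostKeys` entry reads `config.secrets.files.ssh_host_ed25519_key.file`, an option this common module neither declares nor imports, so a host that pulls in `ssh.nix` without a secrets module defining it fails with a bare missing-attribute error instead of a message naming the requirement; a comment above that line such as `# Requires a host-level secrets module defining secrets.files.ssh_host_ed25519_key (see each host's data/secrets/secrets.nix)` would make the coupling visible. Whatever module backs `secrets.files` must also install the key readable by root only before sshd starts, which cannot be checked from this hunk. The diffstat lists the three new `ssh_host_ed25519_key` files as 421-byte binaries next to the binary `secrets.nix`, which is consistent with the secrets directory being encrypted at rest; if it is not, the private host keys now in history should be treated as exposed and rotated. Unrelated to the change, the `macs` context line lists `hmac-sha2-512-etm@openssh.com` twice and the duplicate can be dropped.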
diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix index 2b87a11d869139930add82ebfe871e322cc9bcd0..1feacfcb4006c08b8c5ba2be61bdb614710fe5b0 100644 GIT binary patch literal 1045 zcmZQ@_Y83kiVO&0;E|bq@vkoH&W01|`OHG;s~S2}q%F^_+|6GY-?bvzFD)$p`~&^Z zQ+hUjnJX6_@y)2q+GnV`A?xo^~MiTd$fN%5y(*!jK`Gn1_|AKGKE7Rh zgs)v&Q8au>M2zyrLq%HkR_hOK4DACC7(wtH5J{kow)W#ZBO zJC5D%w#k}(G5+3e#r8P4H8DD@@@o435_|8BZzI{U)g$LEWxCthlt*d3A8 z_RIc3K=UR?F_W768ns1l(wSH+ik_@^ELgq3biL=FL$l_ePycX*Y1{2}2RFLx`?*Rn zQBQGFd#~Db-Hf?X@-*jtP{9>u5 zhTEKPeqZ>xz4QFL!~e75?(Mi+*z;q_w>b~gSI=~ zp73i2%N_gXkS$x77CgG$&3NGnYigd&B6W$@g`(3xZrs-J`$o3aY8U61UiV#YnCkJF)LyrMH3qw8cF(%N^g~sSt?!8OS&w(Wx4vCpaW1M` zTWguD;gP4gm!I$4!)V!7!M~!yEpU@wW02F2e`2RJA}IEPB@!YmOxmX(iq{(Emc5Wb;VTUBw%l^iwIviXGtCX?3x zis;BWZz8tc{eP(?E3B=z3t?mU*?=ax0c@QIu^I`o7y^_QiX4xE*vEYciu*|e4NmHKuP-2Wa{K{9$=yT&GzBvpgZ4VcGXrI}V zB6+8ELiVO!;kmNsj|aBr|D54J+wXJvasP%!-)B+(7~Rwx$^=gTy7R5hp}YOXoGnM| z%C;~5Rr2G~Jthw3>r?kKOrPDYer_(Gbai3v9feJm%U73}URYLsCy6=yb@Qp1s1)H0 zIkl@vrm_C38g=Jq-|=q9jcELI??UgK>9W1fT(*XGoA+pD{S4;VZB#u8! znXz%Fd!_unUrAWsytVM4-rNEGt=22QzUisn zRydHibvnm_#qQl(_*ey0Zd|_AQRTQh!pZzhNHojlkA)r&Kk`jqz9ntRKK5zz&RogV z{P1nl+dx0oH`VM6b65XxnVhHa;Bf#0>-*Z9R^C5VjRS!rJ=1HBY6#xKy}SS}S{1-~DaXpZazGq8xc|Ci{Y0a(j!i ze*C{ZpX0<->j?KLMcw(;VFnpYsRxd%%UZWNAXvR|zSq?D#K4q~KV};SZ46+%wB8~r ztXhq=HSeEXX^x`_-`}!FS7fdA#i8mYP6>Jw(ns@|g~H%^DP&u{(FVwrL1nc|w-0}24+$=W4yDH+h?44OXGah|?PeDg!pgMTrGjsg>! zE?XU3z5bc(@0->7(SqGmdh0*hANwl6yyw6DtPI-=Vr%P6cAl}|>b@i$(Zuw_X!qe@ ziJV7QKNdW9lV!iC`RAQt7vo^X|HV20@X3TceUg=yIVa5F8oaMo_ zB1doipZ4=sv(Rcszm*5yw>LEHXPlIFrQ4hJr~8MEYnI2c2(~JI()Rt;dSp&TNs@w? 
zC|^aO#C|qr;i)Wtf9TokB<}9oAa~4+Z&qw`qD<<&uF30un0(Z})~B#&^{$h(mTM2q zj&0p^VN2!(-Yu%nrs;MGteyIAR;ps;7@ z=JOYytYQ{ymNS3i6?ngCncYSExoJuF^eT6W&HSg*mbrZIzM_e@YC5mHs5o=~@Q;?Q zZ|AU!XB-jizHhM5X@^7nj%X7;!y8r2HLGq`-F<)N%^VBQD`za7mu#6W>vJ)iBjh+^ zXzQdPZNp0sYpM1%`8N@tfYR#T^Z27gw z9c(XSxNk~Gh=uK#tDtw|zMOJSieHi4`{HwQH6{-zOOf)J$Gx5C8y41m->f literal 370 zcmZQ@_Y83kiVO&0xT(5&Hm}^j`e&7o%4M!x<2}SMd&Z$Rm8vt_=PtBy3BP@nxupB= z)Nj@wf3MyC(|+dSO~~bpa>qYS$Ng1gjrby?^7NvA8d?e)Z&n=6m9+oefv6xh%lcZaaOB>C0*X zpC=PqmYK)snrH5pv!1jmM78nK5p`+L2eaJo+UW|gpEmJN>{$ILtHWVWdT~<-+SopDgae`xU&EN diff --git a/config/hosts/rudiger/data/secrets/ssh_host_ed25519_key b/config/hosts/rudiger/data/secrets/ssh_host_ed25519_key new file mode 100644 index 0000000000000000000000000000000000000000..ed3dbe5e513859a91eee2a86f5754ed2db9ff8b8 GIT binary patch literal 421 zcmZQ@_Y83kiVO&0&=v|7z4ZFF)r<|(-*WF^wHFU=xxZCb@bM!C@29b8M(p}KcrC(h z97WB)vkJX>d$Cqnr0u#+Q(eg9<9_q^{xp%6jjZMjzwx`}b=Oo2E|V}*y$jn_u1c7E zQJ=fGdmEpRY)TMg$xgS`r;{0ELKU~wt1@1VY43Vz^S-2L26Ngk!%gaX4E&Z2-q%B! z+1D?W)4020varh6Tb2_J$#Z&5*}4B;sD!M1vf!F&4qFN@uV$J$&&Wj7nXOMcM^)+f zfAu-XgFU|8x^_qQE6?Kick@cPmZi$p6#Y26YK56d?6nn9%NM^m^LE7{6~Py!dwuc+ zb`+XCD%tR|QBUgZm*R)7JQKL5xl7cat~3qOdB1PHpG;=DKjY~et#5^Wqu$PVXUH}6 z?W<3_>iCnMtzM8Au9hBg&B}Rt)`I8xNoJdh<*SR_-iY375a+!W*>ly8E7B}#JzHAL zzJ2c^|G!Le5&nEd=5@l3w>@3%&K-u{QU{thSL;<5EZ=4+Dbji2^rL0w42yoAe0}8i h{I2!;6<0KUH8Y>bv-tAT0^K*!PwrZO*&yq88UR8w#b5vc literal 0 HcmV?d00001 diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix index 2e4c450..b909657 100644 --- a/config/hosts/wind/configuration.nix +++ b/config/hosts/wind/configuration.nix 
@@ -1,75 +1,74 @@
 { config, pkgs, lib, ... }:
 {
- imports = [
- ./hardware-configuration.nix
- ../../common/services/ssh.nix
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/services/ssh.nix
 ../../common/users.nix
- ./services/acme.nix
- ./services/coturn.nix
- ./services/nginx.nix
- ./services/postgres.nix
- ./services/synapse.nix
- ./services/ttrss.nix
- ./services/gitea.nix
- ./services/restic.nix
- ./services/vaultwarden.nix
+ ./services/acme.nix
+ ./services/coturn.nix
+ ./services/nginx.nix
+ ./services/postgres.nix
+ ./services/synapse.nix
+ ./services/ttrss.nix
+ ./services/gitea.nix
+ ./services/restic.nix
+ ./services/vaultwarden.nix
 ./services/wireguard.nix
- ./data/secrets/secrets.nix
- ];
+ ./data/secrets/secrets.nix
+ ];
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
- boot.kernelPackages = pkgs.linuxPackages_5_10;
- boot.supportedFilesystems = ["zfs"];
- services.zfs.autoSnapshot.enable = true;
- services.zfs.autoScrub.enable = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ boot.kernelPackages = pkgs.linuxPackages_5_10;
+ boot.supportedFilesystems = ["zfs"];
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.autoScrub.enable = true;
- networking.hostName = "wind";
- networking.hostId = "929e7fb7";
- time.timeZone = "Europe/Copenhagen";
- networking.useDHCP = false;
- networking.interfaces.ens3.useDHCP = true;
- networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
- networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+ networking.hostName = "wind";
+ networking.hostId = "929e7fb7";
+ time.timeZone = "Europe/Copenhagen";
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:34cb::1"; prefixLength = 64; } ];
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+ users.users.deploy-web = {
+ isNormalUser = true;
+ extraGroups = [ "nginx" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ iotop
+ dig
+ ];
+
+ nix = {
+ autoOptimiseStore = true;
+ trustedUsers = [
+ "root"
+ "@wheel"
+ ];
+ };
- users.users.deploy-web = {
- isNormalUser = true;
- extraGroups = [ "nginx" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
- ];
- };
+ # Use hetzner firewall instead
+ networking.firewall.enable = false;
+ # networking.firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
+ # networking.firewall.allowedUDPPorts = [ 3478 5349 ]
+ # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
- security.sudo.wheelNeedsPassword = false;
+ users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
+ users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
- environment.systemPackages = with pkgs; [
- vim
- htop
- iotop
- dig
- ];
-
- nix = {
- autoOptimiseStore = true;
- trustedUsers = [
- "root"
- "@wheel"
- ];
- };
-
-
- # Use hetzner firewall instead
- networking.firewall.enable = false;
- # networking.firewall.allowedTCPPorts = [ 22 80 443 3478 5349 ];
- # networking.firewall.allowedUDPPorts = [ 3478 5349 ]
- # networking.firewall.allowedUDPPortsRanges = [ { from = 49152; to = 49999; } ];
-
- users.groups.acme.members = [ "nginx" "turnserver" "gitea" ];
- users.groups.backup.members = [ "matrix-synapse" "postgres" "gitea" "vaultwarden" ];
-
- system.stateVersion = "21.05";
+ system.stateVersion = "21.05";
 }
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/config/hosts/wind/data/secrets/secrets.nix index 75790f5334b5fc708c3e04b172965785344026f5..5592aaf52288f4f30d9c3f15c700d2555915670c 100644 GIT binary patch literal 1030 zcmZQ@_Y83kiVO&0xOHJ>iTdyO=NGyD?za7vndqy-A#>L6m)H0Cxo;WDG(KI+*1Pv& zR)pe4n^x)8Cz{tMHQGNvCDs3c@pGV)+O2zS&VolThqh>o@o4_Oy)6ALUqFw%;Ea3H zCVpvWit04wORp?=yW?HKw;+?w8$G+8C;xt7{47X!s)s@E+v;;wWy+J}tq#0Aaeb|P zrNy$PSN=+8e7|C`Yl}jjLQciLzcW;|rGM}F(3;xGekSjM>6yNxdCxNrXW1QNPFt_^ zVK=K8cldW(1zi=r__RpLe;l+-1onn2Db*A!W&xr1tANBgu4`ss* z&84>*X2m9yIO!Zl}K8oK62^k!j@7cI|MZ0=GCVDV5w>oe%q-wLp(8*^-@FX z+w;$po}6x1x-ez6VBc!5{3G28sYa$*sr3&htcZ`$Sp9iXYV>^v=DQCZyh;r-6CRw} zJ8y;UvbQm_gbgp*KfUm%M2ss=di|!Y%$ujrk5g?d5p~PT-hGYhv(k)}M|tPu9p$(b zrt{=ttAwv}vBFf(iGCifiYHAXE_{CH&e`{Me_FyNhbjKdY~SV??3!(Mam#`2&(qiD zI%z+;TDsu;zy6zNCoPU*$zf%Be!}k4%{TwtUR+`+cvznm?(y=VqL+L4M+b-EzO*w> zSI&9T&2&ViA;dW?VP(lz!PNb3Jn|nO|A}IVGUq*Cao6xVGfRLq+oztbGx+WoPrJ96 z-+jy8B`P~I8%`*;E&u5!2M{jpp|L|ZgL*kmcWp(wrk8enXo(?o=PtVX{Fx`W zGS}@nca5XfwYgbAUq4xBX8&mkW1XCD5n5FaM&`~tZhn4NE%fNs4+f@4y%451*E2Q= zidL1k`2TEm71&v_@6F*=C;J#Dn@_8i*y6r#uii=V6~~m8t?@{|dctY(*oViC)QL|x*VDxyV@yBPx^vz(X8*!>UVDZe(;CMS?P^Q! 
zv-uZ#IAzxxyqa~vHT##o^uCY{YQ6dUgL3D(y$D#dQTfTGy;cTSw`zMVj!`(X-u@2QoT%VVzu6z7?#qR)kHUAHH(S5CM^s{QLGr1WV5V7il|gRvB>N{b zuYY#S-!AxM{d3#W)hWT+8u^PCJh<~}+5~U)2P+%C@2p8=&Jfp>V=r*eP1(`cGg+8J z_e7L;#7TzFwZ~;|f82V}!+6^Zhn9FrhW&>srX;>RAL%4HZEAw>!qvZ?zOP%cHLXtJ zp=528yzSKO4-55frvG3(lb_}`w|bQZYfsxYiDy4=cE_smUHE7;L*~Abz*L?qe5W4i zFUVRVXD@4~8S_TJeC>}s*HaRU>g3-A8gc$YH5Jt#L4!`hj;$To4I~UWy>y|I?jZ& zTQd&LkPTRU^2w`$G(K}bmeSqNf8F`x!8Wz#Nr>&SwuMW+zL0JGC_Xz){HRW==j@xx zZ7ui2*K8|w{3}u^|8nBxIR0~?OS+SsBxC-sXO2E^y2nM>`UJPNQ4Qk^S!O>+;XRfj zf=!mY2>qNh*)S;NH7H{*jQmA?5c5x1>Y;IL$w*L$7g zBYy6%+(E3Gh1c!S1YRXe&4<3*hyoxvujvoo2RLI=cpK{#R zL0*^BW2bt(8pmgIbGfENLfe#EqQ#51K3L!Jc&S0m-lxBpZd+m^=lYMUG&1N`;)Ui~ z)m;vYct7l#@nz;DhJbr7{ycDeote|U!$Hb{%b_gD!BHmR=Wdnr3HRFXCZ#?)BA&_9 zx!A|VN=Mq$H0VL(+3#V0U9TE`j+9+CWzoer$8TG;ZG)A3cAPi#6$uECs9F3!oO$g} h2EAu1FKbzpWiQroi7fHZzrWHrQJ?Y8{*M~#ngAyG%2@ya literal 0 HcmV?d00001 diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json index e00fe14..32b4231 100644 --- a/config/sources/nix/sources.json +++ b/config/sources/nix/sources.json @@ -5,10 +5,10 @@ "homepage": "https://github.com/nmattia/niv", "owner": "nmattia", "repo": "niv", - "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c", - "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm", + "rev": "9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a", + "sha256": "1ajyqr8zka1zlb25jx1v4xys3zqmdy3prbm1vxlid6ah27a8qnzh", "type": "tarball", - "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz", + "url": "https://github.com/nmattia/niv/archive/9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixos-hardware": { 
@@ -17,10 +17,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "46df95ca81e7e4cf3458cdb4b7d1714b5fce9da5",
- "sha256": "0rxff15a2z9hcs4xkaymdwgqlkjxvyyylcg66qhi23lia995f2ga",
+ "rev": "c361b954759195c2ac085fbbed5ad7d513e1585b",
+ "sha256": "0grx60c7qhidnna8d5i6mq4mymwpq8rlkrl275dgchv5yfy451js",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/46df95ca81e7e4cf3458cdb4b7d1714b5fce9da5.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/c361b954759195c2ac085fbbed5ad7d513e1585b.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
@@ -29,10 +29,10 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c6019d8efb5530dcf7ce98086b8e091be5ff900a",
- "sha256": "1havpwch8wkbhw0y2q3rnx4z0dz66msxb1agynrgvkw4qmm2hbpj",
+ "rev": "c28fb0a4671ff2715c1922719797615945e5b6a0",
+ "sha256": "1qzvhxcsxb6s410xlfs4ggcvm1xbbd4jrazy6cpxc1rkrxbyz0kk",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/c6019d8efb5530dcf7ce98086b8e091be5ff900a.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/c28fb0a4671ff2715c1922719797615945e5b6a0.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "Infinisil",
 "repo": "nixus",
- "rev": "817ef8a9a9e37e9fbf414507daaf8e477640e1c7",
- "sha256": "1lrns4lm7kskg7vcdw3m3kpwn669q7qbrmj8n24399ghr699v70h",
+ "rev": "60ea7eb5e18d58ac7742234855b7192112fd4049",
+ "sha256": "0c9jkhd6xmgaw2gzbcsf7k1p42sn8dyhla71x1bp902mnfdgjsxx",
 "type": "tarball",
- "url": "https://github.com/Infinisil/nixus/archive/817ef8a9a9e37e9fbf414507daaf8e477640e1c7.tar.gz",
+ "url": "https://github.com/Infinisil/nixus/archive/60ea7eb5e18d58ac7742234855b7192112fd4049.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }