diff --git a/.sops.yaml b/.sops.yaml
index d37f814..d005846 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,5 +1,6 @@
 keys:
 - &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+ - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
 - &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
 creation_rules:
 # Global secrets
@@ -15,3 +16,9 @@ creation_rules:
 - age:
 - *user_danio
 - *host_jokum
+
+ - path_regex: secrets/ildkule/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *user_felixalb
+ - *user_danio
diff --git a/flake.nix b/flake.nix
index 772f4f3..75d91d2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,6 +30,14 @@
 inputs.matrix-next.nixosModules.synapse
 ];
 };
+ ildkule = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit unstable inputs; };
+ modules = [
+ ./hosts/ildkule/configuration.nix
+ sops-nix.nixosModules.sops
+ ];
+ };
 };
 devShells = forAllSystems (system: {
 default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix
new file mode 100644
index 0000000..a4259c9
--- /dev/null
+++ b/hosts/ildkule/configuration.nix
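Review bot: The new `secrets/ildkule/` creation rule lists only `*user_felixalb` and `*user_danio` as age recipients, so no key held by the ildkule host can decrypt `secrets/ildkule/ildkule.yaml`, yet `hosts/ildkule/configuration.nix` sets that file as `sops.defaultSopsFile` and expects to unlock it at activation with the host's ssh host key or `/var/lib/sops-nix/key.txt`. The encrypted file added in the `secrets/ildkule/ildkule.yaml` hunk carries the same two user recipients only, so activation on the host cannot succeed as committed. The existing rule above pairs `*user_danio` with `*host_jokum`; the new rule should follow it with an ildkule host anchor, e.g. `- &host_ildkule <ildkule age public key, placeholder>` under `keys:` and `- *host_ildkule` inside the new `key_groups`, then re-encrypt the secrets file with `sops updatekeys` so the host recipient is actually present in it.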
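Review bot: The new `ildkule` entry refers to `sops-nix.nixosModules.sops` as a bare name, while the jokum entry directly above reaches its extra module through `inputs.matrix-next.nixosModules.synapse`; whether `outputs` destructures `sops-nix` is not visible in this hunk, and if it does not, evaluation fails with an undefined variable. `inputs.sops-nix.nixosModules.sops` works in either case and keeps the two host entries consistent. The enclosing `nixosConfigurations` attribute set starts outside the hunk.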
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+
+ ../../base.nix
+ # Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
+ ];
+
+ sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "ildkule"; # Define your hostname.
+
+ networking.interfaces.ens18.useDHCP = false;
+
+ networking.defaultGateway = "129.241.210.129";
+ networking.interfaces.ens18.ipv4 = {
+ addresses = [
+ {
+ address = "129.241.210.187";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.interfaces.ens18.ipv6 = {
+ addresses = [
+ {
+ address = "2001:700:300:1900::187";
+ prefixLength = 64;
+ }
+ ];
+ };
+ networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+
+ # List packages installed in system profile
+ environment.systemPackages = with pkgs; [
+ ];
+
+ # List services that you want to enable:
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+
+}
diff --git a/hosts/ildkule/services/nginx/default.nix b/hosts/ildkule/services/nginx/default.nix
new file mode 100644
index 0000000..03f3687
--- /dev/null
+++ b/hosts/ildkule/services/nginx/default.nix
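Review bot: A static global IPv6 address (`2001:700:300:1900::187/64`) is assigned to `ens18` with DHCP disabled, but only the IPv4 gateway is set, so the host gets no IPv6 default route even though the nginx module added in this commit lists that address in `defaultListenAddresses`; add `networking.defaultGateway6 = { address = "<ipv6 gateway, placeholder>"; interface = "ens18"; };` next to `networking.defaultGateway`. The sops block configures two host identities at once (`sops.age.sshKeyPaths` plus `sops.age.keyFile` with `generateKey = true`), and it is not stated which of them is supposed to be the recipient in `.sops.yaml`; a comment such as `# decrypt with the age key derived from the ssh host key; key.txt is generated only as a fallback` would make the intent checkable. The sentence inside `imports` about `users/default.nix` reads as an open task and would be clearer prefixed with `# TODO:`.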
@@ -0,0 +1,22 @@
+{config, ... }:
+
+{
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "danio@pvv.ntnu.no";
+ };
+
+ services.nginx = {
+ enable = true;
+
+ defaultListenAddresses = [ "129.241.210.187" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::187]" "[::1]" ];
+
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/secrets/ildkule/ildkule.yaml b/secrets/ildkule/ildkule.yaml
new file mode 100644
index 0000000..805423a
--- /dev/null
+++ b/secrets/ildkule/ildkule.yaml
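Review bot: Nothing in this commit imports `hosts/ildkule/services/nginx/default.nix` — `configuration.nix` imports only `./hardware-configuration.nix` and `../../base.nix`, and the flake's `modules` list holds only `configuration.nix` and the sops module — so nginx, the ACME settings and the 80/443 firewall openings have no effect as committed. If the module is meant for this host now, add `./services/nginx` to `imports` in `configuration.nix`; if it is deliberately staged for later, a comment at the top of this file saying so would stop the next reader from assuming it is live. Once imported, `networking.firewall.allowedTCPPorts = [ 80 443 ];` exposes the listen addresses publicly with no `virtualHosts` defined, which is worth a comment stating that the vhosts follow in a later change. The `config` argument in `{config, ... }:` is unused and the header can be reduced to `{ ... }:`.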
@@ -0,0 +1,39 @@ +hello: ENC[AES256_GCM,data:MmbRxfMJf9sbqseEeSWnlGI1/4zmAdlb8ZxWCvOttJ3OlYe4Nng46SCtcSDOQA==,iv:KiD5smLGdIbMg62Q+h/9Gz7ROMdOe2CA02na/f081FM=,tag:tjdO1AzwvQWFR+JGuy4PQg==,type:str] +example_key: ENC[AES256_GCM,data:yAaiu+Rpb4377U8YIQ==,iv:OE4cpTlEVNE73y6bc5TGQvAnYU8P2c2hqnMFxzL0PHI=,tag:G7D5TJdEA+F9UwaIFKC0KA==,type:str] +#ENC[AES256_GCM,data:sGYwXL05D45kmWboJUPzjg==,iv:4nOP8F7kGGl6HhuV5Jxjol12pc3f6UO+pp+IcgUrjGU=,tag:tIf9ozHCOBeDprjEv98F1Q==,type:comment] +example_array: + - ENC[AES256_GCM,data:UQ5w4scNH8E49iQo7gM=,iv:dLT/JlTWvscnYre9g9s3YgznNuvdWDyOFozxW50zdWI=,tag:jqtV8Ebfm4Y4ayIIuYGoeg==,type:str] + - ENC[AES256_GCM,data:Zfm0FeuICoe4mrSoMRM=,iv:I/IakhKYtIclPQBA8nuAouuGylzCR/RbQLSWNWBQZYs=,tag:V1/WomLShKX0yaXkBQW0rQ==,type:str] +example_number: ENC[AES256_GCM,data:9wZEFB7/jOt11Q==,iv:5RVyKZe3D9BgRDDMsxUsMMKdVA5B3Ekm2G4WWt/1EuY=,tag:MSIbensfrWKU1d/XbcNtvg==,type:float] +example_booleans: + - ENC[AES256_GCM,data:LLg+sA==,iv:WQSKdlEaQCjdrsSYz0P+pdRD/pl3QMa01d8XV/EZUzY=,tag:QIH98LcUyPXDvs36XPbyxA==,type:bool] + - ENC[AES256_GCM,data:9ZQqdg==,iv:wWRmZ0nQg76sAKiPfGUX0KG/p41VnTc1wmANv4Wt2+w=,tag:3vmvuMDTZSEeZBpAE2soAA==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM2RidW9wYUVHWHhFTmM1 + c1BIazd5MTRMU3dRNEFyWHIxMzhNL21VNURZCnkzKzNNbXgrcmJtNFZjSHQyWHN1 + aEpjV1dQVmJTb2F5YXJWazMxTmJUYTAKLS0tIDNRUVlTR1p3eEtRYkVMcjlYS3Ir + bWhUaDA1eTJRTGpEb3FmSTlPTFY4c3cKrrQcomMURB9dqT+aAkWbFMzMqB3AIvEl + t9Fd5puhhto5/SInssCxpH1p4kbqQZWMfDqE+eFFs2whDVuoiM/Tlg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNkllWlY4L251Z29qOEVX + Vmh2YU5BNVhwbXhDaEpYcXoxY0hCOHhPYXdNCjROQ2piWFQ2MWYwbnF4cFdKS0tv + 
dFUveEsrQVRpT1REQ0hib1pla2R5RkUKLS0tIFJOSXNaZitxbWk1cHNGc1k0Zk9m + NHU1elF3L2ZRZlVJZTdZU01qNER4a1EK+pvM24FDok4lbbailCspaA1vsZrtsumH + c8uHITgStobUmdqsdv9ta8gpar0nZ66N0kztyhW15sJh1vZY8Guxxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-17T20:25:20Z" + mac: ENC[AES256_GCM,data:KKo9xz6vQHKH6tIiU9cTA4ngwbyqeX33QwvJq5dDCJlEDm5CA+akD5Wsqyp+rGuIjiIDi01eRUONA0YRG4DcmmcRWlnmA9hrBfRWJKtV/0gR+yeYCuY95J9twu3pbOODCyMdcLJqB0tLmyqWGHowNk+mIhEw/a+kxZX+kiB8ilY=,iv:3uHmBVnuaTvnNbdtii++8FzFS7SrsO2inTBtzXmhBhU=,tag:OqpHlELdpn6mlUB544HdmA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3