nixosonsktrott WIP

.sops.yaml

@@ -104,3 +104,9 @@ creation_rules:
       - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
+
+  - path_regex: secrets/skrott/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *user_danio
+      - *user_eirikwit

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "dibbler": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1747505135,
+        "narHash": "sha256-kfDCvIbNKePKpJCXST2V1bwWHtsgFOL/E7DvQbBygsQ=",
+        "ref": "refs/heads/main",
+        "rev": "0844843e595be617f683fbc245c944edd2bc6aa8",
+        "revCount": 209,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -20,6 +41,23 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-utils",
+        "type": "indirect"
+      }
+    },
     "gergle": {
       "inputs": {
         "nixpkgs": [
@@ -211,6 +249,7 @@
     },
     "root": {
       "inputs": {
+        "dibbler": "dibbler",
         "disko": "disko",
         "gergle": "gergle",
         "greg-ng": "greg-ng",
@@ -265,6 +304,21 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -31,6 +31,9 @@
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
 
     minecraft-data.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-kartverket.git";
+
+    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git";
+    dibbler.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -159,6 +162,13 @@
           inputs.gergle.overlays.default
         ];
       };
+      skrott = stableNixosConfig "skrott" {
+        modules = [
+          ./hosts/skrott/configuration.nix
+          inputs.dibbler.nixosModules.default
+          sops-nix.nixosModules.sops
+        ];
+      };
     };
 
     nixosModules = {

hosts/skrott/configuration.nix

@@ -0,0 +1,27 @@
+{ fp, config, pkgs, values, ... }:
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
+    (fp /misc/metrics-exporters.nix)
+    # ./services/dibbler.nix
+  ];
+  
+  sops.defaultSopsFile = ../../secrets/skrott/skrott.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "skrott";
+
+  systemd.network.networks."30-yolo" = values.defaultNetworkConfig // {
+    matchConfig.Name = "*";
+    address = with values.hosts.skrott; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  system.stateVersion = "24.11";
+}

hosts/skrott/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "hpsa" "ohci_pci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/31a67903-dc00-448a-a24a-36e820318fe5";
+      fsType = "ext4";
+    };
+
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/79e93eed-ad95-45c9-b115-4ef92afcc8c0";
+      fsType = "f2fs";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0f3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/skrott/services/dibbler.nix

@@ -0,0 +1,28 @@
+{ config, inputs, ... }:
+{
+  sops.secrets = {
+    "dibbler/config" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
+
+  services.dibbler = {
+    enable = true;
+    package = inputs.dibbler.packages.dibbler;
+    settings = {
+      quit_allowed = false;
+      stop_allowed = false;
+      show_tracebacks = true;
+      input_encoding = "utf8";
+
+      low_credit_warning_limit = -100;
+      user_recent_transaction_limit = 20;
+
+      # See https://pypi.org/project/brother_ql/ for label types
+      # Set rotate to False for endless labels
+      label_type = "62";
+      label_rotate = false;
+    };
+  };
+}

secrets/skrott/skrott.yaml

@@ -0,0 +1,41 @@
+hello: ENC[AES256_GCM,data:KRtCZhcS+LMV5oUivFDBjQo7m9XkaGbHKOW6N/SFRiyZA3eXSkVeltttUHhCrw==,iv:AXlyyW5gQvXu//jV/BVb79ASbKsfu5FFNnRmXNBbfg0=,tag:UVLWNgxtSFh4txCDWl5bPg==,type:str]
+example_key: ENC[AES256_GCM,data:7SpSse4uVUzCwCzbdQ==,iv:zUh9qk/T7LNOXMqToQozn2KeHu9HJtAKarU+Xb5xwi0=,tag:AyO1cflpYraiABPApfjL8A==,type:str]
+#ENC[AES256_GCM,data:NnvbBdwOv5xiqArBdyypGg==,iv:iFCVF8EL8xrKNaDcPOcWp65EoilnG0mN/ph/ZaafLS0=,tag:7pQcs8grVPZbbjr/tze4LQ==,type:comment]
+example_array:
+    - ENC[AES256_GCM,data:fd3mltqGVj7bXHEMmcY=,iv:wzTLHEgQ7bDfUlu01qtaU6fe8L1ZTqmDEBJYf1jttxc=,tag:53XJn1OdJBTEC2BvoSIG1A==,type:str]
+    - ENC[AES256_GCM,data:jZffrJgY0C0YuGIwxxk=,iv:PH+x0/4vm40w+YuCO3JlOqw5bdfaBT29m0YjKMRCFXg=,tag:rWSocVW9kimF5Dcs8lBuLQ==,type:str]
+example_number: ENC[AES256_GCM,data:lWYwd7RXk//H/w==,iv:lD62NqHV/o2QJft48l+0MSeoiGRQ1WFKDoD0sXUevqI=,tag:Ov8j/DqbFww27tDJhmaufA==,type:float]
+example_booleans:
+    - ENC[AES256_GCM,data:QEIQzw==,iv:sGfKE8VMl1uElsfG0Cip647jv/i1+eGE0UxgOM3i4uA=,tag:eWKw678aymRGa1fk8d7RSA==,type:bool]
+    - ENC[AES256_GCM,data:9czVwLg=,iv:OEKALhwOl0OcEJe+k9bhxxdZ/bNd/Xfcvrd40fwAwF8=,tag:CWBuPlcO9WgrSUb0BgfL9g==,type:bool]
+dibbler:
+    config: ENC[AES256_GCM,data:SVTe6MOansry+FKwdu3mDZna4vmu+UMwySfKrfImnGozLz2FYHLW+RvjWaRpa7aGInPfE/icYbSxbHrFIPcIGGlJHTKUlCqQ6km/qYh3UxggKGH1JeUEIgkyvgBXvofym8b5CzyfRXpm35fs+1Io7MWTpeDhmNVk1hVoIU/qR6o6NhOCeH00Gy3cqxCGqi4loJYa51BMNczcUMynwP/9lB2OOb7ogl2TbKXZOK2jwSDCTLJ8FrKcCtUcUnGqUp9VwgktxNrRtFwGohW2gAg2Oq2OR+00dpT2VS+gUtHabrcwft7ioZBmb7rrI4KxpJwG96CYqX90iQiltkwA57BqVByvaYhga4nwdVT48e76MIgBYcQX1WDolL8eEU5QPvhnbmU2mVjdD9SmapoHwBm2qM7LqmsMjqnH8ZHMdtETs6kzt227/QZdh7fc7kaIK1x3Lpxpl3whUMc+mrM8D9xFSjuyxSiF0h7tBH6H,iv:oGd6Dnw655bpwXjqW4niU5dN0RfUDY39hFfiiIc9vhQ=,tag:4CL6iqCiALp/k03Ju6OI/Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUlh2azlDTm9PRjJXQ2hO
+            MDlVbTdEN1RIVHkrbjIyY3pVVVlXY3M4eFNjCmJvZUNobVJHdnBhWjFHVVhmVVdX
+            aFloQVRyUXZsQ2g0bENQald6T2F3cEUKLS0tIGRuQjBXb2lzQnJQdDk0SzYwNUsx
+            SnhWdGZaTTVXbm4waW42ZUE0aWFtdDQKFLiRLCBHLAn43q7EPdc/mmQImltIsA5T
+            5ejVVvsva2wznc/pYvAeLb40yAwtszsNwH02SJ19WDz5wEARaQ8+8w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwd2w1YUtHaFZoNEFxMjF4
+            d1V2OFF4ZjFwNnpBWi9Cc3d1SHdqeVh4RDBzCmNLU3VWeVl4Z0ZPOUUvRjlsYzFZ
+            bjEwRlAweVcvME9nZTY1cmM4VHpXWVUKLS0tIHZJRjIveGoyQm02R0xaT2FEclFv
+            ZjhLdUhWdHp2N2krbkxqcHRoZVB6WkEK7uRAXYfI9LMfBXbHwitEVIyhGe6adIFz
+            9at0KEwLXePpR6bO9PM+T4am9V46Ygdq5iS8bSmX03832sK69pF9CA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-16T22:32:52Z"
+    mac: ENC[AES256_GCM,data:A1kg0QtZN3gMnBz1uqllPK4WI4U/CE8yJh8rHJ9CQ9V2kJQA6Kk7XrESVMsBpIazI6GuN1s33v4hNpeXhns5DMSdpWgQdyz8OM4Kj2nGz5h/JxCYwKT0e3R5qy48e0dcM906SG08DVQCCsiBnXAFWymM9Hs2+dPAAWlCNiR0gME=,iv:SookZTJGT7F5vZU6uDr9gO1A6XuDmL1UXlyphYS2dsI=,tag:8S77OX8aJcCn3efY25k4Dw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

values.nix

@@ -72,6 +72,10 @@ in rec {
       ipv4 = pvv-ipv4 240;
       ipv6 = pvv-ipv6 240;
     };
+    skrott = {
+      ipv4 = pvv-ipv4 235;
+      ipv6 = pvv-ipv6 235;
+    };
   };
 
   defaultNetworkConfig = {