1
0
Fork 0

Add host ildkule

This commit is contained in:
Felix Albrigtsen 2022-12-17 21:51:43 +01:00
parent 44f2b6d8d8
commit 6b1f0eb090
5 changed files with 132 additions and 0 deletions

View File

@ -1,5 +1,6 @@
keys:
- &user_danio age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
- &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
- &host_jokum age1n4vc3dhv8puqz6ntwrkkpdfj0q002hexqee48wzahll8cmce2ezssrq608
creation_rules:
# Global secrets
@ -15,3 +16,9 @@ creation_rules:
- age:
- *user_danio
- *host_jokum
- path_regex: secrets/ildkule/[^/]+\.yaml$
key_groups:
- age:
- *user_felixalb
- *user_danio

View File

@ -30,6 +30,14 @@
inputs.matrix-next.nixosModules.synapse
];
};
ildkule = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit unstable inputs; };
modules = [
./hosts/ildkule/configuration.nix
sops-nix.nixosModules.sops
];
};
};
devShells = forAllSystems (system: {
default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };

View File

@ -0,0 +1,56 @@
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../base.nix
# Users can just import any configuration they want even for non-user things. Improve the users/default.nix to just load some specific attributes if this isn't wanted
];
sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "ildkule"; # Define your hostname.
networking.interfaces.ens18.useDHCP = false;
networking.defaultGateway = "129.241.210.129";
networking.interfaces.ens18.ipv4 = {
addresses = [
{
address = "129.241.210.187";
prefixLength = 25;
}
];
};
networking.interfaces.ens18.ipv6 = {
addresses = [
{
address = "2001:700:300:1900::187";
prefixLength = 64;
}
];
};
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
# List packages installed in system profile
environment.systemPackages = with pkgs; [
];
# List services that you want to enable:
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

View File

@ -0,0 +1,22 @@
{config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "danio@pvv.ntnu.no";
};
services.nginx = {
enable = true;
defaultListenAddresses = [ "129.241.210.187" "127.0.0.1" "127.0.0.2" "[2001:700:300:1900::187]" "[::1]" ];
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

View File

@ -0,0 +1,39 @@
hello: ENC[AES256_GCM,data:MmbRxfMJf9sbqseEeSWnlGI1/4zmAdlb8ZxWCvOttJ3OlYe4Nng46SCtcSDOQA==,iv:KiD5smLGdIbMg62Q+h/9Gz7ROMdOe2CA02na/f081FM=,tag:tjdO1AzwvQWFR+JGuy4PQg==,type:str]
example_key: ENC[AES256_GCM,data:yAaiu+Rpb4377U8YIQ==,iv:OE4cpTlEVNE73y6bc5TGQvAnYU8P2c2hqnMFxzL0PHI=,tag:G7D5TJdEA+F9UwaIFKC0KA==,type:str]
#ENC[AES256_GCM,data:sGYwXL05D45kmWboJUPzjg==,iv:4nOP8F7kGGl6HhuV5Jxjol12pc3f6UO+pp+IcgUrjGU=,tag:tIf9ozHCOBeDprjEv98F1Q==,type:comment]
example_array:
- ENC[AES256_GCM,data:UQ5w4scNH8E49iQo7gM=,iv:dLT/JlTWvscnYre9g9s3YgznNuvdWDyOFozxW50zdWI=,tag:jqtV8Ebfm4Y4ayIIuYGoeg==,type:str]
- ENC[AES256_GCM,data:Zfm0FeuICoe4mrSoMRM=,iv:I/IakhKYtIclPQBA8nuAouuGylzCR/RbQLSWNWBQZYs=,tag:V1/WomLShKX0yaXkBQW0rQ==,type:str]
example_number: ENC[AES256_GCM,data:9wZEFB7/jOt11Q==,iv:5RVyKZe3D9BgRDDMsxUsMMKdVA5B3Ekm2G4WWt/1EuY=,tag:MSIbensfrWKU1d/XbcNtvg==,type:float]
example_booleans:
- ENC[AES256_GCM,data:LLg+sA==,iv:WQSKdlEaQCjdrsSYz0P+pdRD/pl3QMa01d8XV/EZUzY=,tag:QIH98LcUyPXDvs36XPbyxA==,type:bool]
- ENC[AES256_GCM,data:9ZQqdg==,iv:wWRmZ0nQg76sAKiPfGUX0KG/p41VnTc1wmANv4Wt2+w=,tag:3vmvuMDTZSEeZBpAE2soAA==,type:bool]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM2RidW9wYUVHWHhFTmM1
c1BIazd5MTRMU3dRNEFyWHIxMzhNL21VNURZCnkzKzNNbXgrcmJtNFZjSHQyWHN1
aEpjV1dQVmJTb2F5YXJWazMxTmJUYTAKLS0tIDNRUVlTR1p3eEtRYkVMcjlYS3Ir
bWhUaDA1eTJRTGpEb3FmSTlPTFY4c3cKrrQcomMURB9dqT+aAkWbFMzMqB3AIvEl
t9Fd5puhhto5/SInssCxpH1p4kbqQZWMfDqE+eFFs2whDVuoiM/Tlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNkllWlY4L251Z29qOEVX
Vmh2YU5BNVhwbXhDaEpYcXoxY0hCOHhPYXdNCjROQ2piWFQ2MWYwbnF4cFdKS0tv
dFUveEsrQVRpT1REQ0hib1pla2R5RkUKLS0tIFJOSXNaZitxbWk1cHNGc1k0Zk9m
NHU1elF3L2ZRZlVJZTdZU01qNER4a1EK+pvM24FDok4lbbailCspaA1vsZrtsumH
c8uHITgStobUmdqsdv9ta8gpar0nZ66N0kztyhW15sJh1vZY8Guxxg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-17T20:25:20Z"
mac: ENC[AES256_GCM,data:KKo9xz6vQHKH6tIiU9cTA4ngwbyqeX33QwvJq5dDCJlEDm5CA+akD5Wsqyp+rGuIjiIDi01eRUONA0YRG4DcmmcRWlnmA9hrBfRWJKtV/0gR+yeYCuY95J9twu3pbOODCyMdcLJqB0tLmyqWGHowNk+mIhEw/a+kxZX+kiB8ilY=,iv:3uHmBVnuaTvnNbdtii++8FzFS7SrsO2inTBtzXmhBhU=,tag:OqpHlELdpn6mlUB544HdmA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3