diff --git a/flake.lock b/flake.lock index 97db651..9a46a8b 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "owner": "ryantm", + "repo": "agenix", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "auto-cpufreq": { "inputs": { "nixpkgs": [ @@ -7,11 +30,11 @@ ] }, "locked": { - "lastModified": 1752998173, - "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=", + "lastModified": 1758056808, + "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd", + "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c", "type": "github" }, "original": { @@ -27,11 +50,11 @@ ] }, "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "lastModified": 1757508292, + "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=", "owner": "nix-community", "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a", "type": "github" }, "original": { 
@@ -96,15 +119,36 @@ "home-manager": { "inputs": { "nixpkgs": [ + "agenix", "nixpkgs" ] }, "locked": { - "lastModified": 1753592768, - "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "fc3add429f21450359369af74c2375cb34a2d204", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1757808926, + "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "f21d9167782c086a33ad53e2311854a8f13c281e", "type": "github" }, "original": { @@ -137,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1754564048, - "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", + "lastModified": 1757943327, + "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", + "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05", "type": "github" }, "original": { @@ -153,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754767907, - "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=", + "lastModified": 1758070117, + "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc", + "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d", "type": "github" }, "original": { 
@@ -260,14 +304,32 @@ }, "root": { "inputs": { + "agenix": "agenix", "auto-cpufreq": "auto-cpufreq", "disko": "disko", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "proxmox-nixos": "proxmox-nixos", - "systems": "systems_2" + "secrets": "secrets", + "systems": "systems_3" + } + }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1758149260, + "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=", + "ref": "refs/heads/main", + "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692", + "revCount": 5, + "type": "git", + "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" + }, + "original": { + "type": "git", + "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" } }, "systems": { @@ -286,6 +348,21 @@ } }, "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -302,7 +379,7 @@ }, "utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, diff --git a/flake.nix b/flake.nix index a4ec7a2..fab5bf0 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,17 @@ url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; - + agenix = { + url = "github:ryantm/agenix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + darwin.follows = ""; + }; + }; + secrets = { + url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"; + flake = false; + }; systems.url = "github:nix-systems/default-linux"; }; 
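Review bot: agenix is added without `inputs.home-manager.follows`, so the lockfile now carries a second, older home-manager pin (`home-manager` at 1745494811 for agenix next to the root's `home-manager_2`), which is one more input to update and audit. Since the root flake already has a `home-manager` input, add `home-manager.follows = "home-manager";` next to `nixpkgs.follows` in the agenix `inputs` block; agenix's home-manager input is presumably only needed for its home-manager module anyway. The `secrets` input is a non-flake git input pinned by rev and narHash in flake.lock, which is the right shape for an SSH-fetched repo; just be aware that every evaluation, including the unattended upgrade, now needs SSH access to that host.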
@@ -34,6 +44,7 @@ home-manager, auto-cpufreq, proxmox-nixos, + agenix, disko, systems, ... @@ -126,6 +137,7 @@ modules = [ disko.nixosModules.disko + agenix.nixosModules.default ./hosts/srv01.hf ]; }; diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 193fe35..feb2183 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -4,8 +4,10 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix + ./secrets.nix ../../users/julius/nixos-server.nix + ../../users/nixremote.nix ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix @@ -13,11 +15,24 @@ ../../modules/sshd.nix ../../modules/qemu-guest.nix ../../modules/docker.nix + ../../modules/teleport.nix + ../../modules/portainer_agent.nix ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; + services.openssh.openFirewall = false; + services.teleport = { + enable = true; + settings.teleport = { + ca_pin = config.age.secrets."teleport-ca_pin".path; + auth_token = config.age.secrets."teleport-join_token".path; + }; + }; + + virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ]; + systemd.network = { enable = true; networks."10-wan" = { diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix new file mode 100644 index 0000000..8697e77 --- /dev/null +++ b/hosts/srv01.hf/secrets.nix @@ -0,0 +1,8 @@ +{ inputs, ... }: +{ + age.secrets = { + teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin"; + teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; + portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token"; + }; +} diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 5ed134e..3dc9849 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,5 +1,6 @@ { inputs, + pkgs, ... }: { system.autoUpgrade = { 
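Review bot: `ca_pin = config.age.secrets."teleport-ca_pin".path` hands Teleport a `/run/agenix/...` path, but as far as I know `ca_pin` is compared as a literal `sha256:…` string (unlike `auth_token`, which Teleport does read from a file), so the join would fail pin verification — confirm against the Teleport version in nixpkgs. The CA pin is also not a secret (it is the fingerprint of the cluster CA certificate), so it can simply be committed as `ca_pin = "sha256:…";` instead of being routed through agenix. For `portainer_agent.environmentFiles`, the decrypted file is passed to docker as `--env-file`, so `portainer_join_token` presumably has to be in `KEY=value` form (e.g. `EDGE_KEY=…`) rather than a bare token — a comment in secrets.nix saying so would save the next person a debugging session. `services.openssh.openFirewall = false` with Teleport as the access path is a sound move; the enclosing module continues outside the hunk.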
@@ -11,5 +12,26 @@ flake = inputs.self.outPath; dates = "02:00"; randomizedDelaySec = "45min"; + allowReboot = true; + rebootWindow = { + lower = "01:00"; + upper = "05:00"; + }; + }; + + # Also needs access to the nix-private repo which contains the encrypted secrets + programs.ssh = { + extraConfig = " + Host git.jfreudenberger.de + Port 222 + User git + IdentityFile /etc/ssh/ssh_host_ed25519_key + "; + knownHostsFiles = [ + (pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+ +[git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD +[git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8= + '') + ]; }; } diff --git a/modules/docker.nix b/modules/docker.nix index b9f7aa1..d216ec2 100644 --- a/modules/docker.nix +++ b/modules/docker.nix @@ -4,8 +4,11 @@ ... }: { - virtualisation.docker = { - enable = true; + virtualisation = { + docker = { + enable = true; + }; + oci-containers.backend = "docker"; }; } diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix new file mode 100644 index 0000000..8bebd6c --- /dev/null +++ b/modules/portainer_agent.nix 
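Review bot: `IdentityFile /etc/ssh/ssh_host_ed25519_key` reuses the server's SSH host identity as the Forgejo deploy credential, so the key that authenticates this host to clients (and presumably the one agenix decrypts secrets with) is now also registered at the forge; a dedicated read-only deploy key generated out of band keeps those roles separate and can be revoked without re-keying the host. `programs.ssh.extraConfig` lands in the system-wide `ssh_config`, so every local user's ssh to `git.jfreudenberger.de` picks up this `Host` block; if the upgrade job is the only consumer, scope it with `Match host git.jfreudenberger.de localuser root` or document that the non-root fallback is harmless. Pinning the forge's host keys through `knownHostsFiles` is the right call and should stay; a comment above it, `# Pinned so the unattended upgrade never hits a host-key prompt or silently trusts a new key`, explains why it is not left to first-use. With `allowReboot = true` the same comment should note that a bad upgrade can now reboot the host unattended inside the 01:00–05:00 window.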
@@ -0,0 +1,21 @@ +{ + ... +}: { + virtualisation.oci-containers.containers = { + portainer_agent = { + image = "portainer/agent:2.33.1"; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/var/lib/docker/volumes:/var/lib/docker/volumes" + "/:/host" + ]; + environment = { + EDGE = "1"; + CAP_HOST_MANAGEMENT = "1"; + }; + extraOptions = [ + ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local'' + ]; + }; + }; +} diff --git a/users/nixremote.nix b/users/nixremote.nix new file mode 100644 index 0000000..b0075cb --- /dev/null +++ b/users/nixremote.nix @@ -0,0 +1,13 @@ +{ + ... +}: { + users.users = { + nixremote = { + isNormalUser = true; + uid = 1100; + group = "users"; + }; + }; + + nix.settings.trusted-users = [ "nixremote" ]; +}
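Review bot: The agent mounts the Docker socket, `/var/lib/docker/volumes` and `/:/host` read-write and sets `CAP_HOST_MANAGEMENT=1`, so whoever controls the Portainer Edge server (or obtains the edge key) has root on this host, not merely on the containers; that trust boundary deserves a comment at the top of the file, e.g. `# Edge agent: docker.sock + /:/host + CAP_HOST_MANAGEMENT give the Portainer server root-equivalent access to this host`. If host management is not actually used from Portainer, drop `CAP_HOST_MANAGEMENT` together with the `/:/host` bind mount to shrink that blast radius. `portainer/agent:2.33.1` is a mutable tag; pinning by digest (`image = "portainer/agent:2.33.1@sha256:…"`) makes the pulled image reproducible under the unattended upgrades this commit also enables. With `EDGE = "1"` the agent dials out to the server, so no inbound port is needed, which is consistent with the firewall being left closed.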
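Review bot: `nix.settings.trusted-users = [ "nixremote" ]` is effectively root on this host: a trusted user can override daemon settings such as `substituters`, `sandbox` and `require-sigs` and can import unsigned store paths, so the account's SSH key (presumably configured elsewhere) is the real access control. Add a comment stating that, e.g. `# trusted-users is root-equivalent for the Nix daemon; only for remote builds/deploys`, and restrict the key in `openssh.authorizedKeys.keys` with `restrict,command="nix-daemon --stdio"` (or the `nix-store --serve --write` command if the legacy remote-build protocol is used) so it cannot open an interactive shell. Alternatively, if the remote side only pushes closures rather than building here, signing paths and listing the signing key in `nix.settings.trusted-public-keys` avoids granting trusted-user at all.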