diff --git a/.sops.yaml b/.sops.yaml index 0edc748..0faaed1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,6 +6,7 @@ keys: - &host_rico2 age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf - &host_wynne age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0 - &host_layne age1k2wpm88wms6hx3ldvu0n2je7pag9fexs9eq0e8hlkfcs2dx9eg9qlkf95d + - &host_bifrost age1jt8uleg4auf0h8ftl4ykq73epvgqml29q8ty0lz6kasta5h6td3shgxvrr creation_rules: - path_regex: secrets.yaml key_groups: @@ -17,3 +18,4 @@ creation_rules: - *host_rico2 - *host_wynne - *host_layne + - *host_bifrost diff --git a/flake.nix b/flake.nix index e8229e0..cf9c93a 100644 --- a/flake.nix +++ b/flake.nix @@ -201,6 +201,28 @@ ./hosts/layne ]; }; + Bifrost = + let + hostname = "Bifrost"; + system = "x86_64-linux"; + username = "adtya"; + in + nixpkgs.lib.nixosSystem { + inherit system; + pkgs = packages system; + specialArgs = { inherit inputs username; }; + modules = [ + { + system.configurationRevision = lib.mkIf (self ? rev) self.rev; + networking.hostName = lib.mkForce hostname; + nixpkgs.hostPlatform = lib.mkDefault system; + } + sops-nix.nixosModules.sops + self.nixosModules.default + ./common + ./hosts/bifrost + ]; + }; }; deploy.nodes = { @@ -244,6 +266,14 @@ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.Layne; }; }; + Bifrost = { + hostname = "Biforst"; + sshUser = "adtya"; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.Bifrost; + }; + }; }; } // flake-utils.lib.eachDefaultSystem (system: @@ -264,6 +294,7 @@ ]; }; packages.getpaper = pkgs.callPackage ./extra-packages/scripts/getpaper { }; + packages.digitalOceanImage = (pkgs.nixos { imports = [ "${nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix" ]; system.stateVersion = "24.11"; }).digitalOceanImage; } ); } diff --git a/hosts/bifrost/default.nix b/hosts/bifrost/default.nix new file mode 100644 index 0000000..dcc924d --- /dev/null 
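Review bot: Adding `*host_bifrost` to the single `secrets.yaml` key group (second hunk; the first hunk only registers the anchor) lets the new droplet's key decrypt every secret in that file, whether or not Bifrost consumes it. If the host only needs a subset, a separate `creation_rules` entry with its own `path_regex` and key group — say a per-host secrets file — keeps the blast radius of a compromised cloud host to the secrets it actually uses. A short comment next to the `&host_bifrost` anchor naming where the key comes from (presumably the host's ed25519 key, as the other `host_*` anchors suggest) would also help the next person rotating it.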
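Review bot: The deploy node's `hostname = "Biforst";` is misspelled — the nixosSystem added earlier in this file, the forced `networking.hostName`, and the `self.nixosConfigurations.Bifrost` path two lines below all spell it `Bifrost`, so deploy-rs would try to reach a host that does not resolve. Change it to `hostname = "Bifrost";` (or to the droplet's real address if that is what the other nodes use; not visible in this hunk). The `sshUser = "adtya"` / `user = "root"` split also depends on non-interactive sudo for that user on the target, which is worth stating in a comment here since it is what justifies `wheelNeedsPassword = false` in `hosts/bifrost/security.nix`.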
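Review bot: The new `packages.digitalOceanImage` line squeezes an `imports` list, a `system.stateVersion` and the final attribute selection into one very long expression in a file that otherwise formats one attribute per line; splitting the `pkgs.nixos { … }` call across lines, with `imports` and `system.stateVersion` on their own lines, would match the rest of `flake.nix`. A comment saying what this image is for (an unconfigured bootstrap image that the Bifrost configuration is deployed onto afterwards, as far as I can tell) and that its `stateVersion` should track the one in `hosts/bifrost/default.nix` would make the intent clear.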
+++ b/hosts/bifrost/default.nix @@ -0,0 +1,40 @@ +{ modulesPath, ... }: { + imports = [ + (modulesPath + "/virtualisation/digital-ocean-config.nix") + ./network.nix + ./programs + ./services + ./security.nix + ]; + + nodeconfig = { + minimize = true; + nix.auto-gc = true; + }; + + i18n = { + defaultLocale = "en_US.UTF-8"; + extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + LC_ALL = "en_US.UTF-8"; + }; + supportedLocales = [ "en_US.UTF-8/UTF-8" ]; + }; + + time.timeZone = "Asia/Kolkata"; + system = { + switch = { + enable = false; + enableNg = true; + }; + stateVersion = "24.11"; + }; +} diff --git a/hosts/bifrost/network.nix b/hosts/bifrost/network.nix new file mode 100644 index 0000000..e3eb9cd --- /dev/null +++ b/hosts/bifrost/network.nix @@ -0,0 +1,12 @@ +{ lib, ... }: { + imports = [ + ../shared/network.nix + ../shared/networkd.nix + ]; + networking = { + nameservers = lib.mkForce [ + "1.1.1.1" + "1.0.0.1" + ]; + }; +} diff --git a/hosts/bifrost/programs/default.nix b/hosts/bifrost/programs/default.nix new file mode 100644 index 0000000..4c7faaa --- /dev/null +++ b/hosts/bifrost/programs/default.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: { + imports = [ + ./neovim.nix + ./starship.nix + ./zsh.nix + ]; + + programs = { + git.enable = true; + }; + + environment.systemPackages = with pkgs; [ + sops + age + ]; +} diff --git a/hosts/bifrost/programs/neovim.nix b/hosts/bifrost/programs/neovim.nix new file mode 100644 index 0000000..a70af6e --- /dev/null +++ b/hosts/bifrost/programs/neovim.nix @@ -0,0 +1,8 @@ +_: { + programs.neovim = { + enable = true; + defaultEditor = true; + viAlias = true; + vimAlias = true; + }; +} 
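Review bot: `LC_ALL = "en_US.UTF-8"` inside `extraLocaleSettings` overrides every other locale category at runtime, which makes the nine `LC_*` entries above it dead; drop the `LC_ALL` line (they all carry the same value anyway) or the individual entries, so the file says what it does. Separately, `digital-ocean-config.nix` is imported with its defaults, which, if I remember the module correctly, include fetching SSH keys from the droplet metadata into root's `authorized_keys` (`virtualisation.digitalOcean.setSshKeys`) and a `rebuildFromUserData` service that can reconfigure the machine from user data; on a host that is managed by deploy-rs and sets `PermitRootLogin = "no"` in `services/ssh.nix`, both are unused attack surface, so consider setting them to `false` explicitly and recording the decision in a comment next to the import.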
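Review bot: `nameservers = lib.mkForce [ … ]` silently wins over whatever `../shared/network.nix`, `../shared/networkd.nix` or the DigitalOcean module configure for this host, and nothing says why the override is needed or what it replaces. A one-line comment above it, e.g. `# override the provider/shared resolvers; mkForce because another module sets networking.nameservers`, would spare the next reader a search — which module that is cannot be told from this hunk.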
diff --git a/hosts/bifrost/programs/starship.nix b/hosts/bifrost/programs/starship.nix new file mode 100644 index 0000000..3de1b05 --- /dev/null +++ b/hosts/bifrost/programs/starship.nix @@ -0,0 +1,8 @@ +_: { + programs.starship = { + enable = true; + settings = { + add_newline = false; + }; + }; +} diff --git a/hosts/bifrost/programs/zsh.nix b/hosts/bifrost/programs/zsh.nix new file mode 100644 index 0000000..53468ac --- /dev/null +++ b/hosts/bifrost/programs/zsh.nix @@ -0,0 +1,10 @@ +_: { + programs = { + zsh = { + enable = true; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + }; + }; + environment.pathsToLink = [ "/share/zsh" ]; +} diff --git a/hosts/bifrost/security.nix b/hosts/bifrost/security.nix new file mode 100644 index 0000000..e95f8d2 --- /dev/null +++ b/hosts/bifrost/security.nix @@ -0,0 +1,9 @@ +_: { + security = { + sudo = { + wheelNeedsPassword = false; + }; + polkit.enable = true; + }; +} + diff --git a/hosts/bifrost/services/default.nix b/hosts/bifrost/services/default.nix new file mode 100644 index 0000000..53cf156 --- /dev/null +++ b/hosts/bifrost/services/default.nix @@ -0,0 +1,5 @@ +_: { + imports = [ + ./ssh.nix + ]; +} diff --git a/hosts/bifrost/services/ssh.nix b/hosts/bifrost/services/ssh.nix new file mode 100644 index 0000000..7cba6eb --- /dev/null +++ b/hosts/bifrost/services/ssh.nix @@ -0,0 +1,21 @@ +_: { + services.openssh = { + enable = true; + settings = { + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + hostKeys = [ + { + path = "/persist/secrets/ssh/keys/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/persist/secrets/ssh/keys/ssh_host_rsa_key"; + type = "rsa"; + bits = "4096"; + } + ]; + }; +} diff --git a/hosts/rico2/services/apps/forgejo-actions-runner.nix b/hosts/rico2/services/apps/forgejo-actions-runner.nix index 459fa4e..37c6916 100644 --- a/hosts/rico2/services/apps/forgejo-actions-runner.nix 
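Review bot: `wheelNeedsPassword = false` makes every wheel member's SSH key an unattended root credential on an internet-facing droplet; combined with the key-only SSH in `services/ssh.nix` this is presumably required by deploy-rs, which activates the `root` profile through `sshUser = "adtya"` and needs non-interactive sudo, but nothing in the file says so. Add a comment such as `# deploy-rs activates the system profile via sudo from the ssh user; non-interactive wheel sudo is required for that`, or scope the exemption to that one user with a `security.sudo.extraRules` entry instead of all of wheel. `polkit.enable = true` on a headless server also deserves a one-line justification, and the hunk adds a trailing empty line at end of file.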
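Review bot: `bits = "4096"` passes a string where the NixOS `services.openssh.hostKeys` default uses an integer; it works because the value is stringified when building the ssh-keygen command, but `bits = 4096;` matches the module's own default and avoids the surprise. The host keys live under `/persist/secrets/ssh/keys/`, a non-default location: whether that path is a persistent mount on the DigitalOcean image is not visible in this commit and should be documented on the `hostKeys` attribute, since a missing mount means freshly generated keys and a host whose age recipient no longer matches the `host_bifrost` key in `.sops.yaml`. As far as I recall sops-nix's default `sops.age.sshKeyPaths` follows the ed25519 entries of `services.openssh.hostKeys`, so the custom path should be picked up automatically; a comment stating that this key is the sops recipient would tie the two files together.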
+++ b/hosts/rico2/services/apps/forgejo-actions-runner.nix @@ -6,7 +6,7 @@ group = config.users.users.root.group; }; }; - services.gitea-actions-runner = { + services.gitea-actions-runner = { package = pkgs.forgejo-runner; instances = { aarch64-runner = { diff --git a/hosts/shared/networkd.nix b/hosts/shared/networkd.nix index c91ec8a..6d3c181 100644 --- a/hosts/shared/networkd.nix +++ b/hosts/shared/networkd.nix @@ -1,4 +1,4 @@ -_: { +{ lib, config, ... }: { networking = { useNetworkd = true; }; @@ -26,7 +26,7 @@ _: { linkConfig = { RequiredForOnline = "yes"; }; - routes = [ + routes = lib.mkIf ((lib.strings.toLower config.networking.hostName) != "bifrost") [ { Destination = "165.232.180.97"; Gateway = "_dhcp4"; diff --git a/secrets.yaml b/secrets.yaml index b699eef..5a687bd 100644 --- a/secrets.yaml +++ b/secrets.yaml 
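Review bot: Gating the static route in a shared module on `lib.strings.toLower config.networking.hostName != "bifrost"` hard-wires one host's name into configuration every host imports; the next droplet, or a hostname change, silently picks the route back up, and the `toLower` exists only because `flake.nix` forces `hostName = "Bifrost"` with a capital letter. A cleaner shape is a boolean option the host sets (the repo already has a `nodeconfig` namespace used in `hosts/bifrost/default.nix`; a constructed example would be `routes = lib.mkIf cfg.staticRoute [ … ]`), or moving the route block into the hosts that need it. The first hunk's signature change to `{ lib, config, ... }:` belongs to the same change; the enclosing attribute set begins and ends outside the second hunk.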
@@ -37,65 +37,74 @@ sops: - recipient: age1w5rvr4nl8xvjjxpct4e2a2eajvm79v4r9nyxrcn40fm8d7h9l9cqkk0jtt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMWpGcmtXcVp5dmxSUWQ0 - RTBQd0RxNVdPODQrOVJOTjNiTkh4YjNVNzF3Cm5YUkxoT3ZPUmV2Q2xwbXBsSGl0 - c2drMXY3UnE2cHJjSjdHdW53TWUzaTgKLS0tIHJSdmQ2ZXF1NnJqTGtCUER3NEtY - ejBNdEltL252RXN6M2VlZ3IyNkgyMk0K76RGGt1tXnm76nm/k6V3OObgDEnQG0eP - DDJKBQiUOqFan5Yu83CgkOFpFw+2eMFw23RFDoLmCMi8/dqAbQAqvw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ2NPRVZxUlFZbVArSlNz + aGxBMCszb0JRbWJFNFhkcVJoa00xV3BJQ1JZCmcvZUpRODBkLzVWTDVqUWtCR3V3 + ektBTkprdzFENTIxaEZZQ0RpZGRrUm8KLS0tIFc0aVhuZVh6dW4wbnZ1ajNDazdk + aXRQZUI4RVlEeGdUMXoya2RCRnMxRDQKWxogRGGH5dP8w80xBBchjxs0Hhw0o+BX + uxNQZoSYENIPESR7ydO7642r8xjLdQdfMEjKz/rnooCgB1Zy7X7kGw== -----END AGE ENCRYPTED FILE----- - recipient: age1mhks8qmhjrtc2u5ufvp3pv2hn7tkadvmscnp7wd0ywmnse0szctqsnpy0a enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WEl5MDNuY2VvRTh5eU5N - dFZsOEVmMklkZ3lHSG9SRTdzeTFmdGp0YURnCkxjOWJrRTA4MWh1Y0UvVDNMSFov - b1Zmc2R2MkNTUDVmVlU5c2J5Q0R5OVEKLS0tIE1HYk1veEg1NUpkQzZmWE5NeVM2 - Rk5sYy85VkhLb1hpRXB2M3Ntb1BocWsKy82qsGfMLs8HSJ5yHm0TmxQQL+JYNXDs - KjUeabcRK5Y5tE/z/axYAFz+y9ib7gfVQ7O1rb7Wa78OnxbeZxZYTA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeDZYeTNtczE4eWVYcTcy + ZDZmeU8xZlppMHlQUlkyb3h2cWRGbXpBeUFNCjUzNGs1endaZ2tzTzE2SE1CYWg2 + aHU0dnlpeU9aRTYyc2hCMU1YYlBFQ1UKLS0tIERsS2VUSVllcVhUNzExOEJqSlF4 + SVNNaHl0ckt4bmtSazloUnREM3VWZ28K2/DfdwYi7iMiNrHn/9FMEJX5aaL/PLoR + GYtO9JpFHFWngDSVsJm013NlsvAtCY1ep382EWK8Z/I+QahkoyBW2w== -----END AGE ENCRYPTED FILE----- - recipient: age106k9u5ns9h7smh3gqc40k9fft5emknvq669qdv8a29ak3ah4j38s5ng2gt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QnlsNk03OFpEUzgzNVRD - RTJzR3dPV1hRTTNxeWU0dDA4L2lEZWQ4ank0CkdmdjM1SytORWg3VWUvdEtqQkRZ - NzNTWWd3bzhncFFpNC9WQ3RMR1ZGRVEKLS0tIENmSWNibkxXS3p6NTVLczVrZDQ0 - 
ZVFSb3JMNHZPWnFuRTZteXJPK2x1RDAKgcCvJcOerFinIkxZMscYpIzm2DRR/Iqe - hkzGGyiL++jb5pii9FjOk0IyWmRajWxSopbixNF0EpFZB7SvuywM6w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZOVBSdllDeWlaSWIvbWNq + ZVU3SDAvUlhOK0NXZWpDK1g2YlhBbnJoNEZZCnVMb2lRVjlIZDdQaDZONVRlSUJa + VElXOGl1T1ZseUFBY3ppUUZocGwyR3cKLS0tIG0xZE9BSlcxazRHQXZnNHl2RXRm + bjVsNkk5MGxHVW15RHF0ZGE1czgrQlUK43DGYjIydqND7bSG/9fE8HMm3jzJ7KzI + tS94Djek5QSY2xQxXVdLQ3g9Rnbm7HF8bTjDlOhBM7drryuraLEBlg== -----END AGE ENCRYPTED FILE----- - recipient: age1829x4l8vdhcn97af0zq898tupll0smrqywxka4pswkt6mtn8qp7qqnnnl4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcGRmZHJYU3BxRUNZcStS - Q3RQcncxWjNOcVgzOGFuRDJDMGRKUXgxZld3CnVvY0ZFSHp4Q01wQlpsWHBOeGhs - TEdudVg2RVRLT1A0VngvbFlORXg5U2sKLS0tIFhkVnkzaVdxWlptTDE0N3cvZ3Ft - Zy93VlBLOU9lRm1JU2Q1WUNOY0UwYXcKRXB/cx+C1RI/KTPhBSAX6WYJfTZeT0fJ - i9syUWhIxpozsaXhN4wRw3fdQCFtDI8zXqqqpWoV9Pc3mU1SakWI+A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVW03RVlVUlZYOW5VdWdT + K1NjaWswK0xSUzduUHgra1ZON3dsTVBFSWxjCkt0NnRVVXA3TnYwTlBQNXZTdG1t + YVRQTWcySVRrQitOQjNlc2JBWmNXME0KLS0tIFhUa1IzY0dSSWJRR0FIOGZ5QkQv + dXQzNXkyTlVPdzhGMXdjRS9ENnFHL0EKB4YiqGAcL0VlRRj0TPwfgSKHKTEnGBsO + cbSd3iKO9TDxWQwz46cpY6NmRTORlq4j0kzPAm4k5JLHUVwulgwb0g== -----END AGE ENCRYPTED FILE----- - recipient: age19uy6xerll6st3s3ftfpy7075m9eetm2288l2w07k7ek6z2l3ef6qfw34cf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RkE3dGVBUW5zTmdnSGd1 - ZkhDVTFNSkFQUDZvMjdObXdOTk1BMDBFM0FzCi9hTjUwdmQ5dytmUEdlN0VJRzAw - NWs3b2Z6L21QMTVZRGM1dm5GS0ZmdzAKLS0tIHpsbGk2N1RGRmtZMTR2MTFYTWRs - Z2d5cEczcFZUZTVGUFdiY2hKOEV5T1kKoJm8Y0yqY/Zxu/WMlnGsLZNEeAnXPLgz - kKmcVecpz/mOJ4rrnx+PsrPLhnL2ZW5ZavcmMaUJy7QNZ/XBgEZhCA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSU40amdyMzZ6Wm9TUHc2 + VXcwN3Q1azQwaEtxZDZpdW8xemMwcVZJb1E4ClVHRjY1TEFMZXdtWVExYmRVWkJk + NmhHZysyUkI4VnJOZzVSQlRwbXI2QU0KLS0tIFJpbmRFRUM5MzlSNDF2RC9Fd0dY + 
VlByaWhmemc1WWxCQmkyQUxVOEc1SDAK42kD7infmLQKLjZUcsu6EHAMV5zRzGRb + E6hv2YYUHF7uLgEcPEq4hJZ72kjMyyqyebv0qLQB5VIylifrMJrO2g== -----END AGE ENCRYPTED FILE----- - recipient: age1jyaf9rn5d5pqjh60shs2q5hs98fwugak8z6cs6qs7yuc3wntugmsumxmv0 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV2NNOFAvOWlESGJRN29w - cFBTR0JBY295c2drbm1LSVA2MXhGNDcrcmlvCk1WU3ltMmJuOXdYVkJacmJmeExH - ZU1YSnhDaXVqa1ZmcmdIYXJKS2o5VjAKLS0tIFlGVHFJTC9hQy9EWTJhWU4rdkdS - S2ZBMDNpMTdTQWtzc1o0dm9JRnU4SXMK/jC+w8/yeGuFOyWzDnPJI19+oNleiwDw - qtRbjD8+hCTDPUB78nZYSEKVWB4lcLEhT846W8V8xF4vM+EyCEbiHw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQU3ZTOGtIamlOQzNrTDg0 + SHUzR1F6RTBtZU1zNDVFUFFFejBlUFRYUkVJCnkxZWFuVGJCV1Nzb29Sa3lxU2x2 + bm4zSFp3Q0hHUEJUTEpuem9rYmE3YnMKLS0tIHUxSEZQV1B3ek5KYUZjbG03c1Rh + Zm10bjJwWkQwcVVVVjVxWGFRVGwrOFkK/LmuPpecWWHnTa4DXY2UiCUOfsxUG04Z + dKZ9GAyA6QPsBJgrEHxNd/PHmLIEA/Vhw12ZsSKCksaFD2at8q513w== -----END AGE ENCRYPTED FILE----- - recipient: age1k2wpm88wms6hx3ldvu0n2je7pag9fexs9eq0e8hlkfcs2dx9eg9qlkf95d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUCtlRnRtK0tZOGpQOTlk - MzRaRFhXV2kzUHVYYlFQcm93UVllVVFyY1dVCmFLNlRvNjJBaW5GWmJ6eFhsWmtY - N2trOERxTmNHWXUwNk9BcmVleEpXTVUKLS0tIFYzL005bDZaUVVQWW1nd2JKWlFk - YzdpTitkMHh6VUFtV2FodVF6OWJkTU0KBjC+esgHZ8hTWXwZ+cy4++jLP+gsruHM - fmRDhvQu0MNHkjQ8q4VmwRVl10uc8CyTDFTuyDoAhvmnzXHtrg1wpA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaVpYU3JJQ05iNGdYNHMv + MjFIcEw4bk9UdWVaSnhncUJkYmlaaHlxSnpRClJMemtIcklGUzE0ZzZaVXNiS0dO + SGdxWVpjRzdHSDROcVl2bTNxVzlwTmsKLS0tIFE4cHFpOWpSYlRLYnZjVmlTc1V2 + UVV6WlpRbzk0UjZVL2RMQmNnNnlvZ1UKhrTqF6vq1c2jsrvjtMv+03fwj5MZIVTn + uPY7OHqm0scOxARNIW7nVYeTIxNYFEPvfZiriydrOtXfrVZB4u82IQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jt8uleg4auf0h8ftl4ykq73epvgqml29q8ty0lz6kasta5h6td3shgxvrr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ajFvYVJxejJkcTM0Rm5n + 
a0tOWFE4Q1R6ZS9qZE1BTVZybnRSTS94Y0NFCjJIUjRwODMvcmFKN3VvYUNVOFB3 + V1lJZW56STFra0JsRXF0RVM3eWtLaTQKLS0tIC95SmtrRTFRbW0raCtZWTN4RkFJ + UXJhWFFnQnFvOEF0M0JFb3E4UVB4UU0KSUq4d8eudY03p/fd8S8f1wk0OU4BlNYB + tldkOx2DhSvcVr/FcIJIR2PFbU8o50kYj9R0HR2sHJ5C5fJ0cDXY4A== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-10-31T05:28:50Z" mac: ENC[AES256_GCM,data:PbyhjXr/IZw+5q0PqTjXowHaiB31NjZzYpKhVV5s43+XrdMpVhcaqr9Gs7yTsqNsSc36uZ1YRymwYr8i+bF1k81lvDgyEr38Pl3vcEoIy+jNPaVnxXBRW6CL69cKfC058GmuPRYIyevorw3G3DtpLsCT5lGiMS9XedmBMf3rsw0=,iv:lHO27bURe7apOq/2KQXttou/OJMRM4uBrpqH26hBIDE=,tag:1ulMCx3/UCWCplUv+NJqNA==,type:str]