add agenix

2021-05-31 09:15:44 +01:00 · 2021-05-31 09:15:44 +01:00 · 9f8d4dbf1b
commit 9f8d4dbf1b
parent f2bd00ae70
13 changed files with 369 additions and 35 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,24 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1620877075,
+        "narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "ref": "master",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "bisq": {
      "locked": {
        "lastModified": 1620344115,
@ -54,6 +73,35 @@
      }
    },
    "nixpkgs": {
+      "locked": {
+        "lastModified": 1618628710,
+        "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+        "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+        "rev": "7919518f0235106d050c77837df5e338fb94de5d",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1622364474,
+        "narHash": "sha256-bRupByHizbCba3/AgaETL+YySowmfssqWl7+p0jwcPU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "eae0cabc124702e04bb2098070ca46d661543d29",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-20.09",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
      "locked": {
        "lastModified": 1622282707,
        "narHash": "sha256-+GOrUDsdneUqrOm9d+9bHXjEVoVcU8tm14WGVzbt6gg=",
@ -87,10 +135,12 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "bisq": "bisq",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable",
        "nur": "nur"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -1,5 +1,47 @@
 {
  description = "NixOS configuration with flakes";
+  outputs = { self, flake-utils, home-manager, nixpkgs, nixpkgs-stable, nur, bisq, agenix } @ inputs: {
+    nixosConfigurations = {
+      foureighty = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          (import ./nixos/boxes/foureighty)
+
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.users.cyryl = import ./nixos/home-manager;
+          }
+
+        ];
+        specialArgs = { inherit inputs; };
+      };
+      skinnyv = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          (import ./nixos/boxes/skinnyv)
+
+          home-manager.nixosModules.home-manager
+          {
+            home-manager.useGlobalPkgs = true;
+            home-manager.useUserPackages = true;
+            home-manager.users.cyryl = import ./nixos/home-manager;
+          }
+
+        ];
+        specialArgs = { inherit inputs; };
+      };
+      brix = nixpkgs-stable.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          (import ./nixos/boxes/brix)
+          agenix.nixosModules.age
+        ];
+        specialArgs = { inherit inputs; };
+      };
+    };
+  };
  inputs = {
    nixpkgs = {
      type = "github";
@ -8,6 +50,13 @@
      ref = "nixos-unstable";
    };

+    nixpkgs-stable = {
+      type = "github";
+      owner = "NixOS";
+      repo = "nixpkgs";
+      ref = "nixos-20.09";
+    };
+
    home-manager = {
      type = "github";
      owner = "nix-community";
@ -38,42 +87,14 @@
      repo = "nixpkgs";
      ref = "3a681b0daaed9841cbd3ea2ebd51f9cca4c836f2";
    };
-  };

-  outputs = { self, flake-utils, home-manager, nixpkgs, nur, bisq } @ inputs: {
-
-    nixosConfigurations = {
-      foureighty = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [
-          (import ./nixos/boxes/foureighty)
-
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.cyryl = import ./nixos/home-manager;
-          }
-
-        ];
-        specialArgs = { inherit inputs; };
-      };
-      skinnyv = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        modules = [
-          (import ./nixos/boxes/skinnyv)
-
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.cyryl = import ./nixos/home-manager;
-          }
-
-        ];
-        specialArgs = { inherit inputs; };
-      };
+    agenix = {
+      type = "github";
+      owner = "ryantm";
+      repo = "agenix";
+      ref = "master";
    };
  };
+
 }

--- a/nixos/boxes/brix/brix-boot.nix
+++ b/nixos/boxes/brix/brix-boot.nix
@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+{
+
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest_hardened;
+    initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "btrfs" ];
+    initrd.kernelModules = [ "dm-snapshot" ];
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = false;
+  };
+
+  services.btrfs.autoScrub.enable = true;
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/78e8e5b5-9068-4381-8e85-b4297607f9ea";
+    fsType = "btrfs";
+    options = [ "autodefrag" "space_cache" "inode_cache" "noatime" "nodiratime" ];
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/68bb21bd-90da-4da4-b97e-c6da3b1f8235";
+    fsType = "ext4";
+    options = [ "noatime" "nodiratime" ];
+  };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/0129-8152";
+    fsType = "vfat";
+  };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/5f635052-a940-466e-a7cf-4799adace60e"; }
+  ];
+
+  zramSwap = {
+    enable = true;
+    algorithm = "zstd";
+    memoryPercent = 50;
+  };
+}
--- a/nixos/boxes/brix/cli.nix
+++ b/nixos/boxes/brix/cli.nix
@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    vim tmux atop btrfs-progs
+  ];
+}
--- a/nixos/boxes/brix/default.nix
+++ b/nixos/boxes/brix/default.nix
@ -0,0 +1,26 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+  imports = [
+    ./brix-boot.nix
+    ./real-hardware.nix
+    ./security.nix
+    ./cli.nix
+    ./vpn.nix
+    ./prometheus-node.nix
+    ./restic-server.nix
+    ./i2p.nix
+    ./print-server.nix
+    ./matrix-server.nix
+  ];
+  networking = {
+    hostName = "brix";
+    useDHCP = false;
+    interfaces.enp3s0.useDHCP = true;
+  };
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  security.allowUserNamespaces = true;
+
+  time.timeZone = "Europe/London";
+
+}
--- a/nixos/boxes/brix/i2p.nix
+++ b/nixos/boxes/brix/i2p.nix
@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+  services.i2pd = {
+    enable = true;
+    bandwidth = 1024; # kb/s
+    proto.http.enable = true;
+    proto.httpProxy.enable = true;
+  };
+}
--- a/nixos/boxes/brix/matrix-server.nix
+++ b/nixos/boxes/brix/matrix-server.nix
@ -0,0 +1,42 @@
+{ config, pkgs, inputs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+      TEMPLATE template0
+      LC_COLLATE = "C"
+      LC_CTYPE = "C";
+    '';
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "cyplo.dev";
+    enable_registration = false;
+    listeners = [
+      {
+        port = 8008;
+        bind_address = "brix.vpn";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+    app_service_config_files = [
+    ];
+    extraConfig = ''
+      experimental_features: { spaces_enabled: true }
+    '';
+    package = inputs.nixpkgs.legacyPackages."x86_64-linux".matrix-synapse;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8008 ];
+}
--- a/nixos/boxes/brix/print-server.nix
+++ b/nixos/boxes/brix/print-server.nix
@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+{
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 631 6566 ];
+  networking.firewall.allowedUDPPorts = [ 631 6566 ];
+  services.printing = {
+    enable = true;
+    drivers = with pkgs; [ epson-escpr ];
+    listenAddresses = [ "*:631" ];
+    defaultShared = true;
+    browsing = true;
+    allowFrom = [ "all" ];
+    extraConf = ''
+      ServerAlias *
+      DefaultEncryption Never
+    '';
+  };
+
+  hardware.printers.ensurePrinters = [{
+    description = "Epson XP-540";
+    location = "connected to brix";
+    name = "epson_xp540";
+    deviceUri = "usb://EPSON/XP-540%20Series?serial=583245393030303936&interface=1";
+    model = "raw";
+    ppdOptions = { PageSize = "A4"; };
+  }];
+
+  hardware.sane = {
+    enable = true;
+    extraBackends = with pkgs; [ epkowa utsushi sane-airscan gawk ];
+    snapshot = true;
+  };
+
+  services.udev.packages = [ pkgs.utsushi ];
+
+  environment.systemPackages = with pkgs; [ gawk ];
+  services.saned = {
+    enable = true;
+    extraConfig = ''
+      10.0.0.0/24
+      172.23.153.159
+      172.23.28.139
+      172.23.206.88
+      [fd77:8f2a:9a44::1]/60
+    '';
+  };
+
+}
--- a/nixos/boxes/brix/prometheus-node.nix
+++ b/nixos/boxes/brix/prometheus-node.nix
@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+  networking.firewall.allowedTCPPorts = [ 9100 ];
+  services.prometheus = {
+    enable = true;
+    exporters.node.enable = true;
+  };
+}
--- a/nixos/boxes/brix/real-hardware.nix
+++ b/nixos/boxes/brix/real-hardware.nix
@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+{
+  hardware.enableRedistributableFirmware = true;
+  services.smartd.enable = true;
+  services.fstrim.enable = true;
+  environment.systemPackages = with pkgs; [
+    smartmontools
+  ];
+  services.fwupd.enable = true;
+  services.thermald.enable = true;
+}
--- a/nixos/boxes/brix/restic-server.nix
+++ b/nixos/boxes/brix/restic-server.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+
+  networking.firewall.allowedTCPPorts = [ 8000 ];
+  services.restic.server = {
+    enable = true;
+    dataDir = "/data/restic";
+    appendOnly = true;
+    prometheus = true;
+  };
+
+}
--- a/nixos/boxes/brix/security.nix
+++ b/nixos/boxes/brix/security.nix
@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+  ];
+  security.acme.email = "admin@cyplo.dev";
+  security.acme.acceptTerms = true;
+  security.forcePageTableIsolation = true;
+  security.protectKernelImage = true;
+  security.apparmor.enable = true;
+  security.lockKernelModules = true;
+
+  services.haveged.enable = true;
+  services.fail2ban.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    knockknock
+  ];
+
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "prohibit-password";
+    passwordAuthentication = false;
+  };
+
+  users.extraUsers.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlCoSJ/2BHt0RqQUn2L9DPcCEJBJQWpq+74cpmeaGJL cyryl@foureighty"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN/2C59i+ucvSa9FLCHlVPJp0zebLOcw0+hnBYwy0cY cyryl@skinnyv"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwZ4M6lT2yzg8iarCzsLADAuXS4BUkLTt1+mKCECczk nix-builder@brix"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNEUIxbENTdhSWzYupGFn/q+AGe0diBOTMyiZAmv7F nix-builder@vultr1"
+  ];
+
+  users.users.nix-builder = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlCoSJ/2BHt0RqQUn2L9DPcCEJBJQWpq+74cpmeaGJL cyryl@foureighty"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN/2C59i+ucvSa9FLCHlVPJp0zebLOcw0+hnBYwy0cY cyryl@skinnyv"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwZ4M6lT2yzg8iarCzsLADAuXS4BUkLTt1+mKCECczk nix-builder@brix"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNEUIxbENTdhSWzYupGFn/q+AGe0diBOTMyiZAmv7F nix-builder@vultr1"
+    ];
+  };
+
+  nix.trustedUsers = [ "root" "nix-builder" ];
+}
--- a/nixos/boxes/brix/vpn.nix
+++ b/nixos/boxes/brix/vpn.nix
@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+{
+  nixpkgs.config = {
+    allowUnfree = true;
+  };
+
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "d3ecf5726d580b5a" ];
+  };
+
+  networking.hosts = {
+    "172.23.153.159" = [ "brix.vpn" ];
+    "172.23.28.139" = [ "vultr1.vpn" ];
+  };
+}