Price/NixOS
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: initial implementation of orion host

Browse Source
This commit is contained in:
Price Hiller 2024-02-17 14:10:39 -06:00
parent 9dd12bee68
commit 98a20e2829
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
23 changed files with 523 additions and 308 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
flake.lock
View File

@ -11,11 +11,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1682237245,
"narHash": "sha256-xbBR7LNK+d5Yi/D6FXQGc1R6u2VV2nwr/Df5iaEbOEQ=",
"lastModified": 1707771926,
"narHash": "sha256-PhWWmby82jm1ddLnQoC4sPcRBnn9tMRmqiwbsYdO8Ec=",
"owner": "yaxitech",
"repo": "ragenix",
"rev": "281f68c3d477904f79ff1cd5807a8c226cd80a50",
"rev": "2d9122fe28c15ca64770f192f7df97e13b1fb098",
"type": "github"
},
"original": {
@ -27,17 +27,19 @@
"agenix_2": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"agenix",
"nixpkgs"
]
],
"systems": "systems"
},
"locked": {
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"lastModified": 1703433843,
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"type": "github"
},
"original": {
@ -54,11 +56,11 @@
]
},
"locked": {
"lastModified": 1706241694,
"narHash": "sha256-OzgzZTpzNOYJGV3FYE8IXxRIAp4ht1FKMX71JXX/CHg=",
"lastModified": 1708200003,
"narHash": "sha256-F35dKFLG1fs/B6+Zi081mi8x2x8CARgrU/xeWSmY4l4=",
"ref": "refs/heads/Development",
"rev": "bbb3e7d8ff657ec61b7b1c5d745a0eba30d76f4e",
"revCount": 70,
"rev": "acf0f3a8b17b8eb07166a17badde0d2a04cee778",
"revCount": 72,
"type": "git",
"url": "https://git.orion-technologies.io/blog/blog"
},
@ -69,26 +71,17 @@
},
"crane": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"agenix",
"flake-utils"
],
"nixpkgs": [
"agenix",
"nixpkgs"
],
"rust-overlay": [
"agenix",
"rust-overlay"
]
},
"locked": {
"lastModified": 1681680516,
"narHash": "sha256-EB8Adaeg4zgcYDJn9sR6UMjN/OHdIiMMK19+3LmmXQY=",
"lastModified": 1707685877,
"narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=",
"owner": "ipetkov",
"repo": "crane",
"rev": "54b63c8eae4c50172cb50b612946ff1d2bc1c75c",
"rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e",
"type": "github"
},
"original": {
@ -106,11 +99,11 @@
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
@ -122,16 +115,16 @@
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1704875591,
"narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=",
"lastModified": 1708091384,
"narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b",
"rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
"type": "github"
},
"original": {
@ -147,11 +140,11 @@
]
},
"locked": {
"lastModified": 1706491084,
"narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=",
"lastModified": 1708143835,
"narHash": "sha256-SRGi47kleiyNVQlR9mxp9Ux2t2SLy7Nm3L6b3UKjH2c=",
"owner": "nix-community",
"repo": "disko",
"rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9",
"rev": "4d81082b2c37a6e1e181cc9f589b5b657774bd63",
"type": "github"
},
"original": {
@ -161,22 +154,6 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -192,7 +169,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1687265871,
@ -210,14 +187,14 @@
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
@ -228,7 +205,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1705309234,
@ -246,7 +223,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_5"
},
"locked": {
"lastModified": 1705309234,
@ -262,6 +239,28 @@
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1706639736,
@ -295,11 +294,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1706550542,
"narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
"lastModified": 1708118438,
"narHash": "sha256-kk9/0nuVgA220FcqH/D2xaN6uGyHp/zoxPNUmPCMmEE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
"rev": "5863c27340ba4de8f83e7e3c023b9599c3cb3c80",
"type": "github"
},
"original": {
@ -315,7 +314,7 @@
"blog": "blog",
"deploy-rs": "deploy-rs",
"disko": "disko",
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3",
"impermanence": "impermanence",
"nixpkgs": "nixpkgs_2"
@ -333,11 +332,11 @@
]
},
"locked": {
"lastModified": 1682129965,
"narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=",
"lastModified": 1707703915,
"narHash": "sha256-Vej69igzNr3eVDca6+32uO+TXjVWx6ZUwwy3iZuzhJ4=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "2c417c0460b788328220120c698630947547ee83",
"rev": "e6679d2ff9136d00b3a7168d2bf1dff9e84c5758",
"type": "github"
},
"original": {
@ -406,9 +405,24 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1701680307,

159
flake.nix
View File

@ -5,9 +5,7 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
deploy-rs.url = "github:serokell/deploy-rs";
impermanence = {
url = "github:nix-community/impermanence";
};
impermanence = { url = "github:nix-community/impermanence"; };
agenix = {
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
@ -27,14 +25,15 @@
};
};
outputs = inputs @ { self, nixpkgs, deploy-rs, impermanence, agenix, disko, flake-utils, blog, ... }:
outputs = inputs@{ self, nixpkgs, deploy-rs, impermanence, agenix, disko
, flake-utils, blog, ... }:
let
lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib;
persist-dir = "/persist";
defaults = {
config = {
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
environment.etc.machine-id.source =
"${persist-dir}/ephemeral/etc/machine-id";
environment.persistence.save = {
hideMounts = true;
persistentStoragePath = "${persist-dir}/save";
@ -42,59 +41,90 @@
environment.persistence.ephemeral = {
persistentStoragePath = "${persist-dir}/ephemeral";
hideMounts = true;
directories = [
"/var/lib"
"/var/log"
"/etc/nixos"
];
directories = [ "/var/lib" "/var/log" "/etc/nixos" ];
};
};
};
in
{
nixosConfigurations.luna =
let
hostname = "luna";
in
nixpkgs.lib.nixosSystem
{
system = "x86_64-linux";
specialArgs = {
inherit self;
inherit blog;
inherit flake-utils;
inherit inputs;
inherit hostname;
inherit nixpkgs;
inherit lib;
inherit persist-dir;
root-disk = "/dev/nvme0n1";
fqdn = "orion-technologies.io";
};
modules = [
defaults
impermanence.nixosModules.impermanence
agenix.nixosModules.default
disko.nixosModules.disko
{ config = (import "${self}/secrets" { agenix = false; inherit lib; }).${hostname}; }
./hosts/${hostname}
];
in {
nixosConfigurations = {
orion = let hostname = "orion";
in nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit self;
inherit inputs;
inherit hostname;
inherit lib;
inherit persist-dir;
root-disk = "/dev/vda";
};
modules = [
defaults
impermanence.nixosModules.impermanence
agenix.nixosModules.default
disko.nixosModules.disko
{
config = (import "${self}/secrets" {
agenix = false;
inherit lib;
}).${hostname};
}
./hosts/${hostname}
];
};
luna = let hostname = "luna";
in nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit self;
inherit blog;
inherit flake-utils;
inherit inputs;
inherit hostname;
inherit nixpkgs;
inherit lib;
inherit persist-dir;
root-disk = "/dev/nvme0n1";
fqdn = "orion-technologies.io";
};
modules = [
defaults
impermanence.nixosModules.impermanence
agenix.nixosModules.default
disko.nixosModules.disko
{
config = (import "${self}/secrets" {
agenix = false;
inherit lib;
}).${hostname};
}
./hosts/${hostname}
];
};
};
deploy.nodes = {
luna = {
hostname = "luna.hosts.orion-technologies.io";
fastConnection = true;
profiles = {
system = {
sshUser = "price";
user = "root";
path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.luna;
};
};
deploy.nodes = {
orion = {
hostname = "boot";
fastConnection = true;
profiles.system = {
sshUser = "price";
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.orion;
};
};
luna = {
hostname = "luna.hosts.orion-technologies.io";
fastConnection = true;
profiles.system = {
sshUser = "price";
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.luna;
};
};
};
} // flake-utils.lib.eachDefaultSystem (system:
let
@ -102,16 +132,19 @@
inherit system;
overlays = [ agenix.overlays.default ];
};
in
{
devShells.default =
pkgs.mkShell
{
packages = with pkgs; [ age age-plugin-yubikey pkgs.agenix nixos-rebuild pkgs.deploy-rs ];
shellHook = ''
export RULES="$PWD/secrets/secrets.nix"
nix eval --json --file ./.nixd.nix > .nixd.json
'';
};
in {
devShells.default = pkgs.mkShell {
packages = with pkgs; [
age
age-plugin-yubikey
pkgs.agenix
nixos-rebuild
pkgs.deploy-rs
];
shellHook = ''
export RULES="$PWD/secrets/secrets.nix"
nix eval --json --file ./.nixd.nix > .nixd.json
'';
};
});
}

2
hosts/luna/os/fs.nix
View File

@ -21,7 +21,7 @@
};
};
fileSystems."/persist".neededForBoot = true;
fileSystems."${persist-dir}".neededForBoot = true;
disko.devices =
{

10
hosts/orion/default.nix
View File

@ -1,9 +1,5 @@
{ config, lib, nixpkgs, ... }:
{
imports = [
./modules
./os/filesystem.nix
];
system.stateVersion = "23.11";
}
imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");
system.stateVersion = "24.05";
}

13
hosts/orion/modules/default.nix
View File

@ -1,13 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports = [
./audio.nix
./bluetooth.nix
./hardware.nix
./networking.nix
./nix.nix
./power.nix
./user.nix
];
}

4
hosts/orion/modules/networking.nix
View File

@ -66,7 +66,6 @@ in
UseDNS = networks_dhcp_use_dns;
};
};
};
};
@ -87,6 +86,7 @@ in
networking = {
hostName = "${hostname}";
wireless.iwd.enable = true;
useNetworkd = true;
};
}
}

62
hosts/orion/modules/services/openssh.nix Normal file
View File

@ -0,0 +1,62 @@
{ config, ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
# We set the hostkeys manually so they persist through reboots
hostKeys = [
{
path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key");
type = "ed25519";
}
];
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
extraConfig = ''
AllowUsers price
'';
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
GatewayPorts = "yes";
LogLevel = "VERBOSE";
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
};
ports = [
2200
];
banner = ''
Orion Technologies - Security Notice
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have written, explicit, authorized
permission to access or configure this device.
Unauthorized attempts and actions to access or use
this system may result in civil and/or criminal
penalties. All activities performed on this device
are logged and monitored.
'';
};
}

37
hosts/orion/modules/user.nix
View File

@ -1,37 +0,0 @@
{ pkgs, user, ... }:
let
user = "price";
in
{
programs = {
zsh.enable = true;
};
nixpkgs.config.allowUnfree = true;
users.users = {
root.initialPassword = "pass";
"${user}" = {
initialPassword = "pass";
shell = pkgs.zsh;
isNormalUser = true;
description = "${user}";
extraGroups = [
"wheel"
"docker"
"nix-users"
"libvirt"
"log"
];
};
};
environment.systemPackages = with pkgs; [
ungoogled-chromium
wezterm
yamllint
stylua
eza
];
}

19
hosts/orion/modules/users.nix Normal file
View File

@ -0,0 +1,19 @@
{ pkgs, user, config, ... }: {
security.sudo.wheelNeedsPassword = false;
users.users = {
root.hashedPasswordFile = config.age.secrets.users-root-pw.path;
price = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.bash;
hashedPasswordFile = config.age.secrets.users-price-pw.path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkWsSntg1ufF40cALcIBA7WZhiU/f0cncqq0pcp+DZY openpgp:0x15993C90"
];
};
};
environment.persistence.ephemeral.users = {
price = { files = [ ".bash_history" ]; };
root = { home = "/root"; files = [ ".bash_history" ]; };
};
}

73
hosts/orion/os/boot.nix Normal file
View File

@ -0,0 +1,73 @@
{ modulesPath, pkgs, ... }: {
# imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
kernelModules = [ "kvm-intel" ];
kernelParams = [ "audit=1" ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
# availableKernelModules =
# [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usbhid" "rtsx_pci_sdmmc" ];
# kernelModules = [ ];
systemd = {
enable = true;
initrdBin = [ pkgs.libuuid pkgs.gawk ];
services.rollback = {
description = "Rollback btrfs root subvolume";
wantedBy = [ "initrd.target" ];
before = [ "sysroot.mount" ];
after = [ "initrd-root-device.target" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
DISK_LABEL="NixOS-Primary"
FOUND_DISK=0
ATTEMPTS=50
printf "Attempting to find disk with label '%s'\n" "$DISK_LABEL"
while ((ATTEMPTS > 0)); do
if findfs LABEL="$DISK_LABEL"; then
FOUND_DISK=1
printf "Found disk!\n"
break;
fi
((ATTEMPTS--))
sleep .1
printf "Remaining disk discovery attempts: %s\n" "$ATTEMPTS"
done
if (( FOUND_DISK == 0 )); then
printf "Discovery of disk with label '%s' failed! Cannot rollback!\n" "$DISK_LABEL"
exit 1
fi
mount -t btrfs -o subvol=/ $(findfs LABEL="$DISK_LABEL") /mnt
btrfs subvolume list -to /mnt/root \
| awk 'NR>2 { printf $4"\n" }' \
| while read subvol; do
printf "Removing Subvolume: %s\n" "$subvol";
btrfs subvolume delete "/mnt/$subvol"
done
printf "Removing /root subvolume\n"
btrfs subvolume delete /mnt/root
printf "Restoring base /root subvolume\n"
btrfs subvolume snapshot /mnt/root-base /mnt/root
umount /mnt
'';
};
};
};
};
}

6
hosts/orion/os/default.nix Normal file
View File

@ -0,0 +1,6 @@
{ modulesPath, ... }:
{
zramSwap.enable = true;
}

78
hosts/orion/os/filesystem.nix
View File

@ -1,78 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
kernelModules = [ ];
luks.devices = {
"luksroot" = {
device = "/dev/disk/by-label/NixOS-Crypt";
allowDiscards = true;
};
};
};
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
zramSwap.enable = true;
fileSystems = {
"/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "noatime" "mode=755" ];
};
"/boot" = {
device = "/dev/disk/by-label/NixOS-Boot";
fsType = "vfat";
options = [ "defaults" "noatime" ];
depends = [ "/" ];
};
"/nix" = {
device = "/dev/disk/by-label/NixOS-Primary";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
};
};
environment.persistence = {
"/nix/persist" = {
hideMounts = true;
directories = [
"/var/lib"
"/var/log"
"/etc/nixos"
];
files = [
"/etc/machine-id"
"/etc/nix/id_rsa"
];
users.price = {
directories = [
"Git"
"ISOs"
"Downloads"
"Keep"
"Notes"
".local/share"
{ directory = ".gnupg"; mode = "0700"; }
{ directory = ".ssh"; mode = "0700"; }
];
files = [
".zsh_history"
];
};
};
};
}

75
hosts/orion/os/fs.nix Normal file
View File

@ -0,0 +1,75 @@
{ modulesPath, config, lib, root-disk, persist-dir, ... }: {
services = {
fstrim.enable = true;
btrfs.autoScrub = {
enable = true;
fileSystems = [ "/" "/nix" "/persist" ];
};
snapper = {
# NOTE: According to `snapper-config(5)` the default timeline count for all timelines is 10
# (see TIMELINE_LIMIT_HOURLY, ...DAILY, etc.)
configs.persist = {
TIMELINE_CREATE = true;
TIMELINE_CLEANUP = true;
SUBVOLUME = "${persist-dir}";
};
};
};
fileSystems."${persist-dir}".neededForBoot = true;
disko.devices = {
disk.${lib.removePrefix "/dev/" root-disk} = {
type = "disk";
device = "${root-disk}";
content = {
type = "gpt";
partitions = {
esp = let label = "NixOS-Boot";
in {
priority = 1;
size = "512M";
type = "EF00";
content = {
extraArgs = [ "-n ${label}" "-F 32" ];
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" "defaults" ];
};
};
root = let label = "NixOS-Primary";
in {
size = "100%";
content = {
type = "luks";
name = "crypted";
settings = { allowDiscards = true; };
content = {
type = "btrfs";
extraArgs = [ "-f" "--label ${label}" ];
postCreateHook = ''
MOUNT="$(mktemp -d)"
mount "/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/
trap 'umount $MOUNT; rm -rf $MOUNT' EXIT
btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base"
'';
subvolumes = {
"/root" = { mountpoint = "/"; };
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = [ "compress=zstd" "noatime" ];
};
};
};
};
};
};
};
};
};
}

6
hosts/orion/os/hardware.nix Normal file
View File

@ -0,0 +1,6 @@
{ lib, config, ... }: {
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
services.fstrim.enable = true;
}

1
hosts/orion/pubkey.nix Normal file
View File

@ -0,0 +1 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion"

8
secrets/default.nix
View File

@ -15,6 +15,14 @@ let
gitea-db-pass = "${secrets}/gitea-db-pass.age";
gitea-runner-token = "${secrets}/gitea-runner-token.age";
};
orion =
let
secrets = "orion";
in
{
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
};
};
in
if agenix then

23
secrets/luna/gitea-db-pass.age
View File

@ -1,8 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 1fG0ow ItVCvyKKXcmZVvuomgGsRw91c1jQCLXGPkIh2VXvGFg
NjOqD/+g+6FvOqurcaKw5LrZpmc2Tlo277ZYkv3loWU
-> piv-p256 rJs1HA AuseeP2+foV1YzNuU85cqXN/t/MxL1CSMfev9EBnn547
ErXvkp3KKibgLNbOQmE3iM1CjgooVs/Nsup84i4U8ds
--- lWtn0ntT2K5N9LlQR69UYGyJvELufjKuEqnWceJWZdQ
~eàt!ß„¦®…p`±8ÙîÓïó&nS ØW?§JåÎKY°U Ÿ”6?|I´Œ£MÇQ0ÿÛ¸ssêR,=¡??O²e{)^ŸiöœÇ÷
 åéAg</綵ñsºÝØ<1F>ÔêSjœŠýÁÐB—'áÕÙ§ <0B>¿~PTQ—¯Öy“ئkœ>ªnò4}(ˆóe£QHU"ð^ؘ?ไ}'*ò¼%†,Pˆ¤ªg½A Iêy9“15<35>ëU¿ôt
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyB5Sm54
eEZVbVJZeENxVm5YWjBzNHlSRG1FTEJvRm5QU0pnU0RSSkVPMlFJCk1mTHQ2eUVs
WUFTa3hwM0Ivc0JnWjJPdUJLWTJxUnIrcVkxV29jQmF1R0EKLT4gcGl2LXAyNTYg
ckpzMUhBIEF5T2FReDJ6akp1MjBCMWlKTnV0NnFyZVY3b1hnbVhwZmhVN3c5TDVP
YW9DCkxUNk1lR1N4TzFHSGdLNERaQ2wxdXd4bjVtUWFKT1h1QWYwUVpjazZPUlEK
LT4gJjVRQU8tZ3JlYXNlIDpICkxWSHdOT0EwSVpXdzJoQmVEeHdIdGlxVEdXUk1w
MkoraTB5anIrUStOMGpMbEdpYkhadUliZTA1R0N1d3h1Y1IKWkc2NzVRCi0tLSBR
Y2cxTnB6bElHWHlMeXhxajhjeDF2TTJqMndJbjlNUWVUQ1c3QjhJTVdnChQsSDjC
IWGSOJD8wfLlou/BFvp7x/e/dobgW3FMazunhUqV5K09jp1Ak7nTeeyRDUz+Mpv5
HaZqL6aCWNn6ZhprF+ZBZfYVyw7EdaCWNAFrR25DP8/JQrQ3lrJIoJZ3VF1a4y+l
55rLJIfBkho6HHycZ6hde8fo4lGUMhsSC2cKviMwa4FvMH3QpodOuN0h5PAX20mg
19uVVQnw4AOUgzm7QZ32Gesj8vORnQHQbFhERlooDuxTSrvnkpBztaxSTVPcv5d+
wDf/rxP05UA=
-----END AGE ENCRYPTED FILE-----

22
secrets/luna/gitea-runner-token.age
View File

@ -1,13 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBlUHdp
cVNLL1JFQklDckkzL0U3a0FDUVZOZWhwZG1naVJqNVpoRVd5cmpZCmwwQ2ZvaUNj
Nlh1MFNGYU1JYlAxT0pUdkoxci9FTmJsZ1lSRDZkY3pPWjAKLT4gcGl2LXAyNTYg
ckpzMUhBIEFocExaRzlJRTBraGExcU1SeDlwc0doeFg0bVM2UTcyMmM5M0dCd0FW
RWdhCnQxRkxTMGsrR3NCMXpUK1cwWnloL21qUHZqSFU3bWxFS0VkclpYWXBnbFEK
LT4gTShmXXkvUS1ncmVhc2UgNzVuKF4mMyArPCV3eUcgMmBERXtCKFIKSDF3bC9S
ck12T2hJTVpoR0svcnlqVVBMYk1zc0tSdGlQL012T1hZYm1veGJSSVAveU15dFJH
V3FRK0NmZXF1UwpaR25sTUhEZUJRaFQxbTF2cGFCUUJIdEZ4a1l1NFlGRHlzQ0RO
NkFOcnhvVAotLS0geGp3WVlLUjg1RnB0cnB2MGJoRk9rRkFDcmFsUnpXRWhkekpP
cWRpLzZiQQrrB7VhL4u7FMMZeSI9ruONPo9wpa77+JH8y/g8Dm5ORaxp+OAOihAP
D25jGbe5+KgTU/wQb5piJLAB2PyBl+2z57RXPXquZ9eJ85L+rb00
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBYTndG
b3pCWDA0T3hnMC9mOXlEaWRLMVpSbzhmeWliMVc2MElsekJhc2dVCmFicFY1WXAv
ZEZNaUNLcE11V3pqZHBBWHZXTzRXTnBHN2h3a1R5ZkhzaFEKLT4gcGl2LXAyNTYg
ckpzMUhBIEE3V2dzUkhYYmFTSHAvdlNmeUgvRENzbmV1N05QQUNoMlRMMjZPVy9w
WmV0CjJsZFowa3d5dEpZTXF2c05tSkJEalc5bFJUNmxGdUZwQTlTQjVEQXJxSkUK
LT4gQUZ3c2BxRS1ncmVhc2UKa0dwbElwS2NYaU5ubzdUSHpQR1RTWmFXOUxweStD
Y0Z4emdFNHpIb2ViQnZmWFdnUVB3YU9CL3I2Vk1Nc2Y1MgpGdTFLeHNwVlBzd2la
NTdNT1c2T05uQkpUT0t4c2ZSeFNiZ3ZXSzhzUXNHOUtUMDRKQyttQVF5QXB3Ci0t
LSBqYUdhdGdqckRRcE5IS0EwTlZ1dEZlRm90TStiYkxzdTZabGV0VjlSK0N3Cu+b
4KRcjCda0CxdH4Z2pw3ndhUU596wdGT7Py92uIiV3kdPLFgaUXHL8qMiAoC74o9T
BzCx4IobN6ysTTSqT3awzFpJGt8Mqt4sjt1zEz4=
-----END AGE ENCRYPTED FILE-----

21
secrets/luna/gitlab-runner-reg-config.age
View File

@ -1,7 +1,14 @@
age-encryption.org/v1
-> ssh-ed25519 1fG0ow oP4nP83S4Hjf4MScoNCBbE3i4Vnzz5XiuJqaLXzRbw0
rNOkeT8FfDLCoUnghLs8/Fpzy4qINhhIhtgB3Ep3REc
-> piv-p256 rJs1HA AiyT5IFnxwxoONmRezlvneUSYSEjglGeXYav8x7Xt+HB
JWAyCMNQNe0+LSRqdQV+f5PGixWMXFMf/wQmyoMEKNE
--- ZnfbHqBM/51+BXYGhcSzBN6k1UtZpKJshgmxrr2eFGo
ô<EFBFBD>™?f èÇíÇ$®À<08>Æb t,ñ$åÌ<C3A5>á€o8R«¸ûò­;¾Øn!õchzg•ý‰—lÁ= 5îOcâÀ—¯BNJð½„ÉaH1Ïýuƒ?ÙQCþfºN{†$ûM¨wLbs¾€:+•Ãá?ZC0™òÚ
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBEUlZU
ckVzR0ZKTlBXREpNa050RWtXMUtPRkMxWmNTTWRDUGgwckdSZUFrCmUwMGIyZ0dn
a2k2UGszRkNScXFCTmJYbDBybHpyU3BVVUdCdFZtMU1sQUkKLT4gcGl2LXAyNTYg
ckpzMUhBIEEwbWdxYkhDaWdmcXV3QmwvSEV3WlR5Yy9manVkQllTVjhFcjdNcWRF
bldOCnFHbkdoZGZKMUQrMXNRSGMvalpMTHBkMm1kZTV1S1NmNndUVHVnUkhxVlUK
LT4gezRJVzwwVC1ncmVhc2UgNFhtO09BJG8KU0N0K2c0c1NUaHhFeTdQb1lnMlZL
K0ppVkpEU3M2R3dGWUxIdkE4OFBhZ2pwRmF3d1NERVB1QUhrVk9yYVZxcQo1bEpP
OTBpdW9rc3RwWGpOV0NCakJiZGhEdXFvQUIzNVg0WlJkZysybGlNCi0tLSBjOEUz
ZUNxQXJ1WWk2R1BWQUpLemJkTXZkYmhLYkJpMitVbHJVUWl0SzEwCh1AImuieRv+
7+iqnBDVtJWT2qTv3X9wTRe0eyOWiYSpeXKiaIpUOf8K09n20dVHBFFSWZ5aRMhZ
pDqcj5ibodPGY7eJMgQhiAfzOVTxZo2oWyA4vmO9RRYbFKM6L6KHVP0vb+1n9cYp
GumKH5zthkXJmPNJECwTQ2Bf15ggbA+K
-----END AGE ENCRYPTED FILE-----

22
secrets/luna/users-price-pw.age
View File

@ -1,12 +1,14 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBxWWpi
V2c2RkxLanlGYjZ6L2dPYmRHRWwxK0Q0aVNCakNzdFdtZ0k4dW1vCjcrQmptaGgz
SmpOb2RFTUlYM1ZWc2U2RkF5eGJzWkI3ekk5RTJXLytHYmcKLT4gcGl2LXAyNTYg
ckpzMUhBIEF4enp2K0FvSFlEWWowT3JSaGV0Rkd6WTlrMlRlZUlhK1B0bFRyWkhD
dTJ1CklMcFlLYTMwQ2YyZUdEaHZ2ZW10VEN0NCsxWGJQL2JvZG40NGtobVE0TXcK
LT4gZmtMNilcfS1ncmVhc2UgI3ZZX243IEkrUSRdblp6IC8KTC9FRERrUGNLTlJs
SEEKLS0tIFVHQlovUTVTMk9WY0NwN0cycjJEa0p1L0h0R1BpNFh4am5TVWp4WU5L
eGcKXXflLkUPB2sSYVNl+4O1QsWXEKtBItZbM7RP+glsuWQfHJBY133UzVMgXTy0
4yvEcD/ixQaKpSIkeOM+bz0IWjyU0y+zL8opR5xX0AMGJZfeNemIZAo8KpmQsoXC
7U0McvbgHkfakV1ONxYCgurPZPDW97Mk146oyU9bE/amgKh2MvNM14RmY4y2uw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyA4VGhH
VVZrUUE3SUg3SGNMTWdYUDROZFRqRW13WHVjQmpmWHVOdHFtakE0CkRiQ0VnQ215
bU9XZDlMYWVtcEd1c09BYlFkcVZnL0xYLzd3akREdkxoMTQKLT4gcGl2LXAyNTYg
ckpzMUhBIEEvSytKaU45NC9Pa3d2OWtFUWltdjdpM3cwRmhCOU5YRWlSNUFFZThP
NWp3CjF5YzlYaU9jOFlsZ0xBWHdXS09TVHc4VVBxOGdoR3kxcjZnczY0cWhJRG8K
LT4gOXN0LWdyZWFzZSAnSnVjMGpPdyBWbXN8WEkgcX1eQmFpClY3NlhUMFRyMURJ
Wmw4d0plM3R4VzNCeXZnK29jbVl1NHc2ZjdCb1R5M2xEYlhXMFBTbVlHdngxb3hJ
Y2lIdlAKVTF3Ci0tLSBZR216cXRYNmJ1ZHJ4RHlmaWdTcmpSR0cwMVpDVTh4QjBl
Z013Uktsbjg4CnXf38il0oLVMjg7GwLmE6GCh4R3EJ7Bs6fPZLf7ktcCmy3FAiVQ
nZ3nndURKmcvawZHCnnANYKxzILcwgF1eQrtV4Mf/giBJGQASu8zx/F7NIR1vXnt
IOXiboxism7lhh2Za+qK0hdxaDsmXvB46kuxgtG0x2E3jC0NaANKFEmE+aS3iMTl
q1cdOuM=
-----END AGE ENCRYPTED FILE-----

19
secrets/luna/users-root-pw.age
View File

@ -1,7 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 1fG0ow +SBbIzQJWyDWdD0tj2OWJ3dRLL2gHQsIGiAInsPwyBQ
GoWyi5Gnh19JavszjXPzAspL9aHzdoJSvYCIWMfaSEY
-> piv-p256 rJs1HA A6Yi0bpMERl4TtMhIrJcqpr8Wp9kGwVcam4UFERNhWVz
PHzAZ115Ua58SKtTNIpVvNOwSJGvedwn7EozWCDnh7I
--- D0hr9/p2mwX7QizZ8UvEEttJZDwW9z4aTqrEOOc2m9s
úJ‡x<Åc1À„ÐjÙÁ÷ëlˆ!qVŸ°øàªÍ¡t­ïð¿?ß<-÷hÉ"´êbÉbǨHƒaŒUÙ<55> ™Èô¢ó݆ ¤jÏS©çF`!Aªˆ¥gkz´•‰wWQÐ_°VU•íâˆÓâYm±>\]úÀ^ÍüMŒžÖîghk>­ñ8¤´b
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDFmRzBvdyBJbnRJ
MTl2TGR4OTQyV0VVSm9CQ0F3K24yZmRpK0xrODdHWDZTTUtyRFFvCjB1dnAzdkxu
REREamdiZmRqdmxSQm1ONHZiKzVpZnZBczFrcklJRnZzSDQKLT4gcGl2LXAyNTYg
ckpzMUhBIEFzMFRXOEJPUDIrb2N5MzdoQmZmR0VlQ285SnBxRk9heGh1SmxaYTJR
MmhECmhFV1BiL00xMFdpOHlublJHamhmOVVaODB5TE5uT2NCVE5Uc0l2SURWU1UK
LT4gWnxYO3RGLWdyZWFzZSBxVQoKLS0tIE13WGJqR0dpY0p3UlBkeWFVVm96M0Qw
Y0ttK0FGTHZDa1I2b0xCeE1aT1UK7DcEAWPiclnaKA9MZNtiIf89clLK3aADLgA1
Dj3VvSYQbC2/GlS8KKpnB5KrwuMHEiCFk8QNzP3u5kmxtoxR88mxGgOczNoQu8Fd
2rDXEQGmt+1xt8mO4nj0THABrxvQTr1lYappdvmuT1w8py1ip4qTZWw2hv9kiCQ1
Lu6rJssCAUEs/NWAWfD2Mg==
-----END AGE ENCRYPTED FILE-----

15
secrets/orion/users-price-pw.age Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNmNCtpdyA3UHl3
QmhOR0tjcFErNVpJd1JNbzZoWmRmVEtiNFR3d0xia1dNOXd2WURVClc2S1laWDZ2
Q2E0dU56RUVoN1RmS2lpazlnVFhEUkJyUnE4WmZ5OGNnL00KLT4gcGl2LXAyNTYg
ckpzMUhBIEF0emdpQTkvaHoxakRIUHFNZnBKNzZoRkpmYzM3L09yeko5SW91ajRH
dy9iCklwTFB5Z01pc1A0ZnRKVEFoYlZsQjBiL0l0cVVwcm13cnNHTEN1ZDZnV0UK
LT4gfDZrMWtaPXEtZ3JlYXNlIHwrfV8geFY1Mz53Ogp3QTdqM0wyMGx4ZTNicEtP
UktIYkpMLzhSaC9JSG9FeWNvNGlvQUF6VDE0bW5HSEUvVCs3L01FU2lnNVNqNysy
Ckt0WFg5REJRdnZ0ZDF4T2I1eFRkb1ZLcjliWjNNNytxYk5RcWpKSDR6MUpsWURu
OWdDQWlBQU9rWTk5RU9sQ28KblEKLS0tIEF6Skh4N0NWMVlZOXcyWVhiMUtWRXcv
dUpNS2xnMHBRd1djbC92TUI5bFUK1ZM/H3yxgBVHspKrfNM6sag7ZiT+ZypSDouI
RoNZBcEjQUarcS2Dxn4G9amAUor0gZcl9hlx3OQnG8HLrFLhryu/550aKeVJZxtV
9AJdDMV2XuEqSEx+mjNeUwAc1nvO9nTC0YKwvFILtvJPPateLZhbGfOzba2UO4EM
aoX5QgifkfqJx7ZZ9Qmb3Q==
-----END AGE ENCRYPTED FILE-----

14
secrets/orion/users-root-pw.age Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGNmNCtpdyA0T2Y3
RjdlVHRGVzdTa2VmQ05tNFUvc2xVV1NxZ0xRV0JXOXRCa0V6ZHowCnVsaERWYjN5
c2J3V3A1LzRqZUNUQWU0Y0ZMSkQ2OHRkRzJIY045L2VjQW8KLT4gcGl2LXAyNTYg
ckpzMUhBIEFsMnJ3ZGhkNHRaTi9BNjk2MnBsMnprNE5CdEhTVGJJMHR4aG1CbVZJ
WnhYClVvNUh6L1AvaERGb0pZVU1kUzZLWGNLSVo3NWZSQ0dZSFI2WDlxcFlpNDAK
LT4gPmZIbidXYi4tZ3JlYXNlIEdLKDI4cmggSgpOWDVqak1iald1ZlRPcm05VVEv
ZXhzMHE3RGo3SEs3blRMSHpoRU9QeFVpdENERXFnNE04NDBuMzEzSUhhRUw5Cjh3
bUNYRkl4L1plQk5mRzZHSmtPUTZaMCswR052bndrbWpNL3lYRQotLS0gQ2pMTVBx
VlZyaUFvc0NJOTFkZGVsZnJUYUlnVmdlem5SdFV4OGMvYUhvQQocxqI0TBwKWsSJ
amGmeBJsUze1Rhlg9ErW7ei+dA//DuPIEK4nqCpwTNyhJGbBUBJKOW3plX2NyQwH
ReC0GvHQRSxQWUyzPdDRefAhJpbFX/TB/TlB5k/iq3/BgXacLOuUtbkUWtPu0X+R
jdYtCHiJGY5IuXrfhP4OZcPbVhVGEx67e5ca0RMbsAqJ
-----END AGE ENCRYPTED FILE-----