add SOPS, etc.

2024-04-07 17:54:27 -05:00 · 2024-04-07 17:54:27 -05:00 · 10c6af76f2
commit 10c6af76f2
parent e1f0194350
25 changed files with 435 additions and 413 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -1,4 +1,8 @@
-{host, ...}: {
+{
+  pkgs,
+  host,
+  ...
+}: {
  users.groups.plugdev = {}; # Create plugdev group
  networking.hostName = host.hostName;
  users.users.${host.username} = {
@ -9,11 +13,20 @@
      "video"
    ];
  };
+  environment.systemPackages = with pkgs; [vim];
+  programs.nix-index.enableBashIntegration = false;
+  programs.nix-index.enableZshIntegration = false;
+  programs.nix-index-database.comma.enable = true;
  time.timeZone = "America/Chicago";

  # Enable flakes and unfree packages
  nix.settings = {
    auto-optimise-store = true;
+    substituters = ["https://nix-community.cachix.org"];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+    trusted-users = [host.username];
    experimental-features = ["nix-command" "flakes"];
  };
  nix.gc = {
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -4,7 +4,12 @@
  attrs,
  system,
  ...
-}: {
+}: let
+  defaultModules = [
+    inputs.sops-nix.nixosModules.sops
+    inputs.nix-index-database.nixosModules.nix-index
+  ];
+in {
  t14 = inputs.nixpkgs.lib.nixosSystem {
    specialArgs = {
      inherit inputs system pkgs attrs;
@ -13,11 +18,13 @@
        inherit (attrs) username;
      };
    };
-    modules = [
-      ./configuration.nix
-      ./t14/configuration.nix
-      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1
-    ];
+    modules =
+      defaultModules
+      ++ [
+        ./configuration.nix
+        ./t14/configuration.nix
+        inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1
+      ];
  };
  rknrd = inputs.nixpkgs.lib.nixosSystem {
    specialArgs = {
@ -27,21 +34,17 @@
        inherit (attrs) username;
      };
    };
-    modules = [
-      ./configuration.nix
-      ./racknerd/configuration.nix
-    ];
+    modules =
+      defaultModules
+      ++ [
+        ./configuration.nix
+        ./racknerd/configuration.nix
+      ];
  };
  htz = inputs.nixpkgs.lib.nixosSystem {
    specialArgs = {
      inherit inputs system pkgs;
      addressList = {
-        vm-pool = {
-          name = "vm-pool";
-          ipv4 = "10.0.0.2";
-          subnet = "/24";
-          mac = "02:00:00:00:00:02";
-        };
        vm-k3s = {
          name = "vm-k3s";
          ipv4 = "10.0.0.3";
@ -54,11 +57,13 @@
        inherit (attrs) username;
      };
    };
-    modules = [
-      ./configuration.nix
-      ./htz/configuration.nix
-      inputs.ethereum-nix.nixosModules.default
-      inputs.microvm.nixosModules.host
-    ];
+    modules =
+      defaultModules
+      ++ [
+        ./configuration.nix
+        ./htz/configuration.nix
+        inputs.ethereum-nix.nixosModules.default
+        inputs.microvm.nixosModules.host
+      ];
  };
 }
--- a/nixos/htz/configuration.nix
+++ b/nixos/htz/configuration.nix
@ -10,23 +10,14 @@
    ./eth.nix
  ];
  environment.systemPackages = with pkgs; [
-    vim
    git
    bridge-utils
-    comma
  ];
-  virtualisation = {
-    docker = {
-      enable = true;
-    };
-  };
  networking = {
    hostName = "htz";
-    domain = "";
    firewall = {
      enable = true;
-      allowedTCPPorts = [22 80 443];
-      allowedUDPPorts = [];
+      allowedTCPPorts = [22];
      logRefusedConnections = true;
      trustedInterfaces = ["microvm"];
    };
@ -43,9 +34,8 @@
    device = "/eth1";
    options = ["bind"];
  };
-  services = let
-    domain = "ts.10110110.xyz";
-  in {
+  services = {
+    tailscale.enable = true;
    openssh = {
      enable = true;
      settings = {
@ -53,30 +43,6 @@
        PermitRootLogin = "prohibit-password";
      };
    };
-    tailscale.enable = true;
-    headscale = {
-      enable = true;
-      address = "0.0.0.0";
-      port = 8080;
-      serverUrl = "https://${domain}";
-      dns = {baseDomain = domain;};
-      settings = {logtail.enabled = false;};
-    };
-    nginx = {
-      enable = true;
-      virtualHosts.${domain} = {
-        forceSSL = true;
-        enableACME = true;
-        locations."/" = {
-          proxyPass = "http://localhost:8080";
-          proxyWebsockets = true;
-        };
-      };
-    };
-  };
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "mail@10110110.xyz";
  };
  users.users = {
    root = {
--- a/nixos/htz/eth.nix
+++ b/nixos/htz/eth.nix
@ -9,8 +9,37 @@
      allowedUDPPorts = [9000 30303];
      logRefusedConnections = true;
      trustedInterfaces = ["microvm"];
+      interfaces."tailscale0".allowedTCPPorts = [5052 8545];
    };
  };
+  # virtualisation.oci-containers.containers = {
+  # besu = {
+  #   image = "hyperledger/besu:24.3-graalvm";
+  #   ports = [
+  #     "0.0.0.0:30303:30303"
+  #     "0.0.0.0:30303:30303/udp"
+  #     "100.79.221.28:8551:8551"
+  #   ];
+  #   volumes = [
+  #     "/eth1/besu:/var/lib/besu"
+  #     "/etc/nixos/eth_jwt:/var/lib/jwtsecret/jwt.hex"
+  #   ];
+  #   environment = {
+  #     JAVA_OPTS = "\"-Xmx16192m\"";
+  #   };
+  #   cmd = [
+  #     "--Xsnapsync-synchronizer-flat-db-healing-enabled=true"
+  #     "--data-path=/var/lib/besu"
+  #     "--data-storage-format=bonsai"
+  #     "--engine-jwt-secret=/var/lib/jwtsecret/jwt.hex"
+  #     "--engine-rpc-enabled"
+  #     "--engine-rpc-port=8551"
+  #     "--fast-sync-min-peers=3"
+  #     "--nat-method=docker"
+  #     "--network=mainnet"
+  #     "--sync-mode=X_SNAP"
+  #   ];
+  # };
  services.ethereum.geth.mainnet = {
    enable = true;
    package = inputs.ethereum-nix.packages.${system}.geth;
@ -18,7 +47,8 @@
    args = {
      http = {
        enable = true;
-        addr = "10.0.0.1";
+        addr = "0.0.0.0";
+        vhosts = ["htz.tailc353f.ts.net"];
      };
      authrpc.jwtsecret = "/etc/nixos/eth_jwt";
    };
@ -34,7 +64,7 @@
      enr-auto-update = true;
      rest = {
        enable = true;
-        address = "10.0.0.1";
+        address = "0.0.0.0";
      };
      light-client-data.max-periods = "3";
    };
--- a/nixos/htz/vms/default.nix
+++ b/nixos/htz/vms/default.nix
@ -1,8 +1,6 @@
 {
-  inputs,
  lib,
  pkgs,
-  system,
  addressList,
  ...
 }: let
@ -93,10 +91,6 @@
  };
 in {
  microvm.vms = {
-    vm-pool = genVMConfig {
-      name = "vm-pool";
-      config = import ./pool.nix {inherit pkgs system inputs;};
-    };
    vm-k3s = genVMConfig {
      name = "vm-k3s";
      config = import ./k3s.nix {inherit pkgs;};
--- a/nixos/htz/vms/k3s.nix
+++ b/nixos/htz/vms/k3s.nix
@ -7,6 +7,7 @@
    role = "server";
    extraFlags = toString [
      "--disable traefik"
+      "--tls-san vm-k3s.tailc353f.ts.net"
    ];
  };
  networking.firewall = {
@ -21,7 +22,7 @@
        image = "/var/lib/microvms/vm-k3s/vm-k3s-root.img";
        label = "vm-pool-root";
        mountPoint = "/";
-        size = 10000;
+        size = 100000;
      }
    ];
  };
--- a/nixos/racknerd/configuration.nix
+++ b/nixos/racknerd/configuration.nix
@ -1,41 +1,83 @@
 {
+  inputs,
  pkgs,
-  system,
+  config,
  ...
 }: {
  imports = [
    ./hardware-configuration.nix
    ./minecraft.nix
+    inputs.ethereum-nix.nixosModules.default
  ];
  environment.systemPackages = with pkgs; [
    nfs-utils
+    vim
+    inputs.ethereum-nix.packages.${system}.rocketpool
+    docker-compose
  ];
+  environment.interactiveShellInit = ''
+    alias rp='rocketpool --allow-root'
+  '';
+  virtualisation = {
+    docker = {
+      enable = true;
+    };
+  };
+
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = false;
-  networking.hostName = "rknrd";
-  networking.domain = "";
-  networking.firewall = {
-    enable = true;
-    allowedTCPPorts = [22];
-    allowedUDPPorts = [];
-    logRefusedConnections = true;
+
+  networking = {
+    hostName = "rknrd";
+    nameservers = [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [22];
+      allowedUDPPorts = [];
+      logRefusedConnections = true;
+    };
  };
+
  services.openssh.enable = true;
+  services.tailscale.enable = true;
  users.users = {
    root = {
      openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU2TUxKyGKoZ68IG4hw23RmxVf72u5K9W0StkgTr0b2 e@t14''];
    };
    e = {
      isNormalUser = true;
-      extraGroups = ["wheel"];
-      packages = with pkgs; [
-        vim
-        htop
-        tree
-      ];
+      extraGroups = ["wheel" "docker"];
      openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU2TUxKyGKoZ68IG4hw23RmxVf72u5K9W0StkgTr0b2 e@t14''];
    };
  };
+  virtualisation.oci-containers.containers = {
+    signal-api = {
+      image = "bbernhard/signal-cli-rest-api:latest";
+      ports = ["100.73.10.99:8080:8080"];
+      volumes = [
+        "/root/signal-cli:/home/.local/share/signal-cli"
+      ];
+    };
+  };
+  systemd.timers."signal-upload" = {
+    wantedBy = ["timers.target"];
+    timerConfig = {
+      OnCalendar = "*:0/5";
+      Unit = "signal-upload.service";
+    };
+  };
+  systemd.services."signal-upload" = {
+    script = ''
+      ${pkgs.curl}/bin/curl -X GET -H "Content-Type application/json" 'http://rknrd.tailc353f.ts.net:8080/v1/receive/+14145029897' && ${pkgs.docker}/bin/docker run --rm --env-file=${config.sops.secrets."b2-photos-s3/env".path} -v /root/signal-cli/attachments:/root/data public.ecr.aws/aws-cli/aws-cli s3 mv /root/data/ s3://iofq-photos/signal --endpoint-url=https://s3.us-west-004.backblazeb2.com --recursive
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
  security.sudo.wheelNeedsPassword = false;
  nix.settings.trusted-users = ["e"];
  system.stateVersion = "22.11";
--- a/nixos/racknerd/minecraft.nix
+++ b/nixos/racknerd/minecraft.nix
@ -1,4 +1,38 @@
-{pkgs, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops = {
+    defaultSopsFile = ../../secrets/restic.yaml;
+    age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    secrets = {
+      "b2-minecraft/env" = {};
+      "b2-minecraft/repo" = {};
+      "b2-minecraft/password" = {};
+      "b2-photos-s3/env" = {};
+    };
+  };
+  services.restic.backups = {
+    b2-minecraft = {
+      initialize = true;
+      environmentFile = config.sops.secrets."b2-minecraft/env".path;
+      repositoryFile = config.sops.secrets."b2-minecraft/repo".path;
+      passwordFile = config.sops.secrets."b2-minecraft/password".path;
+
+      paths = [
+        "/var/lib/minecraft"
+      ];
+      timerConfig = {
+        OnCalendar = "00:05";
+      };
+      pruneOpts = [
+        "--keep-daily 3"
+        "--keep-weekly 1"
+        "--keep-monthly 1"
+      ];
+    };
+  };
  services.minecraft-server = {
    enable = true;
    eula = true;
--- a/nixos/t14/backups.nix
+++ b/nixos/t14/backups.nix
@ -0,0 +1,32 @@
+{config, ...}: {
+  sops = {
+    defaultSopsFile = ../../secrets/restic.yaml;
+    age.keyFile = "/home/e/.config/sops/age/keys.txt";
+    secrets = {
+      "b2-home/env" = {};
+      "b2-home/repo" = {};
+      "b2-home/password" = {};
+    };
+  };
+  services.restic.backups = {
+    b2-home = {
+      initialize = true;
+      environmentFile = config.sops.secrets."b2-home/env".path;
+      repositoryFile = config.sops.secrets."b2-home/repo".path;
+      passwordFile = config.sops.secrets."b2-home/password".path;
+
+      paths = [
+        "/home/e/backmeup"
+        "/home/e/.ssh"
+        "/home/e/.librewolf"
+        "/home/e/.runelite"
+      ];
+      timerConfig = {
+        OnCalendar = "01:00";
+      };
+      pruneOpts = [
+        "--keep-last 14"
+      ];
+    };
+  };
+}
--- a/nixos/t14/configuration.nix
+++ b/nixos/t14/configuration.nix
@ -9,6 +9,7 @@ in {
  imports = [
    ./hardware-configuration.nix
    ./nano.nix
+    ./backups.nix
  ];
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@ -16,7 +17,6 @@ in {
  environment.systemPackages = with pkgs; [
    cryptsetup
    nfs-utils
-    comma
  ];
  environment.extraInit = "[[ -f ${homeManagerSessionVars} ]] && source ${homeManagerSessionVars} && echo 'x' > /tmp/test";

@ -48,7 +48,6 @@ in {

  # Services
  virtualisation = {
-    libvirtd.enable = true;
    podman = {
      enable = true;
      dockerCompat = true;
@ -77,29 +76,8 @@ in {
    enable = true;
    settings = {
      WIFI_PWR_ON_BAT = "off";
-      CPU_BOOST_ON_BAT = "0";
-      CPU_BOOST_ON_AC = "1";
-
-      PLATFORM_PROFILE_ON_AC = "low-power";
-      PLATFORM_PROFILE_ON_BAT = "low-power";
-      CPU_SCALING_GOVERNOR_ON_AC = "powersave";
-      CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
-
-      CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
-      CPU_ENERGY_PERF_POLICY_ON_AC = "power";
-
-      CPU_MIN_PERF_ON_AC = 0;
-      CPU_MAX_PERF_ON_AC = 100;
-      CPU_MIN_PERF_ON_BAT = 0;
-      CPU_MAX_PERF_ON_BAT = 25;
-      RADEON_DPM_STATE_ON_AC = "performance";
-      RADEON_DPM_STATE_ON_BAT = "battery";
-      RADEON_POWER_PROFILE_ON_AC = "high";
-      RADEON_POWER_PROFILE_ON_BAT = "low";
-
-      #Optional helps save long term battery health
-      START_CHARGE_THRESH_BAT0 = 80; # bellow it starts to charge
-      STOP_CHARGE_THRESH_BAT0 = 95; # above it stops charging
+      START_CHARGE_THRESH_BAT0 = 80;
+      STOP_CHARGE_THRESH_BAT0 = 85;
    };
  };