diff --git a/.sops.yaml b/.sops.yaml index a331d98..44b3cd9 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,7 +4,7 @@ keys: - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44 - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je - - &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0 + - &host_magnesium age19qkgfaq08kmyxghet48dq4gxwjuy9zpvuyxys9jkmcqa5634537qlxjcd8 - &host_weinturm_pretix_prod age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf - &host_copper age1rrut5ntrkqmvttvmpa5jcmjhr2pfpyaqgu9dmtx6v07lgjxx5ppsl7e5v3 creation_rules: diff --git a/flake.lock b/flake.lock index 25a3022..bdf190f 100644 --- a/flake.lock +++ b/flake.lock @@ -238,6 +238,21 @@ "type": "github" } }, + "impermanence": { + "locked": { + "lastModified": 1737831083, + "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "krops": { "inputs": { "flake-utils": [ @@ -491,6 +506,7 @@ "flake-utils": "flake-utils", "gomod2nix": "gomod2nix", "home-manager": "home-manager", + "impermanence": "impermanence", "krops": "krops", "lanzaboote": "lanzaboote", "nix-pre-commit-hooks": "nix-pre-commit-hooks", diff --git a/flake.nix b/flake.nix index 870a1bd..e671879 100644 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,8 @@ home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager/release-24.11"; + impermanence.url = "github:nix-community/impermanence"; + krops.inputs.flake-utils.follows = "flake-utils"; krops.inputs.nixpkgs.follows = "nixpkgs"; krops.url = "github:Mic92/krops"; 
@@ -107,6 +109,7 @@ command = targetPath: '' nixos-rebuild switch --flake ${targetPath}/config -L --keep-going ''; + force = true; } ) self.nixosConfigurations); @@ -173,9 +176,10 @@ ] ++ [ { nixpkgs.overlays = [ nur.overlays.default ]; } home-manager.nixosModules.home-manager - inputs.sops-nix.nixosModules.sops inputs.disko.nixosModules.disko + inputs.impermanence.nixosModules.impermanence inputs.lanzaboote.nixosModules.lanzaboote + inputs.sops-nix.nixosModules.sops ] ++ extraModules; }) (import ./hosts inputs); diff --git a/hosts/default.nix b/hosts/default.nix index 27f156e..bdb1e83 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -4,7 +4,7 @@ let in { aluminium = { - targetHost = "192.168.0.1"; + targetHost = "jalr-k.duckdns.org"; system = "x86_64-linux"; }; jalr-t520 = { @@ -23,8 +23,8 @@ in targetHost = "jalr-bw.duckdns.org"; }; magnesium = { - system = "aarch64"; - targetHost = "162.55.35.199"; + system = "x86_64-linux"; + targetHost = "magnesium.jalr.de"; }; tin = { system = "x86_64-linux"; diff --git a/hosts/magnesium/configuration.nix b/hosts/magnesium/configuration.nix index cf05901..855b1d1 100644 --- a/hosts/magnesium/configuration.nix +++ b/hosts/magnesium/configuration.nix 
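Review bot: Switching `targetHost` from raw IPs to DNS names (`jalr-k.duckdns.org`, `magnesium.jalr.de`) changes which `known_hosts` entry the krops SSH session is checked against, and magnesium is being reinstalled with a fresh ed25519 host key in the same commit, so the first deploy will either prompt for an unknown host or fail on a mismatch; record the new fingerprint out-of-band (e.g. from the provider console) before deploying rather than accepting it on first connection, especially for the duckdns name, which is dynamic DNS under a third party. A short comment on the magnesium entry, e.g. `# reinstalled 2025-04 with a new host key; see hosts/magnesium/persistence.nix`, would make the key change visible to whoever deploys next. The `system` value also moves from the invalid `"aarch64"` to `"x86_64-linux"`, which presumably is why `hosts/magnesium/configuration.nix` now sets `nixpkgs.hostPlatform` with `lib.mkDefault` — a one-line note that the two must agree would help.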
@@ -1,58 +1,24 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: { imports = [ - ./hardware-configuration.nix - ../../users/jalr + ../../modules/providers/hetzner-cloud.nix ./services + ../../users/jalr + ./persistence.nix ]; networking.hostName = "magnesium"; - services.openssh.enable = true; + + disko.devices.disk.virt.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_60640534"; + security.sudo.wheelNeedsPassword = false; - networking.useDHCP = false; + systemd.network.networks."10-wan".address = [ + "2a01:4f8:c013:bab7::1/64" + ]; - systemd.network = { - enable = true; - networks."10-wan" = { - matchConfig.Name = "enp1s0"; - networkConfig.DHCP = "no"; - address = [ - "162.55.35.199/32" - "2a01:4f8:c012:21ba::/64" - ]; - routes = [ - { - Destination = "172.31.1.1"; - } - { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - } - { - Gateway = "fe80::1"; - } - ]; - }; - }; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - jalr = { - bootloader = "systemd-boot"; - uefi.enable = true; - }; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It's perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + system.stateVersion = "24.11"; } - diff --git a/hosts/magnesium/hardware-configuration.nix b/hosts/magnesium/hardware-configuration.nix deleted file mode 100644 index 2c6ccd7..0000000 --- a/hosts/magnesium/hardware-configuration.nix +++ /dev/null 
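Review bot: `services.openssh.enable = true;` is dropped here and neither of the new imports visible in this diff (`modules/providers/hetzner-cloud.nix`, `./persistence.nix`) re-enables sshd, yet `persistence.nix` still forces `services.openssh.hostKeys` and krops deploys over SSH; unless `./services` or `../../users/jalr` turns it on, the reinstalled host is unreachable and sops-nix has no host key from which to derive its age key, so either keep the line or add `# sshd is enabled in ./services` at the spot it moved to. The address block hard-codes the IPv6 `/64` while IPv4 now comes from DHCP in the provider module; a comment such as `# Hetzner assigns the /64 statically; IPv4 is DHCP in modules/providers/hetzner-cloud.nix` keeps that split understandable. The retained `security.sudo.wheelNeedsPassword = false;` now sits on an internet-facing host, and a one-line justification next to it would document the trade-off, since I cannot see what the user module configures for SSH authentication.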
@@ -1,57 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a"; - fsType = "btrfs"; - options = [ - "subvol=root" - "compress=zstd" - ]; - }; - "/proc" = { - device = "/proc"; - options = [ "nosuid" "noexec" "nodev" "hidepid=2" ]; - }; - "/home" = { - device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a"; - fsType = "btrfs"; - options = [ - "subvol=home" - "compress=zstd" - "nodev" - "nosuid" - ]; - }; - "/nix" = { - device = "/dev/disk/by-uuid/45dcac99-1f65-48ab-b5bf-8a1507f0b75a"; - fsType = "btrfs"; - options = [ - "subvol=nix" - "compress=zstd" - "noatime" - "nodev" - ]; - }; - "/boot" = { - device = "/dev/disk/by-uuid/7836-0C48"; - fsType = "vfat"; - options = [ "nodev" "nosuid" "noexec" ]; - }; - }; - - swapDevices = [ ]; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} diff --git a/hosts/magnesium/persistence.nix b/hosts/magnesium/persistence.nix new file mode 100644 index 0000000..5fc03d5 --- /dev/null +++ b/hosts/magnesium/persistence.nix 
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+{
+ boot.initrd.postDeviceCommands =
+ let
+ device = config.disko.devices.disk.virt.content.partitions.linux.device;
+ in
+ lib.mkAfter ''
+ mkdir /mnt
+ mount -t btrfs "${device}" /mnt
+ btrfs subvolume list -o /mnt/root | cut -f9 -d' ' | while read subvolume; do
+ btrfs subvolume delete "/mnt/$subvolume"
+ done
+ btrfs subvolume delete /mnt/root
+ btrfs subvolume snapshot /mnt/root-blank /mnt/root
+ '';
+
+ services.openssh = {
+ hostKeys = lib.mkForce [{
+ path = "/persist/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }];
+ };
+
+ services.forgejo.stateDir = "/persist/var/lib/forgejo";
+ services.postgresql.dataDir = "/persist/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+
+ fileSystems."/persist".neededForBoot = true;
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/acme"
+ "/var/lib/hedgedoc"
+ "/var/lib/nixos"
+ "/var/lib/private/ntfy-sh"
+ ];
+ };
+}
diff --git a/hosts/magnesium/secrets.yaml b/hosts/magnesium/secrets.yaml
index 23e5d88..317d48e 100644
--- a/hosts/magnesium/secrets.yaml
+++ b/hosts/magnesium/secrets.yaml
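Review bot: The rollback in `postDeviceCommands` never unmounts `/mnt` after the snapshot, its `cut -f9 -d' '` parsing of `btrfs subvolume list -o` breaks on subvolume paths containing spaces, and `-o` lists only direct children, so a subvolume nested deeper under `root` would presumably make the delete of its parent fail and the initrd carry on with a stale `/`; add `umount /mnt` after the snapshot line and let the deletes fail loudly (`btrfs subvolume delete /mnt/root || exit 1`) rather than fall through. `boot.initrd.postDeviceCommands` is only honoured by the scripted initrd, so a comment such as `# scripted initrd only: not run when boot.initrd.systemd.enable = true` would save the next person a silent no-op. Everything not listed under `environment.persistence."/persist"` is discarded at every boot, which includes `/etc/machine-id`; if a stable journald and systemd-networkd identity (DHCP DUID) is wanted, add `files = [ "/etc/machine-id" ];`, otherwise state that it is meant to be ephemeral. The `lib.mkForce` on `services.openssh.hostKeys` is also the key sops-nix derives the host's age key from by default, so losing `/persist/etc/ssh` means losing every secret encrypted to the new `host_magnesium` recipient — worth a comment next to that block. For `/var/lib/private/ntfy-sh`, systemd requires `/var/lib/private` itself to be mode 0700 for DynamicUser services; verify after the first boot that the bind-mount setup leaves it that way.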
@@ -9,27 +9,27 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0 + - recipient: age19qkgfaq08kmyxghet48dq4gxwjuy9zpvuyxys9jkmcqa5634537qlxjcd8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNS0svemgzNTVsOEo3cDI5 - QVJ1dDVpK0Zyb3UwTUhWR29RalNPTENiQm1rCjdPbkZBd0hwQ3VvUmRTT2hlZEhp - Snk3cC9OTWZFSFhzMFBoSENMTHB4Qk0KLS0tIEltSEpUWkVmclRKdTA5b09RcGpT - QTBqZDZLeDFLK0k2MHF4Uk1mQTIxRHcKeLHz+lSnHLyTgw2Aq+IVGpIi9X8SQx+Q - bCSPPMPIZsL4VLInuZmcd2n/kEr80fQM2P3/ktW8RnViQjTU+kKbMg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMW5lbkRNQS9Gc0VUWndk + VlJiczFVM1dHUGc2QWZnMHVIVGZzdWJKUUJzCngyNGxaR2JFNG9HbG81c1ZNSlQ3 + MlgvMlNYWVduY1diM3g2U3BiL0J3U2sKLS0tIHBscWxMTzVISkE5WW1CZTNYK1ZM + elNwdVlJS2NCWUlXcEZvZWsvZ29FRnMK/qa6Qj1yQc91PWk9tMKSyFkMfYcHIKpQ + jcPmGWbpi2NPL/F0Xz2X/zQQxWzs9uzlS1VH+y8JRe1EPMYJ78NXZw== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-11T15:28:59Z" mac: ENC[AES256_GCM,data:1RnyUrbEI2JKpicmA3QV+5ob+vByahMjc4+ZpLbcMyZv/KXn02VP+OQaLm9NgPfpZmSmRgbdPNQAP4f71z/EjcceyANAhnvql3zuYgSXNp5l/IYo5UFZdWgQa14XTGO518969CDLW1zJnlkBtbtLEVlMJiQ/EraV1eNtgCr5UEU=,iv:0fLjboGiejUI9LxHW80ed+/Lf+jlN5UH7tVqfBptq0w=,tag:4Tyrqy9XwQAm0etooVBNZg==,type:str] pgp: - - created_at: "2024-01-31T01:20:03Z" + - created_at: "2025-04-08T22:53:53Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DY/xpNY5WhB0SAQdAKi5BqRHyG+CaeCKH8KuQWVWS8TbO/Kj38hTzbkBuyF8w - lxCni2VsyI4GDdBwy1jzJpqaqkqCwlzUXh7quHKNjZksHSsb8UTy6aZhDt+sz8Xk - 0l4BM0Dv37SESplctQ4hj8Go48nu3KaYfiE7pyP+HfsZksGn7KTeOWoqC+ET3HX0 - k/w1905xtcxInOalYgCpl2NzowAvKKy1mhzN8+bHW9xJq3ca5nYv0qfT0eFDJE1O - =pqvJ + hF4DY/xpNY5WhB0SAQdAbrDTh/Nvu8ky1ec34AAkKQcTH1G1nDlUCSfobMQsCmAw + XPI7V41rBAY2m6J1P/0oy9cHVfE/LUi4E/yCgNG7YIGdUbb9x29x7A3uoP1NAhE5 + 0l4BZQGZ+GGa69KZ2mOnWhbKfjtOVNDoaxcpgNWHxrtO35c/tNSCxJ2Uj2Q2u3Nj + +SRaHB3tsF8VL85Tn0FEXSWLzL7SfHj78wvaZ/3AxbqdF7WDJkl1hXEnrf2DjBCC + =Gi/Y -----END PGP MESSAGE----- fp: 
3044E71E3DEFF49B586CF5809BF4FCCB90854DA9 unencrypted_suffix: _unencrypted diff --git a/modules/providers/hetzner-cloud.nix b/modules/providers/hetzner-cloud.nix new file mode 100644 index 0000000..3fb1032 --- /dev/null +++ b/modules/providers/hetzner-cloud.nix 
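Review bot: The `mac` and `lastmodified` fields are unchanged while only the age recipient and the PGP wrap were rewritten, which is the `sops updatekeys` pattern: the file's data key was re-wrapped, not rotated, so whoever still holds the old `host_magnesium` age key (the previous aarch64 VM's disk, or any snapshot or backup of it) can take the old wrap from git history and decrypt the current secret values. Since the host was reinstalled and its key replaced, run `sops rotate -i hosts/magnesium/secrets.yaml` so a fresh data key is generated and the old recipient is genuinely cut off, and do the same for any other sops file whose creation rule in `.sops.yaml` includes `*host_magnesium`. If the old private key was destroyed with the old disk and no copies exist, record that in the commit message instead of rotating.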
@@ -0,0 +1,108 @@
+{ config
+, pkgs
+, modulesPath
+, ...
+}:
+let
+ cfg = config.disko;
+in
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ config = {
+ networking.useDHCP = false;
+
+ systemd.network = {
+ enable = true;
+ networks."10-wan" = {
+ matchConfig.Name = "enp1s0";
+ networkConfig.DHCP = "ipv4";
+ routes = [
+ { Gateway = "fe80::1"; }
+ ];
+ };
+ };
+
+ boot = {
+ loader = {
+ grub.enable = pkgs.hostPlatform.system == "x86_64-linux";
+ systemd-boot = {
+ enable = pkgs.hostPlatform.system == "aarch64-linux";
+ configurationLimit = 10;
+ };
+ efi = {
+ efiSysMountPoint = "/boot";
+ canTouchEfiVariables = true;
+ };
+ };
+ };
+ disko.devices = {
+ disk = {
+ virt = {
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ priority = 1; # Needs to be first partition
+ };
+ esp = {
+ type = "EF00";
+ size = "1024M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" "nodev" "nosuid" "noexec" ];
+ };
+ };
+ linux = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ postCreateHook =
+ let
+ device = cfg.devices.disk.virt.content.partitions.linux.device;
+ in
+ ''
+ mountpoint="$(mktemp -d)"
+ mount "${device}" "$mountpoint" -o subvol=/
+ trap 'umount "$mountpoint"; rmdir "$mountpoint"' EXIT
+ btrfs subvolume snapshot -r $mountpoint/root $mountpoint/root-blank
+ '';
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [ "compress-force=zstd:1" "noatime" ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" ];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [ "compress-force=zstd:1" "noatime" "nodev" "nosuid" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
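Review bot: The hardened `/proc` mount (`nosuid noexec nodev hidepid=2`) that the deleted `hosts/magnesium/hardware-configuration.nix` carried is not reproduced in this module or in the disko layout, so the reinstalled host silently loses process-list isolation between users unless it lives in an import not shown here; if this module is meant to replace the generated hardware config for every Hetzner host, add `fileSystems."/proc" = { device = "/proc"; options = [ "nosuid" "noexec" "nodev" "hidepid=2" ]; };` alongside the disko layout. The `/var/log` subvolume gets `nodev nosuid` but not `noexec`, and nothing should execute from there, so `"noexec"` can be added to its `mountOptions` at no cost. In `postCreateHook`, `$mountpoint` is unquoted on the `btrfs subvolume snapshot` line while it is quoted on the `mount` line above it — quote both for consistency. A header comment stating the contract — single virtio/SCSI disk, `disko.devices.disk.virt.device` must be set per host as `hosts/magnesium/configuration.nix` does, GRUB on x86_64 and systemd-boot on aarch64 — would make the module self-describing.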