nki/nix-home
1
0
Fork 0
Code Issues Pull requests 2 Packages Projects Releases Wiki Activity

Set up tinc for framework

Browse source
This commit is contained in:
Natsu Kagami 2024-08-15 18:37:13 +02:00
parent 58a49a71a8
commit f4c514baa6
Signed by: nki
GPG key ID: 55A032EB38B49ADB
11 changed files with 94 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -5,6 +5,7 @@ keys:
- &nkagami_main age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5 - &nkagami_main age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5
- &nkagami_do age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36 - &nkagami_do age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36
- &nki_yoga age1vhjhmxura35apu5zdwg5ur5r40xay45ld9szh07dy0ph9chgsu7shfm4h9 - &nki_yoga age1vhjhmxura35apu5zdwg5ur5r40xay45ld9szh07dy0ph9chgsu7shfm4h9
- &nki_framework age188tgu3psvywk6shq85mk2q0jdjwd0tcswzwlwu5pa5n3pndx75dq090z59
creation_rules: creation_rules:
- path_regex: kagami-air-m1/secrets\.yaml$ - path_regex: kagami-air-m1/secrets\.yaml$
key_groups: key_groups:
@ -17,6 +18,7 @@ creation_rules:
- *nki_pc - *nki_pc
- *nkagami_main - *nkagami_main
- *nkagami_do - *nkagami_do
- *nki_framework
- path_regex: nki-home/secrets/secrets\.yaml$ - path_regex: nki-home/secrets/secrets\.yaml$
key_groups: key_groups:
- age: - age:
@ -28,3 +30,8 @@ creation_rules:
- age: - age:
- *nki_yoga - *nki_yoga
- age1axvjllyv2gutngwmp3pvp4xtq2gqneldaq2c4nrzmaye0uwmk9lqsealdv # The machine itself - age1axvjllyv2gutngwmp3pvp4xtq2gqneldaq2c4nrzmaye0uwmk9lqsealdv # The machine itself
- path_regex: nki-framework/secrets\.yaml$
key_groups:
- age:
- *nki_framework
- age1vgh6kvee8lvxylm7z86fpl3xzjyjs4u3zdfkyf064rjvxk9fpumsew7n27 # The machine itself

7
flake.lock
View file

@ -237,15 +237,16 @@
"locked": { "locked": {
"lastModified": 1723470164, "lastModified": 1723470164,
"narHash": "sha256-ZWcDD4HTmFtEJgEA2Ydg2mA+yu0FVcfEHbCGVXDatfw=", "narHash": "sha256-ZWcDD4HTmFtEJgEA2Ydg2mA+yu0FVcfEHbCGVXDatfw=",
"ref": "refs/heads/dtth-fork", "ref": "dtth-fork",
"rev": "c72bd47bbd18523b951b3fa73c789629504d0eb3", "rev": "c72bd47bbd18523b951b3fa73c789629504d0eb3",
"revCount": 2721, "revCount": 2721,
"type": "git", "type": "git",
"url": "ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork" "url": "ssh://gitea@git.dtth.ch/nki/phanpy"
}, },
"original": { "original": {
"ref": "dtth-fork",
"type": "git", "type": "git",
"url": "ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork" "url": "ssh://gitea@git.dtth.ch/nki/phanpy"
} }
}, },
"fenix": { "fenix": {

2
flake.nix
View file

@ -43,7 +43,7 @@
url = github:natsukagami/mpd-mpris; url = github:natsukagami/mpd-mpris;
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
dtth-phanpy.url = "git+ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork"; dtth-phanpy.url = "git+ssh://gitea@git.dtth.ch/nki/phanpy?ref=dtth-fork";
conduit.url = "gitlab:famedly/conduit/v0.8.0"; conduit.url = "gitlab:famedly/conduit/v0.8.0";
nix-gaming.url = github:fufexan/nix-gaming; nix-gaming.url = github:fufexan/nix-gaming;

14
modules/common/linux/default.nix
View file

@ -115,7 +115,19 @@ let
}; };
in in
{ {
imports = with modules; [ adb ios graphics wlr logitech kwallet virtualisation accounts rt-audio ]; imports = with modules; [
./sops.nix
adb
ios
graphics
wlr
logitech
kwallet
virtualisation
accounts
rt-audio
];
options.common.linux = { options.common.linux = {
enable = mkOption { enable = mkOption {

18
modules/common/linux/sops.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, lib, ... }:
with { inherit (lib) types mkOption mkEnableOption; };
let
cfg = config.common.linux.sops;
in
{
options.common.linux.sops = {
enable = mkEnableOption "Enable sops configuration";
file = mkOption {
type = types.path;
description = "Path to the default sops file";
};
};
config = lib.mkIf cfg.enable {
sops.defaultSopsFile = cfg.file;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}

5
modules/my-tinc/hosts/default.nix
View file

@ -27,4 +27,9 @@
subnetAddr = "11.0.0.5"; subnetAddr = "11.0.0.5";
ed25519PublicKey = "n+gIZjuuTPxi0OBqw2oOcmXd3loOHG+GQHBMXNlgyqI"; ed25519PublicKey = "n+gIZjuuTPxi0OBqw2oOcmXd3loOHG+GQHBMXNlgyqI";
}; };
framework = {
subnetAddr = "11.0.0.6";
ed25519PublicKey = "YL7NA6Ydv/3FBfSzOPvyHlGweAViPvsG3b0Zh8L0NzF";
};
} }

14
nki-framework/configuration.nix
View file

@ -17,6 +17,10 @@
./wireless.nix ./wireless.nix
]; ];
# Sops
common.linux.sops.enable = true;
common.linux.sops.file = ./secrets.yaml;
# services.xserver.enable = true; # services.xserver.enable = true;
# services.xserver.displayManager.sddm.enable = true; # services.xserver.displayManager.sddm.enable = true;
# services.xserver.displayManager.sddm.wayland.enable = true; # services.xserver.displayManager.sddm.wayland.enable = true;
@ -77,6 +81,16 @@
security.pam.services.swaylock.fprintAuth = true; security.pam.services.swaylock.fprintAuth = true;
security.pam.services.login.fprintAuth = true; security.pam.services.login.fprintAuth = true;
# tinc network
sops.secrets."tinc-private-key" = { };
services.my-tinc = {
enable = true;
hostName = "framework";
ed25519PrivateKey = config.sops.secrets."tinc-private-key".path;
bindPort = 6565;
};
# Secrets # Secrets
# sops.defaultSopsFile = ./secrets.yaml; # sops.defaultSopsFile = ./secrets.yaml;
# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

30
nki-framework/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
tinc-private-key: ENC[AES256_GCM,data:cKtOFrF5FRSHWxe/QxH5O9GAba1WcWeCwW1IOzmbgdtFufRoWbCtYeaLP+WQhQ70z6xobiY9DN8Jrh7mDptKSsfKrrx2SH5JrdpsoINhLMbetXq7E29+q6CkS8NlLgE/KyV8eFjQySNsYiA/+Efq9xj9e1wOmHBDsND/jgiJDkA1qsEIFZg/vuv8LdoRY3TV/oKJ4pao9+70G4H+8Ef1sMZHGNe9qJ94Wa71nNX2fTSjKH5YBbRijMAePWr/IeCpZ9Phs7RqjBs=,iv:l0iB136X7nLVblQjFi7K4f42JKSxdsiLIRy5GPzK1nc=,tag:HAgkvWkl0Rx62ejGZckdKA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age188tgu3psvywk6shq85mk2q0jdjwd0tcswzwlwu5pa5n3pndx75dq090z59
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmL2Z1RzBWaTI1TDl6WDNa
NTNVdEhTSFU5enNlTGVNWTI5anBZb1BtaVhjCm1BRnJDSXl1cWdBRUs1VnREVjBU
QWZxdkgzdm9JL0k5WmhDL1RCNTltdm8KLS0tIFhvQTlKMDZiVklTRWd4TzVmc2ll
bmpjcWdBV1doZml2NjlzQzdQczJ3alEKBMRP3POxtPIqBWnrvxY/++5jtVE70Uxa
EVfhsUO76A/hzyxfzpLEy1QGFE+DB/zlU0CK7HkNGPD2TrBHbzkPJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vgh6kvee8lvxylm7z86fpl3xzjyjs4u3zdfkyf064rjvxk9fpumsew7n27
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MUxQU0dZOGRaekF4MWdo
T0krcERtRTJndFR1RHZmL0t6MjBxMW5PSENNCkR6SUhxQ0FoaEhuaWpiUzJ0MnJE
RXRERzVhL0lRVW1iRUlac0c5OHZsckEKLS0tIC9VM1dNZTNzdkFnMWk2YUwvcDNB
TDZnVjBaVzZBem5lZDB1MW4xQ0RmZ28K6d7mF+f3ZyilXlSIQGT2pBrTWuYLccE1
rYIJjHjFft/2wPX2gAW9VTiwfMT3lKJhJRqNdoie5phV5BZhkb3D9w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-15T16:27:40Z"
mac: ENC[AES256_GCM,data:T1dTmWEY1c5QFzROnzFc1/dnfXN96B/OisPObZiwXQLHeh29AWjfqpd6eoYdAZW1Iipih7Nn1VUMxkf5xDuWziDrJhun2PaU3UOg/U6VrRIScnySV/VTQGyaJLJZuJmvgvyAV+G8KqxC4Biv7k0PBSZn6uvTg36D4f+IfItReE8=,iv:dgiDux8AxbWFtTd2jzd+XJ0eBMALcI8moDUDlgdnBiE=,tag:cYzL71xT8DBMn9j4pPUBpA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

3
nki-home/configuration.nix
View file

@ -27,10 +27,11 @@ with lib;
# Plasma! # Plasma!
services.desktopManager.plasma6.enable = true; services.desktopManager.plasma6.enable = true;
## Encryption ## Encryption
# Kernel modules needed for mounting USB VFAT devices in initrd stage # Kernel modules needed for mounting USB VFAT devices in initrd stage
common.linux.luksDevices.root = "/dev/disk/by-uuid/7c6e40a8-900b-4f85-9712-2b872caf1892"; common.linux.luksDevices.root = "/dev/disk/by-uuid/7c6e40a8-900b-4f85-9712-2b872caf1892";
common.linux.sops.enable = true;
common.linux.sops.file = ./secrets.yaml;
# Networking # Networking
common.linux.networking = common.linux.networking =

0
nki-home/secrets/secrets.yaml → nki-home/secrets.yaml
View file

6
nki-home/secrets/default.nix
View file

@ -1,6 +0,0 @@
{ config, pkgs, ... }:
{
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}