Impermanence for orangepihole
This commit is contained in:
parent
d2ea32a84a
commit
1dfb5d1b68
5 changed files with 50 additions and 14 deletions
|
@ -60,7 +60,10 @@
|
||||||
orangepihole = nixpkgs.lib.nixosSystem {
|
orangepihole = nixpkgs.lib.nixosSystem {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
specialArgs = { inherit inputs; };
|
specialArgs = { inherit inputs; };
|
||||||
modules = [ ./systems/orangepihole/configuration.nix ];
|
modules = [
|
||||||
|
impermanence.nixosModules.impermanence
|
||||||
|
./systems/orangepihole/configuration.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
deploy = {
|
deploy = {
|
||||||
|
|
|
@ -2,6 +2,8 @@ root:
|
||||||
password: ENC[AES256_GCM,data:u8vkGrHjAq2tDIJEbEMNPrPe7GCQNixVRRPxYPyPLvTzEApiBwsgaHp8QbMeDYGSGGkzh7EOBVeFVjUsxUtwzuYXPFILeDniUw==,iv:AoRZB3GMrn/qXgu/CMghXuu0ReHDmLdRNHAcKPgirnQ=,tag:7jlaBeKHuCa1JfV7sHo05Q==,type:str]
|
password: ENC[AES256_GCM,data:u8vkGrHjAq2tDIJEbEMNPrPe7GCQNixVRRPxYPyPLvTzEApiBwsgaHp8QbMeDYGSGGkzh7EOBVeFVjUsxUtwzuYXPFILeDniUw==,iv:AoRZB3GMrn/qXgu/CMghXuu0ReHDmLdRNHAcKPgirnQ=,tag:7jlaBeKHuCa1JfV7sHo05Q==,type:str]
|
||||||
gmail:
|
gmail:
|
||||||
password: ENC[AES256_GCM,data:rCL2RzU1INRT5KOyl1JriQ==,iv:jhFDcNHgIJnZTBN9msECQWvy75IH1wO5IFAxqR4Ugng=,tag:cK+A4Os/9xchpNjpb2KAbQ==,type:str]
|
password: ENC[AES256_GCM,data:rCL2RzU1INRT5KOyl1JriQ==,iv:jhFDcNHgIJnZTBN9msECQWvy75IH1wO5IFAxqR4Ugng=,tag:cK+A4Os/9xchpNjpb2KAbQ==,type:str]
|
||||||
|
nixremote:
|
||||||
|
sshkey: ENC[AES256_GCM,data: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,iv:kgf480Q2uBqgIQZ72mN/OKMwmUEZ0fYYdv6oufSJbYw=,tag:QkuR5slR2EhY3uDB1FLF9A==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -44,8 +46,8 @@ sops:
|
||||||
OFd1RTNYcGJGSXJOaFpnbjR6YzhjQzAKUZxz47g2MKCVTS1gGJ7p6XCubBu+/CUM
|
OFd1RTNYcGJGSXJOaFpnbjR6YzhjQzAKUZxz47g2MKCVTS1gGJ7p6XCubBu+/CUM
|
||||||
IPQ9uBaW99BB9W9JuIih34/qMVxd/1EHDVk3IDiNB3F3bM8f2LL1yA==
|
IPQ9uBaW99BB9W9JuIih34/qMVxd/1EHDVk3IDiNB3F3bM8f2LL1yA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-05-04T17:38:46Z"
|
lastmodified: "2024-05-11T15:37:59Z"
|
||||||
mac: ENC[AES256_GCM,data:lN2Dk5GXInYbxuq1POt6DSoPDuxIHKeyA5lPwlVKZHRHTrFmatzIMEYVqHvMgSOML/fuKThhPFhlvC8iUGCy5/qja2P49cFi3EDOSrxR9e9SmEG6FHaoJpNGMjEWNER6J1b8GRmVCvIxFA3t6/LK5zbIodbqWwwzdyNeacr07ag=,iv:5j5gv4OOSPx2x7NugGMNg4dfBPAOEY4xbZNuMhrVRVg=,tag:BFABLQz9R6vM6MbA01ZYLQ==,type:str]
|
mac: ENC[AES256_GCM,data:FaV8fj4E0YmNRLu6IskpnZMVo5CRcLutZ8et6+b1nYSN5E8LaZCBAh+l0dDtShXob7MVdhUE+HJMSKbEH02ZpZgvCnU6eNCujtLreojg11RqG63vkp+6ZPRIqQ3TUOMJMgOVxT/Dv5lTxRQAG6u1HJGh47SNsl1Aap2ZHeQIcKg=,iv:0DIbkCllaEPI3dTbU99PG8k3j1twnH2i5LoNfLcJpew=,tag:t/pXkGjzohKc9z9NXp6wmQ==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, sops, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
boot.loader.generic-extlinux-compatible.enable = true;
|
boot.loader.generic-extlinux-compatible.enable = true;
|
||||||
boot.loader.timeout = 1;
|
boot.loader.timeout = 1;
|
||||||
boot.kernelPackages = pkgs.linuxPackages_6_6;
|
boot.kernelPackages = pkgs.linuxPackages_6_6;
|
||||||
|
boot.tmp.cleanOnBoot = true;
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "orangepihole"; # Define your hostname.
|
hostName = "orangepihole"; # Define your hostname.
|
||||||
};
|
};
|
||||||
|
@ -36,9 +36,9 @@
|
||||||
ipv6SendRAConfig.EmitDNS = false;
|
ipv6SendRAConfig.EmitDNS = false;
|
||||||
ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
|
ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
|
||||||
};
|
};
|
||||||
|
sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
zramSwap.enable = true;
|
zramSwap.enable = true;
|
||||||
swapDevices = [ {device="/swapfile"; size=1024;}];
|
swapDevices = [ {device="/persist/swapfile"; size=1024;}];
|
||||||
services.unbound = {
|
services.unbound = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -69,10 +69,29 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment = {
|
||||||
|
systemPackages = with pkgs; [
|
||||||
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||||
wget
|
wget
|
||||||
];
|
];
|
||||||
|
persistence."/persist" = {
|
||||||
|
hideMounts = true;
|
||||||
|
directories = [
|
||||||
|
"/var/lib/nixos"
|
||||||
|
"/var/log"
|
||||||
|
"/var/lib/systemd"
|
||||||
|
"/tmp"
|
||||||
|
];
|
||||||
|
files = [
|
||||||
|
"/etc/machine-id"
|
||||||
|
"/etc/adjtime"
|
||||||
|
"/etc/ssh/ssh_host_rsa_key"
|
||||||
|
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key"
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedUDPPorts = [ 53 67 68 ];
|
allowedUDPPorts = [ 53 67 68 ];
|
||||||
|
@ -80,14 +99,21 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "23.11"; # Did you read the comment?
|
system.stateVersion = "23.11"; # Did you read the comment?
|
||||||
|
sops.secrets."nixremote/sshkey" = {};
|
||||||
nix.buildMachines = [ {
|
nix.buildMachines = [ {
|
||||||
hostName = "zeus";
|
hostName = "zeus";
|
||||||
systems = [ "x86_64-linux" "aarch64-linux" ];
|
systems = [ "x86_64-linux" "aarch64-linux" ];
|
||||||
protocol = "ssh-ng";
|
protocol = "ssh-ng";
|
||||||
sshKey = "/root/.ssh/nixremote";
|
sshKey = config.sops.secrets."nixremote/sshkey".path;
|
||||||
sshUser = "nixremote";
|
sshUser = "nixremote";
|
||||||
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
|
||||||
}];
|
}];
|
||||||
|
programs.ssh.extraConfig = ''
|
||||||
|
Host zeus
|
||||||
|
User nixremote
|
||||||
|
IdentitiesOnly yes
|
||||||
|
IdentityFile ${config.sops.secrets."nixremote/sshkey".path}
|
||||||
|
'';
|
||||||
nix.distributedBuilds = true;
|
nix.distributedBuilds = true;
|
||||||
nix.settings.max-jobs = 0;
|
nix.settings.max-jobs = 0;
|
||||||
}
|
}
|
||||||
|
|
|
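Review bot: The `sops` name added to the module argument pattern (`{ config, lib, pkgs, sops, ... }:`) appears unused: `sops.age.sshKeyPaths = …` and `sops.secrets."nixremote/sshkey" = {}` are option paths inside the returned attribute set, and the secret path is read through `config.sops.secrets…`, so the pattern can go back to `{ config, lib, pkgs, ... }:` (the module body extends beyond this hunk, so confirm nothing else references it). Separately, `sshKey` now points at the sops-managed path, but nothing in the commit removes the previous plaintext key at `/root/.ssh/nixremote`; if the btrfs subvolume now mounted at `/persist` is the old root, that file is still on disk under `/persist` and should be deleted and the key rotated on the builder. Finally, `"/tmp"` is in the persistence list while `boot.tmp.cleanOnBoot = true` wipes it every boot, which reads as a contradiction until one realises the root is now a RAM-backed tmpfs; a one-line comment such as `"/tmp" # disk-backed scratch space (root is tmpfs); emptied at boot by boot.tmp.cleanOnBoot` would save the next reader the puzzle.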
@ -5,9 +5,15 @@
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
|
device = "none";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = [ "defaults" "mode=755" ];
|
||||||
|
};
|
||||||
|
fileSystems."/persist" =
|
||||||
{ device = "/dev/disk/by-uuid/6df53c4f-42b6-478b-8be4-f7887ad18b5b";
|
{ device = "/dev/disk/by-uuid/6df53c4f-42b6-478b-8be4-f7887ad18b5b";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
|
neededForBoot = true;
|
||||||
options = [ "compress=lzo" "autodefrag" "defaults" "subvol=@nixos/root" ];
|
options = [ "compress=lzo" "autodefrag" "defaults" "subvol=@nixos/root" ];
|
||||||
};
|
};
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
|
|
|
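Review bot: The new `neededForBoot = true;` on `fileSystems."/persist"` is load-bearing but undocumented: the configuration points sops-nix at `/persist/etc/ssh/ssh_host_ed25519_key` and the impermanence bind mounts source from the same filesystem, so it must be mounted from the initrd; a comment like `neededForBoot = true; # sops-nix reads the host key and impermanence binds from /persist before activation` would make the dependency explicit. The tmpfs root sets `mode=755` (good, keeps `/` from being world-writable) but no `size=`, so the kernel default applies; if that is intentional on this board, a short comment on the `fileSystems."/"` block saying so, and noting that anything outside the persistence list is lost on reboot, would help. The surrounding `fileSystems."/boot"` definition continues outside the hunk.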
@ -130,7 +130,6 @@
|
||||||
cifs-utils
|
cifs-utils
|
||||||
tio
|
tio
|
||||||
];
|
];
|
||||||
pathsToLink = [ "/share/bash-completion" ];
|
|
||||||
persistence."/persist" = {
|
persistence."/persist" = {
|
||||||
hideMounts = true;
|
hideMounts = true;
|
||||||
directories = [
|
directories = [
|
||||||
|
|