From e2f8656c67dd428d7484d6332ecb17cbc3c15ad8 Mon Sep 17 00:00:00 2001
From: Chris Dombroski
Date: Sat, 11 May 2024 11:44:00 -0400
Subject: [PATCH] Impermanence for orangepihole
---
 secrets/secret.yaml | 6 ++-
 systems/orangepihole/configuration.nix | 42 +++++++++++++++----
 .../orangepihole/hardware-configuration.nix | 7 +++-
 systems/smolboi/configuration.nix | 1 -
 4 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/secrets/secret.yaml b/secrets/secret.yaml
index 986117b..705086f 100644
--- a/secrets/secret.yaml
+++ b/secrets/secret.yaml
@@ -2,6 +2,8 @@ root:
 password: ENC[AES256_GCM,data:u8vkGrHjAq2tDIJEbEMNPrPe7GCQNixVRRPxYPyPLvTzEApiBwsgaHp8QbMeDYGSGGkzh7EOBVeFVjUsxUtwzuYXPFILeDniUw==,iv:AoRZB3GMrn/qXgu/CMghXuu0ReHDmLdRNHAcKPgirnQ=,tag:7jlaBeKHuCa1JfV7sHo05Q==,type:str]
 gmail:
 password: ENC[AES256_GCM,data:rCL2RzU1INRT5KOyl1JriQ==,iv:jhFDcNHgIJnZTBN9msECQWvy75IH1wO5IFAxqR4Ugng=,tag:cK+A4Os/9xchpNjpb2KAbQ==,type:str]
+nixremote:
+ sshkey: ENC[AES256_GCM,data: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,iv:kgf480Q2uBqgIQZ72mN/OKMwmUEZ0fYYdv6oufSJbYw=,tag:QkuR5slR2EhY3uDB1FLF9A==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -44,8 +46,8 @@ sops:
 OFd1RTNYcGJGSXJOaFpnbjR6YzhjQzAKUZxz47g2MKCVTS1gGJ7p6XCubBu+/CUM
 IPQ9uBaW99BB9W9JuIih34/qMVxd/1EHDVk3IDiNB3F3bM8f2LL1yA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-04T17:38:46Z"
- mac: ENC[AES256_GCM,data:lN2Dk5GXInYbxuq1POt6DSoPDuxIHKeyA5lPwlVKZHRHTrFmatzIMEYVqHvMgSOML/fuKThhPFhlvC8iUGCy5/qja2P49cFi3EDOSrxR9e9SmEG6FHaoJpNGMjEWNER6J1b8GRmVCvIxFA3t6/LK5zbIodbqWwwzdyNeacr07ag=,iv:5j5gv4OOSPx2x7NugGMNg4dfBPAOEY4xbZNuMhrVRVg=,tag:BFABLQz9R6vM6MbA01ZYLQ==,type:str]
+ lastmodified: "2024-05-11T15:37:59Z"
+ mac: ENC[AES256_GCM,data:FaV8fj4E0YmNRLu6IskpnZMVo5CRcLutZ8et6+b1nYSN5E8LaZCBAh+l0dDtShXob7MVdhUE+HJMSKbEH02ZpZgvCnU6eNCujtLreojg11RqG63vkp+6ZPRIqQ3TUOMJMgOVxT/Dv5lTxRQAG6u1HJGh47SNsl1Aap2ZHeQIcKg=,iv:0DIbkCllaEPI3dTbU99PG8k3j1twnH2i5LoNfLcJpew=,tag:t/pXkGjzohKc9z9NXp6wmQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/systems/orangepihole/configuration.nix b/systems/orangepihole/configuration.nix
index ae6a2a3..31f5d6a 100644
--- a/systems/orangepihole/configuration.nix
+++ b/systems/orangepihole/configuration.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, sops, ... }:
 {
 imports =
@@ -36,9 +36,9 @@
 ipv6SendRAConfig.EmitDNS = false;
 ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
 };
-
+ sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
 zramSwap.enable = true;
- swapDevices = [ {device="/swapfile"; size=1024;}];
+ swapDevices = [ {device="/persist/swapfile"; size=1024;}];
 services.unbound = {
 enable = true;
 settings = {
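Review bot: `sops` is added to the module's argument pattern on the `+{ config, lib, pkgs, sops, ... }:` line, but no new line reads it — the `sops.age.sshKeyPaths` and `sops.secrets` assignments in the later hunks define options on the returned attribute set and never reference the argument. Unless `sops` is supplied through `specialArgs` or `_module.args` somewhere outside this diff, the module system rejects the module for a missing argument; reverting the line to `{ config, lib, pkgs, ... }:` restores the previous signature and loses nothing. The module body continues outside the hunk.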
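Review bot: `sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];` hard-codes the persisted copy of the host key without recording why, and the reason matters for whoever rebuilds this board: sops-nix reads the key during activation, which as far as I can tell runs before the impermanence bind mounts for `/etc/ssh` exist, while sshd only generates host keys later when its unit starts, so on a fresh install the key has to already be present at that path or every secret decrypt fails. A comment on the line would capture that: `# read from /persist directly: sops-nix decrypts during activation, before the /etc/ssh bind mounts are up; the key must already exist here on first boot`. The surrounding services block continues outside the hunk.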
@@ -69,10 +69,29 @@
 };
- environment.systemPackages = with pkgs; [
- vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
- wget
- ];
+ environment = {
+ systemPackages = with pkgs; [
+ vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ wget
+ ];
+ persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos"
+ "/var/log"
+ "/var/lib/systemd"
+ "/tmp"
+ ];
+ files = [
+ "/etc/machine-id"
+ "/etc/adjtime"
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+ ];
+ };
+ };
 networking.firewall = {
 allowedUDPPorts = [ 53 67 68 ];
@@ -80,14 +99,21 @@
 };
 system.stateVersion = "23.11"; # Did you read the comment?
+ sops.secrets."nixremote/sshkey" = {};
 nix.buildMachines = [ {
 hostName = "zeus";
 systems = [ "x86_64-linux" "aarch64-linux" ];
 protocol = "ssh-ng";
- sshKey = "/root/.ssh/nixremote";
+ sshKey = config.sops.secrets."nixremote/sshkey".path;
 sshUser = "nixremote";
 supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
 }];
+ programs.ssh.extraConfig = ''
+ Host zeus
+ User nixremote
+ IdentitiesOnly yes
+ IdentityFile ${config.sops.secrets."nixremote/sshkey".path}
+ '';
 nix.distributedBuilds = true;
 nix.settings.max-jobs = 0;
 }
diff --git a/systems/orangepihole/hardware-configuration.nix b/systems/orangepihole/hardware-configuration.nix
index 3ec8ca3..5ed8fc0 100644
--- a/systems/orangepihole/hardware-configuration.nix
+++ b/systems/orangepihole/hardware-configuration.nix
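Review bot: `"/tmp"` under `persistence."/persist".directories` is the one entry whose motivation is not self-evident: with `/` moving to tmpfs in the hardware hunk it would be RAM-backed and cleared on every boot, and bind-mounting it from `/persist` instead keeps scratch data across reboots on the btrfs volume. If the intent is to keep large temporary files out of RAM on this board, a comment saying so stops the next reader from "fixing" it; if not, it is better left off the list. Suggested line: `"/tmp" # kept on disk so scratch files do not compete with the tmpfs root for RAM — TODO confirm this is the intent`. The `environment` block is complete within the hunk; the firewall block continues outside it.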
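Review bot: The new `Host zeus` block and the `nix.buildMachines` entry identify the builder only by name, and nothing in this hunk pins its host key; unless `programs.ssh.knownHosts` is set elsewhere, the root-run builder connection trusts whatever key answers first, and a `known_hosts` file accumulated under `/root` no longer survives a reboot now that `/` is tmpfs and `/root` is not in the persistence list. Pinning it in configuration keeps the remote-build trust explicit and reproducible: `programs.ssh.knownHosts.zeus.publicKey = "<zeus host public key — placeholder>";`. As a style point, `sops.secrets."nixremote/sshkey" = {};` would sit more naturally next to the `sops.age.sshKeyPaths` line from the earlier hunk than between `system.stateVersion` and the build-machine list.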
@@ -5,7 +5,12 @@
 [ (modulesPath + "/installer/scan/not-detected.nix")
 ];
- fileSystems."/" =
+ fileSystems."/" = {
+ device = "none";
+ fstype = "tmpfs";
+ options = [ "defaults" "mode=755" ];
+ };
+ fileSystems."/persist" =
 { device = "/dev/disk/by-uuid/6df53c4f-42b6-478b-8be4-f7887ad18b5b";
 fsType = "btrfs";
 options = [ "compress=lzo" "autodefrag" "defaults" "subvol=@nixos/root" ];
diff --git a/systems/smolboi/configuration.nix b/systems/smolboi/configuration.nix
index cc882b1..f4a0d86 100644
--- a/systems/smolboi/configuration.nix
+++ b/systems/smolboi/configuration.nix
@@ -130,7 +130,6 @@
 cifs-utils
 tio
 ];
- pathsToLink = [ "/share/bash-completion" ];
 persistence."/persist" = {
 hideMounts = true;
 directories = [
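Review bot: `fstype = "tmpfs";` in the new `fileSystems."/"` block is not a NixOS option — the attribute is `fsType`, as the `/persist` entry a few lines below spells it — so evaluation stops with an undefined-option error before this layout can boot; change it to `fsType = "tmpfs";`. Two smaller points: the tmpfs root carries no `size=` bound, so it takes the kernel default of half of RAM, which is worth stating explicitly on a small board, and since impermanence bind-mounts `/var/lib/nixos`, `/etc/machine-id` and the host keys out of `/persist`, that filesystem generally needs `neededForBoot = true;` so it is mounted in stage 1 before those mounts are set up. The `/persist` attribute set continues outside the hunk.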