started sops config; got ddclient to work
This commit is contained in:
parent
8bbe2396e4
commit
38e421ac0c
14 changed files with 267 additions and 26 deletions
3
Makefile
3
Makefile
|
@ -28,3 +28,6 @@ setup:
|
|||
ssh:
|
||||
ssh-keygen -R "[localhost]:2223"
|
||||
ssh -o StrictHostKeychecking=no -p 2223 homefree@localhost
|
||||
|
||||
generate-sops-config:
|
||||
./generate-sops-config.sh
|
||||
|
|
7
TODOS.md
7
TODOS.md
|
@ -16,6 +16,11 @@ TODOS
|
|||
* https://blog.josefsson.org/2015/10/26/combining-dnsmasq-and-unbound/
|
||||
|
||||
### Solutions
|
||||
* Firewall
|
||||
* https://www.jjpdev.com/posts/home-router-nixos/
|
||||
* NAS
|
||||
* https://github.com/reckenrode/nixos-configs/tree/c556206df2611af2f9ea83954aae1b51461e44c5/hosts/x86_64-linux/meteion
|
||||
* https://www.reddit.com/r/NixOS/comments/yr21p1/offtheshelf_nas_supporting_nixos/
|
||||
* reverse proxy
|
||||
* Traefik
|
||||
* HAProxy
|
||||
|
@ -52,6 +57,8 @@ TODOS
|
|||
* bacula
|
||||
* kopia
|
||||
* restic
|
||||
* Hypervisor
|
||||
* https://vpsadminos.org/
|
||||
|
||||
### VyOS comparison
|
||||
|
||||
|
|
164
flake.lock
generated
164
flake.lock
generated
|
@ -38,6 +38,49 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"agenix": {
|
||||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703433843,
|
||||
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1700795494,
|
||||
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "lnl7",
|
||||
"ref": "master",
|
||||
"repo": "nix-darwin",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1659877975,
|
||||
|
@ -53,9 +96,30 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"agenix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1703113217,
|
||||
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-editor": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
|
@ -126,20 +190,36 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1675673983,
|
||||
"narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=",
|
||||
"owner": "nixos",
|
||||
"lastModified": 1703013332,
|
||||
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4",
|
||||
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1705033721,
|
||||
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-trunk": {
|
||||
"locked": {
|
||||
"lastModified": 1700973916,
|
||||
|
@ -172,6 +252,22 @@
|
|||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1675673983,
|
||||
"narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1700787330,
|
||||
"narHash": "sha256-4VIBCyfqnEsdVP/SgKZ3rudwzxGdEqpKfgoWETs/I6k=",
|
||||
|
@ -187,15 +283,67 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1704842529,
|
||||
"narHash": "sha256-OTeQA+F8d/Evad33JMfuXC89VMetQbsU4qcaePchGr4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "eabe8d3eface69f5bb16c18f8662a702f50c20d5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"adblock-unbound": "adblock-unbound",
|
||||
"agenix": "agenix",
|
||||
"nix-editor": "nix-editor",
|
||||
"nixos-generators": "nixos-generators",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs": "nixpkgs_3",
|
||||
"nixpkgs-trunk": "nixpkgs-trunk",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_4",
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705201153,
|
||||
"narHash": "sha256-y0/a4IMDZrc7lAkR7Gcm5R3W2iCBiARHnYZe6vkmiNE=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "70dd0d521f7849338e487a219c1a07c429a66d77",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
|
|
10
flake.nix
10
flake.nix
|
@ -20,6 +20,10 @@
|
|||
|
||||
nix-editor.url = "github:vlinkz/nix-editor";
|
||||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
|
||||
adblock-unbound = {
|
||||
url = "github:MayNiklas/nixos-adblock-unbound";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -41,6 +45,8 @@
|
|||
nixos-generators,
|
||||
nixos-hardware,
|
||||
nixpkgs,
|
||||
agenix,
|
||||
sops-nix,
|
||||
...
|
||||
}@inputs:
|
||||
{
|
||||
|
@ -54,6 +60,8 @@
|
|||
modules = [
|
||||
nixos-hardware.nixosModules.common-cpu-intel
|
||||
nixos-hardware.nixosModules.common-pc-laptop
|
||||
agenix.nixosModules.default
|
||||
sops-nix.nixosModules.sops
|
||||
# inputs.nixos-router.nixosModules.default
|
||||
# inputs.notnft.lib.${system}
|
||||
|
||||
|
@ -62,6 +70,8 @@
|
|||
specialArgs = {
|
||||
inherit inputs;
|
||||
inherit system;
|
||||
inherit agenix;
|
||||
inherit sops-nix;
|
||||
};
|
||||
};
|
||||
lan-client =
|
||||
|
|
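--- /dev/null
+++ b/generate-sops-config.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+cp ~/.ssh/id_rsa /tmp/id_rsa
+ssh-keygen -p -N "" -f /tmp/id_rsa
+USER_GPG_FINGERPRINT=$(nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i ~/.ssh/id_rsa | gpg --import --quiet" 2>&1)
+rm /tmp/id_rsa
+
+ssh-keygen -R "[localhost]:2223"
+SERVER_GPG_FINGERPRINT=$(ssh -o StrictHostKeychecking=no -p 2223 homefree@localhost "sudo cat /etc/ssh/ssh_host_rsa_key" | nix-shell -p ssh-to-pgp --run "ssh-to-pgp -o homefree.asc" 2>&1)
+
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+cat > .sops.yaml << EOF
+keys:
+- &user_homefree $USER_GPG_FINGERPRINT
+- &server_homefree $SERVER_GPG_FINGERPRINT
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *user_homefree
+- *server_homefree
+- path_regex: secrets/homefree/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- pgp:
+- *user_homefree
+- *server_homefree
+EOF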
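Review bot: The passphrase-less copy at /tmp/id_rsa is never used — `ssh-to-pgp -private-key -i ~/.ssh/id_rsa` on the next line reads the original key, so if that key has a passphrase the conversion fails and, because of `2>&1`, the error text becomes USER_GPG_FINGERPRINT and is written into .sops.yaml as a key. The stripped copy also sits at a fixed, predictable path in the shared /tmp and is only `rm`'d, with no `set -e`, so a failure before that line leaves an unprotected private key behind. The SERVER_GPG_FINGERPRINT step pulls the server's private host key over a connection whose known-host entry was just removed (`ssh-keygen -R`) and is then accepted unchecked (`StrictHostKeychecking=no`); for a localhost VM port-forward that may be acceptable, but it deserves a comment saying so. The rewrite below uses a private temp directory, points ssh-to-pgp at the stripped copy, shreds it on every exit path, and refuses to write .sops.yaml unless both captures look like 40-hex fingerprints (assuming, as the `2>&1` relies on, that ssh-to-pgp prints only the fingerprint to stderr).
```bash
#!/usr/bin/env bash
set -euo pipefail

# Private 0700 work dir instead of a fixed path in the shared /tmp; the
# passphrase-less copy is shredded whether or not the script succeeds.
WORKDIR=$(mktemp -d)
trap 'shred -u "$WORKDIR/id_rsa" 2>/dev/null; rm -rf "$WORKDIR"' EXIT
cp ~/.ssh/id_rsa "$WORKDIR/id_rsa"
ssh-keygen -p -N "" -f "$WORKDIR/id_rsa"
USER_GPG_FINGERPRINT=$(nix-shell -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i $WORKDIR/id_rsa | gpg --import --quiet" 2>&1)

# … unchanged: ssh-keygen -R / SERVER_GPG_FINGERPRINT …

# With 2>&1 an error message would otherwise be written into .sops.yaml as a key.
for fp in "$USER_GPG_FINGERPRINT" "$SERVER_GPG_FINGERPRINT"; do
  [[ $fp =~ ^[0-9A-Fa-f]{40}$ ]] || { echo "unexpected ssh-to-pgp output: $fp" >&2; exit 1; }
done

# … unchanged: heredoc writing .sops.yaml …
```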
@ -3,6 +3,7 @@
|
|||
{
|
||||
imports = [
|
||||
inputs.nixos-generators.nixosModules.all-formats
|
||||
../../profiles/agenix.nix
|
||||
../../profiles/common.nix
|
||||
../../profiles/config-editor.nix
|
||||
../../profiles/hardware-configuration.nix
|
||||
|
@ -39,10 +40,6 @@
|
|||
|
||||
# Prevent hanging when waiting for network to be up
|
||||
systemd.network.wait-online.anyInterface = true;
|
||||
## @TODO: Any ramifications of this?
|
||||
systemd.network.wait-online.enable = false;
|
||||
systemd.services.NetworkManager-wait-online.enable = false;
|
||||
|
||||
|
||||
# --------------------------------------------------------------------------------------
|
||||
# Device specific
|
||||
|
@ -54,15 +51,26 @@
|
|||
networking = {
|
||||
# @TODO: Make this UI configurable
|
||||
hostName = "homefree";
|
||||
## NetworkManager disabled in favor of networkd
|
||||
useNetworkd = true;
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
};
|
||||
wireless = {
|
||||
# Disable wpa_supplicant
|
||||
enable = false;
|
||||
};
|
||||
interfaces = {
|
||||
ens3.useDHCP = true;
|
||||
};
|
||||
};
|
||||
|
||||
# services.openssh.hostKeys = [
|
||||
# {
|
||||
# bits = 4096;
|
||||
# openSSHFormat = true;
|
||||
# path = "/etc/ssh/ssh_host_rsa_key";
|
||||
# rounds = 100;
|
||||
# type = "rsa";
|
||||
# }
|
||||
# ];
|
||||
|
||||
# --------------------------------------------------------------------------------------
|
||||
# Hardware specific
|
||||
|
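Review bot: The commented-out `services.openssh.hostKeys` block (bits/rounds/type/path) at the end of the second hunk is dead configuration with nothing saying why it is kept; either delete it or replace the nine lines with a single comment such as `# Host key generation is intentionally left to the openssh module defaults`. This section carries no file header on the rendered page, so the file is inferred from `hostName = "homefree"`, and the +51,26 counts suggest the block is new in this commit rather than carried over — if that inference is wrong, ignore this note.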
|
|
@ -35,9 +35,6 @@
|
|||
|
||||
# Prevent hanging when waiting for network to be up
|
||||
systemd.network.wait-online.anyInterface = true;
|
||||
## @TODO: Any ramifications of this?
|
||||
systemd.network.wait-online.enable = false;
|
||||
systemd.services.NetworkManager-wait-online.enable = false;
|
||||
|
||||
|
||||
# --------------------------------------------------------------------------------------
|
||||
|
@ -49,14 +46,15 @@
|
|||
|
||||
networking = {
|
||||
hostName = "lan-client";
|
||||
## NetworkManager disabled in favor of networkd
|
||||
useNetworkd = true;
|
||||
networkmanager = {
|
||||
enable = true;
|
||||
};
|
||||
wireless = {
|
||||
# Disable wpa_supplicant
|
||||
enable = false;
|
||||
};
|
||||
interfaces = {
|
||||
ens3.useDHCP = true;
|
||||
};
|
||||
};
|
||||
|
||||
# --------------------------------------------------------------------------------------
|
||||
|
|
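--- /dev/null
+++ b/profiles/agenix.nix
@@ -0,0 +1,14 @@
+{ agenix, options, system, ... }:
+{
+environment.systemPackages = [
+agenix.packages.${system}.default
+];
+
+age.secrets.ddclient.file = ../secrets/ddclient.age;
+age.secrets.ddclient-conf.file = ../secrets/ddclient-conf.age;
+
+# default path is /etc/ssh/ssh_host_rsa_key
+age.identityPaths = options.age.identityPaths.default ++ [
+"/home/homefree/.ssh/id_rsa"
+];
+}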
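Review bot: `age.identityPaths` appends `/home/homefree/.ssh/id_rsa`, and secrets/secrets.nix in the same commit encrypts both secrets only to the `erahhal` user key, so decryption on the host depends on a personal private key being copied into a home directory rather than on the host's own SSH key, which the default identity path (`/etc/ssh/ssh_host_rsa_key`, as the comment above notes) already covers. That means a compromise of the host also exposes the developer's login key, and if that key carries a passphrase (generate-sops-config.sh in this commit strips one from a copy) a non-interactive decrypt at activation cannot use it. Suggest adding the host's public key as a recipient in secrets.nix, e.g. `homefree = "<placeholder: ssh host public key of homefree>";`, `systems = [ homefree ];` and `"ddclient-conf.age".publicKeys = users ++ systems;` (likewise for ddclient.age), then dropping the extra identityPaths entry here.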
@ -100,7 +100,7 @@
|
|||
isNormalUser = true;
|
||||
home = "/home/homefree";
|
||||
description = "Homefree User";
|
||||
extraGroups = [ "wheel" "networkmanager" ];
|
||||
extraGroups = [ "wheel" ];
|
||||
# @TODO: Make this dynamic, not hard coded
|
||||
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL" ];
|
||||
hashedPassword = "$6$5.6V9H0g5F47ubUm$e0N.GXZ9eoqmvpO9MjZlCISC9IIxKKcf0xtnuFyuXSQEQlfaazrS4kBhplDB6GCsQgwpOxdrX2DmcwbMiX/h30";
|
||||
|
@ -262,7 +262,6 @@
|
|||
p7zip
|
||||
pciutils
|
||||
powertop
|
||||
networkmanager
|
||||
sshpass
|
||||
steampipe
|
||||
tmux
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
virtualHosts."localhost" = {
|
||||
extraConfig = ''
|
||||
respond "Hello, world!"
|
||||
respond "Hello, my world!"
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, inputs, ... }:
|
||||
{ config, inputs, pkgs, ... }:
|
||||
|
||||
let
|
||||
# @TODO: How to determine interface names?
|
||||
|
@ -337,7 +337,13 @@ in
|
|||
# @TODO: https://discourse.nixos.org/t/ddclient-options/20935
|
||||
services.ddclient = {
|
||||
enable = true;
|
||||
quiet = true;
|
||||
interval = "10m";
|
||||
# protocol = "zoneedit1";
|
||||
# username = "erahhal";
|
||||
# zone = "homefree.host";
|
||||
# passwordFile = config.age.secrets.ddclient.path;
|
||||
# verbose = true;
|
||||
configFile = config.age.secrets.ddclient-conf.path;
|
||||
};
|
||||
|
||||
#-----------------------------------------------------------------------------------------------------
|
||||
|
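Review bot: `age.secrets.ddclient` (declared in profiles/agenix.nix in this commit) is no longer referenced once the service switches to `configFile = config.age.secrets.ddclient-conf.path;`; its only remaining mention is the commented-out `# passwordFile = config.age.secrets.ddclient.path;` line, so ddclient.age is decrypted at every activation for nothing. Either drop that declaration together with the six commented lines, or keep one comment stating the decision, e.g. `# The full ddclient.conf is kept as an agenix secret instead of using the module's passwordFile option`. It is also worth confirming that the ddclient service can read the decrypted path — agenix's default is a root-owned 0400 file, which is fine if the NixOS module copies it in a root-run preStart but not if ddclient opens it directly as its own user. The enclosing attribute set continues outside the hunk.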
|
BIN
secrets/ddclient-conf.age
Normal file
BIN
secrets/ddclient-conf.age
Normal file
Binary file not shown.
10
secrets/ddclient.age
Normal file
10
secrets/ddclient.age
Normal file
|
@ -0,0 +1,10 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa I5kVuQ
|
||||
iYzn4Eih+pduA/dTEdIN4KRbz11v7h5y+vc4YVLJzwNq9ehK1yvkMwbqYyufFgpr
|
||||
6HYOhW+gYqD31Go2HFYjC68Lw0sXfsAjP7wAh6xBI5NQxfZO+o2eDYV9c2zGs1oL
|
||||
yM7AC0jBiK8jTIeKrwruL9FM/k9+OO21Cpib+ud3otzNAn6sqK8uWq4ls+nw+M5j
|
||||
9JvoDt7pWsawwXA6mf5zQ9NDi6sBV8hRO+Kd1WmlEvViXjkdNNjIE6tMH5Aa8nTs
|
||||
pJt6sQYfsQgtgFOuCekBGJfJXpwwgnG0q7NNVi1L6shU72SugHUnO6q85qY5vTuV
|
||||
SVVjkfN//hwgoSe5sUYorA
|
||||
--- Sm8ZkBgdgHoPgQ/p2fzn3LSM3umbuK7UNTO1RuVFVk8
|
||||
8¯˜'se"ûa·›$]ͲΜ½l`aZ|…V{[òÊàá–ºô×ÎÙcŠãÿ¥
|
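--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+erahhal = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL";
+users = [ erahhal ];
+in
+{
+"ddclient.age".publicKeys = users;
+"ddclient-conf.age".publicKeys = users;
+}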