diff --git a/hosts/common/hardware/cloud.nix b/hosts/common/hardware/cloud.nix
deleted file mode 100644
index 87b6526..0000000
--- a/hosts/common/hardware/cloud.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-# Configuration for cloud-servers machines
-{
- services.smartd.enable = true;
-}
diff --git a/hosts/common/hardware/intel.nix b/hosts/common/hardware/intel.nix
index 78008db..fbe9be5 100644
--- a/hosts/common/hardware/intel.nix
+++ b/hosts/common/hardware/intel.nix
@@ -1,3 +1,3 @@
-{pkgs, ...}: {
+{
 powerManagement.cpuFreqGovernor = "powersave";
 }
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
new file mode 100644
index 0000000..3ab2d0b
--- /dev/null
+++ b/hosts/sentinel/default.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ imports = [
+ ../common/core
+ ../common/initrd-ssh.nix
+ ../common/zfs.nix
+
+ ./fs.nix
+ ./net.nix
+ ./nginx.nix
+ ];
+
+ boot.loader.timeout = lib.mkDefault 2;
+ boot.loader.grub = {
+ enable = true;
+ efiSupport = false;
+ devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
+ };
+ console.earlySetup = true;
+}
diff --git a/hosts/sentinel/fs.nix b/hosts/sentinel/fs.nix
new file mode 100644
index 0000000..e6b759f
--- /dev/null
+++ b/hosts/sentinel/fs.nix
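Review bot: `efiSupport = false` together with `devices = ["/dev/disk/by-id/…"]` asks for a legacy-BIOS GRUB install, yet the disko layout this host imports from `./fs.nix` (`partEfi "efi" "0%" "512MiB"` followed by the LUKS/ZFS partition on a GPT table) provisions an EFI system partition and, as far as this diff shows, no BIOS boot partition. On GPT, `grub-install` in BIOS mode needs a BIOS boot partition (GPT type EF02) to embed core.img, so one of the two files is inconsistent with the other unless `partEfi` in `extraLib` (not in this diff) does more than its name suggests. Either switch to `efiSupport = true` so the EFI partition is actually used, or add a BIOS boot partition in `fs.nix`, and put a comment on `efiSupport` naming the firmware mode this host boots in, e.g. `# Legacy BIOS boot: GRUB embeds into the disk; the EFI partition from fs.nix is unused.`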
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ extraLib,
+ pkgs,
+ ...
+}: {
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/disk/by-id/${config.repo.secrets.local.disk.main}";
+ content = with extraLib.disko.gpt; {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ (partEfi "efi" "0%" "512MiB")
+ (partLuksZfs "rpool" "512MiB" "100%")
+ ];
+ };
+ };
+ };
+ zpool = with extraLib.disko.zfs; {
+ rpool =
+ defaultZpoolOptions
+ // {
+ datasets = {
+ "local" = unmountable;
+ "local/root" =
+ filesystem "/"
+ // {
+ postCreateHook = "zfs snapshot rpool/local/root@blank";
+ };
+ "local/nix" = filesystem "/nix";
+ "safe" = unmountable;
+ "safe/persist" = filesystem "/persist";
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+
+ # After importing the rpool, rollback the root system to be empty.
+ boot.initrd.systemd.services.impermanence-root = {
+ wantedBy = ["initrd.target"];
+ after = ["zfs-import-rpool.service"];
+ before = ["sysroot.mount"];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+ };
+ };
+}
diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix
new file mode 100644
index 0000000..c2369ca
--- /dev/null
+++ b/hosts/sentinel/net.nix
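Review bot: The `impermanence-root` unit is only `wantedBy = ["initrd.target"]`, so if `zfs rollback -r rpool/local/root@blank` fails (the `@blank` snapshot missing after a manual re-create, or the dataset busy) the unit just logs an error and boot continues on whatever is left in `rpool/local/root`; the ephemeral-root property this host relies on then degrades silently. Since `../common/initrd-ssh.nix` is imported and the initrd is reachable, failing closed is cheap: `requiredBy = ["initrd.target"];` in place of `wantedBy` drops into the initrd emergency target instead, and the comment above the unit should say which of the two behaviours was chosen and why, e.g. `# Hard requirement: a failed rollback must not boot a stale root.` Separately, `lib` is bound in the argument set but unused in this file. Where `partLuksZfs` sources its key and whether `defaultZpoolOptions` enables encryption at the pool level is in `extraLib`, which is not in this diff, so the unlock path cannot be checked here.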
@@ -0,0 +1,42 @@
+{
+ config,
+ lib,
+ utils,
+ ...
+}: {
+ networking.hostId = config.repo.secrets.local.networking.hostId;
+
+ boot.initrd.systemd.network = {
+ enable = true;
+ networks = {inherit (config.systemd.network.networks) "10-wan";};
+ };
+
+ systemd.network.networks = {
+ "10-wan" = let
+ icfg = config.repo.secrets.local.networking.interfaces.wan;
+ in {
+ address = [
+ icfg.hostCidrv4
+ icfg.hostCidrv6
+ ];
+ gateway = ["fe80::1"];
+ matchConfig.MACAddress = icfg.mac;
+ networkConfig.IPv6PrivacyExtensions = "yes";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+
+ # TODO mkForce nftables
+ networking.nftables.firewall = {
+ zones = lib.mkForce {
+ untrusted.interfaces = ["wan"];
+ };
+ };
+
+ extra.wireguard.proxy-sentinel.server = {
+ host = config.networking.fqdn;
+ port = 51443;
+ reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
+ openFirewallRules = ["untrusted-to-local"];
+ };
+}
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
new file mode 100644
index 0000000..6aa4e54
--- /dev/null
+++ b/hosts/sentinel/nginx.nix
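Review bot: The firewall zone `untrusted.interfaces = ["wan"]` names an interface called `wan`, but nothing in this file gives the NIC that name: `"10-wan"` is a `.network` unit that matches on `MACAddress` and configures the device under whatever kernel name it already has, it does not rename it. Unless a `systemd.network.links` rule elsewhere in the tree assigns `Name=wan`, the untrusted zone matches no interface and the `untrusted-to-local` rule opened for the WireGuard listener on `51443` never attaches to the real uplink — whether that fails closed or open depends on the nftables firewall module's default policy, which is not in view. A link rule resolves it, and because the initrd only inherits the `.network` unit, the same rule needs to be inherited into `boot.initrd.systemd.network.links` so the name is stable before `initrd-ssh` comes up; on a related note, `gateway = ["fe80::1"]` installs only an IPv6 default route although `icfg.hostCidrv4` is assigned, so IPv4 egress will not work without a v4 gateway. `utils` is bound but unused, and the `# TODO mkForce nftables` comment should either be acted on or say what is still pending.
```nix
  systemd.network.links."10-wan" = {
    matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
    linkConfig.Name = "wan";
  };
  boot.initrd.systemd.network.links = {inherit (config.systemd.network.links) "10-wan";};
  # … unchanged: systemd.network.networks."10-wan" (can now also match on Name = "wan") …
```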
@@ -0,0 +1,51 @@
+{config, ...}: let
+ inherit (config.repo.secrets.local) acme personalDomain;
+in {
+ networking.domain = personalDomain;
+
+ rekey.secrets."dhparams.pem" = {
+ file = ./secrets/dhparams.pem.age;
+ mode = "440";
+ group = "nginx";
+ };
+
+ rekey.secrets.acme-credentials = {
+ file = ./secrets/acme-credentials.age;
+ mode = "440";
+ group = "acme";
+ };
+
+ #security.acme = {
+ # acceptTerms = true;
+ # defaults = {
+ # inherit (acme) email;
+ # credentialsFile = config.rekey.secrets.acme-credentials.path;
+ # dnsProvider = "cloudflare";
+ # dnsPropagationCheck = true;
+ # reloadServices = ["nginx"];
+ # };
+ #};
+ #extra.acme.wildcardDomains = acme.domains;
+ #users.groups.acme.members = ["nginx"];
+
+ #services.nginx = {
+ # enable = true;
+ # upstreams."kanidm" = {
+ # servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
+ # extraConfig = ''
+ # zone kanidm 64k;
+ # keepalive 2;
+ # '';
+ # };
+ # virtualHosts.${authDomain} = {
+ # forceSSL = true;
+ # useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+ # locations."/".proxyPass = "https://kanidm";
+ # # Allow using self-signed certs to satisfy kanidm's requirement
+ # # for TLS connections. (This is over wireguard anyway)
+ # extraConfig = ''
+ # proxy_ssl_verify off;
+ # '';
+ # };
+ #};
+}
diff --git a/hosts/sentinel/secrets/acme-credentials.age b/hosts/sentinel/secrets/acme-credentials.age
new file mode 100644
index 0000000..2bbf452
Binary files /dev/null and b/hosts/sentinel/secrets/acme-credentials.age differ
diff --git a/hosts/sentinel/secrets/dhparams.pem.age b/hosts/sentinel/secrets/dhparams.pem.age
new file mode 100644
index 0000000..abadc29
Binary files /dev/null and b/hosts/sentinel/secrets/dhparams.pem.age differ
diff --git a/hosts/sentinel/secrets/host.pub b/hosts/sentinel/secrets/host.pub
new file mode 100644
index 0000000..e69de29
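Review bot: Both secret declarations hand ownership to groups whose creators are commented out in this same file: `group = "nginx"` exists only once `services.nginx.enable` is set and `group = "acme"` only once `security.acme` has certificates, so unless a sibling module enables them the secrets reference non-existent groups, and what the rekey module does then — fail activation, or silently install as root-only — is not visible here. Either uncomment the consumers in the same change or keep the two `rekey.secrets` blocks commented alongside the `#services.nginx` / `#security.acme` blocks so they ship together. When the nginx block is restored, `proxy_ssl_verify off` toward kanidm deserves more than "this is over wireguard": that upstream is the identity provider, and pinning it with `proxy_ssl_trusted_certificate` plus `proxy_ssl_verify on` costs one line while removing a proxy-side TLS bypass. Encrypting `dhparams.pem` is harmless but unnecessary, DH parameters are public and `security.dhparams` can generate them. Note also that `hosts/sentinel/secrets/host.pub` is added as an empty blob (`e69de29`), so the three `.age` files cannot have been encrypted to this host's key and will presumably need re-keying once the real public key is committed.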
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
new file mode 100644
index 0000000..aab7048
Binary files /dev/null and b/hosts/sentinel/secrets/local.nix.age differ
diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix
index 9f1fe06..54b21dd 100644
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@@ -49,6 +49,6 @@
 boot.kernelParams = ["console=ttyAML0,115200n8" "console=tty0"];
 console.earlySetup = true;
- # Fails if there are not SMART devices
+ # Fails if there are no SMART devices
 services.smartd.enable = lib.mkForce false;
 }