From 7fc8a4694c9d3d934bd1ca2f66a77b7be4cb4d85 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 4 Oct 2023 15:15:54 +0200
Subject: [PATCH] nazuna: Init
---
 .sops.yaml | 6 +++
 keys/machines/nazuna.asc | 28 +++++++++++
 machines/default.nix | 5 ++
 machines/nazuna/README.md | 13 +++++
 machines/nazuna/configuration.nix | 16 +++++++
 machines/nazuna/hardware-configuration.nix | 56 ++++++++++++++++++++++
 machines/nazuna/secrets.yaml | 52 ++++++++++++++++++++
 machines/renge/services/prometheus.nix | 1 +
 modules/ssh.nix | 8 ++++
 modules/wireguard/home.nix | 4 ++
 10 files changed, 189 insertions(+)
 create mode 100644 keys/machines/nazuna.asc
 create mode 100644 machines/nazuna/README.md
 create mode 100644 machines/nazuna/configuration.nix
 create mode 100644 machines/nazuna/hardware-configuration.nix
 create mode 100644 machines/nazuna/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index f90adc2..82467f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -10,6 +10,7 @@ keys:
 - &nunotaba 3176be14f468c6d43ab2206b4f273abccd49806b
 - &okarin 868497ac4266a4d137e0718ae5fc3caa3b8107aa
 - &shinobu 28677f2e3584b39f528a779caf445ebb39c882b7
+ - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
 creation_rules:
 - path_regex: machines/nunotaba/secrets\.yaml$
 key_groups:
@@ -61,6 +62,11 @@ creation_rules:
 - pgp:
 - *simon
 - *shinobu
+ - path_regex: machines/nazuna/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *simon
+ - *nazuna
 - path_regex: secrets\.yaml$
 key_groups:
 - pgp:
diff --git a/keys/machines/nazuna.asc b/keys/machines/nazuna.asc
new file mode 100644
index 0000000..4a21201
--- /dev/null
+++ b/keys/machines/nazuna.asc
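Review bot: In the second .sops.yaml hunk the new `machines/nazuna/secrets\.yaml$` rule is effective only because it sits above the generic `secrets\.yaml$` rule that follows it: sops applies the first creation_rule whose path_regex matches, and the generic pattern matches this path as well. Nothing in the file records that ordering constraint, so a later edit that appends a host rule below the catch-all would leave the host key out of that secret's recipients without any error at encryption time. A comment on `creation_rules:` such as `# first matching path_regex wins: keep host-specific rules above the generic secrets\.yaml$ rule` would make the dependency explicit. The fingerprint added under `keys:` matches the `fp` recorded for the second recipient in machines/nazuna/secrets.yaml, so the key reference itself is consistent.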
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEACFObg8AdI3RPFxyl/K0tm3W9jkufQcYk/LwLP1Z2xb38EJZLUy
+YEJzdZaJei6HY9rMM8tQjgCzFi7OzTVqw5I1NAs0LGGlVKv/mjuQV99SKtB8ujFF
+VcuGBVDLGOx8+6sW63YojMJ6O7eMaKQhO2zSdzsVO0BqYyAy2niJz2gpOknnITB0
+zsj/uliLSgtPyo3zTt+tDD3oPAFFm09G9QNIXiyFBSL8h4pGBiHwSL7VC9JWM7rt
+BRB921LtlOt7W8hr29THuRP05tZJAwbN/W3NnLhOxpBXEHrcPe4Yt2Cz+xbLhn27
+h5sw4XcEqewkzLXwbB/CzB3FY97mL3ekoWXS+LZFBtkWx2d00+BVFZe+qTA8bRjO
+AEO7HUUw4U9fOwTpQLMqH53FAEB5zDAT67CTXsLW921URHlPTVkm+G1Yy3S2k03H
+6erBc0xBHqClnFCm86TZqceebEeqV2PUk/b2oBy2uSoFccI9Da9/dn83ryJD1c3U
+V9pfq5oOf77F3Z428Ds6SaWeQb6SY7zbHfu9SNnOxau9NiCJoRXfGp5LUCFhSLm0
+2Oc5tk+w2fMpP27XFccI1nSaAEnSUIb5o8ZHsxILIr/0JMGvxHfoWyiNhYu4mZEZ
+Mlfl+GmIONGhEz897KboCYlks5X0Klp2eH/lfgx9ECSHXMnE2kD9GFnX6wARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQLEvvrR+ekVwCGw8CGQEAADz7EAAC36CJfCApYkrLYSY59XUn
+tr7Jdl+tFjeYlu1+s/Rm7VgwGV70KfYPJw3nmETTcXK6g91mdVMsf9kUxDN4jYsn
+yvRSXRpiqOS0NSYbYgeM9n5uSKIfbCC30UcAmH7iUL/eIjmPe8x8PhsstkuZ9nU3
+OjAQh1mStUs0MELJMLzhY4PRXwOHFHRHvHJr5Ufcm1SOVbiJlDShJp+jAJTSftVc
+miwsA6jmM9GR96OskaN058yujzpQA29858/61qMZuyqflKIYW7ti2dHm4WCew5uN
+gPmmqUOJNkFavEgtEWLyTARqPb1Q3ptdjePDP07dOxoweB/1XkXauGk81I6cJgJF
+WTnZ7+LhqIj9qyQUPHQzb3iWMxWmSM+XFWbuYFTkbIcZNqWwV2kdqr2dl0Hmur9k
+WdYGNApGIhaFtMb2iSmz78kMwy/Jhz9i4XhAvAdG3xHxtr3FjJw8DM7iQl76gdJw
+fEaM5hLk9M0aZSPKZhxnCBtWgAqw+Wa6aXv6sDw5Y+EY+dW7TAEVEpBrLikO+43D
+yzlS7Q8+SZD73O14taPKCGa9H050QHB4R9FNrKBg92Z+W8WBnoxYI5Oefdcgw3sj
+qp57wibrJRyf+SmNY1vD/PIYM3dIMnIWsXYTS3/AwhZ9KIl1x2jD+LorMK+MBCub
+L72+WUfElaj3SjHJ12Cm1A==
+=Fu4f
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/machines/default.nix b/machines/default.nix
index ee7bba8..9d68089 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -62,4 +62,9 @@ in
 targetHost = "shinobu.home.sbruder.de";
 };
+ nazuna = {
+ system = "x86_64-linux";
+
+ targetHost = "nazuna.sbruder.de";
+ };
 }
diff --git a/machines/nazuna/README.md b/machines/nazuna/README.md
new file mode 100644
index 0000000..0291f30
--- /dev/null
+++ b/machines/nazuna/README.md
@@ -0,0 +1,13 @@
+# nazuna
+
+## Hardware
+
+[Alwyzon](https://www.alwyzon.com) Storage Server 1T (1 Xeon Silver 4416+ vCore, 2 GB RAM, 1 TB HDD).
+
+## Purpose
+
+It provides services that need large storage and a fast network connection.
+
+## Name
+
+Nazuna Nanakusa is a character from *Call of the Night*
diff --git a/machines/nazuna/configuration.nix b/machines/nazuna/configuration.nix
new file mode 100644
index 0000000..2d37171
--- /dev/null
+++ b/machines/nazuna/configuration.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules
+ ];
+
+ sbruder = {
+ wireguard.home.enable = true;
+ };
+
+ networking.hostName = "nazuna";
+
+ system.stateVersion = "23.05";
+}
diff --git a/machines/nazuna/hardware-configuration.nix b/machines/nazuna/hardware-configuration.nix
new file mode 100644
index 0000000..8b1fcbf
--- /dev/null
+++ b/machines/nazuna/hardware-configuration.nix
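Review bot: In the configuration.nix hunk the module header `{ pkgs, ... }:` binds `pkgs`, but nothing in the 16-line body uses it; `{ ... }:` is sufficient here and keeps the argument list honest about what the module actually depends on. The `imports` list and `sbruder.wireguard.home.enable = true` are the only configuration, so if `pkgs` is reserved for a planned addition, a short comment saying so would avoid the question at the next read.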
@@ -0,0 +1,56 @@
+{ lib, modulesPath, ... }:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ kernelParams = [ "ip=86.106.183.111/26::86.106.183.65::nazuna" ];
+ initrd = {
+ availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ kernelModules = [ "dm-snapshot" ];
+ network.enable = true; # remote unlocking
+ luks.devices."root".device = "/dev/disk/by-uuid/b20be409-adb6-47fc-ba9b-c07e61503070";
+ };
+ loader.grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0";
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/05b0918e-3c24-45bf-950e-4af9d89d3be2";
+ fsType = "btrfs";
+ options = [ "compress=zstd" ];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/7e93d8ba-516b-424e-a8e5-149c1654212a";
+ fsType = "ext2";
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/dev/disk/by-partuuid/08140a4b-38d7-4af3-b302-ccc952b085eb";
+ randomEncryption.enable = true;
+ }
+ ];
+
+ networking = {
+ useDHCP = false;
+ usePredictableInterfaceNames = false;
+ };
+ systemd.network = {
+ enable = true;
+ networks = {
+ eth0 = {
+ name = "eth0";
+ domains = [ "sbruder.de" ];
+ address = [ "86.106.183.111/26" "2a0d:f302:123:8d61::1/48" ];
+ gateway = [ "86.106.183.65" "2a0d:f302:123::1" ];
+ };
+ };
+ };
+
+ # no smart on qemu disk
+ services.smartd.enable = false;
+}
diff --git a/machines/nazuna/secrets.yaml b/machines/nazuna/secrets.yaml
new file mode 100644
index 0000000..f2a3f8d
--- /dev/null
+++ b/machines/nazuna/secrets.yaml
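Review bot: `network.enable = true; # remote unlocking` turns on initrd networking so the LUKS root can be unlocked over SSH, but the initrd that serves that login — and its host key — lives on the unencrypted ext2 `/boot` of a rented QEMU guest, so whoever controls the disk image or hypervisor can read or replace it; the encryption protects the data at rest, not against a tampered boot chain. The comment should state that limit so nobody reads it as full protection, e.g. `# remote unlocking over initrd SSH; the initrd and its host key sit on the unencrypted /boot, so this protects data at rest only`. It also matters that the initrd host key stays separate from the stage-2 key, which the modules/ssh.nix hunk does by pinning a distinct `nazuna-initrd` key. The address and gateway appear twice, in the `ip=` kernel parameter and in `systemd.network.networks.eth0`; a comment noting that both must change together would prevent an initrd that is unreachable after a renumbering.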
@@ -0,0 +1,52 @@
+wg-home-private-key: ENC[AES256_GCM,data:fqdPyTa/0Ixr0sO8m06Q1xoAFYBA3q2P4Ho7k6AZBakcKvaXyqFiaISsIuk=,iv:tFANTuH8NHs7cHGduzn66njpCfK1tyydRlBCwv/ffyQ=,tag:Q+dBhMjjHG0cZlfindxBhQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-10-04T14:03:02Z"
+ mac: ENC[AES256_GCM,data:hq5V3kGoTgox9/tJRvLk6hhfG4b9V31ACMOhWVI4kEdWUKJ+o5NvRfh7ITgkNpwR1LYMGQBl/b2bhQEGt6QLYG7zd0QL/htOY8rT7u9QAp6EnZxpIYMzEkDjLzT6xLdSiUVl1XgmObkoHagkZARkBk2IWrzsrdxFklS5vjaWzEA=,iv:pM2qoSHOojQ8PaYKoWOagsZol+bNEUDJeuPh+T6v5HM=,tag:rOMaP5hSEzCNm98Vei1jdQ==,type:str]
+ pgp:
+ - created_at: "2023-10-04T14:02:47Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMAwDgSONkM+d4AQ//fbn9ndkcj/KuMA7xnVgfM9M1TGxcT3g/yz4WljwfBbrz
+ D9ZNEkw0x2HihRyKC22HLKk9tKc02tXyDFnebx+ygQCqmXgQ+uv7kirNw7HK/cBM
+ DM2Iuy9nXQ5eToF4IvhNay1iQZ83EjAbA7NkcU799VA1iZK6ysjB5ytONQQmc3m7
+ tKKmOyLZJGOWSENWXcjSJ79UJgBqwvMndUSbNEdkeR7zuRMqBNpBkcXmzpwdyKPk
+ qYnepM4DRPhkLEd1x70Ygm5KOiQOIq4ck+rSEwnW3Cd2oAeu6LYWF10y+vl+hL/r
+ lUkaFyjxXT4kkZERF1ehX1LIg9k/DuxqQhM5aUqiDTAdEOyHqg9gP2JnhpMwMplc
+ 5UhwxDB6lDtAdHlDF45c1E269JFokEAt6TJYwAllkSaSG6luNkylR02mEUGG7psy
+ 78VEFdSjmjwEJYGJiMaffeDgwBX5Vh8KLFQH1U9DcOsZBEDlIEPWWlM8YOKMWgI/
+ q5nhVBypdAobXV1Hpp8WFMyvW6TeU0VUWqNQ5ffWewuoq2MMehH+ScoIHEcbqXkp
+ z06HylKGL2kXioTYkPEjSeWbgh1kPHmkDUU1sIXPMLgwPUtUuK1bu4qku5LOuef/
+ 1HL0olT8YB1F14QEhqmpnL2Ylxee9ceQR1SrW9wa9ewEjoW9WUzGByodOLZPim3S
+ UQEDjF7H2ITDmx2ig+CwK9q1hsSKFLppmpBV+16MchCajHNlsH9f3i9heUpRo3CC
+ Gb9vZF5ceq+YaVCACBJX3Q0VBKAagv/cOijg1Im17us/Rw==
+ =HIlx
+ -----END PGP MESSAGE-----
+ fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+ - created_at: "2023-10-04T14:02:47Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAyxL760fnpFcAQ/+OY1aC531MJoPAL9tfrg7nEusshgk7FV6kv5xehB7KM4j
+ ENPpV3XtIfxktxWuddLS6nw4l0m7TCcd85Ggwg3LqdqRLj2e+0mNCpV2h0xRrpiz
+ OgKS3Vm9aWpGkkfhP2vFafs2GrSfPcV7JfCjQRh3IfCYwYUrkxbGHI3vYBIvm92W
+ vwHuF//K3fvt/QcnXJUjHomoCaDfkYFiU6YmZLrXBgIXydAFm9iYg+QmamlUGGZe
+ SBs3Uo3bEegUcY0/v4B0FfRUWkG5w1G3lHH+cHjiYu13/C85ePDKIooRFrGGjjGT
+ iPp9XXw0sjK+x3Cx6PUYh4aopMHx16j6cpoZf7w7hnchC4fAneI5otTp/fMAOX3P
+ LVoY1Hq9FPkSelg2E3jvgvUS9sD5iwCUKRKDiZa1cJeY7HG38pin1BIdlcquqsSg
+ kmeSwT32jTUF/PXKvh8uLmpydkfFdHkmwaeAaSaZLQdOlFLprZ+jeD5xbS/1FMlc
+ 7VS5ogHApXZJWmwteuwmepecF6EsuzZsRsZUtoEHxNdtyOIs86nVwdw/C67XqyD2
+ Cy1z9lVrJl68u7x6alSLdaLai0ksOlTAqGPi9+R5e3X/PvwN+3jNtds+peCaxvbw
+ 2LchLh1+xF1WzMKZwERN5VgB6dgAW+9GSMADyTF72X6b1HIZGo9T0JDuVl6zbuvS
+ VgGmxZQt65l2akTeMpgogJ1jIl+x/+TQNubacEdF928W5ncGyP0WKym5ljPJt+j3
+ /kEYpD+nlOKgTblX8NuaHqn1PT/M5wMdyTRHHKUD2LM4+RjmpuV3
+ =jXpQ
+ -----END PGP MESSAGE-----
+ fp: 0b8be5d87a10a0e68dda97212c4befad1f9e915c
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/machines/renge/services/prometheus.nix b/machines/renge/services/prometheus.nix
index 8f91fa4..8d6d3c0 100644
--- a/machines/renge/services/prometheus.nix
+++ b/machines/renge/services/prometheus.nix
@@ -69,6 +69,7 @@ in
 "vueko.vpn.sbruder.de:9100"
 "okarin.vpn.sbruder.de:9100"
 "shinobu.vpn.sbruder.de:9100"
+ "nazuna.vpn.sbruder.de:9100"
 ];
 }
 {
diff --git a/modules/ssh.nix b/modules/ssh.nix
index 612846f..eb9123d 100644
--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -67,5 +67,13 @@
 hostNames = [ "shinobu" "shinobu.home.sbruder.de" "shinobu.vpn.sbruder.de" ];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJJNZPT2Mmys2nw/ovX6Z1Cb4WDAaWBWanycNwF9IEjl";
 };
+ nazuna = {
+ hostNames = [ "nazuna" "nazuna.sbruder.de" "nazuna.vpn.sbruder.de" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCdrgQuomT1YDXCguxSpyn0ovegcpBjZ+kOhukIr9n/";
+ };
+ nazuna-initrd = {
+ hostNames = [ "[nazuna.sbruder.de]:2222" ];
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/VDiagTEI5BIjTrPRkGWAH3YurcMEV8i6Q8PSnxlg3";
+ };
 };
 }
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 29e57e3..9cbed29 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
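Review bot: In the modules/ssh.nix hunk the `nazuna-initrd` entry pins the initrd host key only under `[nazuna.sbruder.de]:2222`, while the initrd itself is configured by address (`ip=86.106.183.111/26::86.106.183.65::nazuna` in hardware-configuration.nix) and a freshly installed host is often unlocked before its DNS record is usable; a connection made by IP would then fall back to a trust-on-first-use prompt for a key the repository already knows, which is exactly the case a pinned known_hosts entry is meant to cover. Adding the address form keeps the pin effective either way: `hostNames = [ "[nazuna.sbruder.de]:2222" "[86.106.183.111]:2222" ];`. Keeping the initrd key distinct from the `nazuna` stage-2 key, as done here, is the right call because the initrd key is stored unencrypted on /boot. The enclosing attribute set starts outside the hunk.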
@@ -36,6 +36,10 @@ let
 address = "10.80.0.12";
 publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
 };
+ nazuna = {
+ address = "10.80.0.13";
+ publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
+ };
 };
 cfg = config.sbruder.wireguard.home;
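Review bot: The new `nazuna` peer carries only `address` and `publicKey`; how this `let` binding is turned into peer configuration, including allowedIPs, lies outside the hunk (the binding starts before line 36). nazuna is an internet-facing VPS joining the home VPN, so it is worth confirming that the module derives allowedIPs from `address` as a single `10.80.0.13/32` rather than a wider range, so that a compromise of that host cannot source traffic for other VPN addresses. The public key must pair with the `wg-home-private-key` entry in machines/nazuna/secrets.yaml; a comment such as `# private key: machines/nazuna/secrets.yaml (wg-home-private-key)` next to the entry would help at the next rotation.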