feat: new hetzner server

2024-11-26 18:14:27 +01:00 · 2024-11-26 18:14:27 +01:00 · 41710c109b
parent 6fa99bd855
commit 41710c109b
20 changed files with 230 additions and 183 deletions
--- a/README.md
+++ b/README.md
@ -17,15 +17,14 @@ This showcases my end user setup, which I dailydrive on all my hosts.
 | | Programm | Description
 ---|---|---
 🐚 Shell | [ZSH](./users/common/shells/zsh/default.nix) & [Starship](./users/common/shells/starfish.nix) | ZSH with FZF autocomplete, starship prompt, sqlite history and histdb-skim for fancy reverse search
-🪟 WM | [Sway](./users/common/graphical/wayland/sway.nix) & [i3](./users/common/graphical/Xorg/i3.nix) | Tiling window managers with similar behaviour for wayland and xorg
+🪟 WM | [Hyprland](./users/patrick/wayland/hyprland.nix) | Tiling window manager
-🖼️ Styling | [Stylix](./modules/graphical/default.nix) | globally consistent styling 
+🖼️ Styling | [Stylix](./users/patrick/theme.nix) | globally consistent styling 
-📝 Editor | [NeoVim](./users/common/programs/nvim/default.nix) | Extensively configured neovim
+📝 Editor | [NeoVim](./users/patrick/programs/nvim/default.nix) | Extensively configured neovim
-🎮 Gaming | [Bottles](./users/common/programs/bottles.nix) & [Steam](./modules/optional/steam.nix) | Pew, Pew and such
+🎮 Gaming | [Bottles](./users/patrick/programs/bottles.nix) & [Steam](./users/patrick/programs/steam.nix) | Pew, Pew and such
 🌐 Browser | [Firefox](./users/patrick/firefox.nix) | Heavily configured Firefox to still my privacy and security needs
-💻 Terminal | [Kitty](./users/common/programs/kitty.nix) | fast terminal
+💻 Terminal | [Kitty](./users/patrick/programs/kitty.nix) | fast terminal
-🎵 Music | [Spotify](./users/common/programs/spicetify.nix) | Fancy looking spotify using spicetify
+🎵 Music | [Spotify](./users/patrick/programs/spicetify.nix) | Fancy looking spotify using spicetify
 📫 Mail | [Thunderbird](./users/common/programs/thunderbird.nix) | Best email client there is
 🎛️ StreamDeck | [StreamDeck](./users/patrick/streamdeck.nix) | More hotkeys = more better
 ## Service Configuration
 These are services I've set up
@ -64,7 +63,7 @@ These are notable external flakes which this config depend upon
 [impermanence](https://github.com/nix-community/impermanence) | stateless filesystem
 [lanzaboote](https://github.com/nix-community/lanzaboote) | Secure Boot
 [stylix](https://github.com/danth/stylix) | theming
-[spicetify](https://github.com/the-argus/spicetify-nix) | spotify looking fancy
+[spicetify](https://github.com/Gerg-l/spicetify-nix) | spotify looking fancy
@ -82,9 +81,9 @@ These are notable external flakes which this config depend upon
    - This might take multiple minutes(~10)
    - Alternatively boot an official nixos image connect with password
 3. Copy ISO to usb using dd
-3. After booting copy the installer to the live system using `nix copy --to <target> .#nodes.<target-system>.config.system.build.installFromLive`
+3. After booting copy the installer to the live system using `nix copy --to <target> .#minimalConfigurations.<target-system>.config.system.build.installFromLive`
 4. Run the installer script from the nix store of the live system
-    - you can get the path using `nix path-info .#nodes.<target-system>.config.system.build.installFromLive`
+    - you can get the path using `nix path-info .#minimalConfigurations.<target-system>.config.system.build.installFromLive`
 4. Export all zpools and reboot into system
 6. Retrieve hostkeys using `ssh-keyscan <host> | grep -o 'ssh-ed25519.*' > host/<target>/secrets/host.pub`
 5. Deploy system
--- a/hosts/desktopnix/default.nix
+++ b/hosts/desktopnix/default.nix
@ -37,10 +37,10 @@
  services.xserver.xkb = {
    layout = "de";
  };
-  services.logkeys = {
+  # services.logkeys = {
-    enable = true;
+  #   enable = true;
-    device = "/dev/input/event15";
+  #   device = "/dev/input/event15";
-  };
+  # };
  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -38,7 +38,8 @@ let
  ipOf =
    hostName:
    if hostName == "octoprint" then
-      nodes.testienix.config.wireguard.elisabeth.ipv4
+      #nodes.testienix.config.wireguard.elisabeth.ipv4
      "0.0.0.0"
    else
      nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;
 in
--- a/hosts/mailnix/default.nix
+++ b/hosts/mailnix/default.nix
@ -0,0 +1,25 @@
 {
  imports = [
    ../../config/basic
    ../../config/support/initrd-ssh.nix
    ../../config/support/zfs.nix
    ./net.nix
    ./fs.nix
  ];
  boot = {
    initrd.availableKernelModules = [
      "virtio_pci"
      "virtio_net"
      "virtio_scsi"
      "virtio_blk"
      "virtio_gpu"
    ];
    kernelParams = [ "console=tty" ];
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };
  nixpkgs.hostPlatform = "aarch64-linux";
 }
--- a/hosts/mailnix/fs.nix
+++ b/hosts/mailnix/fs.nix
@ -0,0 +1,32 @@
 { config, lib, ... }:
 {
  disko.devices = {
    disk = {
      drive = rec {
        type = "disk";
        device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.drive}";
        content = with lib.disko.gpt; {
          type = "gpt";
          partitions = {
            boot = (partEfi "256M") // {
              device = "${device}-part1";
            };
            rpool = (partLuksZfs "drive" "rpool" "100%") // {
              device = "${device}-part2";
            };
          };
        };
      };
    };
    zpool = with lib.disko.zfs; {
      rpool = mkZpool { datasets = impermanenceZfsDatasets; };
    };
  };
  fileSystems."/state".neededForBoot = true;
  fileSystems."/persist".neededForBoot = true;
  boot.initrd.systemd.services."zfs-import-panzer".after = [ "cryptsetup.target" ];
  boot.initrd.systemd.services."zfs-import-rpool".after = [ "cryptsetup.target" ];
 }
--- a/hosts/mailnix/net.nix
+++ b/hosts/mailnix/net.nix
@ -0,0 +1,73 @@
 { config, lib, ... }:
 {
  networking.hostId = config.secrets.secrets.local.networking.hostId;
  networking.domain = config.secrets.secrets.global.domains.mail_public;
  boot.initrd.systemd.network = {
    enable = true;
    networks = {
      inherit (config.systemd.network.networks) "lan01";
    };
  };
  systemd.network.networks = {
    "lan01" =
      let
        icfg = config.secrets.secrets.local.networking.interfaces.lan01;
      in
      {
        address = [
          icfg.hostCidrv4
          (lib.net.cidr.hostCidr 1 icfg.hostCidrv6)
        ];
        gateway = [ "fe80::1" ];
        routes = [
          { Destination = "172.31.1.1"; }
          {
            Gateway = "172.31.1.1";
            GatewayOnLink = true;
          }
        ];
        matchConfig.MACAddress = icfg.mac;
        networkConfig.IPv6PrivacyExtensions = "yes";
        linkConfig.RequiredForOnline = "routable";
      };
  };
  age.secrets.cloudflare_token_acme = {
    rekeyFile = ./secrets/cloudflare_api_token.age;
    mode = "440";
    group = "acme";
  };
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = config.secrets.secrets.global.devEmail;
      dnsProvider = "cloudflare";
      dnsPropagationCheck = true;
      reloadServices = [ "nginx" ];
      credentialFiles = {
        "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
        "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
      };
    };
  };
  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
  security.acme.certs = {
    # mail_public = {
    #   domain = config.secrets.secrets.global.domains.mail_public;
    #   extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_public}" ];
    # };
    # mail_private = {
    #   domain = config.secrets.secrets.global.domains.mail_private;
    #   extraDomainNames = [ "*.${config.secrets.secrets.global.domains.mail_private}" ];
    # };
  };
  environment.persistence."/state".directories = [
    {
      directory = "/var/lib/acme";
      user = "acme";
      group = "acme";
      mode = "0755";
    }
  ];
 }
--- a/hosts/mailnix/secrets/cloudflare_api_token.age
+++ b/hosts/mailnix/secrets/cloudflare_api_token.age
@ -0,0 +1,15 @@
 age-encryption.org/v1
 -> X25519 uhnRibm92XSz2UcJWT43CrsZfOrSzUyqVFU8nWiYEXs
 QNxh6YGDCgSSoCWLthZlou7F7i9OJpunB+/6J4ogk2k
 -> piv-p256 XTQkUA AzTDTMXLU5jTp54ysvnVIDo5lIb5ED1zkP8659tTH2JJ
 VLO6rtfY5poFGVH/eeD+T/xrlNdPGnlLQ6mK1HytT8A
 -> piv-p256 ZFgiIw AnwL/t0GNZI3/y7KlatHLebToW1pJLfOasODGQ7ogriz
 Wl7xm6+a1qmqLeTZszpO0XG96BcDRO5l8wvpc0atW0Y
 -> piv-p256 5vmPtQ AzC3t9sPdKF/IPkJSqhldnx3Mnkc84DCD13l8tYqZIWd
 GaNzRxPoSOy/kEuLzbXpiRDo5F2hZT8KriXpgqZkQ5Y
 -> piv-p256 ZFgiIw ApFdJVoW4zoWq38fE27TR/OFEDs4Wub1g3q6RiF+fDTR
 IypnQqeluntk31gez5I6eYtlKiY/8sy+dXNkpWhdwPs
 -> wX-grease
 neAQttCOcpQWsfSpI38jdOjODJYK8uOhqjWsZOLWlHZaRUQtoyXI
 --- r44AgWizs6H92oY6hKMs67ARXqr8Je0Z0cIJr9xidBg
 °ß¦Ñ¨â<>ŸîÌªøÙ¤Ph\œdv_µúí¥]’ÀÓšÆÜŠÚ˜ùÄE<C384>Êƒ´¯‹æewI’é‡t.¬²WÃÂ6ZFi
--- a/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age
+++ b/hosts/mailnix/secrets/generated/initrd_host_ed25519_key.age
@ -0,0 +1,18 @@
 age-encryption.org/v1
 -> X25519 ddFv+EKlJUwePVA7CiwFOA/mECyJ9pC328u5r9Bjhz4
 5c05Nlc1ADOpUq5MugDuHJqSz4OW4Yupl0UBl9DxyDk
 -> piv-p256 ZFgiIw AgiBCvmbqRaShnyh+NuDFFESQ9Q5sZZ/YjYXelOzCYyV
 /6/igWsiKPwTlydwiAR1ZECyURFkBiJWCppdXP5GDRk
 -> piv-p256 XTQkUA An4etg/KtGFdnw74QM+QW9vRkrAxEZmMjhexLKENVnV3
 m8UleuJcvy/OZhlZrOEguL+0hWo5n2Ykgboq8BqFrdU
 -> piv-p256 ZFgiIw A1vxQkA8CeZGrXNcvBZo57iL82PiTPm0hP3KODzWnU/z
 USt8rTNK7l9VUUyAiSnDiLVQgLZiFZQgcy04lWdk+nM
 -> piv-p256 5vmPtQ AnAB3M/AWePGjmIUdoH0rSHg+gDnxg62RPy9qgHAgIIN
 7PPd5p4sXrbDvZBITS3zMnG7qNmlj61hdHPlVo5cJDQ
 -> qtLMz'K-grease ?Rtv +~4H. vh
 ZBK1Zs8LKTiGvOSxH/dacE3yc1ouqSylHM5Ahv+HmR89RQX/JR4y3Gtec+G2W0Ty
 Dh9z2wVbCDlJTTt+N+9sLvV/b5+wETpwhPmiSWbh92yvNYH1yLQ
 --- jynsWcgTRZR51+fu9nqHP5yTxxz1BovM1s2YY+0uL2I
 ìS€Ó¿Þ4}°NTÀ (Úë®ƒ+
¬e9•_³qÛã2OÚÂ)=òw¸»/¼/D|šv`ÓàŒ6æXI³/™®””Âˆ‹îw^ÆÇ+hñ¨ˆÃÀ<11>6núrÒå˜q†²ü¢<>@Îf—2
ÇlîÞ/¤Ý“z—7,ôrFÇPÈ6ÎÓ€‰e1Nè4‡F»SÒ©¹<C2A9>ª8»Ì·¯g…]iÏ³}n)ÒM×D¬ªH%ë^28(…«8\Ç`AñCƒÐ½/û•<÷%ûØ8°ú©ÀÚÔ\eÑäÿ=¹ýâ(*6§a ß“‘V\G³ôuIÕø›ÓÓ|•´gÝ—™Õ#<23>²v&@ÞæóÑ…
‡æÉHâ´IhþXÀìñ÷îšÓÈY9ƒÐøÎÛM5%‡ËeÆ6?2º¿<C2BF>—"„¥
 Y<EFBFBD>æíM<EFBFBD>#Žñã‘L*6*!ùJMœ&
Gó%C3ô4s<34>ÇÙ‚<C399>©mÑÛA?—€³9|þMÈº¿OSrÍÍ+ó3†ÇQeþãRLK—Âue–?{=‡ýíîöš™€-±¼[â¾Šˆüôëm
 Û•øœ>¦QT7‰œ™–ô1‹z
--- a/hosts/mailnix/secrets/host.pub
+++ b/hosts/mailnix/secrets/host.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFqG1mU7UX0uNATdPaodHdSm9YYDV4grqmf266D0ajO
--- a/hosts/mailnix/secrets/secrets.nix.age
+++ b/hosts/mailnix/secrets/secrets.nix.age
--- a/hosts/testienix/default.nix
+++ b/hosts/testienix/default.nix
@ -1,26 +0,0 @@
 {
  inputs,
  lib,
  minimal,
  ...
 }:
 {
  imports = [
    inputs.nixos-hardware.nixosModules.common-pc
    inputs.nixos-hardware.nixosModules.common-pc-ssd
    ../../config/basic
    ../../config/support/initrd-ssh.nix
    ../../config/support/physical.nix
    ../../config/support/zfs.nix
    ./net.nix
    ./fs.nix
  ] ++ lib.lists.optionals (!minimal) [ ../../config/services/octoprint.nix ];
  services.xserver.xkb = {
    layout = "de";
  };
  services.thermald.enable = lib.mkForce false;
  nixpkgs.hostPlatform = "x86_64-linux";
 }
--- a/hosts/testienix/fs.nix
+++ b/hosts/testienix/fs.nix
@ -1,83 +0,0 @@
 { config, lib, ... }:
 {
  disko.devices = {
    disk = {
      internal-hdd = {
        type = "disk";
        device = "/dev/disk/by-id/${config.secrets.secrets.local.disko.internal-hdd}";
        content = with lib.disko.gpt; {
          type = "gpt";
          partitions = {
            boot = partEfi "1G";
            swap = partSwap "16G";
            rpool = lib.attrsets.recursiveUpdate (partLuksZfs "rpool" "rpool" "100%") {
              content.extraFormatArgs = [ "--pbkdf pbkdf2" ];
            };
          };
        };
      };
    };
    zpool = with lib.disko.zfs; {
      rpool = mkZpool { datasets = impermanenceZfsDatasets; };
    };
  };
  services.zrepl = {
    enable = true;
    settings = {
      global = {
        logging = [
          {
            type = "syslog";
            level = "info";
            format = "human";
          }
        ];
        # TODO Monitoring
      };
      jobs = [
        #{
        #  type = "push";
        #  name = "push-to-remote";
        #}
        {
          type = "snap";
          name = "mach-schnipp-schusss";
          filesystems = {
            "rpool/local/state<" = true;
            "rpool/safe<" = true;
          };
          snapshotting = {
            type = "periodic";
            prefix = "zrepl-";
            interval = "10m";
            timestamp_format = "iso-8601";
          };
          pruning = {
            keep = [
              {
                type = "regex";
                regex = "^zrepl-.*$";
                negate = true;
              }
              {
                type = "grid";
                grid = lib.concatStringsSep " | " [
                  "1x1d(keep=all)"
                  "142x1h(keep=2)"
                  "90x1d(keep=2)"
                  "500x7d"
                ];
                regex = "^zrepl-.*$";
              }
            ];
          };
        }
      ];
    };
  };
  fileSystems."/state".neededForBoot = true;
  fileSystems."/persist".neededForBoot = true;
 }
--- a/hosts/testienix/net.nix
+++ b/hosts/testienix/net.nix
@ -1,18 +0,0 @@
 { config, ... }:
 {
  networking = {
    inherit (config.secrets.secrets.local.networking) hostId;
  };
  networking.nftables.firewall.zones.untrusted.interfaces = [ "lan01" ];
  systemd.network.networks = {
    "lan01" = {
      address = [ "192.168.178.32/24" ];
      gateway = [ "192.168.178.1" ];
      matchConfig.MACAddress = config.secrets.secrets.local.networking.interfaces.lan01.mac;
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
        MulticastDNS = true;
      };
    };
  };
 }
--- a/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
+++ b/hosts/testienix/secrets/generated/initrd_host_ed25519_key.age
--- a/hosts/testienix/secrets/host.pub
+++ b/hosts/testienix/secrets/host.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTiFpqpCiJaFOcSjFrJWk7YPBiZLwoJRbyy1JgZWFmN
--- a/hosts/testienix/secrets/secrets.nix.age
+++ b/hosts/testienix/secrets/secrets.nix.age
--- a/modules/smb-mounts.nix
+++ b/modules/smb-mounts.nix
@ -6,6 +6,7 @@
 }:
 let
  inherit (lib)
    any
    mkOption
    types
    flip
@ -64,42 +65,48 @@ in
    }
  ];
-  imports = [
+  imports =
-    {
+    let
-      environment.systemPackages = [ pkgs.cifs-utils ];
+      existingCfg = flip any (attrNames config.home-manager.users) (
-      fileSystems = mkMerge (
+        user: (config.home-manager.users.${user}.home.smb != [ ])
        flip concatMap (attrNames config.home-manager.users) (
          user:
          let
            parentPath = "/home/${user}/smb";
            cfg = config.home-manager.users.${user}.home.smb;
            inherit (config.users.users.${user}) uid;
            inherit (config.users.groups.${user}) gid;
          in
          flip map cfg (cfg: {
            "${parentPath}/${cfg.localPath}" =
              let
                options =
                  baseOptions
                  ++ [
                    "uid=${toString uid}"
                    "gid=${toString gid}"
                    "file_mode=0600"
                    "dir_mode=0700"
                    "credentials=${cfg.credentials}"
                    "x-systemd.automount"
                    "_netdev"
                  ]
                  ++ (optional (!cfg.automatic) "noauto");
              in
              {
                inherit options;
                device = "//${cfg.address}/${cfg.remotePath}";
                fsType = "cifs";
              };
          })
        )
      );
-    }
+    in
-  ];
+    [
      {
        environment.systemPackages = lib.optional existingCfg pkgs.cifs-utils;
        fileSystems = mkMerge (
          flip concatMap (attrNames config.home-manager.users) (
            user:
            let
              parentPath = "/home/${user}/smb";
              cfg = config.home-manager.users.${user}.home.smb;
              inherit (config.users.users.${user}) uid;
              inherit (config.users.groups.${user}) gid;
            in
            flip map cfg (cfg: {
              "${parentPath}/${cfg.localPath}" =
                let
                  options =
                    baseOptions
                    ++ [
                      "uid=${toString uid}"
                      "gid=${toString gid}"
                      "file_mode=0600"
                      "dir_mode=0700"
                      "credentials=${cfg.credentials}"
                      "x-systemd.automount"
                      "_netdev"
                    ]
                    ++ (optional (!cfg.automatic) "noauto");
                in
                {
                  inherit options;
                  device = "//${cfg.address}/${cfg.remotePath}";
                  fsType = "cifs";
                };
            })
          )
        );
      }
    ];
 }
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
--- a/users/patrick/ssh.nix
+++ b/users/patrick/ssh.nix
@ -40,6 +40,10 @@
          hostname = config.secrets.secrets.global.user.hetzner_ip;
          user = "root";
        };
        "mailnix" = {
          hostname = config.secrets.secrets.global.user.mailnix_ip;
          user = "root";
        };
        "desktopnix" = {
          hostname = "desktopnix.local";
--- a/users/root/default.nix
+++ b/users/root/default.nix
@ -1,6 +1,8 @@
 {
  pkgs,
  config,
  lib,
  minimal,
  ...
 }:
 {
@ -10,12 +12,10 @@
      # Patrick
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ"
      # Simon old yubikey
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFmees72GMKG/rsQQRhs2I/lQnJa0uW5KmZlNBeriCh0"
    ];
    hashedPassword = config.secrets.secrets.global.users.root.passwordHash;
  };
-  imports = [
+  imports = lib.optionals (!minimal) [
    ../patrick/alias.nix
    ../patrick/theme.nix
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFqG1mU7UX0uNATdPaodHdSm9YYDV4grqmf266D0ajO`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTiFpqpCiJaFOcSjFrJWk7YPBiZLwoJRbyy1JgZWFmN`