From cdcaef86c56270438b70399747d0e4d4d830dc61 Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Sun, 25 Aug 2024 21:41:42 +0300
Subject: [PATCH] feat: add sqbuilds
---
 .sops.yaml | 7 ++++
 hosts/sqbuilds/default.nix | 17 ++++++++++
 lib/util.nix | 1 +
 secrets/sqbuilds/secrets.yaml | 34 +++++++++++++++++++
 systems/hosts/default.nix | 8 +++++
 systems/hosts/sqbuilds/default.nix | 7 ++++
 .../hosts/sqbuilds/hardware-configuration.nix | 30 ++++++++++++++++
 7 files changed, 104 insertions(+)
 create mode 100644 hosts/sqbuilds/default.nix
 create mode 100644 secrets/sqbuilds/secrets.yaml
 create mode 100644 systems/hosts/sqbuilds/default.nix
 create mode 100644 systems/hosts/sqbuilds/hardware-configuration.nix
diff --git a/.sops.yaml b/.sops.yaml
index e729cf1..81d6a38 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
 - &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
 - &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
+ - &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
 creation_rules:
 - path_regex: secrets/arwen/[^/]+\.yaml$
 key_groups:
@@ -22,3 +23,9 @@ creation_rules:
 - *liljamo_gpg
 age:
 - *dns
+ - path_regex: secrets/sqbuilds/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *sqbuilds
diff --git a/hosts/sqbuilds/default.nix b/hosts/sqbuilds/default.nix
new file mode 100644
index 0000000..d840393
--- /dev/null
+++ b/hosts/sqbuilds/default.nix
@@ -0,0 +1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
diff --git a/lib/util.nix b/lib/util.nix
index b885844..6e22b50 100644
--- a/lib/util.nix
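Review bot: `roles.tailscale.enableSSH = true;` in hosts/sqbuilds/default.nix turns on Tailscale SSH for this host, but nothing next to it records that remote login is then authorised by the tailnet ACL rather than by local sshd settings or authorized_keys, which is the first thing a reader auditing access to this host needs to know. Suggested comment above `roles.tailscale = {`: `# remote access is via Tailscale SSH; which tailnet users/devices may log in, and as which local user, is decided by the tailnet ACL, not by local sshd config — keep the ACL in step with this host's role`. The `roles.*` options are project-defined and implemented outside this patch, so confirm the role does not additionally expose a plain sshd. Also, `rootPwd` and `liljamoPwd` are declared with `neededForUsers` but no `sops.defaultSopsFile` appears in this file; presumably a shared module maps the host name to `secrets/<host>/secrets.yaml`, and a one-line comment saying so would save the next reader a search.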
+++ b/lib/util.nix
@@ -1,5 +1,6 @@
 {...}: let
 hostNameToIPv4 = {
+ "sqbuilds" = "10.1.1.50";
 "dns" = "10.1.2.3";
 "metrics" = "10.1.2.5";
 "proxy" = "10.1.2.10";
diff --git a/secrets/sqbuilds/secrets.yaml b/secrets/sqbuilds/secrets.yaml
new file mode 100644
index 0000000..0711281
--- /dev/null
+++ b/secrets/sqbuilds/secrets.yaml
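Review bot: The new entry `"sqbuilds" = "10.1.1.50";` is the only address in the visible part of `hostNameToIPv4` outside 10.1.2.x, and it is inserted ahead of the existing entries rather than alongside them, so it reads like a typo unless the subnet difference is deliberate. If VMs sit on a different segment than the other hosts, say so inline: `"sqbuilds" = "10.1.1.50"; # VM segment, not the 10.1.2.x range used by the other hosts`. The attribute set continues past the end of the hunk, so there may be further entries that already use 10.1.1.x; adjust the comment if so.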
@@ -0,0 +1,34 @@
+rootPwd: ENC[AES256_GCM,data:MQZkunxuLZc0vBOj+vXj3EQgabppTr3+SLcdzr7wCTP6JHm/XIQIVYZJj/BbZiJLSg8x5CKmoQQo7/duKYjELqaHjVUq371h6Leu//xwMunArS1Od663Me3rvPVf84/IfCjRKH1uxZVi/A==,iv:GY3zXrxpINlW4UcHPTmCs2mDvlm3IXtyRrzH4AKnTHI=,tag:84rTfWmJ0tmxkdoHtXj4BA==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:y3f+cofbh27klaRoHgxLiPa6iZuIGkSqL9/9HJ5cv8Eq4iRupmvg6l1GezodxpYilh3fkoZX+QjxcMxw9+3yb+ou3sw/tDicOtR1Ly6oBrYaNZWSs8JukMsAZx49g+fGNcmf6E8cd6Qv/w==,iv:mn5mPRhxOAleaSNx2vR5f9vHqC3i1kru1Emfvj9vymQ=,tag:dMGPsrr9AyRzb8GuwfrclA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU1p0MVlqN3RpMTh0UGc1
+ WHAyaVdYck5mdjBzNnpCU0lqRFBDOGpydUc0CmpvNDZ1a1JyU1FabnEyTHplWHB1
+ a2x1aWpwdHpGcEZiSC9ScmxoMWhIaEUKLS0tIGRZS1JCM3NxTGNFaEpVc2NZZ1FS
+ VmkrdmhMNThtQXFXTlJ0bDhmMUhFSlEKkzfSaOjBiGrs0ts1TT23UluOFV9lASlz
+ 8d4SoUSNwP+Nq6XZcp29qbdUL+Mfs3qJEL6Ii6F/jKoGuDno4MGJ5w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-25T15:54:44Z"
+ mac: ENC[AES256_GCM,data:CQUsMXPcqErOvtr9N8UovbcNfM2qBIpANP989Kryd6urcznupAVcyIY/je/8o56Y/yUT+STridiaPHC68FfS0SG1KtuhgU5ejNr4VJudCpWgsGmkjH89xAKl9/WzFxDaMMAbKa2y+M0xN2yAqy85LavoWXNYfrII2IYwJBFJYeg=,iv:tYVkPYHnd0OZz4NUUIauTqyJZceNpiquB4WwJuSTsW8=,tag:EPLGDBB3JZZNjzg0PX37iw==,type:str]
+ pgp:
+ - created_at: "2024-08-25T18:37:14Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdA0QXgYyn86xCBPX9MzXQsaPItFJ7bjn2SyREHsZBewS0w
+ k6RrfI3tzEtNiffJNYzQtDfNlE1BnPV7sK05gHWpRZfYBBMnTVaGtZfZ0F7ZldUv
+ 1GgBCQIQt/RD1G0XEq5ZnrTWd6MW9lp9keKchzErsbUpVZcyw3bBsq34jV9OqMhf
+ b7wON/e8yeW7g0kVoRUCOawxi//82apGJ0CMVAM2SP60/ZHvSrAI+JI4q39tisQ7
+ CnO4/RLH07/bMA==
+ =9D0Z
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index d969f4f..d95da8c 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -2,6 +2,7 @@
 desktop,
 laptop,
 lxc,
+ vm,
 ...
 }: {
 alice = {
@@ -21,4 +22,11 @@
 profile = lxc;
 modules = [];
 };
+
+ # VMs
+ sqbuilds = {
+ system = "x86_64-linux";
+ profile = vm;
+ modules = [];
+ };
 }
diff --git a/systems/hosts/sqbuilds/default.nix b/systems/hosts/sqbuilds/default.nix
new file mode 100644
index 0000000..b240834
--- /dev/null
+++ b/systems/hosts/sqbuilds/default.nix
@@ -0,0 +1,7 @@
+{...}: {
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ system.stateVersion = "24.05";
+}
diff --git a/systems/hosts/sqbuilds/hardware-configuration.nix b/systems/hosts/sqbuilds/hardware-configuration.nix
new file mode 100644
index 0000000..fb7257d
--- /dev/null
+++ b/systems/hosts/sqbuilds/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+
+ boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "sr_mod" "virtio_blk"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/a557b22c-baff-4444-856e-e032c616f921";
+ fsType = "ext4";
+ };
+
+ swapDevices = [];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
-- 
2.44.1
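Review bot: `networking.useDHCP = lib.mkDefault true;` near the end of hardware-configuration.nix leaves the VM's address to DHCP, while lib/util.nix in this same patch records sqbuilds as 10.1.1.50, and nothing visible in the patch makes those two agree. If the `vm` profile or a shared module overrides this with a static address taken from `hostNameToIPv4`, the `mkDefault` is doing exactly that job and a comment should say so, e.g. `# overridden with the static address from lib/util.nix by the vm profile`; if it does not, a DHCP reservation for 10.1.1.50 is needed for the map, and whatever consumes it, to stay correct. Separately, `config` and `pkgs` are bound in the argument set but unused in this file — harmless in generated output, but if the file is hand-maintained rather than regenerated with nixos-generate-config they can be dropped, and a short header stating which of the two it is would help the next editor.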