From 70604b5bbac79d211fc0e63099e00dcde02ba864 Mon Sep 17 00:00:00 2001
From: Lauren Lagarde
Date: Thu, 21 Aug 2025 23:08:20 -0500
Subject: [PATCH] Reinstall Outpost

---
 flake.nix | 6 +++
 systems/outpost.nix | 84 ------------------------------
 systems/outpost/.sops.yaml | 10 ++++
 systems/outpost/configuration.nix | 86 +++++++++++++++++++++++++++++++
 systems/outpost/secrets.yaml | 78 ++++++++++++++++++++++++++++
 5 files changed, 180 insertions(+), 84 deletions(-)
 delete mode 100644 systems/outpost.nix
 create mode 100644 systems/outpost/.sops.yaml
 create mode 100644 systems/outpost/configuration.nix
 create mode 100644 systems/outpost/secrets.yaml

diff --git a/flake.nix b/flake.nix
index dd248c8..27ff7e0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -140,6 +140,12 @@
 modules = [ ./systems/ll-nixos-live/configuration.nix ];
 };
 
+ outpost = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ specialArgs = { inherit self inputs pkgs-unstable; };
+ modules = [ ./systems/outpost/configuration.nix ];
+ };
+
 redoubt = nixpkgs.lib.nixosSystem {
 system = "aarch64-linux";
 specialArgs = { inherit self inputs pkgs-unstable; };
diff --git a/systems/outpost.nix b/systems/outpost.nix
deleted file mode 100644
index 7ad1c2b..0000000
--- a/systems/outpost.nix
+++ /dev/null
@@ -1,84 +0,0 @@ -{ pkgs, ... }: { - networking.hostName = "outpost"; - networking.hostId = "373a7023"; - - imports = [ - # Base Config - ../features/base.nix - ../features/headless.nix - - # Features - ../features/tui-apps.nix - ../features/openssh-server.nix - ../features/hardware/yubikey.nix - ../features/virtualization/dockge.nix - ../features/virtualization/docker.nix - - # Tweaks - ../tweaks/zfs.nix - ../tweaks/zram.nix - ../tweaks/enable_flakes.nix - ../tweaks/disable_firewall.nix - ../tweaks/systemd-resolved_nonsense.nix - - # Dotspace - ../../dotspace/configuration.nix - - # Users - ../../users/lauren_lagarde/configuration.nix - - # Outpost - ../../nixos/tweaks/disable_firewall.nix - ]; - - ############################################################################## - ############################################################################## - ############################################################################## - # Networking - - networking.useNetworkd = true; - - systemd.network = { - enable = true; - networks = { - "30-end0" = { - matchConfig.Name = "end0"; - linkConfig = { - RequiredForOnline = "routable"; - }; - networkConfig = { - DHCP = "ipv4"; - IPv6AcceptRA = true; - }; - }; - - "90-tinc" = { - matchConfig.Name = "tinc.dotspace"; - address = [ "10.86.84.106/32" ]; - routes = [ { Destination = "10.86.84.0/24"; } ]; - }; - }; - }; - - services.tinc.networks.dotspace = { - name = "outpost"; - ed25519PrivateKeyFile = "/root/tinc/dotspace_ed25519_key.priv"; - - chroot = false; - settings.ConnectTo = [ "fortress" "stronghold" ]; - }; - - ############################################################################## - ############################################################################## - ############################################################################## - # Services - - # TODO: Put scripts into version control - services.cron = { - enable = true; - mailto = ""; - systemCronJobs = [ - "* * * * * lauren_lagarde 
/home/lauren_lagarde/bin/PublishStats > /dev/null" - ]; - }; -} diff --git a/systems/outpost/.sops.yaml b/systems/outpost/.sops.yaml new file mode 100644 index 0000000..da7781a --- /dev/null +++ b/systems/outpost/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz + - &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51 +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - pgp: + - *yubikey_lauren_primary + age: + - *system_ll_latitude diff --git a/systems/outpost/configuration.nix b/systems/outpost/configuration.nix new file mode 100644 index 0000000..e2676bb --- /dev/null +++ b/systems/outpost/configuration.nix 
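Review bot: The `secrets.yaml$` creation rule lists one age recipient (`system_ll_latitude`) and one PGP key, but the `systems/outpost/secrets.yaml` added in the same commit is encrypted to five age recipients, so the rule file and the encrypted file disagree about who may decrypt. sops-nix on `outpost` decrypts at activation with the host's own age key, which is presumably one of the four recipients missing here; a `sops updatekeys` or any re-encryption driven by this file would drop it and the tinc private key would become unreadable on the box. Declare every intended recipient as a named anchor so this file is the source of truth, e.g. `- &system_outpost age1…` under `keys:` and `- *system_outpost` under `age:`, and remove any recipient that should not hold outpost's tinc identity.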
@@ -0,0 +1,86 @@
+{ lib, inputs, self, pkgs, pkgs-unstable, ... }: let
+ hostName = "outpost";
+ hostId = "373a7023";
+ tinc-ip = "10.86.84.106/32";
+
+ stateVersion = "25.05";
+in {
+ networking.hostId = hostId;
+ networking.hostName = hostName;
+ system.stateVersion = stateVersion;
+
+ home-manager = {
+ users."lauren_lagarde" = {
+ home.stateVersion = stateVersion;
+ imports = self.homeManagerModules."lauren_lagarde@tui.mlaga97.space";
+ };
+ extraSpecialArgs = { inherit self pkgs-unstable; };
+ };
+
+ time.timeZone = "America/Chicago";
+ sops.defaultSopsFile = ../../secrets.yaml;
+
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ inputs.home-manager.nixosModules.home-manager
+
+ ../../nixos/features/pi.nix
+
+ # Core Features
+ ../../nixos/features/base.nix
+ ../../nixos/features/tui-apps.nix
+ ../../nixos/features/openssh-server.nix
+
+ # Core Tweaks
+ ../../nixos/tweaks/zram.nix
+ ../../nixos/tweaks/enable_flakes.nix
+ ../../nixos/tweaks/systemd-resolved_nonsense.nix
+
+ # Dotspace
+ ../../dotspace/configuration.nix
+
+ # Users
+ ../../users/lauren_lagarde/configuration.nix
+ ../../users/ashley_funkhouser/ashley_funkhouser.nix
+
+ # Outpost
+ ../../nixos/tweaks/disable_firewall.nix
+ ];
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Services
+
+ services.smartd.enable = lib.mkForce false;
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Networking
+
+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+ };
+
+ ##############################################################################
+ # Tinc
+
+ sops.secrets."dotspace/${hostName}/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
+ sops.secrets."dotspace/${hostName}/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
+ systemd.network.networks."90-tinc" = {
+ matchConfig.Name = "tinc.dotspace";
+ address = [ "${tinc-ip}/32" ];
+ routes = [ { Destination = "10.86.84.0/24"; } ];
+ };
+
+ services.tinc.networks.dotspace = {
+ name = hostName;
+ ed25519PrivateKeyFile = "/run/secrets/dotspace/${hostName}/keys/tinc/ed25519_key.priv";
+
+ chroot = false;
+ settings.ConnectTo = [ "fortress" ];
+ };
+}
diff --git a/systems/outpost/secrets.yaml b/systems/outpost/secrets.yaml
new file mode 100644
index 0000000..5338191
--- /dev/null
+++ b/systems/outpost/secrets.yaml
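Review bot: `address = [ "${tinc-ip}/32" ]` in the `90-tinc` network appends a second prefix length — `tinc-ip` is already bound to `"10.86.84.106/32"` in the `let` — so networkd is handed `10.86.84.106/32/32`, which it will most likely reject, leaving the tinc interface without its overlay address (the deleted file had the literal `"10.86.84.106/32"` here). The one-line fix is `address = [ tinc-ip ];`, or drop the suffix from the binding. The `rsa_key.priv` secret is declared but nothing in the hunk consumes it — only `ed25519PrivateKeyFile` is set — so it is decrypted into `/run/secrets` on every activation for no reader; drop the declaration or point `rsaPrivateKeyFile` at it. The decrypted path is also hard-coded as a `/run/secrets/...` string rather than taken from `config.sops.secrets."dotspace/${hostName}/keys/tinc/ed25519_key.priv".path` (add `config` to the module arguments), so the secret name and its consumer can drift silently. `chroot = false` and the `disable_firewall.nix` import are carried over from the old file rather than introduced here, but a one-line comment on why the tinc daemon runs unconfined on a host with no packet filter would help the next reader.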
@@ -0,0 +1,78 @@ +dotspace: + outpost: + keys: + tinc: + ed25519_key.priv: ENC[AES256_GCM,data:gQ17aLaRXgItUfoR9ZjvoU0nh/8rbPoFrgjGJ6XacaixYZp2J7evD5QKbJQpAn2vrVnOU1CEsLZngIR4DCXBek6XiqQsPOTA47E/8nNwB74go3VIdx/jCSWU0ObLm32Z27zKKkUwd62yOmyuYZIWpGrSWlEwlQj+Xf+lPlHEZGHLHahXvsuiA28wJ6ZYhNgQC9zjx5yi2SK0tnnfR68q4d57yVEe3I3KTruh01nVH86Vm1sR9Vum/KWViko/rIHNqwdKtzE2qQ==,iv:SZYQofepeR+Uq6mdlleYNbhHg72aB3i4GwY2Xdgriq8=,tag:Xf2BL6qLhwRqmNLkNtQY4Q==,type:str] + rsa_key.priv: ENC[AES256_GCM,data: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,iv:+ajn2mfJWvKCVYPa52jmIZ6Q4uX5ZuJG+EoaDjKtJXc=,tag:Zrgud6tf7fhw1Rw3d5Dy7Q==,type:str] +sops: + age: + - recipient: age1up8uth9hwtd9gup3v32l8dypdarj77s2lysm8js8w8mwa80rk4ds76ke6d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWWtLdDUzOU0zTTFoRnBM + SnFlWGNiUzVGNlBsVG54QTFYVFY1OFQ4RFhvClgwTE93dk1YalFaNmJDNlFqTThB + dzFwT285aHE4bjdIWXowRGxoR0ptS0EKLS0tIHNuK2tIbVlwbkpWcU9WVnNNLzlS + bG0vb1I0NzM1UWxlWTVPWlhQOGwzaFkKeMRVoOsZM8aaI36/zQUSRXwTJz0XUfA4 + KmbEgR19YfPq2+EoPtGjdTFvtpZybBIf3E4YcIXAYy5BwJg22o4BUw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSXo5ZUhpalpraUdNdGxt + bjFqSjd3U3k2VTdQVk9XbDNnSCttdVBJQm1VCmU2V3VXcU9JRnVwWk5TRHVuTE1F + M084MmVIM2VtUFUydkY0czFmWmw0dkEKLS0tIERDd0drY2RxdWYraVpaSmFkQlZO + bDZjd1lnUGZ5V1gyMkE1L2hNdzFSU2sKU2gBfOG0eeWw093lOwyjW8WZKJwVR3dk + d/Uc9tujyDUXsBmhXsUtEuGWS/ZDpwfhxYK/wZtL7ZkGsbUio/gWxw== + -----END AGE ENCRYPTED FILE----- + - recipient: age14j6ns297c49wx5d8jddctfmek0kvn8rvw3y03nw3pankc03dlpuqhvvy7c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoa2tEVEY3MENjRlRMNExW + Y05nbnZmMnVuSi8xV2FEZUdLbXloeEFEVjFzCmQwSEpKQ0RvK0FUUU1oMFcydnU2 + TExkNGVOZS9TQUhQbXZLeVd4enh1cHcKLS0tIFRjR3JwVkI3WjhkNXhHSVpScVF4 + 
MGs1LzFVdXpiaXRWOFNJTit4WmR1QnMKq3W4cMAjHsFjlrDbdLf+0GvAU0t5Trcx + dBZwE0OsrHqEc+1sFitACdgeGj5uWf34f7Vx4UxoVvQRiszjLcsZiw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kmt2khucyvscmwvrjnt0v90zggttuap9utx7rw54g9amhtrkzdlq94fe4j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RmdNcUtzRXFsM01NTEFN + ZWRzQlU1NFVSTjR0WXpUY2thTi9hM3RreWw0ClpyYnpDc0FSYWhwbCthQW1sYTdl + VG16U255ZHZIeWlDUjUwQUJvcldEejgKLS0tIFV1Wmo0ampvY0k1bnpFNUdkM0tq + bkV1TU5kM1l4UlhVeUxOVnYyVlBXbFEKCsPqfT4n03vLgWmAOr0zRsTt7xd4Fy8X + zJPGt+Pr+GRyVDyFcvYO0hfFQ0rwi5IxL1Ee4HlMguOA0yguyeEQjQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRVFNejF3MzVKZG5KVmh1 + d0dBV0ZidEJVOVBuc0tQOFluWU83OElEOWpjCmxjVGc3MHl4WnVCUElCM240aUxP + ZGtONkhVZUtpQ3JvWU8wOXp1ZGhZbDQKLS0tIGUraWJ3Rlc2cGdiTFhIc1o0Nk5r + cUJyaW9RY2gyblRaTWdocmNVcE0vM0EK85ML4yYRTP8PqjiVTRW6U62Vm5EvExUx + tMKC4T8AJ/bYaJNy0mFH/MhmPkYHThHNxurIiGDLrzohTYy/D74xhQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-22T03:48:08Z" + mac: ENC[AES256_GCM,data:5r5USgaoTikwqkxtuXHHAaMz6mPJ07AC0TFq3mEBGEScoO4XStf2AuY2j5EFr9aLep+cIZJEO1AUMaAZTcrZfumjwn/XysCQm1A5xEPU5a7ydrtQHV6gjQaKsG7NLjbueVOhWuerxvmC7U9Gn3TZAg7OHXqXpG3SWXGE3aZJsuc=,iv:YMeRi4MYqx/cQBWtQc3uzZkpVCIRQObplE8/YN15ft8=,tag:oO+O6H7l9np79m6AWjHa8g==,type:str] + pgp: + - created_at: "2025-08-22T01:50:35Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA9BR1U1EkAnnAQ//bn+DWuHDMMxHxv5SH0zop7bzApc+mn7OXBS7OQERKR6o + 2RA/ZExvEkCMXwjXI1lfzIkab5Ipa6h6Ao6DcFczdcOVa3jIzlZjpsS8lA5DqZ/v + fpP3tQOYfxvdtCLxkHPfJ7Tmq92Kqd1TBhIfG6A/YCuDiNnMQb/IC7RB7R810xtb + X/gMLftJCORa/qCaWVgjObqF5ehMFqtUIBNmBiMUihbOaAMKn60U8XWSgPH8/+uE + S/GrKEKRnuDHgaSfFDodtnLASR7UzWNSU0Xcw1dlWGDDadITextvorrwABVM2HmX + ZXh4noXFmAf8Ft16NY8Ke1FtzcqObwbIN6drcfjoI4NBqFF5OAKj6QR88yNtZrWD + 
5YTMSdmYCJAZ7wOH8Jze0TgCTO/2x8/car4QoFShVwftrQqdKqaTXfQ1tChAgL4O + VjkaXFfnKB4aU6iQ8XB7n5WmvYBquDB8swjaTo42ejMtpxw6hxsCtP0qaY+Syv0B + SBt4k4KTi6Yb1pwbpxn5KilyqXSt8xGINYf/jY7uOanvL/+GuUUQzq052yMTQFlI + K8ePPh6MNJz+Z6AB0LPXGEIkAERbFv52nkchO8tyMD0TE7pSuWDWliVdCUBbYxeh + DsU4qES5P/MCRoDKmlUpfhCGhVP15fR6fumvVtLZuSCOtRY/YYoGUo/KPcKYIM3S + XgFk8knsaG1Ncmqsg3Y2Su5yNGVvjICxde0xTb7PPdR1+6R+Dp461Rorzgmp9XTu + mrdYZJGqlz/yKEqsxU7ExTsppRrzRcejImyeukgHPu4/0S0lsfDRvNpX+CS48wE= + =ACo/ + -----END PGP MESSAGE----- + fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51 + unencrypted_suffix: _unencrypted + version: 3.10.2