Reconfigure and reinstall outpost

Lauren Lagarde 2025-08-22 21:47:07 -05:00
parent f2204b3489
commit b704bad251
7 changed files with 163 additions and 90 deletions


@ -6,6 +6,7 @@
# nix-shell -p ssh-to-age --run 'ssh-to-age -i ~/.ssh/id_ed25519.pub'
keys:
- &system_bastion age1up8uth9hwtd9gup3v32l8dypdarj77s2lysm8js8w8mwa80rk4ds76ke6d
- &system_outpost age1us0wxu4me53y6djl5e5az07c83syxmm0u2jgwzgvdj9nfq6stq3sk8qcc8
- &system_redoubt age1ftcr6legvdxc2yn2zedqqsxaax3wedxqw5ad2k2f0m4vprfc3u9sgxty7t
- &system_fortress age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu
- &system_blockhouse age14j6ns297c49wx5d8jddctfmek0kvn8rvw3y03nw3pankc03dlpuqhvvy7c
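Review bot: The `&system_outpost` anchor under `keys:` (apparently the one line this hunk adds) grants nothing by itself, because an anchor only takes effect where a `creation_rules` entry references it, and those rules lie outside the hunk. None of the seven files in this commit looks like a re-encrypted repository-level secrets file, so if outpost is meant to decrypt anything governed by this file, a rule has to list `*system_outpost` and each affected file needs `sops updatekeys` run against it. If the anchor is only kept for reference, a comment such as `# outpost decrypts only its own per-host secrets file` would make that explicit.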


@ -13,18 +13,19 @@
home.file.".ssh/dotspace_known_hosts".text = ''
[10.86.84.150]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGeO5P0YXb11gWpu+9Zj8qulnOeEHxFVIq/d4hfV6KAM
fortress.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINzNlalnh/cgosa5Vw85YEET9rwcEmfRGTFlNFqSo/53
bastion.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtmSrFZNFWFUH7ajyaFQSE85RC5Y5TdlZ0U/C863Zg9
blockhouse.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGKN+xPvC+o9f5vlItdytZfKbsQyN/7XODU2jexL1TV
drawbridge.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOphVdDU4YpAc+5JiwarKVk32kfFtVCmQUIJaXc3XqJA
fortress.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINzNlalnh/cgosa5Vw85YEET9rwcEmfRGTFlNFqSo/53
living-room.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMvrjTnD5GO8cxnzSj12kKn3lQfPQpiuO5XZzWnfVMi
ll-latitude-e5591.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiyCBH4WDsmkbsncWbEtzKcBh7t8dKFtWbGtp70lvGm
outpost.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWI2SiXlBECjJaQa3i5xu2Kvcu0ju6oUdk/t3AJVUMr
redoubt.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOv4X7Na5YG3ty8l2cofMD1ib79YrIlcSBh+PceB9HjB
vm-docker-0.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4bp3QlO6M2dfPvjzdTfcEXEsaJ1fcIxyx8aRZRzekq
vm-docker-1.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINolzmDBmxUIpR/pcvmQ91gydyty4HlrDyZcz78NYC9C
vm-docker-2.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm4WfWSfqmVGF6VwyLjxGcjn4YtqlWa2zS3eKxDJOCo
ll-latitude-e5591.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiyCBH4WDsmkbsncWbEtzKcBh7t8dKFtWbGtp70lvGm
[10.86.84.150]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGeO5P0YXb11gWpu+9Zj8qulnOeEHxFVIq/d4hfV6KAM
drawbridge.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOphVdDU4YpAc+5JiwarKVk32kfFtVCmQUIJaXc3XqJA
'';
}


@ -140,6 +140,12 @@
modules = [ ./systems/ll-nixos-live/configuration.nix ];
};
outpost = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit self inputs pkgs-unstable; };
modules = [ ./systems/outpost/configuration.nix ];
};
redoubt = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit self inputs pkgs-unstable; };


@ -1,84 +0,0 @@
{ pkgs, ... }: {
networking.hostName = "outpost";
networking.hostId = "373a7023";
imports = [
# Base Config
../features/base.nix
../features/headless.nix
# Features
../features/tui-apps.nix
../features/openssh-server.nix
../features/hardware/yubikey.nix
../features/virtualization/dockge.nix
../features/virtualization/docker.nix
# Tweaks
../tweaks/zfs.nix
../tweaks/zram.nix
../tweaks/enable_flakes.nix
../tweaks/disable_firewall.nix
../tweaks/systemd-resolved_nonsense.nix
# Dotspace
../../dotspace/configuration.nix
# Users
../../users/lauren_lagarde/configuration.nix
# Outpost
../../nixos/tweaks/disable_firewall.nix
];
##############################################################################
##############################################################################
##############################################################################
# Networking
networking.useNetworkd = true;
systemd.network = {
enable = true;
networks = {
"30-end0" = {
matchConfig.Name = "end0";
linkConfig = {
RequiredForOnline = "routable";
};
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = true;
};
};
"90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "10.86.84.106/32" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
};
};
services.tinc.networks.dotspace = {
name = "outpost";
ed25519PrivateKeyFile = "/root/tinc/dotspace_ed25519_key.priv";
chroot = false;
settings.ConnectTo = [ "fortress" "stronghold" ];
};
##############################################################################
##############################################################################
##############################################################################
# Services
# TODO: Put scripts into version control
services.cron = {
enable = true;
mailto = "";
systemCronJobs = [
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats > /dev/null"
];
};
}


@ -0,0 +1,12 @@
keys:
- &system_outpost age1us0wxu4me53y6djl5e5az07c83syxmm0u2jgwzgvdj9nfq6stq3sk8qcc8
- &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
- &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- pgp:
- *yubikey_lauren_primary
age:
- *system_outpost
- *system_ll_latitude
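Review bot: `path_regex: secrets.yaml$` leaves the dot unescaped and has no left anchor, so the rule also matches any path that merely ends in something like `mysecrets.yaml` or `secrets_yaml`; `path_regex: (^|/)secrets\.yaml$` limits it to the intended file name. The single key group also makes the `system_ll_latitude` age key a recipient of outpost's tinc private keys. If that laptop key is there only for editing, the YubiKey PGP recipient may already cover that need, and dropping the laptop would leave one fewer machine able to decrypt the host's VPN identity.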


@ -0,0 +1,86 @@
{ lib, inputs, self, pkgs, pkgs-unstable, ... }: let
hostName = "outpost";
hostId = "373a7023";
tinc-ip = "10.86.84.106/32";
stateVersion = "25.05";
in {
networking.hostId = hostId;
networking.hostName = hostName;
system.stateVersion = stateVersion;
home-manager = {
users."lauren_lagarde" = {
home.stateVersion = stateVersion;
imports = self.homeManagerModules."lauren_lagarde@tui.mlaga97.space";
};
extraSpecialArgs = { inherit self pkgs-unstable; };
};
time.timeZone = "America/Chicago";
sops.defaultSopsFile = ./secrets.yaml;
imports = [
inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager
../../nixos/features/pi.nix
# Core Features
../../nixos/features/base.nix
../../nixos/features/tui-apps.nix
../../nixos/features/openssh-server.nix
# Core Tweaks
../../nixos/tweaks/zram.nix
../../nixos/tweaks/enable_flakes.nix
../../nixos/tweaks/systemd-resolved_nonsense.nix
# Dotspace
../../dotspace/parts/tinc.nix
# Users
../../users/lauren_lagarde/configuration.nix
../../users/ashley_funkhouser/ashley_funkhouser.nix
# Outpost
../../nixos/tweaks/disable_firewall.nix
];
##############################################################################
##############################################################################
##############################################################################
# Services
services.smartd.enable = lib.mkForce false;
##############################################################################
##############################################################################
##############################################################################
# Networking
networking.useNetworkd = true;
systemd.network = {
enable = true;
};
##############################################################################
# Tinc
sops.secrets."dotspace/${hostName}/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
sops.secrets."dotspace/${hostName}/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
systemd.network.networks."90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "${tinc-ip}" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
services.tinc.networks.dotspace = {
name = hostName;
ed25519PrivateKeyFile = "/run/secrets/dotspace/${hostName}/keys/tinc/ed25519_key.priv";
chroot = false;
settings.ConnectTo = [ "fortress" ];
};
}
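Review bot: The `rsa_key.priv` secret is declared but nothing in this file consumes it, since `services.tinc.networks.dotspace` sets only `ed25519PrivateKeyFile`. Unless `../../dotspace/parts/tinc.nix` (not visible here) sets `rsaPrivateKeyFile`, the NixOS tinc module appears to fall back to generating a fresh RSA key on the host, which would not match the published one. If the sops-managed key is meant to be used, add `rsaPrivateKeyFile = config.sops.secrets."dotspace/${hostName}/keys/tinc/rsa_key.priv".path;` and take `config` in the module arguments. Referring to the ed25519 key through `config.sops.secrets.<name>.path` as well, instead of the hard-coded `/run/secrets/...` string, keeps the path tied to the secret declaration. Separately, the host imports `disable_firewall.nix` next to `openssh-server.nix`, so a one-line comment on that import saying why the firewall is off on outpost would help the next reader.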


@ -0,0 +1,51 @@
dotspace:
outpost:
keys:
tinc:
ed25519_key.priv: ENC[AES256_GCM,data:gQ17aLaRXgItUfoR9ZjvoU0nh/8rbPoFrgjGJ6XacaixYZp2J7evD5QKbJQpAn2vrVnOU1CEsLZngIR4DCXBek6XiqQsPOTA47E/8nNwB74go3VIdx/jCSWU0ObLm32Z27zKKkUwd62yOmyuYZIWpGrSWlEwlQj+Xf+lPlHEZGHLHahXvsuiA28wJ6ZYhNgQC9zjx5yi2SK0tnnfR68q4d57yVEe3I3KTruh01nVH86Vm1sR9Vum/KWViko/rIHNqwdKtzE2qQ==,iv:SZYQofepeR+Uq6mdlleYNbhHg72aB3i4GwY2Xdgriq8=,tag:Xf2BL6qLhwRqmNLkNtQY4Q==,type:str]
rsa_key.priv: ENC[AES256_GCM,data:ofZzGqt+OfmzWPJfRY9OaHoS264OwsuI8St0ldAnB55tcA/WZu0MHpOzsFlR8ibAhYpMN7Qvj2Hjmw/Fq0tt1V9hrpiIWkyJ2SxrlPtNrVRSPxJaqBkOtm42r/L5we/wZO/xr6JAUV3ZXrNbpBv/Y58YLpvg/YCnjCYtUgzeZdwxRlRjUcx4rOEWI9GgbSraVlehG6EQiQLcrSENeZRnDAyrThuy1RgX/fduXnzHfHkNGqAepK9IfC1ffletWK+1xhRVfLrq9bSCKI2085PJIR8xLDk2/Saq6o2V/+xZEBRO8ISAvk9ZZ48XcjD0a/incyKKLXXbdUrGuS4BXGeIqdN7anG1BmrjlMNwajpc6hHTXiXb79B0bReQ2QR+8T0jK0hDPjC/6d+q32xm42jsHcXPaPP2R29+tf8N4ry2N9RYmxLPM48jOKrsAD4l7iF7d23HfvPHoYk6LknAEq3jXtDkqyNW5RTVfoSZtinHdijM6zvuGiyKl0kK88/EXTOZrjym2kHxN9gPPlk2neg5aKJ1Y0qHTbkh9BP6D7nPBz+ecjRx7CL+pGAyyfhwO/HFMX2Zyz0oog2Y+teErFVjg0p/WhMxlz/5KtslG5aSM0Q6+fMwcLmE46yb/VpuJCnNu8m3OwqInQS4Hpq7h2oIEnB+ptGaL3iDy2FdCZxsLN4ABatSaxDtjOnwaxWNHHtl1KaCRz+WU4MF8Me6u6xTQxj4GxHPKi9tV1sLRJgW1gA7ioMT8nhOlc9DKw6vZU7mZRGNHYiJMGII0LrrSr3pNN1qH4DpuLR5RDzYAFClsIKi6ZH73JPU0EhEPgrSO0xjqpje/vpf29haS6xaMn3djzuDKgkqDpqW5lDOrJvP8sHeNNYB5fkYbhPZbz1R79PnEQWW3zq9Z9iPK0/q5NiTy9rkqJp8vNmUXiwvP7/9nugTAHFDpt8fvImTA5Mxoy3r8y8+QUeZQvayVMuspBVmLrcpV0PEeZvoTU+G2/8Rx5CMLG2OMfdGUvpM4gHPlHWb+U4GsgCc7bTA7Ob7+sqXbKyGC9UudVnD8mtONtkngUqR7rT+TbQFVwid9DPmgnl17UVs8/qpcGJ+gbmjEbBmQ3ucZ9u0vdwBe+IK+tPmnCtQFnWpHRUvdTp6g0asLN/kYn1Y5nZ6VAOLXc/ANfq02jqTmBKQQXnR28OVXgM7pCJKufUTmfzDnRfszl83ILpUI3EHuiFzXw6Eb67HySajMKGGYrSRK8wSlr9bJSTN9I6k7ij3VvhSOEEsTO5coSmf5SNRWBkfCEDl0Oa3rsWhpAHcWZGcMEOEqKv2OsQ7IVnS8JRzJ8w3v7Ddy8Uu3D1uFZXKP779D8XvbUowKk1GD71fgRNWn027cl814OpLD8ncEjx3lGd0/PWH1+OK39ZYlmXZx9fBvUYnVoNT6XevTouW2c/VAkZR+D4SdTXEp+EZNscihPPW5vIb1xj59K96kqM6TS49VDOPQGritCHu2xDGJ0Wqxw0Pbd4c9yTfPu5Y8A5EeDXUA1/2UpxgpjC1fpXkztTGM2tVStbOcqeB+HieBNRUdUzexcuwKFC5aZ3ES8SXt4kEjiMlyHPyneMbd7LmGLaHwBHH+VXnyHXap8c26guXsjgNqO5IufW3pdGjZ77BUanzwVCRZySmO+SLSs5a63dXnXoGq4Resh6gKiwJGJGCgQ6xvBljzZkaPxjSk/gUOhdfG33/0ytgCfNS8pHxI9w1Ddb44VNL5M1LOlqx6akaPa4gqd1ORlgUjR7dbJ8d9ZNPzX3zH9gfAOLjrNY/xgo3LUQEnSRqmvtw/UfH+zbxYGKzskolE2JCxankuoe8XWnqz6KTyrPMLzjJuXfqepZi23jvRe7M+/Z1G5xp0YGAmU6Qq2EeFjQ2SLcHI1uJnt4AU+NNMMl4Uop4nxc0CSCFI3k4cg+JY6meYlLZs4BA/FKdk+VenKYVwpY/ts
O1GbrsxlrEFjOO1OmQgjL2AsNQnjkHcveZCRqcq19LreRMvxCfGl7Cfcq34T7uwvvXmDrti/GWDhll4iSTsRGWxobY8HiNV929duXwiymqD/tdjUzTa3l3T0t6AXkEVW25y89qFtMlI9AH3oz6RC4YvB/ZYbZBn4UQAJsAYIm8x8Ox0Y4I1npxRa6HZnz9Pjyt+tL+wMsvCgqbGljLdvh1b2uRf/YFEDAoEUT6DyfHelSpuS7YN7o+1joR0tA9Lvli5+ZCgwN+KLkI3g==,iv:+ajn2mfJWvKCVYPa52jmIZ6Q4uX5ZuJG+EoaDjKtJXc=,tag:Zrgud6tf7fhw1Rw3d5Dy7Q==,type:str]
sops:
age:
- recipient: age1us0wxu4me53y6djl5e5az07c83syxmm0u2jgwzgvdj9nfq6stq3sk8qcc8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dXRTUlRNR29MR2hpOEQ5
SUg0NFFZZzdCTnN1Y2hlT1lZbmluWkk5TGtvCk50MllJT2pGQ25rMHJpTmx2SWFR
SGN6NmdkVzBFOWM2eWdqREFUcnVmUFUKLS0tIGtYNS82U0k2b1VycDhIVGgvR3Fs
VFJKR3NYU2pVUG1QeDh2T2dLRDF1bFkKjppj+REmPq0ZtvLsCII34ena+kFeSj2Q
nDsjD7Fy4A7Zd6OcmK7yl7CTjYHTDsrTrFDCJUq3S92GRIG7bVpcvw==
-----END AGE ENCRYPTED FILE-----
- recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRTNXaEZVdEVQQ1ZrSnR3
Uzl4LzR1MjRQd3luNmhud2hidk9uRGRQQzA0CmJOcEhJNXdTVU82ajQydUYwQlo1
TlVsOXdLUHhXR2xmY3NHLzdRMkNwT3MKLS0tIHBmZU5tZmtuTWx6LzlhQjhXN2t5
emR4LzN4WEtRSUJhbW1YN2UxNkZUR0EKHcsfR2hOb0LilIPUXtkRp1Rl+r9AioQa
LtL+Jxx3FyxSIfflhJ7+oT9QHZXMvzcbi1dhFiRVZDXHKWZMyLDsXw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-22T03:48:08Z"
mac: ENC[AES256_GCM,data:5r5USgaoTikwqkxtuXHHAaMz6mPJ07AC0TFq3mEBGEScoO4XStf2AuY2j5EFr9aLep+cIZJEO1AUMaAZTcrZfumjwn/XysCQm1A5xEPU5a7ydrtQHV6gjQaKsG7NLjbueVOhWuerxvmC7U9Gn3TZAg7OHXqXpG3SWXGE3aZJsuc=,iv:YMeRi4MYqx/cQBWtQc3uzZkpVCIRQObplE8/YN15ft8=,tag:oO+O6H7l9np79m6AWjHa8g==,type:str]
pgp:
- created_at: "2025-08-22T04:26:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA9BR1U1EkAnnARAAqezp8QnTZlZAp78Zq8vnGvfo4XcpWWo5SLATglDsCUaQ
CHPZrifgdbekzirOR0chsOfNwdJpRNyS3lVxtVhbaA5TzGBYM6E4AHXBQV7Sx15O
NXQ6xxFlrpqxP3uRTvrT0UA2WSJVr0LfUzrY5DMgfcVX3H51YQFX5CQYgDj0sYyc
x57kPXGk3/+CxTOFaGyV7YP50JAEZ6sVW33wFgm5Ts+thPpZgtM3lQMnvcs/4RhX
3/POIIQ/UQSlWL9wZvTmbMIddCnAhXxu8z9+qPkcaqQ/WEifDgxVqOgXMek6ePxd
FI09XapzVe6JSG8O0alNrKfVU2rwqXKDYndCcvAx3wVBqH5YMN3C+qORZEUW4Z2T
qlIA0V+eajnkthBq0IOhOEQzh18fV2sVhSvrOx4EoQCVL4vvJBxN9De0aW6X/Pgu
nrrEK1x5mhBKBKbBr7X8LXfbe83rEutvlrxYYogBlWMYfEYKcn9yoTbHYjsfZVx9
256srOjeXo7g8HGoVdkchzHd8COA5uWUhVIBPTQcqmJKnOGcWHEDlbWhGZObzu61
GqUuXLdnmOnpaYjCOAbV6l01+gA13TsK06ByF76hVYuRlRq8FZnCfaYUkNI4+VUK
ZVx2cDK3naSZwPZPGElLKy7zoi667/pHtcJeliT5i4XajCcCv0nMkGE40fb56KrS
XgFrt6+KWSWytSpCNhNTXpNQNqPhQy8P6d6dYYjolXLDCj+TUp1cHJgp2GBzuvGj
q83tqAWawhhzYQufeKsyVxfvJJSuumWsmYI/RiNgpkT5ttUMCLNjWbV9+JwD02A=
=dXST
-----END PGP MESSAGE-----
fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51
unencrypted_suffix: _unencrypted
version: 3.10.2