diff --git a/.sops.yaml b/.sops.yaml index b0301ff..ca3aeb6 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,6 +6,7 @@ # nix-shell -p ssh-to-age --run 'ssh-to-age -i ~/.ssh/id_ed25519.pub' keys: - &system_bastion age1up8uth9hwtd9gup3v32l8dypdarj77s2lysm8js8w8mwa80rk4ds76ke6d + - &system_outpost age1us0wxu4me53y6djl5e5az07c83syxmm0u2jgwzgvdj9nfq6stq3sk8qcc8 - &system_redoubt age1ftcr6legvdxc2yn2zedqqsxaax3wedxqw5ad2k2f0m4vprfc3u9sgxty7t - &system_fortress age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu - &system_blockhouse age14j6ns297c49wx5d8jddctfmek0kvn8rvw3y03nw3pankc03dlpuqhvvy7c diff --git a/dotspace/home.nix b/dotspace/home.nix index 3bf0012..a0c4066 100644 --- a/dotspace/home.nix +++ b/dotspace/home.nix 
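Review bot: The `age1us0wx…sk8qcc8` key for outpost now lives in two places, this root `keys:` list and the new `systems/outpost/.sops.yaml` further down in the same commit, so rotating the host key has to be done twice and the two copies can silently drift. This hunk only touches `keys:`; whether any `creation_rules` entry in this file actually references `*system_outpost` is outside the visible lines, and an anchor no rule uses does nothing. Consider keeping one `.sops.yaml` as the source of truth, or at least a comment beside the anchor such as `# keep in sync with systems/outpost/.sops.yaml`.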
@@ -13,18 +13,19 @@ home.file.".ssh/dotspace_known_hosts".text = '' - [10.86.84.150]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGeO5P0YXb11gWpu+9Zj8qulnOeEHxFVIq/d4hfV6KAM - - fortress.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINzNlalnh/cgosa5Vw85YEET9rwcEmfRGTFlNFqSo/53 - bastion.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtmSrFZNFWFUH7ajyaFQSE85RC5Y5TdlZ0U/C863Zg9 blockhouse.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGKN+xPvC+o9f5vlItdytZfKbsQyN/7XODU2jexL1TV - drawbridge.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOphVdDU4YpAc+5JiwarKVk32kfFtVCmQUIJaXc3XqJA + fortress.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINzNlalnh/cgosa5Vw85YEET9rwcEmfRGTFlNFqSo/53 + living-room.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEMvrjTnD5GO8cxnzSj12kKn3lQfPQpiuO5XZzWnfVMi + ll-latitude-e5591.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiyCBH4WDsmkbsncWbEtzKcBh7t8dKFtWbGtp70lvGm + outpost.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWI2SiXlBECjJaQa3i5xu2Kvcu0ju6oUdk/t3AJVUMr + redoubt.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOv4X7Na5YG3ty8l2cofMD1ib79YrIlcSBh+PceB9HjB vm-docker-0.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4bp3QlO6M2dfPvjzdTfcEXEsaJ1fcIxyx8aRZRzekq vm-docker-1.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINolzmDBmxUIpR/pcvmQ91gydyty4HlrDyZcz78NYC9C vm-docker-2.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm4WfWSfqmVGF6VwyLjxGcjn4YtqlWa2zS3eKxDJOCo - ll-latitude-e5591.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiyCBH4WDsmkbsncWbEtzKcBh7t8dKFtWbGtp70lvGm + [10.86.84.150]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGeO5P0YXb11gWpu+9Zj8qulnOeEHxFVIq/d4hfV6KAM + drawbridge.mlaga97.space ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOphVdDU4YpAc+5JiwarKVk32kfFtVCmQUIJaXc3XqJA ''; } diff --git a/flake.nix b/flake.nix index dd248c8..27ff7e0 100644 --- a/flake.nix +++ b/flake.nix 
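Review bot: The two entries moved to the bottom of the literal, `[10.86.84.150]:2222` and `drawbridge.mlaga97.space`, are set apart from the alphabetical list with nothing saying why, and the bracketed one carries no hostname, so a reader cannot tell which machine that key belongs to (it matches none of the named keys above). The known_hosts format ignores lines starting with `#`, so a comment line inside the literal would document it, e.g. `# [placeholder: which host] — reached on port 2222`. Mixing the reorder with the three genuinely new pins (living-room, outpost, redoubt) also makes the added keys harder to audit in the diff; a reorder-only commit followed by the additions would read more clearly.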
@@ -140,6 +140,12 @@ modules = [ ./systems/ll-nixos-live/configuration.nix ]; }; + outpost = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + specialArgs = { inherit self inputs pkgs-unstable; }; + modules = [ ./systems/outpost/configuration.nix ]; + }; + redoubt = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; specialArgs = { inherit self inputs pkgs-unstable; }; diff --git a/systems/outpost.nix b/systems/outpost.nix deleted file mode 100644 index 7ad1c2b..0000000 --- a/systems/outpost.nix +++ /dev/null 
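Review bot: The new `outpost` block is a verbatim copy of the `redoubt` block that follows it except for the module path (`system`, `specialArgs` identical), so `specialArgs` for the aarch64 hosts can now drift one host at a time. A `let`-bound helper keyed on the host name would remove the repetition; the enclosing attribute set starts and ends outside the hunk, so the helper would sit in a `let` above it (the surrounding structure is inferred, not visible). Only `outpost` is shown using it below; `redoubt` and friends could follow in a separate change.
```nix
# mkAarch64Host: a host whose configuration lives under ./systems/<name>/
mkAarch64Host = name: nixpkgs.lib.nixosSystem {
  system = "aarch64-linux";
  specialArgs = { inherit self inputs pkgs-unstable; };
  modules = [ ./systems/${name}/configuration.nix ];
};
# … unchanged: other host definitions …
outpost = mkAarch64Host "outpost";
```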
@@ -1,84 +0,0 @@ -{ pkgs, ... }: { - networking.hostName = "outpost"; - networking.hostId = "373a7023"; - - imports = [ - # Base Config - ../features/base.nix - ../features/headless.nix - - # Features - ../features/tui-apps.nix - ../features/openssh-server.nix - ../features/hardware/yubikey.nix - ../features/virtualization/dockge.nix - ../features/virtualization/docker.nix - - # Tweaks - ../tweaks/zfs.nix - ../tweaks/zram.nix - ../tweaks/enable_flakes.nix - ../tweaks/disable_firewall.nix - ../tweaks/systemd-resolved_nonsense.nix - - # Dotspace - ../../dotspace/configuration.nix - - # Users - ../../users/lauren_lagarde/configuration.nix - - # Outpost - ../../nixos/tweaks/disable_firewall.nix - ]; - - ############################################################################## - ############################################################################## - ############################################################################## - # Networking - - networking.useNetworkd = true; - - systemd.network = { - enable = true; - networks = { - "30-end0" = { - matchConfig.Name = "end0"; - linkConfig = { - RequiredForOnline = "routable"; - }; - networkConfig = { - DHCP = "ipv4"; - IPv6AcceptRA = true; - }; - }; - - "90-tinc" = { - matchConfig.Name = "tinc.dotspace"; - address = [ "10.86.84.106/32" ]; - routes = [ { Destination = "10.86.84.0/24"; } ]; - }; - }; - }; - - services.tinc.networks.dotspace = { - name = "outpost"; - ed25519PrivateKeyFile = "/root/tinc/dotspace_ed25519_key.priv"; - - chroot = false; - settings.ConnectTo = [ "fortress" "stronghold" ]; - }; - - ############################################################################## - ############################################################################## - ############################################################################## - # Services - - # TODO: Put scripts into version control - services.cron = { - enable = true; - mailto = ""; - systemCronJobs = [ - "* * * * * lauren_lagarde 
/home/lauren_lagarde/bin/PublishStats > /dev/null" - ]; - }; -} diff --git a/systems/outpost/.sops.yaml b/systems/outpost/.sops.yaml new file mode 100644 index 0000000..5981223 --- /dev/null +++ b/systems/outpost/.sops.yaml @@ -0,0 +1,12 @@ +keys: + - &system_outpost age1us0wxu4me53y6djl5e5az07c83syxmm0u2jgwzgvdj9nfq6stq3sk8qcc8 + - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz + - &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51 +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - pgp: + - *yubikey_lauren_primary + age: + - *system_outpost + - *system_ll_latitude diff --git a/systems/outpost/configuration.nix b/systems/outpost/configuration.nix new file mode 100644 index 0000000..60503d1 --- /dev/null +++ b/systems/outpost/configuration.nix 
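Review bot: A per-directory `.sops.yaml` is only honoured when sops is run from inside `systems/outpost/`: to my knowledge sops finds its config by walking up from the working directory, not from the target file's location, so `sops systems/outpost/secrets.yaml` invoked at the repo root would apply the root `.sops.yaml` (whose creation rules are not visible here) and could re-encrypt the file to a different recipient set. Either pass `--config systems/outpost/.sops.yaml` in whatever wrapper edits these files, or extend the root config's rules to cover this path and drop this file. Separately, `path_regex: secrets.yaml$` is a regex with an unescaped dot and no leading anchor; `path_regex: ^secrets\.yaml$` states the intent exactly.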
@@ -0,0 +1,86 @@ +{ lib, inputs, self, pkgs, pkgs-unstable, ... }: let + hostName = "outpost"; + hostId = "373a7023"; + tinc-ip = "10.86.84.106/32"; + + stateVersion = "25.05"; +in { + networking.hostId = hostId; + networking.hostName = hostName; + system.stateVersion = stateVersion; + + home-manager = { + users."lauren_lagarde" = { + home.stateVersion = stateVersion; + imports = self.homeManagerModules."lauren_lagarde@tui.mlaga97.space"; + }; + extraSpecialArgs = { inherit self pkgs-unstable; }; + }; + + time.timeZone = "America/Chicago"; + sops.defaultSopsFile = ./secrets.yaml; + + imports = [ + inputs.sops-nix.nixosModules.sops + inputs.home-manager.nixosModules.home-manager + + ../../nixos/features/pi.nix + + # Core Features + ../../nixos/features/base.nix + ../../nixos/features/tui-apps.nix + ../../nixos/features/openssh-server.nix + + # Core Tweaks + ../../nixos/tweaks/zram.nix + ../../nixos/tweaks/enable_flakes.nix + ../../nixos/tweaks/systemd-resolved_nonsense.nix + + # Dotspace + ../../dotspace/parts/tinc.nix + + # Users + ../../users/lauren_lagarde/configuration.nix + ../../users/ashley_funkhouser/ashley_funkhouser.nix + + # Outpost + ../../nixos/tweaks/disable_firewall.nix + ]; + + ############################################################################## + ############################################################################## + ############################################################################## + # Services + + services.smartd.enable = lib.mkForce false; + + ############################################################################## + ############################################################################## + ############################################################################## + # Networking + + networking.useNetworkd = true; + systemd.network = { + enable = true; + }; + + ############################################################################## + # Tinc + + 
sops.secrets."dotspace/${hostName}/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; }; + sops.secrets."dotspace/${hostName}/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; }; + + systemd.network.networks."90-tinc" = { + matchConfig.Name = "tinc.dotspace"; + address = [ "${tinc-ip}" ]; + routes = [ { Destination = "10.86.84.0/24"; } ]; + }; + + services.tinc.networks.dotspace = { + name = hostName; + ed25519PrivateKeyFile = "/run/secrets/dotspace/${hostName}/keys/tinc/ed25519_key.priv"; + + chroot = false; + settings.ConnectTo = [ "fortress" ]; + }; +} diff --git a/systems/outpost/secrets.yaml b/systems/outpost/secrets.yaml new file mode 100644 index 0000000..072f29e --- /dev/null +++ b/systems/outpost/secrets.yaml 
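Review bot: The `rsa_key.priv` secret declared at the top of the Tinc section is decrypted to `/run/secrets` on every boot but nothing consumes it — `services.tinc.networks.dotspace` only sets `ed25519PrivateKeyFile` — so either wire it through the module's `rsaPrivateKeyFile` option or drop the declaration together with its ciphertext in `secrets.yaml`. `ed25519PrivateKeyFile` also hard-codes the `/run/secrets/...` path; `config.sops.secrets.<name>.path` is the value sops-nix exposes for this and survives a change of the secrets directory, which needs `config` added to the module arguments. The two `sopsFile = ./secrets.yaml;` attributes repeat `sops.defaultSopsFile` set above, and `address = [ "${tinc-ip}" ]` can simply be `address = [ tinc-ip ]`. Compared with the deleted `systems/outpost.nix`, this file drops the `PublishStats` cron job, the `stronghold` `ConnectTo` peer and the docker/dockge/yubikey/zfs features; nothing in the hunk records whether that is intended, so a short header comment stating it would help the next reader.
```nix
{ config, lib, inputs, self, pkgs, pkgs-unstable, ... }: let
# … unchanged: hostName, hostId, tinc-ip, stateVersion, imports, Services, Networking …
  sops.secrets."dotspace/${hostName}/keys/tinc/rsa_key.priv" = { };
  sops.secrets."dotspace/${hostName}/keys/tinc/ed25519_key.priv" = { };

  services.tinc.networks.dotspace = {
    name = hostName;
    rsaPrivateKeyFile = config.sops.secrets."dotspace/${hostName}/keys/tinc/rsa_key.priv".path;
    ed25519PrivateKeyFile = config.sops.secrets."dotspace/${hostName}/keys/tinc/ed25519_key.priv".path;
    # … unchanged: chroot, settings.ConnectTo …
  };
```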
@@ -0,0 +1,51 @@ +dotspace: + outpost: + keys: + tinc: + ed25519_key.priv: ENC[AES256_GCM,data:gQ17aLaRXgItUfoR9ZjvoU0nh/8rbPoFrgjGJ6XacaixYZp2J7evD5QKbJQpAn2vrVnOU1CEsLZngIR4DCXBek6XiqQsPOTA47E/8nNwB74go3VIdx/jCSWU0ObLm32Z27zKKkUwd62yOmyuYZIWpGrSWlEwlQj+Xf+lPlHEZGHLHahXvsuiA28wJ6ZYhNgQC9zjx5yi2SK0tnnfR68q4d57yVEe3I3KTruh01nVH86Vm1sR9Vum/KWViko/rIHNqwdKtzE2qQ==,iv:SZYQofepeR+Uq6mdlleYNbhHg72aB3i4GwY2Xdgriq8=,tag:Xf2BL6qLhwRqmNLkNtQY4Q==,type:str] + rsa_key.priv: ENC[AES256_GCM,data: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,iv:+ajn2mfJWvKCVYPa52jmIZ6Q4uX5ZuJG+EoaDjKtJXc=,tag:Zrgud6tf7fhw1Rw3d5Dy7Q==,type:str] +sops: + age: + - recipient: age1us0wxu4me53y6djl5e5az07c83syxmm0u2jgwzgvdj9nfq6stq3sk8qcc8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dXRTUlRNR29MR2hpOEQ5 + SUg0NFFZZzdCTnN1Y2hlT1lZbmluWkk5TGtvCk50MllJT2pGQ25rMHJpTmx2SWFR + SGN6NmdkVzBFOWM2eWdqREFUcnVmUFUKLS0tIGtYNS82U0k2b1VycDhIVGgvR3Fs + VFJKR3NYU2pVUG1QeDh2T2dLRDF1bFkKjppj+REmPq0ZtvLsCII34ena+kFeSj2Q + nDsjD7Fy4A7Zd6OcmK7yl7CTjYHTDsrTrFDCJUq3S92GRIG7bVpcvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRTNXaEZVdEVQQ1ZrSnR3 + Uzl4LzR1MjRQd3luNmhud2hidk9uRGRQQzA0CmJOcEhJNXdTVU82ajQydUYwQlo1 + TlVsOXdLUHhXR2xmY3NHLzdRMkNwT3MKLS0tIHBmZU5tZmtuTWx6LzlhQjhXN2t5 + emR4LzN4WEtRSUJhbW1YN2UxNkZUR0EKHcsfR2hOb0LilIPUXtkRp1Rl+r9AioQa + LtL+Jxx3FyxSIfflhJ7+oT9QHZXMvzcbi1dhFiRVZDXHKWZMyLDsXw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-22T03:48:08Z" + mac: ENC[AES256_GCM,data:5r5USgaoTikwqkxtuXHHAaMz6mPJ07AC0TFq3mEBGEScoO4XStf2AuY2j5EFr9aLep+cIZJEO1AUMaAZTcrZfumjwn/XysCQm1A5xEPU5a7ydrtQHV6gjQaKsG7NLjbueVOhWuerxvmC7U9Gn3TZAg7OHXqXpG3SWXGE3aZJsuc=,iv:YMeRi4MYqx/cQBWtQc3uzZkpVCIRQObplE8/YN15ft8=,tag:oO+O6H7l9np79m6AWjHa8g==,type:str] + pgp: + - created_at: "2025-08-22T04:26:19Z" + enc: |- + 
-----BEGIN PGP MESSAGE----- + + hQIMA9BR1U1EkAnnARAAqezp8QnTZlZAp78Zq8vnGvfo4XcpWWo5SLATglDsCUaQ + CHPZrifgdbekzirOR0chsOfNwdJpRNyS3lVxtVhbaA5TzGBYM6E4AHXBQV7Sx15O + NXQ6xxFlrpqxP3uRTvrT0UA2WSJVr0LfUzrY5DMgfcVX3H51YQFX5CQYgDj0sYyc + x57kPXGk3/+CxTOFaGyV7YP50JAEZ6sVW33wFgm5Ts+thPpZgtM3lQMnvcs/4RhX + 3/POIIQ/UQSlWL9wZvTmbMIddCnAhXxu8z9+qPkcaqQ/WEifDgxVqOgXMek6ePxd + FI09XapzVe6JSG8O0alNrKfVU2rwqXKDYndCcvAx3wVBqH5YMN3C+qORZEUW4Z2T + qlIA0V+eajnkthBq0IOhOEQzh18fV2sVhSvrOx4EoQCVL4vvJBxN9De0aW6X/Pgu + nrrEK1x5mhBKBKbBr7X8LXfbe83rEutvlrxYYogBlWMYfEYKcn9yoTbHYjsfZVx9 + 256srOjeXo7g8HGoVdkchzHd8COA5uWUhVIBPTQcqmJKnOGcWHEDlbWhGZObzu61 + GqUuXLdnmOnpaYjCOAbV6l01+gA13TsK06ByF76hVYuRlRq8FZnCfaYUkNI4+VUK + ZVx2cDK3naSZwPZPGElLKy7zoi667/pHtcJeliT5i4XajCcCv0nMkGE40fb56KrS + XgFrt6+KWSWytSpCNhNTXpNQNqPhQy8P6d6dYYjolXLDCj+TUp1cHJgp2GBzuvGj + q83tqAWawhhzYQufeKsyVxfvJJSuumWsmYI/RiNgpkT5ttUMCLNjWbV9+JwD02A= + =dXST + -----END PGP MESSAGE----- + fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51 + unencrypted_suffix: _unencrypted + version: 3.10.2