diff --git a/.sops.yaml b/.sops.yaml index dac73f2..4c42092 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &host-raspite age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - &host-sgp-00 age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - &host-tok-00 age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj + - &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta creation_rules: - path_regex: machines/calcite/secrets.yaml @@ -31,6 +32,11 @@ creation_rules: - age: - *xin - *host-tok-00 + - path_regex: machines/dolomite/secrets/la-00.yaml + key_groups: + - age: + - *xin + - *host-la-00 - path_regex: machines/secrets.yaml key_groups: - age: @@ -39,6 +45,7 @@ creation_rules: - *host-raspite - *host-sgp-00 - *host-tok-00 + - *host-la-00 - *host-massicot - path_regex: home/xin/secrets.yaml key_groups: diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix new file mode 100644 index 0000000..853f8d8 --- /dev/null +++ b/machines/dolomite/bandwagon.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, modulesPath, ... }: +let + cfg = config.isBandwagon; +in +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + + options = { + isBandwagon = lib.mkEnableOption "Bandwagon instance"; + }; + + config = lib.mkIf cfg.isBandwagon { + boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "xfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-label/NIXBOOT"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + boot.loader.grub.enable = lib.mkForce true; + boot.loader.grub.version = lib.mkForce 2; + boot.loader.grub.device = lib.mkForce "/dev/sda"; + networking.useDHCP = false; + networking.interfaces.ens18.useDHCP = true; + networking.interfaces.ens19.useDHCP = true; + }; +} diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 1599db5..15f7e2e 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,12 +1,19 @@ { inputs, config, pkgs, lib, modulesPath, ... }: +let + awsHosts = [ "sgp-00" "tok-00 "]; + bwgHosts = [ "la-00" ]; +in { imports = [ ../sops.nix - "${modulesPath}/virtualisation/amazon-image.nix" + ./bandwagon.nix + ./lightsail.nix ]; config = { + isBandwagon = builtins.elem config.networking.hostName bwgHosts; + isLightsail = builtins.elem config.networking.hostName awsHosts; sops = { secrets = { wg_private_key = { @@ -19,7 +26,6 @@ }; }; }; - boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; boot.kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; @@ -39,9 +45,9 @@ custom.prometheus = { enable = false; - exporters.enable = true; + exporters.enable = false; grafana = { - enable = true; + enable = false; password_file = config.sops.secrets.grafana_cloud_api.path; }; }; diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix new file mode 100644 index 0000000..187c6ff --- /dev/null +++ b/machines/dolomite/lightsail.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, modulesPath, ... }: +let + cfg = config.isLightsail; +in +{ + imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + options = { + isLightsail = lib.mkEnableOption "Lightsail instance"; + }; + config = lib.mkIf cfg.isLightsail{ + boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + }; +} diff --git a/machines/dolomite/secrets/la-00.yaml b/machines/dolomite/secrets/la-00.yaml new file mode 100644 index 0000000..266dae5 --- /dev/null +++ b/machines/dolomite/secrets/la-00.yaml @@ -0,0 +1,31 @@ +wg_private_key: ENC[AES256_GCM,data:jz/03kP/dj625Jweu0MEw9aGm3Z3M1f43cZqGy2eElCIDhD78n+zZAqOM8c=,iv:fZxuvZLx97YyDoafQXbqVYjqRYzZq90PJiri9vdjwro=,tag:0A9sGnSl3y3gpEuvsdRtGg==,type:str] +wg_ipv6_local_addr: ENC[AES256_GCM,data:W/uR+9kAKdXViAbZ0vEhC2eNwlzqX0x+LpzLrLCmQuVgRbZAtJCqfeE=,iv:pMZumU7fMV5MYX59hO7SEMLlG4m8DdPXeAiNgLxNzZk=,tag:xdGBpOBdWlc8Q9BDMv04sA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WjRVY3BKdVU1WERrVzla + L1NNYWp2SFZEaW84b0h1clFGRHVmRDhnM3o0CkUrZjZKNHp2TGtrTXpyOHNVckJw + VURjOEVaR3VQU1pJY2NaOFBQRjVIdWcKLS0tIFBQRWRnNnk4aWxsQVhhdUdVWWpy + aG9Oa3lOY0JjY2tFU3ZTazcyZW5SM0kKRfTrM65aI5LMOHoGsls3PWChrY5pEz91 + EERpRd552+PxYBKvumI59mtdlD263d5kmlTxIIZXTOJ2fcl1bii2bg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdzk4ajV5ekNpZXNGTHdD + aVBLZDlSbzE1aG5LT0cvVVVlVDBNOWtackNVCjVnZDhYZmFoT21DZHNYT2pMVDF6 + ZW5UY1ZFRFdtbDdPZHZIWUVuWjhJMk0KLS0tIGR4UUYwcjJtZUFYYlJSS2d6Q3hZ + WVJYSWhOaTEvNUdYTXV6OThPenJaY0UKv3WK6gacUxO6PFklkW+jDMG5FgIUuEvN + RvvI9ZXRD4QwKW1mpVrxbC+fRqlKawyyyyikvHFGJvpts4/88IcgUQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-15T11:37:57Z" + mac: ENC[AES256_GCM,data:iCgvJMijsUjdBT9hMQx4owYkbp2nV1jORB5HGtz5IPHgI9A5FXAAPFtaSGgQSI3twSkYMU94NULjumCyyWt3syH5KK9itHgHwONyVFieyXLiWozqpN2Z0SA5G4SnK3E6X273br9gwNAj33I2MdS/3K8b4EOO2yEzilWmrW7f3rk=,iv:UD7uHrtq4O6+EsWFrjegTXHtQUFcnhKsu4J0e0srDtk=,tag:b0eJEeUJPwi4+rDPeBY7oA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1