diff --git a/.sops.yaml b/.sops.yaml index 22d8580..865e61f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &admin_ppetru age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn - &server_zippy age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac - &server_chilly age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp + - &server_sparky age1zxf8263nk04zf4pu5x2czh6g4trv4e2xydypyjschyekr6udqcsqmrgv68 - &server_alo_cloud_1 age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z - &server_c1 age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt - &server_c2 age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m @@ -13,6 +14,7 @@ creation_rules: - *admin_ppetru - *server_zippy - *server_chilly + - *server_sparky - *server_alo_cloud_1 - *server_c1 - *server_c2 @@ -27,6 +29,11 @@ creation_rules: - age: - *admin_ppetru - *server_chilly + - path_regex: secrets/sparky\.yaml + key_groups: + - age: + - *admin_ppetru + - *server_sparky - path_regex: secrets/alo-cloud-1\.yaml key_groups: - age: diff --git a/flake.nix b/flake.nix index 40add00..1cc22fb 100644 --- a/flake.nix +++ b/flake.nix @@ -128,6 +128,7 @@ ./hosts/zippy ]; chilly = mkHMNixos "x86_64-linux" [ ./hosts/chilly ]; + sparky = mkHMNixos "x86_64-linux" [ ./hosts/sparky ]; }; deploy = { @@ -180,6 +181,15 @@ }; }; }; + sparky = { + hostname = "workshop"; + profiles = { + system = { + user = "root"; + path = (deployPkgsFor "x86_64-linux").deploy-rs.lib.activate.nixos self.nixosConfigurations.sparky; + }; + }; + }; }; }; diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix new file mode 100644 index 0000000..8be4f6a --- /dev/null +++ b/hosts/sparky/default.nix @@ -0,0 +1,19 @@ +{ pkgs, inputs, ... }: +{ + imports = [ + ../../common/encrypted-btrfs-layout.nix + ../../common/global + ../../common/base-node.nix + ../../common/dev-node.nix + ./hardware.nix + ]; + + diskLayout = { + mainDiskDevice = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNF0MA33640P"; + #keyDiskDevice = "/dev/disk/by-id/usb-Intenso_Micro_Line_22080777660468-0:0"; + keyDiskDevice = "/dev/sdb"; + }; + + networking.hostName = "sparky"; + services.tailscaleAutoconnect.authkey = "tskey-auth-kFGr5T4rtT11CNTRL-Ls3wbQz5Nr2AUyzeLaC3s2eChNasyPdR"; +} diff --git a/hosts/sparky/hardware.nix b/hosts/sparky/hardware.nix new file mode 100644 index 0000000..ec8b136 --- /dev/null +++ b/hosts/sparky/hardware.nix @@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ + "kvm-intel" + ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = true; +} diff --git a/hosts/sparky/key.bin b/hosts/sparky/key.bin new file mode 100644 index 0000000..4c134fb Binary files /dev/null and b/hosts/sparky/key.bin differ diff --git a/secrets/common.yaml b/secrets/common.yaml index 8395cf7..90d9a66 100644 --- a/secrets/common.yaml +++ b/secrets/common.yaml @@ -8,65 +8,74 @@ sops: - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjOWdvMkRQQUV0emx3WDZt - aDEvRHhKZGQxTThjakc5VVpMRFlxQ3pwdEhrCjl1Y3hKM2FRVENRcEtCYlphVTR5 - ejFDZzhYUG5NTHgyUVp2emgwVWx1RVEKLS0tIDFWM1RublZVWjN3cXZKM1RsZHBt - ZFl4elUxbHdUZVQ4ajYvd2h3RHpMaVkKxviRk3TCTl9SdqAC7C+e+ugD3o/6/3sh - 6I7Z1f9K99ONAaP3VhVoW34+qDXyA/RmNk85TWDjE8U/Y4A7/+kYAQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeCtRemFxOUErVll5OGlx + Sk5UM3Z2SUdJeUVoYlBXZFdiMlc2NlFLNEhFCk94YUtDbGtzVm9wbkRWNkFNbjY1 + aUQxSVhmWVVLRThMRWRCR00xbFk5czgKLS0tIG5wMGlaNi8wT3FTdkhhMkhvV3Ft + WHg4Zis0K20vM1MwcFVDSDQ3Tmx5N3cK8QO9Uyc11TdIDTUiOvTgAvgehVnWclRI + UX7ISxlF+qBwfkoXeo3N6jl4buAOrKhY/ssrvjF8fXwl/dc4iVRbRw== -----END AGE ENCRYPTED FILE----- - recipient: age1gtyw202hd07hddac9886as2cs8pm07e4exlnrgfm72lync75ng9qc5fjac enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBOVNYRTB1NVpMYzJlakpZ - cXd4amF2dUEyZXVubFZvUDVJZFVlSWh2TTBnCmhRMDhTdjFDQzg4eGNBYzhVTGNy - THJrbXZBeVVxMkJweXJESDVSR1U1S1kKLS0tIGpOcFZ1NnZyczZZT01BcUVLVGo5 - cmdiMTNKZ0pJVWpOTDNHSUt1UUJCM2cKsCOQM166AQjNqlBoB3r04HMGiUkgkFvA - /uxxVnapjzn0Fj9OgtTSsHT7TnRHsPLvFbIPNuvzk2T7j2sv8TEZnw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bm9uQVZ3YlFXaldDSGhC + d3lEbjFweGY3b1Eyd2RQcFRYQ1ZCNDU5U0ZBCjVBUHhmOEtieVp3M0UrbzE5U0Nn + cnJjR0g3MCt0SngreWJpMFlFM2RDekUKLS0tIGdmQWgzelpabFJ0VWRaQ1FiRjRZ + UW9GbmUybkpXUExtWnJldENMek5wV00K/3ZKwVjEc/gfkwPZ/baPPNrc1SN9Yudn + DtKZfbR9nsqflEtuP2y7vEkEzBj3u/nRD8t7gvj9bAnjJGB+9HCdyA== -----END AGE ENCRYPTED FILE----- - recipient: age16yqffw4yl5jqvsr7tyd883vn98zw0attuv9g5snc329juff6dy3qw2w5wp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZnVQVzhYaGlzcUY2ckNW - RkxKVHZpa2RRZ3ZuWGFkaTNWVVNISnpaMEhRCmxjbnlGbEJPWGhOdGFnNzNoSkgx - ZTNvL0ZKZ2JyeFRlMFJHK2dRTzhoTVkKLS0tIHBoZ09TdHFpTUs4TE5BVUxKemRr - WCttVkpwNVVhRUhtaWlDcDBSMzA1eEEKG149AvnnLyGGYA7oXIhUz46rFzYDFcC+ - r1UrA6MrJXSDggNh2puQ1dDtntub9BHCO8qDGsxSOCpp/TqEtrv9eA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQk9lUWRWcEpzYlNnSStt + L2E3RUE0VG9SZ2pZcmYrbmZ3M3c2VkVWckFNClRHSnJhakcwNkZaSmg3aWVPSXZG + dUVQQWpqQjlwazQ4SitScllWMnhHRG8KLS0tIFZRWU1lbWhEdkZ5VFl2bWRJTkZM + Q1VaTjl6U2hzeWZUeDlab0RaNGlIa1EKaiEDRzdkn0dAoQdps1W1UHAYATDvP531 + 6V/KikZPwY8g6UBUsq53CKKx8tx4SvqixAuAYJT29WtPLIfn2wGnDA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zxf8263nk04zf4pu5x2czh6g4trv4e2xydypyjschyekr6udqcsqmrgv68 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVnZ0OERvMzRxSVE2MEFI + dmRCQUZ1a2YyN1JoMGcxdGhwT0cvcFhnSDNZCnYxa2R2T01aWmVpWUdrK0JTNGkv + empMTjFkRzZLZUFJVkpZU0tXUnRlcTgKLS0tIFU4QXk3NlR3b1o0UmVhNWt4NVR3 + anJ5R3Z0MVNFWEZVM0pnQVgzcjdaSVUKcKKDp0mu4yO6Sxu6CDweETwJ6b404+rT + YfznubwZw+bbTS/W1yXvmKE9cSZ1A6EUldaGjizS+wR1fKpCwEGoHQ== -----END AGE ENCRYPTED FILE----- - recipient: age1w5w4wfvtul3sge9mt205zvrkjaeh3qs9gsxhmq7df2g4dztnvv6qylup8z enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTTV0QkdnWDlVckJjaVF6 - bXhZUHFFNEVReE1qSURZdjlXVkN4ZE1VOVVrCjBsdTdOSXRISkpVMGVDY0RtMXIy - MGtHakFuV2VqNk4vcFJmV2FmQjhJQk0KLS0tIC9nRHJSVWVWY0tEaURValdOY1Vm - bTFWS25lajdzNDdXd0lJY3VCbm0xbW8KgW0kqgIoH2UWqMPhyI1lY3qJJhDankCr - wQ1s6Jyxi58hFpCChfSi0q3s0Nd1RWo/MMHZnw8IJ9YAp7MFRY/6lA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTm1XZTdDU2tCMlRUZlR3 + SURZbU5LOHl6MlVpb0J1QW5TbmZ1S3J5aERFCm5pTnJjUmg0Q1VWWUJ6TThTWGx0 + dmMwUGlVc3FqTHFvRWhiQnp0UWljSTgKLS0tIHVXWjlaNjBTaTM4ck1XVWRFcXNi + L2pWazRCVnZDUHd6bUpvbG1JWEgvNFEKKT3AWCrMFyGp2bnAUMi1RDxKvJSUm5We + qt5ZaZbV8VqAhrZhHXb3KpWZYcof5yxTRGOalfKMSaAGg9Mr0itN6w== -----END AGE ENCRYPTED FILE----- - recipient: age1wwufz86tm3auxn6pn27c47s8rvu7en58rk00nghtaxsdpw0gya6qj6qxdt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeTBZM2NnV3EvSFQveUFE - OWJoeC9sR1BVemczT01YbjJCUW45dCtOamh3CjJycHNBb2RRaUVrd1E4V2k5d0Jt - SUhuakRFWDRQbnJmNDl1b0g2ZGV1S1kKLS0tIHd2eW5sNFAwUjhCaVVibGowSVNS - VGRMUmUxcjVqekFXV0MzbnpVN2V6dUUKze9Ys+rYb46Oz1ZTCoUGCjWteuheoa4h - DnhKGEcHVYVsJ+lxRheLeEEilLUSluWK0ejAomPSR9oi9y0Z3rEUAw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQWhWcC95OGRpNStyY21U + K3UyaXR3dUJhelVVUXpvMDRpNzlYZHFUVFNvCitzaUM5akl2RGlsTDBsdHptaTRM + MUFsNmlrS1JYV0w4anZMc2QxNy9sbjAKLS0tIHFGY2cwekpoL3IyMHAwK1VBai9D + NlVPMFNySmhjNzhSR0k2Z3kyRnpKZEkKfTCC2nPXDFEx7w2U5Z2Kdp8FPHAFakL1 + xX4L4l878IfuRz7yMQGdS90tCexPocord/zWRks65JFdm31TLdkOVg== -----END AGE ENCRYPTED FILE----- - recipient: age1c2kc034n7tqztarcu7n5ldnjmy9sr3jgwrsaddsj0hwfus9mdp3sctts4m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5L3FmS3JFTHRqeUkxY1JS - TXFONTNFNnUyVE1CSWhnM05pT21aVStWVDN3ClE2WHhRTExsVmhaaWQyNCs4LzJo - ampVZHlycE9McEEzdCtFZzNoY1ROcmcKLS0tIGFhcFM3cVNEa0k2NS93amtEVHp4 - cE42N2Y5WGVMOUZ5a3VvQVlEcDNqZUEKUhfElhoxunhwhIEouSCzqbsqAHcBcuh6 - tuzDqSuc3z8NMfLKW3EwCwmGbk9YX57WHmGbd1EM54kAE7zflymOLQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXT2Q5Z3BoZzFPQ2FSbkY4 + dFYyRHc0dlpHdktUR2tKYUJ3Zjg3dWJpMWxJCkthenZ5TnkwL3B2bzFFQzN5WUJ0 + Uk5iRm5QOTk2Y1BDcXFmVElDTjAySDAKLS0tIElVUkpyeXYwQ2Z6N0QvdDZVdkVo + K1MySzNiNWhBV2VaTVdEQ2pzZjJmME0K+Fvb4fpLEc8fcAFyeCQmdrXERUogjIvR + hlkO/x5nFdipBqNPLzY5ytE3GpgRTuq/O3+uXpdOk65Eq1Uwlrcm7w== -----END AGE ENCRYPTED FILE----- - recipient: age1zjgqu3zks5kvlw6hvy6ytyygq7n25lu0uj2435zlf30smpxuy4hshpmfer enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RS9maGVJeDNnRUl5Yk0r - N3pvbWxQL3h6aU01TGRFNysrZkd1TmRER1JBCmJjdnBiUUlMR1poZGpTeC8wSVQx - aGF0STE0TE1sa3YxakEwMUt3bURxUkkKLS0tIDVsdnpxcHpvQStjM09iSDRMdU1T - c09FQVJURG5PaW43cGhIWFRhQ1ppcEUK2iJ/M228wXCdIcs7LBbnntTrJqzmfdOi - btMKaOX0d3vecXooJF6smssVrdUIwRdoLe8qBeGiMqhjCqjwur0UzQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdkE0Uk5RNzI0MnRnc0Q5 + UFVxOVRyQjRrTUNla0lpblVBUDNCVGU3clVzCk1Pd0RzUmxuVVI5WHRhYVdVYUVQ + MGkyS0F2ZlhIT0d3WU5SQloyYWN0eXMKLS0tIGROZ3J5SUZBVGt5SkZRY3dpdzht + bkFsT1NyWXhXbGJ6dWJRcWZBbE1vZ1UK2q/dIfdaRn18XvPJJUC/ML/cHZN+/XhQ + BYxCkg+8z6F+tWzJ/7yuV522fKRW7Vw/8jPQ1obPTRTYGvWSgPVVBg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-04-04T09:34:06Z" mac: ENC[AES256_GCM,data:YIcRrsPparPfPaI2+MLlKsxu7M19H8nndOsrDLuh/5BXzIZNiuTIWyvxODyhI745rDwlibO+7Q0QctanhTl4+IzGaYtuY4i+rb+3dzBMpcdT2VAbtCHHxcltWeanRGFq2K3WM2tbnQCERst5kejfn0Razjq3UU5vNwfBsdJMwGc=,iv:izDxy0ufVnH8ImkZIngcYhGuj0PGpLqBD/ZDvQyE+5I=,tag:oYBUEQS52pr09h5OvOadNg==,type:str] diff --git a/secrets/sparky.yaml b/secrets/sparky.yaml new file mode 100644 index 0000000..cc1d673 --- /dev/null +++ b/secrets/sparky.yaml @@ -0,0 +1,30 @@ +kopia: ENC[AES256_GCM,data:AS5zTDpPPuPGEoT05uHyAfPTbls=,iv:YZK8O0/osP0/ay1tw2kkiCoxws+DlzquVqXNdVayE+k=,tag:tCNM8fzEEuRTPDJybq7fUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOUY0MFRzNkV4WTlyVXhj + L2drMTlUZ2pzN09mVk4xYk90cmg0VXVvbXdFCjNrYjNCQ1RXaXo3Nm5ScTZIcHJy + eGdVRkhpV0J1bC9jenkwS3l0UXVSMXMKLS0tIDZXbythcWN3Y21zZVVvNkhiVmY5 + cnJZYWg3VVZsbGZhSHM5b2tXMTk2d1EKz1Dd5jhfVT+f+nRCYNFo1YuTDVzTUq91 + W1HDd/6SvBfky80+KXTEqZL/TL+gjgKEdyXQryrfH/rfvymqzDpGaA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zxf8263nk04zf4pu5x2czh6g4trv4e2xydypyjschyekr6udqcsqmrgv68 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcWZxaE9EbWlIM0R5Wkhj + MmFMdlhyR2Vma3RsbnM4ak9sKzdLWENaUTJFCkNXVDNmRUJTRWFPeEpXcWl0cE9Z + dm53UTJVSlZpNmdieFJEYmU5TVhhUkUKLS0tIHhwSWhuWUhUYmZrK1Ezelpud3J3 + Sit5S0hzcGZEL0oxRmNVbVNhYklaaTAKf0ts/HpTcrLH8svaB3gwFH4W4QIdrPPE + trGqXGj8YOkiA78J1maKijXuqjtPvKkBEPYekEY3c378gZhFdL+8lQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-19T17:33:13Z" + mac: ENC[AES256_GCM,data:IwEyBr/I7BJa0gWZ494dCT0ogyP2PbnUg5fLOn15vZAHIyYtTB3dI3gV5Lx7oPdqOPlI61MsShIYBnk0uBChpNu6O4oiGUfwvBfegzlDyHHERLx+S7nZpcwmf/3JoNXwq0f2OtOu8nA6Q1V4gVjFFNWUCAh5cq106vG1awsQkn0=,iv:j+JcVtKz2RfyWu55dUeJJTRK6prB9DGLvcjiAAdVySM=,tag:Pg5sKiLzYUFoN9Duu+nF0w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/setup-host.txt b/setup-host.txt index c612edc..84db3dd 100644 --- a/setup-host.txt +++ b/setup-host.txt @@ -10,3 +10,4 @@ * on base host: nix run github:nix-community/nixos-anywhere -- --flake '.#' nixos@ * after confirmed working, update hosts//default.nix to set keyFile to /dev/sdX (otherwise when the USB drive fails it's harder to replace) * if replacing failed host in place, update key in .sops.yaml with the output from "ssh-keyscan | ssh-to-age" then "sops updatekeys secrets/*.yaml" +** if installing new host, do the same for install then again after the first reboot (the installer key is not persisted)