Merge pull request #14 from 99linesofcode/mars-host-configuration

Configuration for hosts/mars

Author: 99linesofcode

.sops.yaml

@@ -1,45 +1,21 @@
-# TODO: generate keys and update creation rules dynamically on nixos-anywhere install (update yaml with yq)
-# the /etc/ssh/ssh_host_ed25519_key is used in nixos-config by default and needs to be added in order for
-# # it to be able to succesfully complete the installation.
 keys:
-  - &master age1nww8elvlr7l2sn2452z6wef8tyex53ehrypemkxhzfay2t99x52scwsw94
-  - &luna_shorty age10a049meemjvgdgukx6zu5lwu82mqul83l7fyd66tzy9sm8637s7q07ujez
-  - &mars_shorty age1pztum0c6dy94ah2rcwfd983hwhg8mwum3uljpwguu8cypxrs0uxsqz6hc5
-  - &host_mars age1gx9hqvsc2ewy5yu4xp6v9wl0la7s9qhnezaya54yhsx3w7w3vg9s8pzknr
-  - &host_luna age1pueehhjrvwh8v50u7hhpy0u7zx50nj0u7c9hgtzrr7ja0hed9qdsk0m66j
+  - &master age1hy523tlslqas8qgs0lxgxanp9gx06fjekn608w4qf66mxkjzmucqh0g6vg
+  - &host_luna age10a049meemjvgdgukx6zu5lwu82mqul83l7fyd66tzy9sm8637s7q07ujez
+  - &host_mars age1epkfxmjk0tlne8rmxqq77u06q3lnf5xfjcrwq42nuasswefndyfscw84cy
 creation_rules:
   - path_regex: hosts/shared/secrets/.*
     key_groups:
       - age:
           - *master
-          - *luna_shorty
-          - *mars_shorty
           - *host_luna
-  - path_regex: hosts/luna/secrets/.*
-    key_groups:
-      - age:
-          - *master
-          - *luna_shorty
-  - path_regex: users/shorty/secrets/.*
-    key_groups:
-      - age:
-          - *master
-          - *luna_shorty
           - *host_mars
-  - path_regex: hosts/mars/secrets/.*
-    key_groups:
-      - age:
-          - *master
-          - *luna_shorty
-          - *mars_shorty
-  - path_regex: hosts/mars/users/shorty/secrets/.*
+  - path_regex: hosts/luna/.*/secrets/.*
     key_groups:
       - age:
           - *master
-          - *luna_shorty
-          - *mars_shorty
-  - path_regex: hosts/luna/.*/secrets/.*
+          - *host_luna
+  - path_regex: hosts/mars/.*/secrets/.*
     key_groups:
       - age:
           - *master
-          - *host_luna
+          - *host_mars

deploy.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+. ./scripts/sops.sh
+. ./scripts/ssh.sh
+
+HOST=$(uname -n)
+USERNAME=$(id -un)
+VERBOSE=0
+
+show_help() {
+  cat <<EOF
+Usage: $0 [OPTION] [ARGUMENT]
+
+Options:
+  -h, -?, --help  Show this help message
+  -v, --verbose   Enable verbose mode
+
+Commands:
+  install         Remotely install a new NixOS system using nixos-anywhere
+
+Examples:
+  $0 --help
+EOF
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+  "-h" | "-?" | "--help")
+    show_help
+    exit 0
+    ;;
+  "-v" | "--VERBOSE")
+    VERBOSE=1
+    ;;
+  --)
+    shift
+    break
+    ;;
+  *) break ;;
+  esac
+  shift
+done
+
+# ---
+
+WORKDIR=$(mktemp -d)
+
+menu_install() {
+  echo "Enter target host IP address: "
+  read HOST_IP
+  echo "Enter hostname: "
+  read HOST
+  echo "Enter username: "
+  read USERNAME
+}
+
+nixos_install() {
+  nix run github:nix-community/nixos-anywhere -- \
+    --generate-hardware-config nixos-generate-config "./hosts/${HOST}/hardware-configuration.nix" \
+    --extra-files "$WORKDIR" \
+    --flake ".#${HOST}" \
+    "root@${HOST_IP}"
+}
+
+# ---
+
+case "$1" in
+"deploy")
+  menu_install
+
+  ssh_generate_host_ssh_key
+
+  sops_add_or_update_public_age_key "$(ssh-to-age <"/etc/ssh/ssh_host_ed25519_key.pub")" "host_${HOST}"
+
+  sops_add_host_creation_rules "hosts/${HOST}/secrets/.*"
+
+  # TODO: figure out how to add anchors and anchor content using yq instead
+  sed -E -i "s/'([&\*].*)'/\1/" .sops.yaml
+
+  sops_rekey
+
+  nixos_install
+
+  exit 0
+  ;;
+esac

flake.nix

@@ -45,9 +45,7 @@
       inherit (self) outputs;
 
       systems = [
-        "aarch64-darwin"
         "aarch64-linux"
-        "x86_64-darwin"
         "x86_64-linux"
       ];
 
@@ -67,7 +65,6 @@
         nixpkgs.lib.nixosSystem {
           modules = [
             disko.nixosModules.disko
-            sops-nix.nixosModules.sops
             (import ./modules)
             (import ./users)
           ]
@@ -87,6 +84,9 @@
         luna = NixosConfiguration {
           modules = [ ./hosts/luna ];
         };
+        mars = NixosConfiguration {
+          modules = [ ./hosts/mars ];
+        };
       };
     };
 }

hosts/luna/default.nix

@@ -1,8 +1,6 @@
 {
-  inputs,
   modulesPath,
   pkgs,
-  self,
   ...
 }:
 
@@ -25,7 +23,6 @@ in
   environment.systemPackages = with pkgs; [
     busybox
     git
-    zsh
   ];
 
   hardware = {
@@ -36,24 +33,22 @@ in
   };
 
   host = {
-    root = self.outPath;
     user.${username}.enable = true;
 
     efi.enable = true;
     encryption.enable = true;
     btrfs.enable = true;
     swap.enable = true;
 
-    networking = {
+    network = {
       hostname = "luna";
-      static = {
-        systemd-networkd.enable = true;
-      };
+      manager.enable = true;
+      systemd-resolved.enable = true;
     };
+
     printing.enable = true;
     virtualization.enable = true;
 
-    avahi.enable = true;
     bluetooth.enable = true;
     catt.enable = true;
     docker = {
@@ -86,6 +81,7 @@ in
     undervolt = {
       enable = true;
       coreOffset = -125;
+
       gpuOffset = -925;
     };
   };

hosts/luna/hardware-configuration.nix

@@ -27,9 +27,9 @@
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+  # networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.docker0.useDHCP = lib.mkDefault true;
+  networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

hosts/luna/secrets/wireguard-private-key

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:EEIiRpGzZb28fI9cjYuxAD69tIJHgj3ADT2TiLMovVIn0XJm5e9fS2SInmN0MW6ZtT/wlaPpiHRUTs9R5P4/vE0vGvTtm23Hm/yTMiP4aOU2n2mrvQBca5h+A3aQojHiR9tTBMMy2Zsh+AH5MvZeGAP0W5xx74B+uict5LO4ZfNByur7l19o3ezsPq/0gDxjscJT1xGieg9b8sR3GAtw8J34xjKultp8MqrQU5Ng8eLk2vhghAnrrlUW3o1GwRP224EMjMieVzf/tPDkb/yDpAGFtsMJ4yoP90NWZ8IV2KWzaqn45SCk1XpfwKUOx3ILRNkUbQnaTiuqo1m5MNNHB/xE+QzC3ufYfv6TAgfX3EdojxCUs53ZERnsta3dvFp6sfdVXbrR/GVFuy9AnkEmK2Nm05qBnJiLQf7dP4cl3sJlrA3GjKoqwEsz5tMGjR12EJHf1FwWtkIjrL81jnFDr3bZBqFiNYd+a2z9Nc/NwtyJSRpT6UcnPGWczpYHyc4K4x+uG2K67YblHx07TqjV,iv:3koIfiw1sqvSdNZenW8d1tWXa/eOe4bYbjMcspEMnFs=,tag:Kt2sjD2Vrb3p21DByHOYqg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1hy523tlslqas8qgs0lxgxanp9gx06fjekn608w4qf66mxkjzmucqh0g6vg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUzljQWlRb0ZyNHA1cUNN\nZ09QNXhFS2Q0UEJ5MDRkc29nVWJKQzZabWlZCmdpTjlIbU50Y2hPNU5mS2JGdTFJ\nTHltNEJJRWs0SVBEK2JzcklzaWp6emsKLS0tIFVTbHlOWnNhbWorSndFTmlCMjVj\nZjJkaHZaSUl2YW00MUttaWFFczZOUFEKO6+2ZzBOTwC6bFSf/y34l/okKgy2jYhj\n++IQltnjSEuoVZO9CaBiB0c2eknz382fd4N2uiepF8mRCd7dBHhvqw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age10a049meemjvgdgukx6zu5lwu82mqul83l7fyd66tzy9sm8637s7q07ujez",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYajRJUTIzdnp4VE5zVnVB\nVHFjbXpZeU11L1JreURNaHNQYWkvM2hmTnhvCjR0V3M3SGJXcDN3NkVoV3NUZ1NV\nNVNlaVdQcXYvYVI3Nm9qMWlPK1VVQVkKLS0tIEFNOGNhTVdKd3h1d3l6czVXQXpX\nRXJHeXExbDRtRkJWUXVxRjZ4OWloSjQKcajyJcZCZoel1qXKES5NmZ/iHgQtiG2Y\npjZqIBrw6FNH1oTXmErLJIBxVW9d5I3bU/xQ2A5jNd3o8OAC9MsTAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-24T11:14:20Z",
+		"mac": "ENC[AES256_GCM,data:gWhdcymmHdDe3ObVcNgiBDdjgnPhkU7nCJUihVe5UB/bFl/hshLIvysuB7sIFzYDLLoJS3OYJBUtfG8L6ApUWKOMII5P1O7S+0TVzocm6OTORHiMKgAg4PfB5gJBgMZPoM5TDwHkZQFan5jMdZT2I2M3jIZhxNwdJbCqfXN0LZc=,iv:+pKinP22WwwqKwAJG4zvMBaZLC8RVivW/BVnQ1uPC6k=,tag:H9tepOOUIyR1s/asbefKpQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

hosts/luna/users/shorty/secrets/id_ed25519

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:lpXo14lBouQ8maOZFkxZRAC32m/wDMJHajNJQPF0IAzPxiDPMRwTdIDaqbT7ehJwibHyCFDKeN6ykW415ZkEoyFJRheP3mesKjlH/Blvqszl91uJhqBy7oCBiQSu,iv:S+rrflN8KGkBDui6KyHarzQTuGTN8EivJDuLYFLof8Q=,tag:FV8omreLceM9DA9MYxHfaQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1hy523tlslqas8qgs0lxgxanp9gx06fjekn608w4qf66mxkjzmucqh0g6vg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SFdqdUZkenRqUjV3d2o5\nS0VXTE1Cak80SHdXcnpCd0FmSTBBR0FwVjNRCjFEYXlLOCtHbUg4RlhmVkV6aldB\nbWxTRDhBd3grcnloMHNSSnFuN3RtTTQKLS0tIGNtTUI2WDVKV0pDU0NwQjRxdFZF\nK3IvQ1pyS3BSbVk5QjUyZk9tVmtFak0KW//YyXr6+6NSlUdatMX00O5dlioLBnqv\njq84ZsgCrzm7KAhStvH3icOGdP1skQ82Wp8B76X3IQQvIqTXLT+Jkw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age10a049meemjvgdgukx6zu5lwu82mqul83l7fyd66tzy9sm8637s7q07ujez",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUUxkNVFDVlFYOXpQVk45\nMEtTdEQvMEwramdLQW9XNVBNVDN5Z1JqMlFzClZTakNJVFBSSEFWdlBRN0xITXlS\nYkE2dk0rNDFrcnFwZ2FPL3ZvRTlINEUKLS0tIFhhdkF6ZWwvR3JJMTA2L0hITGsz\nYkhac0FKeHhqUUplblMrd1dpNldNdUUKGQZlACAnWYpxAVO5tHnHg/cJXypujWEk\n9t4pSQIamiFJQ7zeUuNjEPRppQYKuPCkGx6hZ7PUiuLLDNWdL/GzpQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-26T18:29:50Z",
+		"mac": "ENC[AES256_GCM,data:Ru1Fsr/jcq1ij9NJJyoKy4n0ft98V6u1vBP1tQHTF1bfL6jeHiFDQXdMN52aLAPgWiU0agyfYQ+SW9REoqpW9wMoNRPojGPfdi91Okt8irsdPxDPNTJ7sWA6XeIcLiNpFkFHY1S/VtOFICNLOldnctdHRxBocfsi8E3O7S1g8yM=,iv:yuyTCpLP/C7IE/kP2kGzBiwTLcXoJ1ng6TezKmyGEYY=,tag:rVSdDOCnbaOxxNiI7AIbpw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

hosts/luna/users/shorty/secrets/id_ed25519.pub

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:xhXb0H/xniOvNFtxPVwFsAdaJIRhSlX0PRvamZFCIQDXWgTS2tCvBMHEjtvm2kTgRoEn1wI7PRF6QdDtpemuSXQuPQ/oiaUAAQU=,iv:0oNZ9yVxqp4k10iOkC0xnNqJEPJftTE52svGJ6xz5Oo=,tag:LnG1A+0osRC3LaWDl3lOBA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1hy523tlslqas8qgs0lxgxanp9gx06fjekn608w4qf66mxkjzmucqh0g6vg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNXJ4TDNxa2FQS2FRSCs2\nVUNSME5SSEtUWTE5OHUveUtHWGVXMHRZZ3pvClljV0Z5OFNyWVpRU3ZTQlVjZng2\nTkc2S0pod01Oa3dHeWlHQWdYTTFnQTAKLS0tIEJpSHk2RHFabG54eGNPTVRIMHBU\nNkZTWVRMenZZamdzTHBzUUFJbGVsT3MKTwwrMTNUIOq8lTvC7uPyYV0n/6eVsF1v\nDIWopzau+JLckuGeddi5W++D3qT2V1Y+37u9MqbBeks1oQ7NENtbvw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age10a049meemjvgdgukx6zu5lwu82mqul83l7fyd66tzy9sm8637s7q07ujez",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPalNaM2s3MU5uTTNrY0Zz\naTRmbktXVjhmYnZZTTl0WVJZYnZSZHBmclZVClFiYXBpM2xDc2JJZmV1V2dPVEIv\nTjdnU0dmSy96czhMV3YyZGxxRnBEQUUKLS0tIHNoazhXd3M0Wks2Vk1BSTArd1Rt\nNWQ0QTI4bm83U0xhN21ZWmxOTjhVK1UK9jKeX87VhO40kEUG4JDkLOgTKHb5i+5d\nEVJY3KEsbbF0V3H0ND9GJ8MuF1b9RMWjGMkEcardkLuy1M1nmtetDw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-03-11T21:49:48Z",
+		"mac": "ENC[AES256_GCM,data:oEeEsZwgYq1EeuQKbWTdo5KSUdsVZZMdjFv2v5ThrlGpaJyIeuV5thBhahGEF6xnO/Ah6DZsA72i719vkX2kvG/TpsRDsoyZ9Vjs4OJ9ZgCDIIgFkKmav7mbeRSA0eCr97DUyu7uUHhy7eYvCXnBLLIea/TgJsHvfjA8AQIsauo=,iv:NQPEAYyccEdeWv+iSyZ7T08YZQjysdyaDArtfAiUcKk=,tag:FALOMEkEBGN7yu4ARiKrYA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}

hosts/luna/users/shorty/secrets/passwd

@@ -0,0 +1,44 @@
+{
+  modulesPath,
+  pkgs,
+  ...
+}:
+
+let
+  username = "shorty";
+in
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./disko.nix
+    ./hardware-configuration.nix
+    ../shared
+  ];
+
+  environment.systemPackages = with pkgs; [
+    busybox
+    gitMinimal
+  ];
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  host = {
+    user.${username}.enable = true;
+
+    network = {
+      hostname = "mars";
+    };
+
+    docker = {
+      enable = true;
+      rootless.enable = false;
+    };
+    k3s.enable = true;
+
+    openssh.enable = true;
+  };
+}