From 15fea3bec88966d25d59d68e59d0c95193385aae Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Fri, 3 Nov 2023 15:23:05 +0100
Subject: [PATCH] add yodaHedgehog

---
 README.md | 2 +-
 assets/ssh/known_hosts | 6 ++
 hosts/yodaHedgehog/configuration.nix | 66 +++++++++++++++++++
 hosts/yodaHedgehog/hardware-configuration.nix | 46 +++++++++++++
 hosts/yodaHedgehog/host-specific.nix | 1 +
 modules/ssh-client.nix | 14 ++++
 ...{fde-ssh-unlock.nix => ssh-fde-unlock.nix} | 5 +-
 modules/ssh-server.nix | 6 +-
 8 files changed, 142 insertions(+), 4 deletions(-)
 create mode 100644 hosts/yodaHedgehog/configuration.nix
 create mode 100644 hosts/yodaHedgehog/hardware-configuration.nix
 create mode 100644 hosts/yodaHedgehog/host-specific.nix
 rename modules/{fde-ssh-unlock.nix => ssh-fde-unlock.nix} (88%)

diff --git a/README.md b/README.md
index 1597698..1c571b7 100644
--- a/README.md
+++ b/README.md
@@ -347,7 +347,7 @@ Filtering:
 
 ## BTRFS swap file
 
-* https://nixos.wiki/wiki/Btrfs#Swap_file
+* Detailed instructions: https://nixos.wiki/wiki/Btrfs#Swap_file
 * https://wiki.archlinux.org/title/btrfs#Swap_file
 
 Summary:
diff --git a/assets/ssh/known_hosts b/assets/ssh/known_hosts
index 68e92c8..697e33f 100644
--- a/assets/ssh/known_hosts
+++ b/assets/ssh/known_hosts
@@ -5,6 +5,12 @@
 [192.168.178.27]:2223 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0bfqbAh6E3sq82sg+ftcYLn7sPqCpPmPniL5Ey42Js
 [p1st.de]:2223 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0bfqbAh6E3sq82sg+ftcYLn7sPqCpPmPniL5Ey42Js
 
+# 2023-11 yodaHedgehog with NixOS
+[192.168.178.106]:2226 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZmR+z+5/7xdu8mbZ54/DoqiXzoKh8rtHBU52KhwWx4
+[p1st.de]:2226 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZmR+z+5/7xdu8mbZ54/DoqiXzoKh8rtHBU52KhwWx4
+[192.168.178.106]:2227 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOr6z4AcZelv08eY9TMHihlF+C1g8OBLldMvNz3TvXOr
+[p1st.de]:2227 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOr6z4AcZelv08eY9TMHihlF+C1g8OBLldMvNz3TvXOr
+
 # 2023-10 yodaHP with NixOS
 192.168.178.108 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy1mNvsCIyYW5rNkNcEUCGYlDdPUJ+SyzrASd+z8q2Z
 
diff --git a/hosts/yodaHedgehog/configuration.nix b/hosts/yodaHedgehog/configuration.nix
new file mode 100644
index 0000000..a1424e6
--- /dev/null
+++ b/hosts/yodaHedgehog/configuration.nix
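Review bot: The new `# 2023-11 yodaHedgehog with NixOS` comment does not say which of the two key pairs belongs to which service, so someone investigating a host-key mismatch cannot tell from this file whether the main sshd or the initrd unlock sshd changed; the ports correspond to the `yodaHedgehog` (2226) and `unlockYodaHedgehog` (2227) client entries added to modules/ssh-client.nix in the same patch. Consider `# 2023-11 yodaHedgehog with NixOS (2226: sshd, 2227: initrd LUKS-unlock sshd, deliberately separate host key)`. Two distinct keys for the two ports is the right outcome here, presumably because the initrd key is stored outside the encrypted root; recording that intent next to the keys keeps a future "deduplication" from merging them.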
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./host-specific.nix
+ ../../modules/home-manager.nix
+ ../../modules/nur-and-unstable.nix
+ ../../modules/base.nix
+ ../../modules/headless.nix
+
+ #../../modules/gnome-base.nix
+ #../../modules/gnome-config.nix
+ #../../modules/gnome-extensions.nix
+ #../../modules/gnome-fractional-scaling.nix
+
+ #../../modules/programs.nix
+ #../../modules/boxes.nix
+ #../../modules/freetube.nix
+ #../../modules/vscodium.nix
+ #../../modules/signal-desktop.nix
+ #../../modules/element-desktop.nix
+ #../../modules/joplin-desktop.nix
+ #../../modules/tor-browser.nix
+ #../../modules/autostart.nix
+ #../../modules/wallpaper.nix
+ #../../modules/fwupd-gnome.nix
+ #../../modules/print-and-scan.nix
+ ../../modules/ssh-fde-unlock.nix
+ #../../modules/nextcloud-integration.nix
+ #../../modules/git.nix
+ ../../modules/zsh.nix
+ #../../modules/nitrokey-gpg-smartcard.nix
+ #../../modules/ssh-client.nix
+ ../../modules/ssh-server.nix
+ #../../modules/firefox.nix
+ #../../modules/thunderbird.nix
+ #../../modules/digikam-rawtherapee.nix
+ #../../modules/ghostwriter.nix
+ #../../modules/android.nix
+ #../../modules/pmbootstrap.nix
+ #../../modules/podman.nix
+ #../../modules/docker.nix
+ #../../modules/docker-pushrm.nix
+ #../../modules/lid-switch-handling.nix
+ #../../modules/sendmail-mta.nix # TODO
+ #../../modules/journalwatch.nix # TODO
+ #../../modules/waydroid.nix
+ #../../modules/ntfs.nix
+ #../../modules/veracrypt.nix
+ #../../modules/btrbk
+ #../../modules/spin-down.nix # TODO
+
+ ../../modules/btrfs-scrub.nix
+ ../../modules/btrfs-mount-options.nix
+ ];
+
+ networking.hostName = "yodaHedgehog";
+ boot.initrd.luks.devices."crypted".allowDiscards = true;
+ yoda.btrfsFileSystems = ["/"];
+ #yoda.btrfsMounts = yoda.btrfsFileSystems;
+
+ boot.kernelParams = [];
+
+ boot.kernelPackages = pkgs.linuxPackages;
+}
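Review bot: `boot.initrd.luks.devices."crypted".allowDiscards = true;` carries no explanation of the trade-off it accepts: passing TRIM through dm-crypt lets the SSD reclaim blocks, but it also exposes which blocks of the encrypted device are unused, which is why the NixOS option description warns that it has security implications and points to the LUKS documentation. A one-line why-comment such as `# TRIM through dm-crypt: better SSD behaviour, but reveals the free-space layout of the encrypted device (accepted for this host)` keeps that decision visible where it is made, since the device itself is declared in the generated hardware-configuration.nix. `boot.kernelParams = [];` is an empty assignment that changes nothing and can be dropped or marked as a placeholder. The module list also keeps `ssh-client.nix` commented out while `ssh-server.nix` and `ssh-fde-unlock.nix` are enabled, which looks intentional for a headless host but deserves a word in the file.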
diff --git a/hosts/yodaHedgehog/hardware-configuration.nix b/hosts/yodaHedgehog/hardware-configuration.nix
new file mode 100644
index 0000000..d3e10f7
--- /dev/null
+++ b/hosts/yodaHedgehog/hardware-configuration.nix
@@ -0,0 +1,46 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/4d413255-2c52-4b69-9be1-179e28f1b67e";
+ fsType = "btrfs";
+ options = [ "subvol=@" ];
+ };
+
+ boot.initrd.luks.devices."crypted".device = "/dev/disk/by-uuid/5ecf0d68-24fc-49ee-8a78-23b47f3c566c";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/81A5-B98A";
+ fsType = "vfat";
+ };
+
+ fileSystems."/swap" =
+ { device = "/dev/disk/by-uuid/4d413255-2c52-4b69-9be1-179e28f1b67e";
+ fsType = "btrfs";
+ options = [ "subvol=@swap" ];
+ };
+
+ swapDevices = [ { device = "/swap/swapfile"; } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/yodaHedgehog/host-specific.nix b/hosts/yodaHedgehog/host-specific.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/yodaHedgehog/host-specific.nix
@@ -0,0 +1 @@
+{}
diff --git a/modules/ssh-client.nix b/modules/ssh-client.nix
index 6e05305..b5f0a6c 100644
--- a/modules/ssh-client.nix
+++ b/modules/ssh-client.nix
@@ -74,6 +74,20 @@
 compression = true;
 };
 
+ # local IP: 192.168.178.106
+ "yodaHedgehog" = {
+ hostname = "p1st.de";
+ user = "yoda";
+ port = 2226;
+ compression = true;
+ };
+ "unlockYodaHedgehog" = {
+ hostname = "p1st.de";
+ user = "root";
+ port = 2227;
+ compression = true;
+ };
+
 # local IP: 192.168.178.27
 "yodaNas" = {
 hostname = "p1st.de";
diff --git a/modules/fde-ssh-unlock.nix b/modules/ssh-fde-unlock.nix
similarity index 88%
rename from modules/fde-ssh-unlock.nix
rename to modules/ssh-fde-unlock.nix
index 8d3f35f..528eafe 100644
--- a/modules/fde-ssh-unlock.nix
+++ b/modules/ssh-fde-unlock.nix
@@ -2,6 +2,7 @@
 {
 # Unlock encrypted root partition remotely with SSH.
 # TODO: Some manual steps are required, see https://nixos.wiki/wiki/Remote_LUKS_Unlocking#Prepare_SSH_host_keys
+ # -> ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
 #
 # Additional references:
 # https://wiki.archlinux.org/title/Dm-crypt/Specialties#Remote_unlocking_of_root_(or_other)_partition
@@ -17,6 +18,8 @@
 then 2225
 else if (config.networking.hostName == "yodaNas")
 then 2223
+ else if (config.networking.hostName == "yodaHedgehog")
+ then 2227
 else throw "Please add initrd ssh port here"
 );
 shell = "/bin/cryptsetup-askpass";
@@ -34,7 +37,7 @@
 # inxi -F
 #
 boot.initrd.availableKernelModules = (
- if (config.networking.hostName == "yodaTux")
+ if (config.networking.hostName == "yodaTux") || (config.networking.hostName == "yodaHedgehog")
 then [ "r8169" ]
 else if (config.networking.hostName == "yodaYoga") || (config.networking.hostName == "yodaNas")
 then [ "e1000e" ]
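Review bot: The ports 2226 and 2227 that the new `"yodaHedgehog"` and `"unlockYodaHedgehog"` entries hard-code are repeated for the same host in the ssh-server.nix hunk (`then [2226]`), the second ssh-fde-unlock.nix hunk (`then 2227`) and in assets/ssh/known_hosts, and nothing ties the four copies together; the `throw "Please add … port here"` fallbacks only catch a missing host, not a port that the client and server sides no longer agree on. A per-host attribute set mapping the host name to its sshd port and its initrd-unlock port, read by both server modules and by this client config, would remove the drift; until then a comment on these two entries naming the other places is the minimum, e.g. `# ports must stay in sync with ssh-server.nix, ssh-fde-unlock.nix and assets/ssh/known_hosts`. The enclosing match-block attribute set starts and ends outside this hunk.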
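Review bot: The added `# -> ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key` line records the command but not why a second host key is generated instead of reusing the system one: the initrd that this key is presumably handed to (the option that references it sits outside the hunk) lives on /boot, which hardware-configuration.nix in this patch mounts as plain vfat, so the key is readable from the unencrypted partition and must be treated as weaker than the main sshd's host key. Suggest extending the comment with `# separate key on purpose: it is embedded in the initrd on the unencrypted /boot; never reuse the main sshd host key here`. The same reasoning is why known_hosts in this patch pins a different key for port 2227 than for 2226, which is worth stating in one of the two places. The enclosing attribute set of this module starts and ends outside the hunk.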
diff --git a/modules/ssh-server.nix b/modules/ssh-server.nix
index d60749e..b6e039b 100644
--- a/modules/ssh-server.nix
+++ b/modules/ssh-server.nix
@@ -10,6 +10,8 @@
 then [2224]
 else if (config.networking.hostName == "yodaNas")
 then [2222]
+ else if (config.networking.hostName == "yodaHedgehog")
+ then [2226]
 else throw "Please add ssh port here"
 );
 # Use authorized keys only.
@@ -19,10 +21,10 @@
 };
 
 # SSH public key(s) allowed to connect via SSH.
-users.users.yoda.openssh.authorizedKeys.keys = [
+users.users."yoda".openssh.authorizedKeys.keys = [
 (builtins.readFile ../assets/ssh/nitrokey.pub)
 ];
-users.users.root.openssh.authorizedKeys.keys = [
+users.users."root".openssh.authorizedKeys.keys = [
 (builtins.readFile ../assets/ssh/nitrokey.pub)
 ] ++ (
 if (config.networking.hostName == "yodaNas")