diff --git a/flake.lock b/flake.lock index 342fbd7..c7d32dc 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,23 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1665870395, + "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "a630400067c6d03c9b3e0455347dc8559db14288", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "coc-rust-analyzer": { "flake": false, "locked": { @@ -95,7 +113,7 @@ "emacs-overlay": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1671358416, @@ -119,7 +137,7 @@ "haskell-flake": "haskell-flake", "heist": "heist", "heist-extra": "heist-extra", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1669586795, @@ -151,6 +169,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -254,7 +288,7 @@ "inputs": { "flake-parts": "flake-parts_3", "nix-darwin": "nix-darwin", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "pre-commit-hooks-nix": "pre-commit-hooks-nix" }, "locked": { 
@@ -367,6 +401,26 @@ "type": "github" } }, + "nix-serve-ng": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_5", + "utils": "utils_3" + }, + "locked": { + "lastModified": 1669427214, + "narHash": "sha256-ELsHgI5OJEHDA2FWJdsxe5O7KGvt4znSH3yFVxOKHOA=", + "owner": "aristanetworks", + "repo": "nix-serve-ng", + "rev": "e36a1a93aacf2257c3eca8791b505a61b1e1ca95", + "type": "github" + }, + "original": { + "owner": "aristanetworks", + "repo": "nix-serve-ng", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1669146234, @@ -384,7 +438,7 @@ }, "nixos-shell": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1646257415, @@ -418,14 +472,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 0, - "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=", - "path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source", - "type": "path" + "lastModified": 1665732960, + "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", + "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-lib": { @@ -483,6 +541,18 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 0, + "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=", + "path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source", + "type": "path" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1668443372, "narHash": "sha256-lXNlVyNWwO22/JUdBtUWz68jZB3DM+Jq/irlsbwncI0=", @@ -498,7 +568,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1670495322, "narHash": "sha256-PYwHXymeQZBrTylwDd4LgozTAgrJmp3UGf3mgnKPRr0=", 
@@ -514,7 +584,23 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { + "locked": { + "lastModified": 1669391192, + "narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1628465643, "narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=", @@ -529,7 +615,7 @@ "type": "indirect" } }, - "nixpkgs_5": { + "nixpkgs_7": { "locked": { "lastModified": 1671200928, "narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=", @@ -569,6 +655,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "coc-rust-analyzer": "coc-rust-analyzer", "comma": "comma", "darwin": "darwin", @@ -577,10 +664,11 @@ "flake-parts": "flake-parts_2", "hci": "hci", "home-manager": "home-manager", + "nix-serve-ng": "nix-serve-ng", "nixos-hardware": "nixos-hardware", "nixos-shell": "nixos-shell", "nixos-vscode-server": "nixos-vscode-server", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_7", "zk-nvim": "zk-nvim" } }, @@ -614,6 +702,21 @@ "type": "github" } }, + "utils_3": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "zk-nvim": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 91fbb2a..cefa617 100644 --- a/flake.nix +++ b/flake.nix 
@@ -11,6 +11,8 @@ darwin.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; + agenix.url = "github:ryantm/agenix"; + nix-serve-ng.url = "github:aristanetworks/nix-serve-ng"; hci.url = "github:hercules-ci/hercules-ci-agent"; @@ -69,6 +71,7 @@ self.nixosModules.default # Defined in nixos/default.nix ./systems/hetzner/ax41.nix ./nixos/server/harden.nix + ./nixos/hercules.nix # I share my Hetzner server with other people who need it. self.nixosModules.guests ]; @@ -85,9 +88,12 @@ }; }; - perSystem = { pkgs, config, ... }: { + perSystem = { pkgs, config, inputs', ... }: { devShells.default = pkgs.mkShell { - buildInputs = [ pkgs.nixpkgs-fmt ]; + buildInputs = [ + pkgs.nixpkgs-fmt + inputs'.agenix.packages.agenix + ]; }; formatter = pkgs.nixpkgs-fmt; apps.default = config.apps.activate; diff --git a/secrets/cache-priv-key.age b/secrets/cache-priv-key.age new file mode 100644 index 0000000..3d45933 --- /dev/null +++ b/secrets/cache-priv-key.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa sNTFlg +Ys3fyTk1zXIPfYvN1cx+fK+DgackWPAb/KrY1VRS5xYIB8ODs/VrvuV09apkfhyd +4hrWgTrTz5mgjanMdX1PhvEqrv79dRJgIqnt801brFhVEwTQKr1XWfWq5+iWtwJG +5i0TeAfKoEUNXs9A900GhmQWS7MC7oLyqhVlpAVJ1jAM3HyK/y+LyIi/My/tpc0Q +sa00r36F7dt/dr3xUxKv9oqmDkZeklMEMMPVfLokt5C8msPhFkm6cvNQ4xh9fgS2 +z14WbC4YNCmTxuFPPSoUX0QwK5shwA+qvENZ1jkP3F6bNfjcwDAg0dIzDXLcPFIH +oMElQQ1P/ZLxTAECigfl3w +-> ssh-ed25519 Ch6j2A thjC7f9Oz9WN7M5L0BHDzBvkz18KSTaF6OpiS1I09Ho +jbds6Wf0gKKdtv/l5ovnPbg1kY8Cyp3DZ8tjeuu27hw +-> 4l:[-grease ]V 3NBU )ut \; +KDb3aFVU6f7rhekxgSg+ +--- XDufzpsUOyYSM9SQ8+j45Bp4OSqbpFZ8lI+2dN3uYSY +Z$@2ꍤ&ik$-\$nVR4]fpܸ(E_^^! LҰ8F +(}ƴ@ϧķFQO +xzr?,lv:3gA5ѷH2ۅ{"8M \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..54e111b --- /dev/null +++ b/secrets/secrets.nix 
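Review bot: The two new inputs `agenix.url` and `nix-serve-ng.url` come without a `.inputs.nixpkgs.follows = "nixpkgs"` line, unlike `darwin` and `home-manager` just above them, so each carries its own nixpkgs tree — the lock diff in this commit grows from `nixpkgs_5` to `nixpkgs_7` accordingly, and the copy pulled in by nix-serve-ng (`nixpkgs_5`) tracks the `master` branch. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `nix-serve-ng.inputs.nixpkgs.follows = "nixpkgs";` so the cache daemon and the secrets tooling are built from the same reviewed nixpkgs revision as the host and `nix flake update` bumps one tree instead of three. If nix-serve-ng genuinely needs its own nixpkgs (for example for the nix library version it links against), say so in a comment on that line rather than leaving the divergence implicit.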
@@ -0,0 +1,9 @@ +let + keys = [ + (builtins.readFile ../nixos/takemessh/id_rsa.pub) + (builtins.readFile ../systems/hetzner/ax41.pub) + ]; +in +{ + "cache-priv-key.age".publicKeys = keys; +} diff --git a/systems/hetzner/ax41.nix b/systems/hetzner/ax41.nix index b2ce0c9..1d3d3ce 100644 --- a/systems/hetzner/ax41.nix +++ b/systems/hetzner/ax41.nix @@ -4,6 +4,8 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") + inputs.agenix.nixosModule + inputs.nix-serve-ng.nixosModules.default ]; boot.initrd.availableKernelModules = [ "nvme" "ahci" "usbhid" ]; @@ -54,7 +56,7 @@ # Network (Hetzner uses static IP assignments, and we don't use DHCP here) networking.useDHCP = false; - + networking.firewall.checkReversePath = "loose"; # Tailscale recommends this networking.interfaces."enp41s0" = { ipv4 = { addresses = [{ @@ -109,9 +111,29 @@ services.openssh.permitRootLogin = "prohibit-password"; services.openssh.enable = true; - services.tailscale.enable = true; - networking.firewall.checkReversePath = "loose"; # Tailscale recommends this + + age.secrets.cache-priv-key.file = ../../secrets/cache-priv-key.age; + services.nix-serve = { + enable = true; + secretKeyFile = config.age.secrets.cache-priv-key.path; + }; + services.nginx = { + enable = true; + virtualHosts."cache.srid.ca" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:${toString config.services.nix-serve.port}; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.acme.acceptTerms = true; + security.acme.defaults.email = "srid@srid.ca"; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.${flake.config.people.myself} = { @@ -121,5 +143,4 @@ security.sudo.wheelNeedsPassword = false; system.stateVersion = "20.03"; - } 
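Review bot: The two recipients in `keys` are read verbatim with `builtins.readFile`, and nothing in the file says which is the operator key used to edit secrets and which is the host key that decrypts them at activation; a one-line comment per entry (`# operator key: may edit / re-encrypt secrets` and `# ax41 SSH host key: decrypts at activation`) would make a later rekey or key removal much less error-prone. Because `readFile` keeps any trailing newline, a `.pub` file that ends with one yields a recipient string with an embedded newline — the committed `ax41.pub` avoids that only by having no final newline (the diff marks it `\ No newline at end of file`), which is fragile under editors that add one. Consider `readKey = p: builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile p);` and `keys = [ (readKey ../nixos/takemessh/id_rsa.pub) (readKey ../systems/hetzner/ax41.pub) ];` so the rules do not depend on that invariant; I have not verified how the agenix CLI tolerates a trailing newline, so treat this as defensive.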
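Review bot: `networking.firewall.checkReversePath = "loose"` survives this commit (moved up under `networking.useDHCP = false;`) with its `# Tailscale recommends this` justification intact, while the `services.tailscale.enable = true;` that justified it is removed in the hunk that follows (`-109,9 +111,29`). Loose reverse-path filtering disables the kernel's per-interface anti-spoofing check, a poor trade on a publicly routed Hetzner host that is now also fronting a binary cache, and with Tailscale gone the comment no longer states a reason. Either delete the line and return to the NixOS default (strict, as far as I recall), or if something else still needs it, replace the comment with the real reason, e.g. `networking.firewall.checkReversePath = "loose"; # needed for <X>; Tailscale is no longer enabled here`.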
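Review bot: `services.nix-serve` is enabled without a `bindAddress`, so if the module keeps the usual wildcard default the plaintext cache port listens on every interface and is kept private only by `networking.firewall.allowedTCPPorts = [ 80 443 ]`; since nginx proxies to `localhost` anyway, add `bindAddress = "127.0.0.1";` next to `enable = true;` so TLS termination is the only path in even if the firewall is later relaxed or `harden.nix` changes. `secretKeyFile` points at the agenix-managed path, which agenix by default installs as root-owned 0400; whether the nix-serve unit (as defined by the imported `inputs.nix-serve-ng.nixosModules.default` plus nixpkgs' service) runs as root, as a dynamic user, or via `LoadCredential` is not visible here — confirm it can actually read the key, otherwise set `age.secrets.cache-priv-key.owner`/`.group` to the service user. Note also that `cache.srid.ca` is an unauthenticated signed cache: every path in this host's `/nix/store`, including the `cache-priv-key.age` blob that `age.secrets.cache-priv-key.file` pulls into the store, becomes downloadable by hash, which is fine while the only secret in the store is age-encrypted but rules out ever putting a plaintext secret into a derivation on this box. Finally, the proxy sets `Host`, `X-Real-IP` and `X-Forwarded-For` but not `proxy_set_header X-Forwarded-Proto $scheme;`; harmless for nix-serve today, but worth adding for consistency with the other forwarded headers.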
diff --git a/systems/hetzner/ax41.pub b/systems/hetzner/ax41.pub
new file mode 100644
index 0000000..a5bdbb2
--- /dev/null
+++ b/systems/hetzner/ax41.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMI2BuoFaJD7dfOuJUP0yGWsQ4+tnKojUZiAQgIb44uj root@pinch
\ No newline at end of file
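Review bot: The key's comment field reads `root@pinch` while the file is named for the ax41 host, and `secrets/secrets.nix` uses this exact string as the agenix recipient that must correspond to the SSH identity the host decrypts with at activation (agenix defaults to `/etc/ssh/ssh_host_ed25519_key`, assuming `age.identityPaths` is not overridden elsewhere). Confirm this is the current `/etc/ssh/ssh_host_ed25519_key.pub` of the Hetzner machine rather than a key copied from an earlier host called `pinch`; a stale key here means `cache-priv-key.age` cannot be decrypted on that box and nix-serve has no signing key at boot. If it is the right key, consider changing the comment field to `root@ax41` (the comment is not part of the key material, so no re-encryption is needed) or noting the hostname mismatch beside its use in secrets.nix.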