diff --git a/.sops.yaml b/.sops.yaml
index 7fd85a7..57e1935 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -52,3 +52,7 @@ creation_rules:
 - age:
 - *nathan
 - *tounge
+ - path_regex: secrets/universe
+ key_groups:
+ - age:
+ - *nathan
diff --git a/flake.nix b/flake.nix
index 2b27873..ceb12af 100644
--- a/flake.nix
+++ b/flake.nix
@@ -159,6 +159,16 @@
 extraModules = [ ./machines/tounge/configuration.nix ];
 };
 
+ universe = makeNixosSystem {
+ system = "aarch64-linux";
+ hostName = "universe";
+ extraModules = [
+ ./machines/tounge/universe.nix
+ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+ ({ pkgs, ... }: { sdImage.compressImage = false; })
+ ];
+ };
+
 perception = makeNixosSystem {
 system = "x86_64-linux";
 hostName = "perception";
diff --git a/machines/universe/configuration.nix b/machines/universe/configuration.nix
new file mode 100644
index 0000000..26a3253
--- /dev/null
+++ b/machines/universe/configuration.nix
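Review bot: The new `secrets/universe` rule lists only `*nathan` as an age recipient, whereas the `tounge` rule directly above it lists both `*nathan` and `*tounge` (presumably that host's key), and the `secrets/universe/wifi` file added in this commit accordingly carries a single age recipient. If `*nathan` is a personal key, the `universe` host has nothing it can decrypt the wifi secret with at activation, so sops-nix either fails on the Pi or nathan's private key has to be copied onto the SD card, which is exactly what a per-host key avoids. Define a `universe` anchor next to the existing ones (outside this hunk) and add it to the group, `- *universe`, then re-encrypt with `sops updatekeys secrets/universe/wifi`. Note also that creation_rules are matched top to bottom, so if an earlier, broader `path_regex` already matches `secrets/universe/...` this appended rule never applies; the unanchored regex itself is fine as long as the sibling rules follow the same convention.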
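Review bot: The new `universe` entry imports `./machines/tounge/universe.nix`, but the configuration this commit adds lives at `machines/universe/configuration.nix`; unless a `universe.nix` already exists under `machines/tounge`, evaluating `nixosConfigurations.universe` fails on the missing path, and the new `configuration.nix` is never used either way. The sibling entries (`tounge`, `perception`) follow `./machines/<hostName>/configuration.nix`, so `./machines/universe/configuration.nix` is the consistent path. The inline module `({ pkgs, ... }: { sdImage.compressImage = false; })` does not use `pkgs`; assuming `makeNixosSystem` passes `extraModules` straight through to `modules`, the plain attrset `{ sdImage.compressImage = false; }` is enough.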
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ # Setup hardware
+ imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 ];
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+ };
+ # Sops setup for this machine
+ sops.secrets = {
+ # "borg-ssh-key" = {
+ # sopsFile = ../../secrets/tounge/borg.yaml;
+ # format = "yaml";
+ # };
+ # "borg-password" = {
+ # sopsFile = ../../secrets/tounge/borg.yaml;
+ # format = "yaml";
+ # };
+ "wifi" = {
+ sopsFile = ../../secrets/universe/wifi;
+ formate = "binary";
+ };
+ };
+ # Setup system configuration
+ nathan = {
+ services = {
+ borg = {
+ enable = false;
+ extraExcludes = [ "/var/lib/docker" "/var/log" ];
+ passwordFile = config.sops.secrets."borg-password".path;
+ sshKey = config.sops.secrets."borg-ssh-key".path;
+ };
+ };
+ config = {
+ setupGrub = false;
+ userUid = "1001";
+ nix = {
+ autoUpdate = true;
+ autoGC = true;
+ };
+ harden = false;
+ virtualization = { docker = true; };
+ };
+ };
+ # Configure networking
+ networking = {
+ domain = "mccarty.io";
+ useDHCP = true;
+ wireless = {
+ environmentFile = config.sops.secrets."wifi".path;
+ "Apollo" = { psk = "@PSK_WIFI@"; };
+ };
+ # Open ports in firewall
+ firewall = {
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ ];
+ };
+ };
+
+ # Setup home manager
+ home-manager.users.nathan = import ./home.nix;
+
+}
diff --git a/machines/universe/home.nix b/machines/universe/home.nix
new file mode 100644
index 0000000..88d8a3b
--- /dev/null
+++ b/machines/universe/home.nix
@@ -0,0 +1,3 @@
+{ config, lib, pkgs, ... }:
+
+{ }
diff --git a/secrets/universe/wifi b/secrets/universe/wifi
new file mode 100644
index 0000000..5dc4f2e
--- /dev/null
+++ b/secrets/universe/wifi
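Review bot: The `"Apollo"` network is declared directly under `networking.wireless` instead of `networking.wireless.networks`, and `networking.wireless.enable` is never set, so the module system will reject the undefined option `networking.wireless.Apollo` and wpa_supplicant would not be started anyway; the block should read `enable = true;`, `environmentFile = config.sops.secrets."wifi".path;`, `networks."Apollo" = { psk = "@PSK_WIFI@"; };`. Likewise `formate = "binary";` in the `wifi` secret is a typo for `format`, which the sops-nix secret submodule rejects as an unknown option. Keeping the PSK in the sops-managed environment file is the right choice, since an inline `psk` would land world-readable in the Nix store and in the SD image; the decrypted file has to contain a `PSK_WIFI=<psk>` line for the placeholder to be substituted, which is worth a comment on the `"wifi"` secret, e.g. `# binary env file with PSK_WIFI=...; consumed via networking.wireless.environmentFile`. The `borg` block is `enable = false` yet still reads `config.sops.secrets."borg-password".path` and `."borg-ssh-key".path` while those secret declarations are commented out; whether that breaks evaluation depends on whether the `nathan.services.borg` module (outside this diff) reads the options when disabled, so either restore the declarations or comment out the two path lines as well. `harden = false` alongside `virtualization.docker = true` deserves a one-line comment on why hardening is off for this host, since membership in the docker group is effectively root.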
@@ -0,0 +1,20 @@
+{
+ "data": "ENC[AES256_GCM,data:3WmVihQjC4qhLb92jgGx0Bw+CsAZXzkiJ3LDAhc=,iv:ncxPR7HwiuGUsD8nJIuYy9Y/8yZYIwn/68NL4mYpDzA=,tag:sTDgX6nYxTdobePAAjwnEQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa3V6UURQODB3QU9ad2RR\nTElJd0xxb3BMbEJyRWVyb0RjbUw4QUZkVHhRCjA4ZjA1Q3lvM3dVdDJ0NjMxOVpr\nNkNQSmNnSHBiNVc0M0FYUXBMVXArZG8KLS0tIERrRlV6QzFabmVrUzVMdG1ob1NB\nc1dyV0s5c09hWmdhcW9xM1ltSTVBNTAK+MxyzBmwT19bMVRTl0/0y1/RIQFOFwJD\nExKflegKylhEIlSmUub1PP7qf2+AVi8mzEUufpr19hdWOY0U8h0kBA==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-08-05T17:26:29Z",
+ "mac": "ENC[AES256_GCM,data:cBvQSQG17NmUZE+Yoh81w2Mn9OpJig93pLM6JcixY1mR9478K3KuXMSc4GzkGMlslWC4LoyZWd9BEGkY6WqRpBD+qkRmwFt3rTy6YB/mZZ2sPfpP3p4VA6Z4Wb5mHHfIvD4G/HHhIRo8wt0IpSQrwCUNwKrdbPApQhYEh5qnzig=,iv:gELvtkE18TMJeg1nS9wamNdutUeKKgI+ub15s9eHqvo=,tag:guO4p6AcE5BsO3Oyi7sB4g==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file