From 95b79ab2241751fe2e066388b0e85d8006e32fd5 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Sat, 1 Mar 2025 00:07:58 +0000
Subject: [PATCH] Add jupiter vps
Signed-off-by: Nikolaos Karaolidis
---
 README.md | 15 +++---
 flake.nix | 6 +++
 hosts/.gitignore | 4 +-
 hosts/common/configs/system/boot/default.nix | 6 +--
 .../configs/system/impermanence/default.nix | 34 +++----------
 .../configs/system/impermanence/options.nix | 51 ++++++++++++++++---
 hosts/common/configs/system/sops/default.nix | 9 ++--
 hosts/common/configs/system/ssh/default.nix | 1 +
 hosts/eirene/default.nix | 2 +
 hosts/jupiter-vps/README.md | 12 +++++
 hosts/jupiter-vps/configs/boot/default.nix | 12 +++++
 hosts/jupiter-vps/configs/sshd/default.nix | 8 +++
 .../jupiter-vps/configs/wireguard/default.nix | 50 ++++++++++++++++++
 hosts/jupiter-vps/default.nix | 26 ++++++++++
 hosts/jupiter-vps/format.nix | 39 ++++++++++++++
 hosts/jupiter-vps/hardware/default.nix | 28 ++++++++++
 hosts/jupiter-vps/install.sh | 17 +++++++
 .../secrets/ssh_host_ed25519_key.pub | 1 +
 hosts/jupiter/default.nix | 15 ++---
 19 files changed, 277 insertions(+), 59 deletions(-)
 create mode 100644 hosts/jupiter-vps/README.md
 create mode 100644 hosts/jupiter-vps/configs/boot/default.nix
 create mode 100644 hosts/jupiter-vps/configs/sshd/default.nix
 create mode 100644 hosts/jupiter-vps/configs/wireguard/default.nix
 create mode 100644 hosts/jupiter-vps/default.nix
 create mode 100644 hosts/jupiter-vps/format.nix
 create mode 100644 hosts/jupiter-vps/hardware/default.nix
 create mode 100755 hosts/jupiter-vps/install.sh
 create mode 100644 hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub
diff --git a/README.md b/README.md
index c9021cf..463becb 100644
--- a/README.md
+++ b/README.md
@@ -37,10 +37,11 @@ Any `options.nix` files create custom option definitions when present. Below is a table of all hosts, with links to their respective README files, which may provide further details and/or post-installation checklists. -| Host | README | -| ----------- | -------------------------------------------------------- | -| `installer` | [hosts/installer/README.md](./hosts/installer/README.md) | -| `eirene` | [hosts/eirene/README.md](./hosts/eirene/README.md) | -| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) | -| `himalia` | [hosts/himalia/README.md](./hosts/himalia/README.md) | -| `jupiter` | [hosts/jupiter/README.md](./hosts/jupiter/README.md) | +| Host | README | +| ------------- | ------------------------------------------------------------ | +| `installer` | [hosts/installer/README.md](./hosts/installer/README.md) | +| `eirene` | [hosts/eirene/README.md](./hosts/eirene/README.md) | +| `elara` | [hosts/elara/README.md](./hosts/elara/README.md) | +| `himalia` | [hosts/himalia/README.md](./hosts/himalia/README.md) | +| `jupiter` | [hosts/jupiter/README.md](./hosts/jupiter/README.md) | +| `jupiter-vps` | [hosts/jupiter-vps/README.md](./hosts/jupiter-vps/README.md) | diff --git a/flake.nix b/flake.nix index 8778c2f..c99099e 100644 --- a/flake.nix +++ b/flake.nix @@ -160,6 +160,12 @@ modules = [ ./hosts/jupiter ]; specialArgs = { inherit inputs system; }; }; + + jupiter-vps = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + modules = [ ./hosts/jupiter-vps ]; + specialArgs = { inherit inputs system; }; + }; }; } // inputs.flake-utils.lib.eachSystem [ "x86_64-linux" ] ( diff --git a/hosts/.gitignore b/hosts/.gitignore index aa08156..8beaef9 100644 --- a/hosts/.gitignore +++ b/hosts/.gitignore @@ -1,2 +1,2 @@ -*/secrets/ssh_host_ed25519_key -*/secrets/.decrypted~* +**/secrets/ssh_host_ed25519_key +**/secrets/.decrypted~* 
diff --git a/hosts/common/configs/system/boot/default.nix b/hosts/common/configs/system/boot/default.nix index 223d6e4..e4f9200 100644 --- a/hosts/common/configs/system/boot/default.nix +++ b/hosts/common/configs/system/boot/default.nix @@ -10,11 +10,9 @@ timeout = 1; efi.canTouchEfiVariables = true; }; + initrd.systemd.enable = true; kernelPackages = pkgs.linuxPackages_latest; - supportedFilesystems = [ - "btrfs" - "ntfs" - ]; + supportedFilesystems = [ "btrfs" ]; }; } diff --git a/hosts/common/configs/system/impermanence/default.nix b/hosts/common/configs/system/impermanence/default.nix index e2c0a7f..3f099c1 100644 --- a/hosts/common/configs/system/impermanence/default.nix +++ b/hosts/common/configs/system/impermanence/default.nix @@ -1,32 +1,12 @@ -{ config, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { imports = [ ./options.nix ]; - boot.initrd.systemd = { - enable = true; - - initrdBin = with pkgs; [ - coreutils - util-linux - findutils - btrfs-progs - ]; - - services.impermanence = { - description = "Rollback BTRFS subvolumes to a pristine state"; - wantedBy = [ "initrd.target" ]; - before = [ "sysroot.mount" ]; - after = [ - "cryptsetup.target" - "local-fs-pre.target" - ]; - unitConfig.DefaultDependencies = false; - serviceConfig.Type = "oneshot"; - environment.DEVICE = config.environment.impermanence.device; - script = builtins.readFile ./scripts/wipe.sh; - }; - }; - # uuidgen -r | tr -d - # https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/administration/systemd-state.section.md # https://github.com/NixOS/nixpkgs/pull/286140/files @@ -36,6 +16,8 @@ fileSystems."/persist".neededForBoot = true; environment = { + impermanence.enable = true; + etc."machine-id".source = pkgs.runCommandLocal "machine-id-link" { } '' ln -s ${config.sops.secrets."machineId".path} $out ''; diff --git a/hosts/common/configs/system/impermanence/options.nix b/hosts/common/configs/system/impermanence/options.nix index 54e2e6d..951ebac 100644 
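Review bot: `impermanence.enable = true;` in the shared module is set at normal priority, which is why hosts/jupiter-vps/default.nix has to opt out with `lib.mkForce false`; `impermanence.enable = lib.mkDefault true;` would let a host write a plain `= false` and would also give the `lib` argument added in the first hunk a visible use. Separately, the `fileSystems."/persist".neededForBoot = true` line named in the hunk header and the sops-backed `etc."machine-id"` link appear to stay outside the new enable guard, so a host that imports this module with the option disabled still declares a /persist mount it may not define; if that is the case, wrapping them in `lib.mkIf config.environment.impermanence.enable` as options.nix now does would keep the two files consistent.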
--- a/hosts/common/configs/system/impermanence/options.nix +++ b/hosts/common/configs/system/impermanence/options.nix @@ -1,6 +1,7 @@ { config, lib, + pkgs, utils, ... }: @@ -47,12 +48,16 @@ in with lib; with types; { - impermanence.device = mkOption { - type = str; - default = config.disko.devices.disk.main.content.partitions.root.content.content.device; - description = '' - LUKS BTRFS partition to wipe on boot. - ''; + impermanence = { + enable = mkEnableOption "Impermanence"; + + device = mkOption { + type = str; + default = config.disko.devices.disk.main.content.partitions.root.content.content.device; + description = '' + LUKS BTRFS partition to wipe on boot. + ''; + }; }; persistence = @@ -179,7 +184,32 @@ in let all = lib.lists.flatten (builtins.concatMap builtins.attrValues (builtins.attrValues cfg)); in - { + lib.mkIf config.environment.impermanence.enable { + boot.initrd.systemd = { + enable = true; + + initrdBin = with pkgs; [ + coreutils + util-linux + findutils + btrfs-progs + ]; + + services.impermanence = { + description = "Rollback BTRFS subvolumes to a pristine state"; + wantedBy = [ "initrd.target" ]; + before = [ "sysroot.mount" ]; + after = [ + "cryptsetup.target" + "local-fs-pre.target" + ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + environment.DEVICE = config.environment.impermanence.device; + script = builtins.readFile ./scripts/wipe.sh; + }; + }; + fileSystems = builtins.mapAttrs (_: _: { neededForBoot = true; }) cfg; systemd = { @@ -244,6 +274,13 @@ in ); }; + environment.persistence."/persist" = { + "/etc/nixos" = { }; + "/var/lib/nixos" = { }; + "/var/lib/systemd" = { }; + "/var/log" = { }; + }; + assertions = let paths = builtins.map (c: c.path) all; diff --git a/hosts/common/configs/system/sops/default.nix b/hosts/common/configs/system/sops/default.nix index 72af56a..27e73b9 100644 --- a/hosts/common/configs/system/sops/default.nix +++ b/hosts/common/configs/system/sops/default.nix 
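Review bot: The `boot.initrd.systemd.enable = true` inside the new `lib.mkIf` block (third hunk) duplicates what the common boot module now sets, but it is not redundant, because a host can import this module without the boot one (hosts/jupiter-vps/default.nix does exactly that); a comment such as `# the rollback service needs the systemd initrd; not every host imports the common boot module` would stop the next reader from removing it. The `assertions` list is now also inside the `mkIf`, so the duplicate-path checks are skipped entirely when impermanence is disabled, which looks intended but deserves a word in the commit message.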
@@ -22,10 +22,13 @@ age = { generateKey = true; - sshKeyPaths = [ - config.environment.persistence."/persist/state"."/etc/ssh/ssh_host_ed25519_key".source - ]; keyFile = "/var/lib/sops-nix/key.txt"; + + sshKeyPaths = + if config.environment.impermanence.enable then + [ config.environment.persistence."/persist"."/etc/ssh/ssh_host_ed25519_key".source ] + else + [ "/etc/ssh/ssh_host_ed25519_key" ]; }; }; } diff --git a/hosts/common/configs/system/ssh/default.nix b/hosts/common/configs/system/ssh/default.nix index a6dd5fb..734d8dc 100644 --- a/hosts/common/configs/system/ssh/default.nix +++ b/hosts/common/configs/system/ssh/default.nix @@ -6,5 +6,6 @@ elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub; himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub; jupiter.publicKeyFile = ../../../../jupiter/secrets/ssh_host_ed25519_key.pub; + jupiter-vps.publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub; }; } diff --git a/hosts/eirene/default.nix b/hosts/eirene/default.nix index 35890ee..2f7636f 100644 --- a/hosts/eirene/default.nix +++ b/hosts/eirene/default.nix @@ -51,6 +51,8 @@ networking.hostName = "eirene"; + boot.supportedFilesystems = [ "ntfs" ]; + fileSystems."/mnt/windows" = { device = "/dev/disk/by-id/nvme-Samsung_SSD_980_PRO_2TB_S69ENF0R841140X-part3"; fsType = "ntfs3"; diff --git a/hosts/jupiter-vps/README.md b/hosts/jupiter-vps/README.md new file mode 100644 index 0000000..b3ee02b --- /dev/null +++ b/hosts/jupiter-vps/README.md @@ -0,0 +1,12 @@ +# jupiter-vps + +## Installation Instructions + +1. Provision an OVHcloud VPS on Ubuntu 22.04 +2. Add personal public key +3. Add a CNAME entry for `vps.karaolidis.com` pointing to the VPS IP/host +4. Run `hosts/jupiter-vps/install.sh` + +## Update Instructions + +1. Run `nixos-rebuild switch --flake .#jupiter-vps --target-host root@vps.karaolidis.com` 
diff --git a/hosts/jupiter-vps/configs/boot/default.nix b/hosts/jupiter-vps/configs/boot/default.nix
new file mode 100644
index 0000000..e4321d8
--- /dev/null
+++ b/hosts/jupiter-vps/configs/boot/default.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+ boot = {
+ loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ timeoutStyle = "hidden";
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+}
diff --git a/hosts/jupiter-vps/configs/sshd/default.nix b/hosts/jupiter-vps/configs/sshd/default.nix
new file mode 100644
index 0000000..624a47d
--- /dev/null
+++ b/hosts/jupiter-vps/configs/sshd/default.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+{
+ services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+ ];
+}
diff --git a/hosts/jupiter-vps/configs/wireguard/default.nix b/hosts/jupiter-vps/configs/wireguard/default.nix
new file mode 100644
index 0000000..940dbba
--- /dev/null
+++ b/hosts/jupiter-vps/configs/wireguard/default.nix
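Review bot: `lib.mkForce "prohibit-password"` in the sshd hunk overrides whatever the common sshd module sets for PermitRootLogin without saying why; since the README's update step deploys with `--target-host root@vps.karaolidis.com`, a comment such as `# nixos-rebuild --target-host root@... needs key-only root login; the common sshd module is stricter` would make the trade-off explicit. The authorized key is also a second copy of a literal that presumably lives in the user modules already; sourcing it from one place keeps rotation to a single edit.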
@@ -0,0 +1,50 @@
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
+{
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+ networking.firewall = {
+ allowedTCPPorts =
+ inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedTCPPorts;
+
+ allowedUDPPorts = [
+ 51820
+ ] ++ inputs.self.nixosConfigurations.jupiter.config.networking.firewall.allowedUDPPorts;
+ };
+
+ sops.secrets."wireguard" = { };
+
+ networking.wireguard.interfaces.wg0 =
+ let
+ iptables = "${pkgs.iptables}/bin/iptables";
+ in
+ {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = config.sops.secrets."wireguard".path;
+
+ postSetup = [
+ "${iptables} -t nat -A PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
+ "${iptables} -t nat -A PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
+ "${iptables} -t nat -A POSTROUTING -o wg0 -j MASQUERADE"
+ ];
+
+ postShutdown = [
+ "${iptables} -t nat -D PREROUTING -i ens3 -p tcp --dport 22 -j RETURN"
+ "${iptables} -t nat -D PREROUTING -i ens3 -j DNAT --to-destination 10.100.0.2"
+ "${iptables} -t nat -D POSTROUTING -o wg0 -j MASQUERADE"
+ ];
+
+ peers = [
+ {
+ name = "jupiter";
+ allowedIPs = [ "10.100.0.2/32" ];
+ publicKey = "Lvx7bpyqI8rUrxYVDolz7T+EPuRWDohJAAToq7kH7EU=";
+ }
+ ];
+ };
+}
diff --git a/hosts/jupiter-vps/default.nix b/hosts/jupiter-vps/default.nix
new file mode 100644
index 0000000..9c9e286
--- /dev/null
+++ b/hosts/jupiter-vps/default.nix
@@ -0,0 +1,26 @@
+{ inputs, lib, ... }:
+{
+ imports = [
+ inputs.disko.nixosModules.disko
+ ./format.nix
+
+ ./hardware
+
+ ../common/configs/system/impermanence
+ ../common/configs/system/nix
+ ../common/configs/system/nixpkgs
+ ../common/configs/system/sops
+ ../common/configs/system/sshd
+ ../common/configs/system/system
+ ../common/configs/system/users
+ ../common/configs/system/zsh
+
+ ./configs/boot
+ ./configs/sshd
+ ./configs/wireguard
+ ];
+
+ networking.hostName = "jupiter-vps";
+
+ environment.impermanence.enable = lib.mkForce false;
+}
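Review bot: The second PREROUTING rule in postSetup DNATs every packet arriving on ens3 to 10.100.0.2 except TCP 22, so unless I am missing a path, WireGuard's own handshake on UDP 51820 is rewritten and routed into the tunnel instead of reaching the local listener, and the `51820` opened in allowedUDPPorts never sees it; add `"${iptables} -t nat -A PREROUTING -i ens3 -p udp --dport 51820 -j RETURN"` before the DNAT rule and the matching `-D` line in postShutdown. The same rule also forwards every other port: DNATed traffic traverses FORWARD rather than INPUT, and as far as I can tell the iptables firewall backend leaves FORWARD unfiltered, so the `allowedTCPPorts`/`allowedUDPPorts` copied from jupiter do not constrain what reaches 10.100.0.2; a DNAT narrowed to those ports (`-p tcp -m multiport --dports ...` built from the same lists) or an explicit FORWARD policy would close that gap. `-i ens3` hard-codes the NIC name; a comment noting it is the VPS provider's interface name would help whoever moves this host.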
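Review bot: Importing `../common/configs/system/impermanence` and then forcing `environment.impermanence.enable` to false reads as a contradiction until one notices the common sops module reads that option and so needs it declared; a comment on the import, `# declares the environment.impermanence option the common sops module reads; rollback itself is disabled below`, would save the next reader the hunt. Whether the shared module's unconditional settings (the /persist neededForBoot flag, the sops-backed machine-id link) are harmless on a host whose format.nix defines only an ext4 root is not visible here and worth confirming before this host is installed.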
diff --git a/hosts/jupiter-vps/format.nix b/hosts/jupiter-vps/format.nix
new file mode 100644
index 0000000..66dfc0b
--- /dev/null
+++ b/hosts/jupiter-vps/format.nix
@@ -0,0 +1,39 @@
+{
+ disko.devices = {
+ disk.main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "esp";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [ "defaults" ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/jupiter-vps/hardware/default.nix b/hosts/jupiter-vps/hardware/default.nix
new file mode 100644
index 0000000..65cf0ef
--- /dev/null
+++ b/hosts/jupiter-vps/hardware/default.nix
@@ -0,0 +1,28 @@
+{ ... }:
+{
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_mmio"
+ "virtio_blk"
+ "9p"
+ "9pnet_virtio"
+ "sd_mod"
+ ];
+
+ kernelModules = [
+ "virtio_balloon"
+ "virtio_console"
+ "virtio_rng"
+ "virtio_gpu"
+ ];
+ };
+
+ kernelModules = [ "kvm-amd" ];
+ };
+}
diff --git a/hosts/jupiter-vps/install.sh b/hosts/jupiter-vps/install.sh
new file mode 100755
index 0000000..5a9f61d
--- /dev/null
+++ b/hosts/jupiter-vps/install.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+temp=$(mktemp -d)
+
+cleanup() {
+ rm -rf "$temp"
+}
+trap cleanup EXIT
+
+install -d -m 755 "$temp/etc/ssh"
+cp ./hosts/jupiter-vps/secrets/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"
+
+nix run github:nix-community/nixos-anywhere -- --flake .#jupiter-vps --extra-files "$temp" --target-host ubuntu@vps.karaolidis.com -i ~/.ssh/ssh_personal_ed25519_key
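Review bot: In install.sh, `cp` keeps the source file's mode, so the private host key lands in the extra-files tree with whatever permissions the decrypted working-tree copy happens to have, and nixos-anywhere carries that onto the target, where sshd may refuse a host key that is group- or world-readable; `install -m 600 ./hosts/jupiter-vps/secrets/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"` pins it. `nix run github:nix-community/nixos-anywhere` resolves to the default branch at run time, so every install pulls an unpinned tool that is then given root on the new host; pinning a revision (`github:nix-community/nixos-anywhere/<rev>`, placeholder) or adding it as a flake input keeps the installer reproducible. The relative paths (`./hosts/...`, `.#jupiter-vps`) mean the script only works from the repository root, which either `cd "$(dirname "$0")/../.."` at the top or a comment should make explicit.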
diff --git a/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub b/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..7953cff --- /dev/null +++ b/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEQGAjeS+Q5aB8uTmy//XyFRFihtUBeWJbFhIi8YEa3 root@jupiter-vps diff --git a/hosts/jupiter/default.nix b/hosts/jupiter/default.nix index 09a00ac..5322fdd 100644 --- a/hosts/jupiter/default.nix +++ b/hosts/jupiter/default.nix @@ -1,8 +1,6 @@ { lib, inputs, ... }: { imports = [ - ../../lib - inputs.disko.nixosModules.disko ./format.nix @@ -32,6 +30,11 @@ ./users/nick ]; + networking = { + hostName = "jupiter"; + extraHosts = lib.strings.concatStringsSep "\n" [ "127.0.0.1 karaolidis.local" ]; + }; + fileSystems."/mnt/storage" = { label = "storage"; fsType = "btrfs"; @@ -43,12 +46,4 @@ "noatime" ]; }; - - networking = { - hostName = "jupiter"; - extraHosts = lib.strings.concatStringsSep "\n" [ "127.0.0.1 karaolidis.local" ]; - }; - - i18n.defaultLocale = "en_US.UTF-8"; - sops.defaultSopsFile = ./secrets/secrets.yaml; }
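Review bot: The last hunk of hosts/jupiter/default.nix drops `i18n.defaultLocale = "en_US.UTF-8";` and `sops.defaultSopsFile = ./secrets/secrets.yaml;`, but nothing else in this patch adds equivalents, so unless the common system and sops modules already supply them, jupiter loses its default sops file; the commit message should say where they moved, or the sops line should stay. The first hunk removes the `../../lib` import the same way, presumably because the flake now wires that module in elsewhere, which is worth a word too.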