diff --git a/config/hardware/socrates.nix b/config/hardware/socrates.nix
new file mode 100644
index 0000000..2ca7ca5
--- /dev/null
+++ b/config/hardware/socrates.nix
@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+ config = {
+
+ boot = {
+ initrd = {
+ luks.devices.socrates-unlocked = {
+ device = "/dev/socrates/socrates-locked";
+ preLVM = false;
+ allowDiscards = true;
+ };
+ availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ "r8169"
+ ];
+ kernelModules = [ "dm-snapshot" ];
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 22;
+ authorizedKeys = [
+ "ssh-rsa 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"
+ "ssh-rsa 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"
+ ];
+ hostKeys = [
+ "/state/ssh/ssh_host_ed25519_key"
+ "/state/ssh/ssh_host_rsa_key"
+ ];
+ };
+ };
+ };
+
+ loader = {
+ grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/sda";
+ };
+ };
+
+ kernelModules = [ ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "socrates-root";
+ fsType = "tmpfs";
+ options = [ "mode=755" "noexec" ];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/socrates-boot";
+ fsType = "ext4";
+ options = [ "noatime" "nodiratime" "noexec" ];
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-label/socrates-data";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" "compress=zstd" "noatime" "nodiratime" ];
+ };
+
+ "/var/log" = {
+ device = "/dev/disk/by-label/socrates-data";
+ fsType = "btrfs";
+ options = [ "subvol=@log" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+ };
+
+ "/state" = {
+ device = "/dev/disk/by-label/socrates-data";
+ fsType = "btrfs";
+ options = [ "subvol=@state" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+ };
+
+ "/home" = {
+ device = "/dev/disk/by-label/socrates-data";
+ fsType = "btrfs";
+ options = [ "subvol=@home" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+ };
+ };
+
+ swapDevices = [{
+ device = "/dev/socrates/socrates-swap";
+ randomEncryption.enable = true;
+ }];
+
+ networking = {
+ macvlans = {
+
intif0 = { + interface = "enp1s0"; + mode = "bridge"; + }; + }; + + interfaces = { + enp1s0.useDHCP = false; + intif0 = { + macAddress = "02:f2:30:b8:71:42"; + }; + }; + }; + }; +} diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix index 9be41e6..c81c90a 100644 --- a/config/host-config/limina.nix +++ b/config/host-config/limina.nix @@ -158,12 +158,9 @@ in { systemd.tmpfiles.rules = [ "L /root/.gnupg - - - - /state/root/gnupg" - "L /root/.emacs.d - - - - /state/root/emacs.d" "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" - "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" - "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" ]; security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org"; diff --git a/config/host-config/socrates.nix b/config/host-config/socrates.nix new file mode 100644 index 0000000..9ac3c8b --- /dev/null +++ b/config/host-config/socrates.nix 
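Review bot: `boot.initrd.network.ssh.hostKeys` points at `/state/ssh/ssh_host_ed25519_key` and `/state/ssh/ssh_host_rsa_key`, the same files that `services.openssh.hostKeys` uses in the config/host-config/socrates.nix hunk further down, and initrd host keys are copied into the initrd image, which this config stores on the unencrypted ext4 `/boot` (`/dev/disk/by-label/socrates-boot`) — so the running system's host private keys become readable from the boot partition without ever unlocking `socrates-unlocked`. A dedicated initrd key pair (e.g. `/state/ssh/initrd_ed25519_key`, constructed example path) and a port other than `22` keep the two SSH identities separate and avoid clients treating the initrd and the booted system as the same host. `allowDiscards = true` also exposes which blocks inside the LUKS volume are unused; that is a reasonable trade-off for SSD health but deserves a one-line comment stating it was chosen deliberately. This hunk starts on the previous source line.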
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ primary-ip = "10.0.0.20";
+
+in {
+ config = {
+ networking = {
+ useDHCP = false;
+
+ defaultGateway = {
+ address = "10.0.0.1";
+ interface = "intif0";
+ };
+
+ interfaces.intif0 = {
+ ipv4.addresses = [{
+ address = primary-ip;
+ prefixLength = 22;
+ }];
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "L /root/.gnupg - - - - /state/root/gnupg"
+ "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
+ "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
+ "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
+ ];
+
+ environment.etc = {
+ nixos.source = "/state/nixos";
+ adjtime.source = "/state/etc/adjtime";
+ NIXOS.source = "/state/etc/NIXOS";
+ machine-id.source = "/state/etc/machine-id";
+ "host-config.nix".source = "/state/etc/host-config.nix";
+ };
+
+ system.stateVersion = "21.05";
+
+ security.sudo.extraConfig = ''
+ # Due to tmpfs home, it'll always lecture otherwise
+ Defaults lecture = never
+ '';
+
+ services = {
+ openssh = {
+ hostKeys = [
+ {
+ path = "/state/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/state/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/config/hosts/socrates.nix b/config/hosts/socrates.nix
index 29072c0..2413030 100644
--- a/config/hosts/socrates.nix
+++ b/config/hosts/socrates.nix
@@ -1,6 +1,10 @@
 {
 description = "sea.fudo.org deploy server.";
 ssh-fingerprints = [
+ "1 1 4055c1d922ec858e703856dd76237f09219261e5"
+ "1 2 0f7bfa92fa0435785782b68ca4c9b71786d67df60804ea4b4c42ebb37d061659"
+ "4 1 5dc2b674554df5e042171b4045fcfe31f03ad01a"
+ "4 2 9bcf664a191e31bf53aa4728828480babdab5377da39a002324303c719b16a55"
 ];
 rp = "niten";
 admin-email = "niten@fudo.org";
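Review bot: `with lib;` at the top of the new config/host-config/socrates.nix is unused — no `lib` function is referenced anywhere in the file — and a top-level `with` is the usual source of silent name shadowing in Nix modules, so drop it (`lib` stays available as the function argument if it is needed later). The literal `"10.0.0.20"` is now declared in three places in this commit: `primary-ip` here, `socrates.ipv4-address` in config/networks/sea.fudo.org.nix, and `define-host "10.0.0.20" "socrates"` in nixops/seattle.nix; deriving the address from the network definition instead of restating it would stop the three from drifting apart. The `L /root/.ssh/id_rsa …` tmpfiles rules and the `/state/ssh/ssh_host_*` host-key paths are copied verbatim from the limina configuration; a small shared module would keep both hosts aligned when one of them changes.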
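Review bot: The `4 2 9bcf…` entry added to `ssh-fingerprints` must be the SHA-256 SSHFP of the new `ssh-ed25519 AAAAC3…QPoFdqCab` key that the `@@ -8,6 +12,6 @@` hunk below substitutes for the previous one; since the key and the fingerprint change in the same commit, it is worth confirming the record was generated from the new key rather than the one being replaced. The `1 1 …` and `4 1 …` records are SHA-1 fingerprints; current OpenSSH clients verify the SHA-256 (`x 2`) records, so the SHA-1 pair mainly serves legacy clients and could be dropped to avoid publishing a weaker hash of the host keys if no such clients remain.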
@@ -8,6 +12,6 @@ site = "seattle"; profile = "server"; ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b"; + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab"; tmp-on-tmpfs = false; } diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix index 00f4e26..b226fb0 100644 --- a/config/networks/sea.fudo.org.nix +++ b/config/networks/sea.fudo.org.nix @@ -3,7 +3,7 @@ let local-domain = "sea.fudo.org"; in { aliases = { - deploy = "plato"; + deploy = "socrates"; gateway = "limina"; # kadmin = "nostromo"; # kdc = "nostromo"; @@ -82,7 +82,10 @@ in { ipv4-address = "10.0.0.11"; mac-address = "02:f5:fe:8c:22:fe"; }; - socrates = { ipv4-address = "10.0.0.20"; }; + socrates = { + ipv4-address = "10.0.0.20"; + mac-address = "02:f2:30:b8:71:42"; + }; plato = { ipv4-address = "10.0.0.21"; }; cam-entrance = { ipv4-address = "10.0.0.31"; diff --git a/config/sites.nix b/config/sites.nix index f6e08f3..68d1cd5 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -9,8 +9,9 @@ dynamic-network = "10.0.1.0/24"; timezone = "America/Los_Angeles"; gateway-host = "nostromo"; - deploy-pubkey = - "ssh-rsa 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"; + deploy-pubkeys = [ + "ssh-rsa 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" + ]; build-servers = { nostromo = { max-jobs = 2; @@ -54,7 +55,6 @@ portage = { gateway-v4 = "208.81.3.113"; - # gateway-v6 = "265:e200:d200:1::1"; network = "208.81.3.112/28"; nameservers = [ "1.1.1.1" "208.81.7.14" "2606:4700:4700::1111" ]; timezone = "America/Winnipeg"; 
@@ -71,11 +71,11 @@ joes-datacenter-0 = { gateway-v4 = "172.86.179.17"; - # network = "FIXME"; nameservers = [ "1.1.1.1" "2606:4700:4700::1111" ]; timezone = "America/Winnipeg"; - deploy-pubkey = - "ssh-rsa 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"; + deploy-pubkeys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=" + ]; keytab-directory = "/state/secrets/kerberos"; }; }; diff --git a/fudo-pkgs b/fudo-pkgs index 8ff5dfa..3304caa 160000 --- a/fudo-pkgs +++ b/fudo-pkgs @@ -1 +1 @@ -Subproject commit 8ff5dfa3481c1e625f612e0b01a899dd1c37420b +Subproject commit 3304caa8ee5891d05320375b5dc825871e53172d diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix index e8ef282..9cd2cd6 100644 --- a/lib/fudo/sites.nix +++ b/lib/fudo/sites.nix @@ -81,8 +81,8 @@ let example = "America/Winnipeg"; }; - deploy-pubkey = mkOption { - type = nullOr str; + deploy-pubkeys = mkOption { + type = nullOr (listOf str); description = "SSH pubkey of site deploy key. Used by dropbear daemon."; default = null; }; @@ -197,7 +197,7 @@ in { config = { users.users = { root.openssh.authorizedKeys.keys = - mkIf (site-cfg.deploy-pubkey != null) [ site-cfg.deploy-pubkey ]; + mkIf (site-cfg.deploy-pubkeys != null) site-cfg.deploy-pubkeys; ${site-cfg.build-user} = mkIf (any (build-host: build-host == config.instance.hostname) diff --git a/nix-home b/nix-home index 0d213bd..dcab432 160000 --- a/nix-home +++ b/nix-home 
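Review bot: In the lib/fudo/sites.nix `@@ -81,8 +81,8 @@` hunk the option description still reads "SSH pubkey of site deploy key. Used by dropbear daemon." although the type is now `nullOr (listOf str)` and, per the `@@ -197,7 +197,7 @@` hunk, the list is fed straight into `users.users.root.openssh.authorizedKeys.keys` — every key listed gets root login on any host that evaluates this module for the site. Suggest `description = "SSH public keys of the site deploy keys. Each key is granted root SSH login on every host of this site.";` so the blast radius of adding an entry is visible where it is edited. With a list type, `default = [ ];` would also let the consumer become `root.openssh.authorizedKeys.keys = site-cfg.deploy-pubkeys;` without the `mkIf` null check, but only if nothing else tests the option for `null`.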
@@ -1 +1 @@
-Subproject commit 0d213bdbf0838a0571582659aaf18ea5700eed4b
+Subproject commit dcab43275a732e9a3e3c66c9a92132b4290838d3
diff --git a/nixops/seattle.nix b/nixops/seattle.nix
index 6472b95..fd2c36d 100644
--- a/nixops/seattle.nix
+++ b/nixops/seattle.nix
@@ -33,6 +33,7 @@ in {
 limina = define-host "10.0.0.1" "limina";
 nostromo = define-host "10.0.0.10" "nostromo";
 plato = define-host "10.0.0.21" "plato";
+ socrates = define-host "10.0.0.20" "socrates";
 spark = define-host "10.0.0.108" "spark";
 system3 = define-host "10.0.0.111" "system3";
 zbox = define-host "10.0.0.110" "zbox";