Added socrates, added multiple deploy keys

config/hardware/socrates.nix

@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+  config = {
+
+    boot = {
+      initrd = {
+        luks.devices.socrates-unlocked = {
+          device = "/dev/socrates/socrates-locked";
+          preLVM = false;
+          allowDiscards = true;
+        };
+        availableKernelModules = [
+          "xhci_pci"
+          "ehci_pci"
+          "ahci"
+          "usb_storage"
+          "usbhid"
+          "sd_mod"
+          "r8169"
+        ];
+        kernelModules = [ "dm-snapshot" ];
+        network = {
+          enable = true;
+          ssh = {
+            enable = true;
+            port = 22;
+            authorizedKeys = [
+              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
+              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGVez4of30f+j0cWKj5kYCKeFjyNsYvG9UbOMxF5hImD2lP5MSbFBv31gFgHjx3yCG4zQRZlpuyU5uWo0qIwe9N84/LcZcB9WrWKZXDmuof7zPFy0J+Hj+LVLDQI/mVXHNwkMhBMHpPrdwA05EYDAYCYklWT4cSByu10pHtST+olF8i+A+UQgUzgNZzdJVeiYZv6MBDTYsJWptGeDUkl2B0Es3gtbGYcCCfnyS3RC7DIXlDo3NBbAr7WaHY2MBbT+R/+jicn9E3IY3NCM5jENxqmvHy9MDsxEEYgFNm7IDwq4V1VRUWy277YsvRbmEaHb+osOA5u1VNN4z3UftOZcSZgR5C/vR71cENXoPt1YQpCzu7i38ojtvL+tDVEKT7sIovrQw8q1sszNlW2nXh8RSPiIq5TMnrV73MP0egKcr9n3tfxwi1BIkLjvfom/02BkTK9R9v+VMNhYU1YwROhORCiMIgoxUGiUvtH8u38JGr7E0hhMoAjCE5k80WPUivl0="
+            ];
+            hostKeys = [
+              "/state/ssh/ssh_host_ed25519_key"
+              "/state/ssh/ssh_host_rsa_key"
+            ];
+          };
+        };
+      };
+
+      loader = {
+        grub = {
+          enable = true;
+          version = 2;
+          device = "/dev/sda";
+        };
+      };
+
+      kernelModules = [ ];
+      extraModulePackages = [ ];
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "socrates-root";
+        fsType = "tmpfs";
+        options = [ "mode=755" "noexec" ];
+      };
+
+      "/boot" = {
+        device = "/dev/disk/by-label/socrates-boot";
+        fsType = "ext4";
+        options = [ "noatime" "nodiratime" "noexec" ];
+      };
+
+      "/nix" = {
+        device = "/dev/disk/by-label/socrates-data";
+        fsType = "btrfs";
+        options = [ "subvol=@nix" "compress=zstd" "noatime" "nodiratime" ];
+      };
+
+      "/var/log" = {
+        device = "/dev/disk/by-label/socrates-data";
+        fsType = "btrfs";
+        options = [ "subvol=@log" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+      };
+
+      "/state" = {
+        device = "/dev/disk/by-label/socrates-data";
+        fsType = "btrfs";
+        options = [ "subvol=@state" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+      };
+
+      "/home" = {
+        device = "/dev/disk/by-label/socrates-data";
+        fsType = "btrfs";
+        options = [ "subvol=@home" "compress=zstd" "noatime" "nodiratime" "noexec" ];
+      };
+    };
+
+    swapDevices = [{
+      device = "/dev/socrates/socrates-swap";
+      randomEncryption.enable = true;
+    }];
+
+    networking = {
+      macvlans = {
+        intif0 = {
+          interface = "enp1s0";
+          mode = "bridge";
+        };
+      };
+
+      interfaces = {
+        enp1s0.useDHCP = false;
+        intif0 = {
+          macAddress = "02:f2:30:b8:71:42";
+        };
+      };
+    };
+  };
+}

config/host-config/limina.nix

@@ -158,12 +158,9 @@ in {
 
     systemd.tmpfiles.rules = [
       "L /root/.gnupg - - - - /state/root/gnupg"
-      "L /root/.emacs.d - - - - /state/root/emacs.d"
       "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
       "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
       "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
-      "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
-      "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
     ];
 
     security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org";

config/host-config/socrates.nix

@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  primary-ip = "10.0.0.20";
+
+in {
+  config = {
+    networking = {
+      useDHCP = false;
+
+      defaultGateway = {
+        address = "10.0.0.1";
+        interface = "intif0";
+      };
+
+      interfaces.intif0 = {
+        ipv4.addresses = [{
+          address = primary-ip;
+          prefixLength = 22;
+        }];
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "L /root/.gnupg - - - - /state/root/gnupg"
+      "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
+      "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
+      "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
+    ];
+
+    environment.etc = {
+      nixos.source = "/state/nixos";
+      adjtime.source = "/state/etc/adjtime";
+      NIXOS.source = "/state/etc/NIXOS";
+      machine-id.source = "/state/etc/machine-id";
+      "host-config.nix".source = "/state/etc/host-config.nix";
+    };
+
+    system.stateVersion = "21.05";
+
+    security.sudo.extraConfig = ''
+      # Due to tmpfs home, it'll always lecture otherwise
+      Defaults lecture = never
+    '';
+
+    services = {
+      openssh = {
+        hostKeys = [
+          {
+            path = "/state/ssh/ssh_host_ed25519_key";
+            type = "ed25519";
+          }
+          {
+            path = "/state/ssh/ssh_host_rsa_key";
+            type = "rsa";
+            bits = 4096;
+          }
+        ];
+      };
+    };
+  };
+}

config/hosts/socrates.nix

@@ -1,6 +1,10 @@
 {
   description = "sea.fudo.org deploy server.";
   ssh-fingerprints = [
+    "1 1 4055c1d922ec858e703856dd76237f09219261e5"
+    "1 2 0f7bfa92fa0435785782b68ca4c9b71786d67df60804ea4b4c42ebb37d061659"
+    "4 1 5dc2b674554df5e042171b4045fcfe31f03ad01a"
+    "4 2 9bcf664a191e31bf53aa4728828480babdab5377da39a002324303c719b16a55"
   ];
   rp = "niten";
   admin-email = "niten@fudo.org";
@@ -8,6 +12,6 @@
   site = "seattle";
   profile = "server";
   ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
   tmp-on-tmpfs = false;
 }

config/networks/sea.fudo.org.nix

@@ -3,7 +3,7 @@
 let local-domain = "sea.fudo.org";
 in {
   aliases = {
-    deploy = "plato";
+    deploy = "socrates";
     gateway = "limina";
     # kadmin = "nostromo";
     # kdc = "nostromo";
@@ -82,7 +82,10 @@ in {
       ipv4-address = "10.0.0.11";
       mac-address = "02:f5:fe:8c:22:fe";
     };
-    socrates = { ipv4-address = "10.0.0.20"; };
+    socrates = {
+      ipv4-address = "10.0.0.20";
+      mac-address = "02:f2:30:b8:71:42";
+    };
     plato = { ipv4-address = "10.0.0.21"; };
     cam-entrance = {
       ipv4-address = "10.0.0.31";

config/sites.nix

@@ -9,8 +9,9 @@
       dynamic-network = "10.0.1.0/24";
       timezone = "America/Los_Angeles";
       gateway-host = "nostromo";
-      deploy-pubkey =
+      deploy-pubkeys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=";
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
+      ];
       build-servers = {
         nostromo = {
           max-jobs = 2;
@@ -54,7 +55,6 @@
 
     portage = {
       gateway-v4 = "208.81.3.113";
-      # gateway-v6 = "265:e200:d200:1::1";
       network = "208.81.3.112/28";
       nameservers = [ "1.1.1.1" "208.81.7.14" "2606:4700:4700::1111" ];
       timezone = "America/Winnipeg";
@@ -71,11 +71,11 @@
 
     joes-datacenter-0 = {
       gateway-v4 = "172.86.179.17";
-      # network = "FIXME";
       nameservers = [ "1.1.1.1" "2606:4700:4700::1111" ];
       timezone = "America/Winnipeg";
-      deploy-pubkey =
+      deploy-pubkeys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=";
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
+      ];
       keytab-directory = "/state/secrets/kerberos";
     };
   };

fudo-pkgs

@@ -1 +1 @@
-Subproject commit 8ff5dfa3481c1e625f612e0b01a899dd1c37420b
+Subproject commit 3304caa8ee5891d05320375b5dc825871e53172d

lib/fudo/sites.nix

@@ -81,8 +81,8 @@ let
         example = "America/Winnipeg";
       };
 
-      deploy-pubkey = mkOption {
+      deploy-pubkeys = mkOption {
-        type = nullOr str;
+        type = nullOr (listOf str);
         description = "SSH pubkey of site deploy key. Used by dropbear daemon.";
         default = null;
       };
@@ -197,7 +197,7 @@ in {
   config = {
     users.users = {
       root.openssh.authorizedKeys.keys =
-        mkIf (site-cfg.deploy-pubkey != null) [ site-cfg.deploy-pubkey ];
+        mkIf (site-cfg.deploy-pubkeys != null) site-cfg.deploy-pubkeys;
 
       ${site-cfg.build-user} = mkIf
         (any (build-host: build-host == config.instance.hostname)

nix-home

@@ -1 +1 @@
-Subproject commit 0d213bdbf0838a0571582659aaf18ea5700eed4b
+Subproject commit dcab43275a732e9a3e3c66c9a92132b4290838d3

nixops/seattle.nix

@@ -33,6 +33,7 @@ in {
   limina = define-host "10.0.0.1" "limina";
   nostromo = define-host "10.0.0.10" "nostromo";
   plato = define-host "10.0.0.21" "plato";
+  socrates = define-host "10.0.0.20" "socrates";
   spark = define-host "10.0.0.108" "spark";
   system3 = define-host "10.0.0.111" "system3";
   zbox = define-host "10.0.0.110" "zbox";