Init Watchtower

This commit is contained in:
Agatha Lovelace 2024-09-05 18:30:11 +02:00
parent 4111ad2afa
commit 1457e0e883
Signed by: sorceress
GPG Key ID: 01D0B3AB10CED4F8
6 changed files with 213 additions and 75 deletions

View File

@ -0,0 +1,44 @@
{
networking.firewall.allowedTCPPorts = [ 8123 1883 1884 ];
networking.firewall.allowedTCPPortRanges = [{
from = 21063;
to = 21070;
}];
networking.firewall.allowedUDPPorts = [ 53 67 5353 ];
virtualisation.oci-containers.containers = {
"home-assistant" = {
image = "ghcr.io/home-assistant/home-assistant:stable";
autoStart = true;
volumes = [
"/var/lib/hass:/config"
"/etc/localtime:/etc/localtime:ro"
"/run/dbus:/run/dbus:ro"
];
extraOptions = [ "--network=host" ];
};
};
services.mosquitto = {
enable = true;
listeners = [{
users.root = {
acl = [ "readwrite #" ];
hashedPassword =
"$7$101$GLzV4JTDU6Z9vHYl$GqkS+LOdufO3Znt/3M+4y0u8I3Yyv+3J/8SpsVTpKZMexNciPDhV3K67ZX6++yD75e4Eo4gJCYYhJ/JFt2o2nw==";
};
}];
};
services.create_ap = {
enable = true;
settings = {
WIFI_IFACE = "wlp2s0";
SHARE_METHOD = "none";
SSID = "Agatha-Isolated-Network";
# TODO: Replace placeholder password after switching to sops-nix
PASSPHRASE = "nCvKNgRH5L5DFBR4JULP3GHbDuk9XLfT";
};
};
networking.networkmanager.unmanaged = [ "wlp2s0" ];
}

View File

@ -0,0 +1,10 @@
{
virtualisation.oci-containers.containers = {
"isponsorblocktv" = {
image = "ghcr.io/dmunozv04/isponsorblocktv";
autoStart = true;
volumes = [ "/var/lib/sponsorblock:/app/data" ];
extraOptions = [ "--network=host" ];
};
};
}

View File

@ -167,24 +167,6 @@
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_6"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"frq-friend": {
"inputs": {
"naersk": "naersk_2",
@ -217,11 +199,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1714732742,
"narHash": "sha256-tvZiMfL0TEiZGe5lOAk0Qrmsigc5UNRDootbEGUV58o=",
"lastModified": 1719881815,
"narHash": "sha256-+Vh7r/dOlEphIV5zOIKKYTNMc083lLbQcUVsiyuiiws=",
"owner": "helix-editor",
"repo": "helix",
"rev": "7e13213e7430c95cbad210994cecbfadc52c0714",
"rev": "3524060ee83b23c2b741a41f57d6ecc06e3fd871",
"type": "github"
},
"original": {
@ -237,16 +219,16 @@
]
},
"locked": {
"lastModified": 1714043624,
"narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
"lastModified": 1719827385,
"narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
"rev": "391ca6e950c2525b4f853cbe29922452c14eda82",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
@ -411,6 +393,26 @@
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs-darwin"
]
},
"locked": {
"lastModified": 1724219898,
"narHash": "sha256-7PwlnEQDIbww8+nk0CHLeYTYMA23F/CkynHsX7Mxk+s=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "d6703b988728b89456b32bac242c8689902e5a5b",
"type": "github"
},
"original": {
"owner": "LnL7",
"repo": "nix-darwin",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1696234590,
@ -425,6 +427,22 @@
"type": "indirect"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1724196396,
"narHash": "sha256-4GoGPErR0RM5r5x+LMnzZvxTdn11lCRO+z8wP3K3PyU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1c5f849214c6c03c47e684622306aad181c107a4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-24.05-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
@ -443,11 +461,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1714656196,
"narHash": "sha256-kjQkA98lMcsom6Gbhw8SYzmwrSo+2nruiTcTZp5jK7o=",
"lastModified": 1719826879,
"narHash": "sha256-xs7PlULe8O1SAcs/9e/HOjeUjBrU5FNtkAF/bSEcFto=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "94035b482d181af0a0f8f77823a790b256b7c3cc",
"rev": "b9014df496d5b68bf7c0145d0e9b0f529ce4f2a8",
"type": "github"
},
"original": {
@ -502,16 +520,16 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1714531828,
"narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
"lastModified": 1719838683,
"narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
"rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"type": "indirect"
}
},
@ -541,9 +559,10 @@
"home-manager": "home-manager",
"matrix-ril100": "matrix-ril100",
"mms": "mms",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs_5",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-unstable": "nixpkgs-unstable",
"spicetify-nix": "spicetify-nix",
"url-eater": "url-eater",
"vampysite": "vampysite"
}
@ -573,27 +592,6 @@
"type": "github"
}
},
"spicetify-nix": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1704167711,
"narHash": "sha256-kFDq+kf/Di/P8bq5sUP8pVwRkrSVrABksBjMPmLic3s=",
"owner": "the-argus",
"repo": "spicetify-nix",
"rev": "1325416f951d6a82cfddb1289864ad782e2b87c4",
"type": "github"
},
"original": {
"owner": "the-argus",
"repo": "spicetify-nix",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1669735802,
@ -715,21 +713,6 @@
"type": "github"
}
},
"systems_8": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"url-eater": {
"inputs": {
"naersk": "naersk_4",
@ -826,7 +809,7 @@
},
"utils_5": {
"inputs": {
"systems": "systems_7"
"systems": "systems_6"
},
"locked": {
"lastModified": 1701680307,
@ -844,7 +827,7 @@
},
"utils_6": {
"inputs": {
"systems": "systems_8"
"systems": "systems_7"
},
"locked": {
"lastModified": 1681202837,
@ -866,11 +849,11 @@
"utils": "utils_6"
},
"locked": {
"lastModified": 1704387018,
"narHash": "sha256-ng+S3lDHgAu0FApVV74omIkYOQft1Vgh2rHpYxnhV6A=",
"lastModified": 1717180338,
"narHash": "sha256-g2ZNMpqJ4IARjXY8FX4UUfF4p9Unc01w8RzFYEONXlE=",
"ref": "refs/heads/mistress",
"rev": "bd6a6777ad2faf3779caaeb359354dff047066a4",
"revCount": 20,
"rev": "1adcc3630a6c626f61dac989fffd661dbb4946ef",
"revCount": 21,
"type": "git",
"url": "https://git.lain.faith/sorceress/vampysite"
},

View File

@ -157,6 +157,22 @@
};
};
watchtower = {
imports = [
./common
./common/linux-specific.nix
./hosts/watchtower/configuration.nix
(import "${home-manager}/nixos")
];
deployment = {
targetUser = "root";
targetHost = "watchtower";
tags = [ "prod" ];
};
};
ritual = mkDesktop "ritual";
tears = mkDesktop "tears";
};

View File

@ -0,0 +1,45 @@
{
imports = [
./hardware-configuration.nix
../../common/users/julia.nix
../../common/home_manager/common.nix
../../common/fragments/home-assistant.nix
../../common/fragments/sponsorblock.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device =
"/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";
networking.hostName = "watchtower";
# Enable networking
networking.networkmanager.enable = true;
# Open ports in the firewall.
networking.firewall = {
allowedTCPPorts = [ 22 80 443 ];
trustedInterfaces = [ "podman0" ];
};
virtualisation = {
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
oci-containers = { backend = "podman"; };
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

View File

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }: {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/eba0bc60-b96f-4b28-9447-f36209410ba3";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d".device =
"/dev/disk/by-uuid/9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D95C-66EE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[{ device = "/dev/disk/by-uuid/8a64d656-8ba2-4c11-87bf-858e1ca3ec7e"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}