Init Watchtower

2024-09-05 18:30:11 +02:00 · 2024-09-05 18:30:11 +02:00 · 3ede14dc65
parent 1a94f63496
commit 3ede14dc65
6 changed files with 228 additions and 75 deletions
--- a/common/fragments/home-assistant.nix
+++ b/common/fragments/home-assistant.nix
@ -0,0 +1,55 @@
+{
+  networking.firewall.allowedTCPPorts = [
+    8123
+    1883
+    1884
+  ];
+  networking.firewall.allowedTCPPortRanges = [
+    {
+      from = 21063;
+      to = 21070;
+    }
+  ];
+  networking.firewall.allowedUDPPorts = [
+    53
+    67
+    5353
+  ];
+
+  virtualisation.oci-containers.containers = {
+    "home-assistant" = {
+      image = "ghcr.io/home-assistant/home-assistant:stable";
+      autoStart = true;
+      volumes = [
+        "/var/lib/hass:/config"
+        "/etc/localtime:/etc/localtime:ro"
+        "/run/dbus:/run/dbus:ro"
+      ];
+      extraOptions = [ "--network=host" ];
+    };
+  };
+
+  services.mosquitto = {
+    enable = true;
+    listeners = [
+      {
+        users.root = {
+          acl = [ "readwrite #" ];
+          hashedPassword = "$7$101$GLzV4JTDU6Z9vHYl$GqkS+LOdufO3Znt/3M+4y0u8I3Yyv+3J/8SpsVTpKZMexNciPDhV3K67ZX6++yD75e4Eo4gJCYYhJ/JFt2o2nw==";
+        };
+      }
+    ];
+  };
+
+  services.create_ap = {
+    enable = true;
+    settings = {
+      WIFI_IFACE = "wlp2s0";
+      SHARE_METHOD = "none";
+      SSID = "Agatha-Isolated-Network";
+      # TODO: Replace placeholder password after switching to sops-nix
+      PASSPHRASE = "nCvKNgRH5L5DFBR4JULP3GHbDuk9XLfT";
+    };
+  };
+  networking.networkmanager.unmanaged = [ "wlp2s0" ];
+}
--- a/common/fragments/sponsorblock.nix
+++ b/common/fragments/sponsorblock.nix
@ -0,0 +1,10 @@
+{
+  virtualisation.oci-containers.containers = {
+    "isponsorblocktv" = {
+      image = "ghcr.io/dmunozv04/isponsorblocktv";
+      autoStart = true;
+      volumes = [ "/var/lib/sponsorblock:/app/data" ];
+      extraOptions = [ "--network=host" ];
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
@ -167,24 +167,6 @@
        "type": "github"
      }
    },
-    "flake-utils_4": {
-      "inputs": {
-        "systems": "systems_6"
-      },
-      "locked": {
-        "lastModified": 1685518550,
-        "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "frq-friend": {
      "inputs": {
        "naersk": "naersk_2",
@ -217,11 +199,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1714732742,
-        "narHash": "sha256-tvZiMfL0TEiZGe5lOAk0Qrmsigc5UNRDootbEGUV58o=",
+        "lastModified": 1719881815,
+        "narHash": "sha256-+Vh7r/dOlEphIV5zOIKKYTNMc083lLbQcUVsiyuiiws=",
        "owner": "helix-editor",
        "repo": "helix",
-        "rev": "7e13213e7430c95cbad210994cecbfadc52c0714",
+        "rev": "3524060ee83b23c2b741a41f57d6ecc06e3fd871",
        "type": "github"
      },
      "original": {
@ -237,16 +219,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1714043624,
-        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
+        "lastModified": 1719827385,
+        "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
+        "rev": "391ca6e950c2525b4f853cbe29922452c14eda82",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
@ -411,6 +393,26 @@
        "type": "github"
      }
    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-darwin"
+        ]
+      },
+      "locked": {
+        "lastModified": 1724219898,
+        "narHash": "sha256-7PwlnEQDIbww8+nk0CHLeYTYMA23F/CkynHsX7Mxk+s=",
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "rev": "d6703b988728b89456b32bac242c8689902e5a5b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1696234590,
@ -425,6 +427,22 @@
        "type": "indirect"
      }
    },
+    "nixpkgs-darwin": {
+      "locked": {
+        "lastModified": 1724196396,
+        "narHash": "sha256-4GoGPErR0RM5r5x+LMnzZvxTdn11lCRO+z8wP3K3PyU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1c5f849214c6c03c47e684622306aad181c107a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-24.05-darwin",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@ -443,11 +461,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1714656196,
-        "narHash": "sha256-kjQkA98lMcsom6Gbhw8SYzmwrSo+2nruiTcTZp5jK7o=",
+        "lastModified": 1719826879,
+        "narHash": "sha256-xs7PlULe8O1SAcs/9e/HOjeUjBrU5FNtkAF/bSEcFto=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "94035b482d181af0a0f8f77823a790b256b7c3cc",
+        "rev": "b9014df496d5b68bf7c0145d0e9b0f529ce4f2a8",
        "type": "github"
      },
      "original": {
@ -502,16 +520,16 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1714531828,
-        "narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
+        "lastModified": 1719838683,
+        "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
+        "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "type": "indirect"
      }
    },
@ -541,9 +559,10 @@
        "home-manager": "home-manager",
        "matrix-ril100": "matrix-ril100",
        "mms": "mms",
+        "nix-darwin": "nix-darwin",
        "nixpkgs": "nixpkgs_5",
+        "nixpkgs-darwin": "nixpkgs-darwin",
        "nixpkgs-unstable": "nixpkgs-unstable",
-        "spicetify-nix": "spicetify-nix",
        "url-eater": "url-eater",
        "vampysite": "vampysite"
      }
@ -573,27 +592,6 @@
        "type": "github"
      }
    },
-    "spicetify-nix": {
-      "inputs": {
-        "flake-utils": "flake-utils_4",
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ]
-      },
-      "locked": {
-        "lastModified": 1704167711,
-        "narHash": "sha256-kFDq+kf/Di/P8bq5sUP8pVwRkrSVrABksBjMPmLic3s=",
-        "owner": "the-argus",
-        "repo": "spicetify-nix",
-        "rev": "1325416f951d6a82cfddb1289864ad782e2b87c4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "the-argus",
-        "repo": "spicetify-nix",
-        "type": "github"
-      }
-    },
    "stable": {
      "locked": {
        "lastModified": 1669735802,
@ -715,21 +713,6 @@
        "type": "github"
      }
    },
-    "systems_8": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
    "url-eater": {
      "inputs": {
        "naersk": "naersk_4",
@ -826,7 +809,7 @@
    },
    "utils_5": {
      "inputs": {
-        "systems": "systems_7"
+        "systems": "systems_6"
      },
      "locked": {
        "lastModified": 1701680307,
@ -844,7 +827,7 @@
    },
    "utils_6": {
      "inputs": {
-        "systems": "systems_8"
+        "systems": "systems_7"
      },
      "locked": {
        "lastModified": 1681202837,
@ -866,11 +849,11 @@
        "utils": "utils_6"
      },
      "locked": {
-        "lastModified": 1704387018,
-        "narHash": "sha256-ng+S3lDHgAu0FApVV74omIkYOQft1Vgh2rHpYxnhV6A=",
+        "lastModified": 1717180338,
+        "narHash": "sha256-g2ZNMpqJ4IARjXY8FX4UUfF4p9Unc01w8RzFYEONXlE=",
        "ref": "refs/heads/mistress",
-        "rev": "bd6a6777ad2faf3779caaeb359354dff047066a4",
-        "revCount": 20,
+        "rev": "1adcc3630a6c626f61dac989fffd661dbb4946ef",
+        "revCount": 21,
        "type": "git",
        "url": "https://git.lain.faith/sorceress/vampysite"
      },
--- a/flake.nix
+++ b/flake.nix
@ -157,6 +157,22 @@
          };
        };

+        watchtower = {
+          imports = [
+            ./common
+            ./common/linux-specific.nix
+            ./hosts/watchtower/configuration.nix
+            (import "${home-manager}/nixos")
+          ];
+
+          deployment = {
+            targetUser = "root";
+            targetHost = "watchtower";
+
+            tags = [ "prod" ];
+          };
+        };
+
        ritual = mkDesktop "ritual";
        tears = mkDesktop "tears";
      };
--- a/hosts/watchtower/configuration.nix
+++ b/hosts/watchtower/configuration.nix
@ -0,0 +1,49 @@
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../common/users/julia.nix
+    ../../common/home_manager/common.nix
+    ../../common/fragments/home-assistant.nix
+    ../../common/fragments/sponsorblock.nix
+  ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device = "/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";
+
+  networking.hostName = "watchtower";
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Open ports in the firewall.
+  networking.firewall = {
+    allowedTCPPorts = [
+      22
+      80
+      443
+    ];
+    trustedInterfaces = [ "podman0" ];
+  };
+
+  virtualisation = {
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      defaultNetwork.settings.dns_enabled = true;
+    };
+    oci-containers = {
+      backend = "podman";
+    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
--- a/hosts/watchtower/hardware-configuration.nix
+++ b/hosts/watchtower/hardware-configuration.nix
@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }: {
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules =
+    [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/eba0bc60-b96f-4b28-9447-f36209410ba3";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d".device =
+    "/dev/disk/by-uuid/9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D95C-66EE";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/8a64d656-8ba2-4c11-87bf-858e1ca3ec7e"; }];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
+}