From 3ede14dc65065449cd1b948a477bdbb87e74c4fe Mon Sep 17 00:00:00 2001
From: "Agatha V. Lovelace"
Date: Thu, 5 Sep 2024 18:30:11 +0200
Subject: [PATCH] Init Watchtower
---
 common/fragments/home-assistant.nix | 55 ++++++++
 common/fragments/sponsorblock.nix | 10 ++
 flake.lock | 133 +++++++++-----------
 flake.nix | 16 +++
 hosts/watchtower/configuration.nix | 49 ++++++++
 hosts/watchtower/hardware-configuration.nix | 40 ++++++
 6 files changed, 228 insertions(+), 75 deletions(-)
 create mode 100644 common/fragments/home-assistant.nix
 create mode 100644 common/fragments/sponsorblock.nix
 create mode 100644 hosts/watchtower/configuration.nix
 create mode 100644 hosts/watchtower/hardware-configuration.nix
diff --git a/common/fragments/home-assistant.nix b/common/fragments/home-assistant.nix
new file mode 100644
index 0000000..b3ccec8
--- /dev/null
+++ b/common/fragments/home-assistant.nix
@@ -0,0 +1,55 @@
+{
+ networking.firewall.allowedTCPPorts = [
+ 8123
+ 1883
+ 1884
+ ];
+ networking.firewall.allowedTCPPortRanges = [
+ {
+ from = 21063;
+ to = 21070;
+ }
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 53
+ 67
+ 5353
+ ];
+
+ virtualisation.oci-containers.containers = {
+ "home-assistant" = {
+ image = "ghcr.io/home-assistant/home-assistant:stable";
+ autoStart = true;
+ volumes = [
+ "/var/lib/hass:/config"
+ "/etc/localtime:/etc/localtime:ro"
+ "/run/dbus:/run/dbus:ro"
+ ];
+ extraOptions = [ "--network=host" ];
+ };
+ };
+
+ services.mosquitto = {
+ enable = true;
+ listeners = [
+ {
+ users.root = {
+ acl = [ "readwrite #" ];
+ hashedPassword = "$7$101$GLzV4JTDU6Z9vHYl$GqkS+LOdufO3Znt/3M+4y0u8I3Yyv+3J/8SpsVTpKZMexNciPDhV3K67ZX6++yD75e4Eo4gJCYYhJ/JFt2o2nw==";
+ };
+ }
+ ];
+ };
+
+ services.create_ap = {
+ enable = true;
+ settings = {
+ WIFI_IFACE = "wlp2s0";
+ SHARE_METHOD = "none";
+ SSID = "Agatha-Isolated-Network";
+ # TODO: Replace placeholder password after switching to sops-nix
+ PASSPHRASE = "nCvKNgRH5L5DFBR4JULP3GHbDuk9XLfT";
+ };
+ };
+ networking.networkmanager.unmanaged = [ "wlp2s0" ];
+}
diff --git a/common/fragments/sponsorblock.nix b/common/fragments/sponsorblock.nix
new file mode 100644
index 0000000..1ecdb86
--- /dev/null
+++ b/common/fragments/sponsorblock.nix
@@ -0,0 +1,10 @@
+{
+ virtualisation.oci-containers.containers = {
+ "isponsorblocktv" = {
+ image = "ghcr.io/dmunozv04/isponsorblocktv";
+ autoStart = true;
+ volumes = [ "/var/lib/sponsorblock:/app/data" ];
+ extraOptions = [ "--network=host" ];
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
index 307e3dd..8394782 100644
--- a/flake.lock
+++ b/flake.lock
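Review bot: The `PASSPHRASE = …` line in the `services.create_ap.settings` block commits a Wi-Fi passphrase in plaintext, and the TODO's planned move to sops-nix will not remove it from git history, so the passphrase also needs to be rotated when that switch happens. The UDP ports 53, 67 and 5353 are opened host-wide through `networking.firewall.allowedUDPPorts` although they presumably exist only to serve the access-point clients on wlp2s0; scoping them with `networking.firewall.interfaces.wlp2s0.allowedUDPPorts = [ 53 67 5353 ];` keeps DNS/DHCP off the other interfaces. The mosquitto listener sets no `port` or `address`, and its only user, root, gets `acl = [ "readwrite #" ]`, so one credential appears to have full access to every topic on whatever address the listener defaults to; a comment stating that this is intended, or a per-client user with a narrower ACL, would make the trust boundary explicit. Both OCI images, `home-assistant:stable` here and the untagged `isponsorblocktv` image in sponsorblock.nix, use moving references, so a deploy is not reproducible; pinning by digest or version tag, or a comment explaining why not, is worth adding.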
@@ -167,24 +167,6 @@
 "type": "github"
 }
 },
- "flake-utils_4": {
- "inputs": {
- "systems": "systems_6"
- },
- "locked": {
- "lastModified": 1685518550,
- "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
 "frq-friend": {
 "inputs": {
 "naersk": "naersk_2",
@@ -217,11 +199,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1714732742,
- "narHash": "sha256-tvZiMfL0TEiZGe5lOAk0Qrmsigc5UNRDootbEGUV58o=",
+ "lastModified": 1719881815,
+ "narHash": "sha256-+Vh7r/dOlEphIV5zOIKKYTNMc083lLbQcUVsiyuiiws=",
 "owner": "helix-editor",
 "repo": "helix",
- "rev": "7e13213e7430c95cbad210994cecbfadc52c0714",
+ "rev": "3524060ee83b23c2b741a41f57d6ecc06e3fd871",
 "type": "github"
 },
 "original": {
@@ -237,16 +219,16 @@
 ]
 },
 "locked": {
- "lastModified": 1714043624,
- "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
+ "lastModified": 1719827385,
+ "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
+ "rev": "391ca6e950c2525b4f853cbe29922452c14eda82",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-23.11",
+ "ref": "release-24.05",
 "repo": "home-manager",
 "type": "github"
 }
@@ -411,6 +393,26 @@
 "type": "github"
 }
 },
+ "nix-darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs-darwin"
+ ]
+ },
+ "locked": {
+ "lastModified": 1724219898,
+ "narHash": "sha256-7PwlnEQDIbww8+nk0CHLeYTYMA23F/CkynHsX7Mxk+s=",
+ "owner": "LnL7",
+ "repo": "nix-darwin",
+ "rev": "d6703b988728b89456b32bac242c8689902e5a5b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "LnL7",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1696234590,
@@ -425,6 +427,22 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-darwin": {
+ "locked": {
+ "lastModified": 1724196396,
+ "narHash": "sha256-4GoGPErR0RM5r5x+LMnzZvxTdn11lCRO+z8wP3K3PyU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "1c5f849214c6c03c47e684622306aad181c107a4",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-24.05-darwin",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-regression": {
 "locked": {
 "lastModified": 1643052045,
@@ -443,11 +461,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1714656196,
- "narHash": "sha256-kjQkA98lMcsom6Gbhw8SYzmwrSo+2nruiTcTZp5jK7o=",
+ "lastModified": 1719826879,
+ "narHash": "sha256-xs7PlULe8O1SAcs/9e/HOjeUjBrU5FNtkAF/bSEcFto=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "94035b482d181af0a0f8f77823a790b256b7c3cc",
+ "rev": "b9014df496d5b68bf7c0145d0e9b0f529ce4f2a8",
 "type": "github"
 },
 "original": {
@@ -502,16 +520,16 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1714531828,
- "narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
+ "lastModified": 1719838683,
+ "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
+ "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
 "type": "github"
 },
 "original": {
 "id": "nixpkgs",
- "ref": "nixos-23.11",
+ "ref": "nixos-24.05",
 "type": "indirect"
 }
 },
@@ -541,9 +559,10 @@
 "home-manager": "home-manager",
 "matrix-ril100": "matrix-ril100",
 "mms": "mms",
+ "nix-darwin": "nix-darwin",
 "nixpkgs": "nixpkgs_5",
+ "nixpkgs-darwin": "nixpkgs-darwin",
 "nixpkgs-unstable": "nixpkgs-unstable",
- "spicetify-nix": "spicetify-nix",
 "url-eater": "url-eater",
 "vampysite": "vampysite"
 }
@@ -573,27 +592,6 @@
 "type": "github"
 }
 },
- "spicetify-nix": {
- "inputs": {
- "flake-utils": "flake-utils_4",
- "nixpkgs": [
- "nixpkgs-unstable"
- ]
- },
- "locked": {
- "lastModified": 1704167711,
- "narHash": "sha256-kFDq+kf/Di/P8bq5sUP8pVwRkrSVrABksBjMPmLic3s=",
- "owner": "the-argus",
- "repo": "spicetify-nix",
- "rev": "1325416f951d6a82cfddb1289864ad782e2b87c4",
- "type": "github"
- },
- "original": {
- "owner": "the-argus",
- "repo": "spicetify-nix",
- "type": "github"
- }
- },
 "stable": {
 "locked": {
 "lastModified": 1669735802,
@@ -715,21 +713,6 @@
 "type": "github"
 }
 },
- "systems_8": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
- },
 "url-eater": {
 "inputs": {
 "naersk": "naersk_4",
@@ -826,7 +809,7 @@
 },
 "utils_5": {
 "inputs": {
- "systems": "systems_7"
+ "systems": "systems_6"
 },
 "locked": {
 "lastModified": 1701680307,
@@ -844,7 +827,7 @@
 },
 "utils_6": {
 "inputs": {
- "systems": "systems_8"
+ "systems": "systems_7"
 },
 "locked": {
 "lastModified": 1681202837,
@@ -866,11 +849,11 @@
 "utils": "utils_6"
 },
 "locked": {
- "lastModified": 1704387018,
- "narHash": "sha256-ng+S3lDHgAu0FApVV74omIkYOQft1Vgh2rHpYxnhV6A=",
+ "lastModified": 1717180338,
+ "narHash": "sha256-g2ZNMpqJ4IARjXY8FX4UUfF4p9Unc01w8RzFYEONXlE=",
 "ref": "refs/heads/mistress",
- "rev": "bd6a6777ad2faf3779caaeb359354dff047066a4",
- "revCount": 20,
+ "rev": "1adcc3630a6c626f61dac989fffd661dbb4946ef",
+ "revCount": 21,
 "type": "git",
 "url": "https://git.lain.faith/sorceress/vampysite"
 },
diff --git a/flake.nix b/flake.nix
index 90f61fb..e7016f9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -157,6 +157,22 @@
 };
 };
 
+ watchtower = {
+ imports = [
+ ./common
+ ./common/linux-specific.nix
+ ./hosts/watchtower/configuration.nix
+ (import "${home-manager}/nixos")
+ ];
+
+ deployment = {
+ targetUser = "root";
+ targetHost = "watchtower";
+
+ tags = [ "prod" ];
+ };
+ };
+
 ritual = mkDesktop "ritual";
 tears = mkDesktop "tears";
 };
diff --git a/hosts/watchtower/configuration.nix b/hosts/watchtower/configuration.nix
new file mode 100644
index 0000000..299e22f
--- /dev/null
+++ b/hosts/watchtower/configuration.nix
@@ -0,0 +1,49 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/users/julia.nix
+ ../../common/home_manager/common.nix
+ ../../common/fragments/home-assistant.nix
+ ../../common/fragments/sponsorblock.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ boot.initrd.luks.devices."luks-081780bd-f005-4394-bbf2-3e5d9aab3c7d".device = "/dev/disk/by-uuid/081780bd-f005-4394-bbf2-3e5d9aab3c7d";
+
+ networking.hostName = "watchtower";
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ allowedTCPPorts = [
+ 22
+ 80
+ 443
+ ];
+ trustedInterfaces = [ "podman0" ];
+ };
+
+ virtualisation = {
+ podman = {
+ enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ oci-containers = {
+ backend = "podman";
+ };
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
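Review bot: `trustedInterfaces = [ "podman0" ]` in hosts/watchtower/configuration.nix exempts everything on the podman bridge from the firewall, yet both containers this host imports run with `--network=host` and never use that bridge, so the exemption only benefits whatever other podman workloads appear later. If it exists solely for `defaultNetwork.settings.dns_enabled`, a comment saying so, or a narrower rule such as `networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];`, would keep the trust boundary explicit. The LUKS device `luks-081780bd-…` declared here does not match the `luks-9c33d04a-…` device in hardware-configuration.nix; if it is a second encrypted volume (swap, presumably) a comment naming it would help, and if it is a leftover from another host it should be removed. TCP 80 and 443 are opened but no service binding them is visible in this commit; a comment pointing at where they are used would document the intent.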
diff --git a/hosts/watchtower/hardware-configuration.nix b/hosts/watchtower/hardware-configuration.nix
new file mode 100644
index 0000000..4eb2049
--- /dev/null
+++ b/hosts/watchtower/hardware-configuration.nix
@@ -0,0 +1,40 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }: {
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/eba0bc60-b96f-4b28-9447-f36209410ba3";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d".device =
+ "/dev/disk/by-uuid/9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d";
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/D95C-66EE";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/8a64d656-8ba2-4c11-87bf-858e1ca3ec7e"; }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode =
+ lib.mkDefault config.hardware.enableRedistributableFirmware;
+}