From 6447202f7f5ae66f89eed3e934b5b37a5a6ffcf0 Mon Sep 17 00:00:00 2001
From: Sic mundus creatus est
Date: Fri, 18 Jul 2025 01:40:21 +0200
Subject: [PATCH] init
---
flake.nix | 67 +++++++++++++++++++++++++++++++++++
nodes.nix | 14 ++++++++
shared/bastion.nix | 7 ++++
shared/bastion/wireguard.nix | 5 +++
shared/commons.nix | 10 ++++++
shared/commons/basics.nix | 19 ++++++++++
shared/commons/networking.nix | 42 ++++++++++++++++++++++
shared/commons/ssh.nix | 12 +++++++
shared/commons/sudo.nix | 19 ++++++++++
shared/users.nix | 17 +++++++++
shell.nix | 23 ++++++++++++
11 files changed, 235 insertions(+)
create mode 100644 flake.nix
create mode 100644 nodes.nix
create mode 100644 shared/bastion.nix
create mode 100644 shared/bastion/wireguard.nix
create mode 100755 shared/commons.nix
create mode 100644 shared/commons/basics.nix
create mode 100644 shared/commons/networking.nix
create mode 100644 shared/commons/ssh.nix
create mode 100644 shared/commons/sudo.nix
create mode 100644 shared/users.nix
create mode 100644 shell.nix
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..467b985
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,67 @@
+{
+ description = "LaSuite Federez Deployment";
+
+ inputs = {
+ # General sources
+ deploy-rs.url = "github:serokell/deploy-rs";
+ agenix.url = "github:ryantm/agenix";
+ nixpkgs-25-05.url = "github:NixOS/nixpkgs/nixos-25.05";
+ nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ };
+
+ outputs = { self, nixpkgs-25-05, nixpkgs-unstable, deploy-rs, agenix }: let
+ system = "x86_64-linux";
+
+ # Unmodified nixpkgs
+ pkgs-25-05 = import nixpkgs-25-05 { inherit system; };
+ pkgs-unstable = import nixpkgs-unstable { inherit system; };
+
+ # nixpkgs with deploy-rs overlay but force the nixpkgs package
+ deployPkgs-25-05 = import nixpkgs-25-05 {
+ inherit system;
+ overlays = [
+ deploy-rs.overlay.default
+ (self: super: { deploy-rs = { inherit (pkgs-25-05) deploy-rs; lib = super.deploy-rs.lib; }; })
+ ];
+ };
+ deployPkgs-unstable = import nixpkgs-unstable {
+ inherit system;
+ overlays = [
+ deploy-rs.overlay.default
+ (self: super: { deploy-rs = { inherit (pkgs-unstable) deploy-rs; lib = super.deploy-rs.lib; }; })
+ ];
+ };
+
+ nodes = import ./shared/nodes.nix;
+
+ defaultModules = [
+ ./shared/users.nix
+ ./shared/commons.nix
+ ];
+
+ in {
+ deploy = {
+ user = "root";
+ autoRollback = true;
+ magicRollback = true;
+ remoteBuild = true;
+ nodes = builtins.mapAttrs (name: config: {
+ "${name}" = {
+ hostname = builtins.head (builtins.split "/" config.ip4);
+ profilesOrder = [ "system" ];
+ profiles = {
+ system = {
+ path = "deployPkgs-${config.ver}".deploy-rs.lib.activate.nixos "nixpkgs-${config.ver}".lib.nixosSystem {
+ system = config.system;
+ modules = config.modules ++ defaultModules;
+ };
+ };
+ };
+ };
+ }) nodes;
+ };
+
+ # This is highly advised, and will prevent many possible mistakes
+ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ };
+}
\ No newline at end of file
diff --git a/nodes.nix b/nodes.nix
new file mode 100644
index 0000000..4abdb40
--- /dev/null
+++ b/nodes.nix
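Review bot: `nodes = import ./shared/nodes.nix;` points at a file this commit does not create — the node table is added as `nodes.nix` at the repository root, and `shared/commons/networking.nix` imports it from there via `./../../nodes.nix` — so evaluation of the flake fails on a missing path; the line should read `nodes = import ./nodes.nix;`. Separately, `"deployPkgs-${config.ver}".deploy-rs…` and `"nixpkgs-${config.ver}".lib.nixosSystem` are string literals rather than variable lookups, and even as names they would not match the `deployPkgs-25-05`/`nixpkgs-25-05` bindings for `ver = "25.05"`; an attrset keyed by the version string (e.g. `{ "25.05" = { deployPkgs = deployPkgs-25-05; nixpkgs = nixpkgs-25-05; }; }`) selected with `.${config.ver}` would make the selection evaluable. The `mapAttrs` callback also wraps its result in `"${name}" = { … }`, so every node lands one level deeper than `deploy.nodes.<name>` expects; returning the inner attrset directly fixes that. A short comment on `remoteBuild = true` stating that the target builds its own closure (and therefore needs the flake inputs reachable from the host) would help whoever deploys next.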
@@ -0,0 +1,14 @@
+{
+ "bastion.mtz.lasuite.federez" = {
+ system = "x86_64-linux";
+ ver = "25.05";
+ modules = [
+ ./shared/bastion.nix
+ ];
+
+ ip4 = "193.48.225.150/24";
+ gIp4 = "193.48.225.254/24";
+
+ dev = "ens18";
+ };
+}
\ No newline at end of file
diff --git a/shared/bastion.nix b/shared/bastion.nix
new file mode 100644
index 0000000..0c2ec72
--- /dev/null
+++ b/shared/bastion.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ # Import dependencies
+ imports = [
+ ./bastion/wireguard.nix
+ ];
+}
\ No newline at end of file
diff --git a/shared/bastion/wireguard.nix b/shared/bastion/wireguard.nix
new file mode 100644
index 0000000..eecb17f
--- /dev/null
+++ b/shared/bastion/wireguard.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ # TODO
+}
\ No newline at end of file
diff --git a/shared/commons.nix b/shared/commons.nix
new file mode 100755
index 0000000..a1bcfec
--- /dev/null
+++ b/shared/commons.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ # Import dependencies
+ imports = [
+ ./commons/basics.nix
+ ./commons/ssh.nix
+ ./commons/sudo.nix
+ ./commons/networking.nix
+ ];
+}
\ No newline at end of file
diff --git a/shared/commons/basics.nix b/shared/commons/basics.nix
new file mode 100644
index 0000000..15da60d
--- /dev/null
+++ b/shared/commons/basics.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ # Global packages
+ environment.systemPackages = with pkgs; [
+ #(callPackage "${builtins.fetchTarball {url = "https://github.com/ryantm/agenix/archive/main.tar.gz"; sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";}}/pkgs/agenix.nix" {})
+ bmon
+ tcpdump
+ htop
+ conntrack-tools
+ mtr
+ dig
+ molly-guard
+ fastfetch
+ ];
+
+}
\ No newline at end of file
diff --git a/shared/commons/networking.nix b/shared/commons/networking.nix
new file mode 100644
index 0000000..a201f45
--- /dev/null
+++ b/shared/commons/networking.nix
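Review bot: The commented-out `#(callPackage "${builtins.fetchTarball { url = …/archive/main.tar.gz; sha256 = …; }}/pkgs/agenix.nix" {})` entry in `environment.systemPackages` of `shared/commons/basics.nix` should be deleted rather than left as dead code: it fetches a branch tarball pinned to a fixed `sha256`, which stops matching as soon as `main` moves, and `flake.nix` already declares `agenix` as a pinned flake input that can supply the package if it is wanted on the hosts. The same unpinned-branch-plus-hash pattern is repeated live in `shell.nix`, so the two should be consolidated on the flake input.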
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+let
+ # Import nodes
+ nodes = import ./../../nodes.nix;
+ myNode = nodes."${config.hostName}";
+
+ supportsIPv4 = nd: lib.hasAttr "ip4" nd;
+ supportsIPv6 = nd: lib.hasAttr "ip6" nd;
+
+ # configure addresses including subnet mask
+ addr4 = if supportsIPv4 myNode then [ myNode.ip4 ] else [];
+ addr6 = if supportsIPv6 myNode then [ myNode.ip6 ] else [];
+
+ # And routes, the gateway is assumed to be in subnet, otherwise GatewayOnLink is required
+ route4 = if supportsIPv4 myNode then [{ Gateway = myNode.gIp4; }] else [];
+ route6 = if supportsIPv6 myNode then [{ Gateway = myNode.gIp6; }] else [];
+in
+{
+ systemd.network.enable = true;
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ systemd.network = {
+ networks."10-wan" = {
+ # match the interface by name
+ matchConfig.Name = myNode.dev;
+ address = addr4 ++ addr6;
+ routes = route4 ++ route6;
+ # DNS
+ dns = [ "1.1.1.1" ];
+ # make the routes on this interface a dependency for network-online.target
+ linkConfig.RequiredForOnline = "routable";
+ };
+
+ config.addRouteTablesToIPRoute2 = true;
+ config.routeTables = {
+ # Act as a route bin
+ off = 999;
+ };
+ };
+ networking.firewall.enable = true;
+}
\ No newline at end of file
diff --git a/shared/commons/ssh.nix b/shared/commons/ssh.nix
new file mode 100644
index 0000000..1ced729
--- /dev/null
+++ b/shared/commons/ssh.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ # SSH
+ services.openssh = {
+ enable = true;
+ # require public key authentication for better security
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "no";
+ };
+}
\ No newline at end of file
diff --git a/shared/commons/sudo.nix b/shared/commons/sudo.nix
new file mode 100644
index 0000000..aa7b219
--- /dev/null
+++ b/shared/commons/sudo.nix
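Review bot: `myNode = nodes."${config.hostName}";` reads `config.hostName`, which is not a NixOS option path — the hostname option is `config.networking.hostName` — so this module fails to evaluate before any of the `systemd.network` settings are applied; the line should be `myNode = nodes."${config.networking.hostName}";`. Nothing in the commit sets `networking.hostName` either, and the only key in `nodes.nix`, `"bastion.mtz.lasuite.federez"`, contains dots, which as far as I recall the NixOS hostName validation rejects, so keying `nodes.nix` by the short hostname (with the domain in `networking.domain`) or passing the node name into the module via `specialArgs` would make the lookup reliable. Note that `nodes = import ./../../nodes.nix;` resolves to the repository root, which agrees with where `nodes.nix` is created but not with `./shared/nodes.nix` in `flake.nix`. A one-line comment on `config.routeTables.off = 999` explaining how the "route bin" table is meant to be used (nothing in this commit references it) would save the next reader a search.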
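Review bot: `settings.PermitRootLogin = "no"` in `shared/commons/ssh.nix` is the right default, but `flake.nix` sets `deploy.user = "root"` without an `sshUser`, so deployments only work if deploy-rs's fallback for the SSH login happens to be the `wheel` account created in `shared/users.nix`; declaring `sshUser` explicitly next to `user = "root"` documents that the root profile is reached through sudo rather than a root login. A short comment above `services.openssh` stating that intent, e.g. `# root is never reachable over SSH; deploy-rs logs in as a wheel user and escalates via sudo`, would keep the two files from drifting apart.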
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+ security.sudo = {
+ enable = true;
+ extraRules = [
+ # Sudoers wheel can do everything without password
+ {
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ groups = [ "wheel" ];
+ }
+ ];
+ };
+}
\ No newline at end of file
diff --git a/shared/users.nix b/shared/users.nix
new file mode 100644
index 0000000..697e9aa
--- /dev/null
+++ b/shared/users.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+
+{
+ # Users
+ # Uid 1000 - 1999 are reserved for specific system users that need uid > 999
+
+ # Wheeler
+ users.users.asyncnomi = {
+ isNormalUser = true;
+ uid = 2001;
+ home = "/home/asyncnomi";
+ description = "Sic mundus creatus est";
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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 asyncnomi" ];
+ };
+
+}
\ No newline at end of file
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..a2ed18c
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,23 @@
+{ pkgs ? import {} }:
+
+let
+ agenixSrc = fetchTarball {
+ url = "https://github.com/ryantm/agenix/archive/main.tar.gz";
+ sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";
+ };
+in
+pkgs.mkShell {
+ buildInputs = [
+ (pkgs.callPackage "${agenixSrc}/pkgs/agenix.nix" {})
+ ];
+ packages = with pkgs; [
+ deploy-rs
+ nano
+ ];
+
+ EDITOR="nano";
+
+ shellHook = ''
+ echo "Welcome to Federez-LaSuite network deploy-rs shell environment!"
+ '';
+}
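Review bot: The `{ command = "ALL"; options = [ "NOPASSWD" ]; }` rule for `groups = [ "wheel" ]` in `shared/commons/sudo.nix` makes every wheel member's SSH key root-equivalent with no second step, since `shared/commons/ssh.nix` disables password and keyboard-interactive authentication; if passwordless sudo exists only so deploy-rs can activate the system profile, scoping the rule to a dedicated deployment user or group rather than all of `wheel` limits what a compromised interactive key can do. Either way the comment should state the reason, e.g. `# NOPASSWD is expected by deploy-rs when sshUser differs from user = "root" — confirm against the flake`, so the rule is not widened or narrowed by accident later.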
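Review bot: `fetchTarball` of `https://github.com/ryantm/agenix/archive/main.tar.gz` with a fixed `sha256` in `shell.nix` is a moving target — the hash stops matching at the next push to `main` and the shell then fails to evaluate — and it sidesteps the pinned `agenix` input that `flake.nix` already declares; pinning the URL to a tag or commit (`archive/<rev>.tar.gz`, with the matching hash) or exposing the flake's `agenix` package through a `devShells` output keeps the tool pinned in one place. The `{ pkgs ? import {} }:` header as rendered here has no path after `import`; if `<nixpkgs>` was lost in extraction this is fine, otherwise it is a syntax error.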