lasuite-federez/nix
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init

Browse source
This commit is contained in:
Sic mundus creatus est 2025-07-18 01:40:21 +02:00
parent 6a95af0656
commit 6447202f7f
11 changed files with 235 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

67
flake.nix Normal file
View file

@ -0,0 +1,67 @@
{
description = "LaSuite Federez Deployment";
inputs = {
# General sources
deploy-rs.url = "github:serokell/deploy-rs";
agenix.url = "github:ryantm/agenix";
nixpkgs-25-05.url = "github:NixOS/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { self, nixpkgs-25-05, nixpkgs-unstable, deploy-rs, agenix }: let
system = "x86_64-linux";
# Unmodified nixpkgs
pkgs-25-05 = import nixpkgs-25-05 { inherit system; };
pkgs-unstable = import nixpkgs-unstable { inherit system; };
# nixpkgs with deploy-rs overlay but force the nixpkgs package
deployPkgs-25-05 = import nixpkgs-25-05 {
inherit system;
overlays = [
deploy-rs.overlay.default
(self: super: { deploy-rs = { inherit (pkgs-25-05) deploy-rs; lib = super.deploy-rs.lib; }; })
];
};
deployPkgs-unstable = import nixpkgs-unstable {
inherit system;
overlays = [
deploy-rs.overlay.default
(self: super: { deploy-rs = { inherit (pkgs-unstable) deploy-rs; lib = super.deploy-rs.lib; }; })
];
};
nodes = import ./shared/nodes.nix;
defaultModules = [
./shared/users.nix
./shared/commons.nix
];
in {
deploy = {
user = "root";
autoRollback = true;
magicRollback = true;
remoteBuild = true;
nodes = builtins.mapAttrs (name: config: {
"${name}" = {
hostname = builtins.head (builtins.split "/" config.ip4);
profilesOrder = [ "system" ];
profiles = {
system = {
path = "deployPkgs-${config.ver}".deploy-rs.lib.activate.nixos "nixpkgs-${config.ver}".lib.nixosSystem {
system = config.system;
modules = config.modules ++ defaultModules;
};
};
};
};
}) nodes;
};
# This is highly advised, and will prevent many possible mistakes
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
};
}

14
nodes.nix Normal file
View file

@ -0,0 +1,14 @@
{
"bastion.mtz.lasuite.federez" = {
system = "x86_64-linux";
ver = "25.05";
modules = [
./shared/bastion.nix
];
ip4 = "193.48.225.150/24";
gIp4 = "193.48.225.254/24";
dev = "ens18";
};
}

7
shared/bastion.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
# Import dependencies
imports = [
./bastion/wireguard.nix
];
}

5
shared/bastion/wireguard.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }:
{
# TODO
}

10
shared/commons.nix Executable file
View file

@ -0,0 +1,10 @@
{ ... }:
{
# Import dependencies
imports = [
./commons/basics.nix
./commons/ssh.nix
./commons/sudo.nix
./commons/networking.nix
];
}

19
shared/commons/basics.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs, ... }:
{
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Global packages
environment.systemPackages = with pkgs; [
#(callPackage "${builtins.fetchTarball {url = "https://github.com/ryantm/agenix/archive/main.tar.gz"; sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";}}/pkgs/agenix.nix" {})
bmon
tcpdump
htop
conntrack-tools
mtr
dig
molly-guard
fastfetch
];
}

42
shared/commons/networking.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, ... }:
let
# Import nodes
nodes = import ./../../nodes.nix;
myNode = nodes."${config.hostName}";
supportsIPv4 = nd: lib.hasAttr "ip4" nd;
supportsIPv6 = nd: lib.hasAttr "ip6" nd;
# configure addresses including subnet mask
addr4 = if supportsIPv4 myNode then [ myNode.ip4 ] else [];
addr6 = if supportsIPv6 myNode then [ myNode.ip6 ] else [];
# And routes, the gateway is assumed to be in subnet, otherwise GatewayOnLink is required
route4 = if supportsIPv4 myNode then [{ Gateway = myNode.gIp4; }] else [];
route6 = if supportsIPv6 myNode then [{ Gateway = myNode.gIp6; }] else [];
in
{
systemd.network.enable = true;
networking.useNetworkd = true;
networking.useDHCP = false;
systemd.network = {
networks."10-wan" = {
# match the interface by name
matchConfig.Name = myNode.dev;
address = addr4 ++ addr6;
routes = route4 ++ route6;
# DNS
dns = [ "1.1.1.1" ];
# make the routes on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
config.addRouteTablesToIPRoute2 = true;
config.routeTables = {
# Act as a route bin
off = 999;
};
};
networking.firewall.enable = true;
}

12
shared/commons/ssh.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
# SSH
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
}

19
shared/commons/sudo.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
{
security.sudo = {
enable = true;
extraRules = [
# Sudoers wheel can do everything without password
{
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
groups = [ "wheel" ];
}
];
};
}

17
shared/users.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, pkgs, lib, ... }:
{
# Users
# Uid 1000 - 1999 are reserved for specific system users that need uid > 999
# Wheeler
users.users.asyncnomi = {
isNormalUser = true;
uid = 2001;
home = "/home/asyncnomi";
description = "Sic mundus creatus est";
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQC3wkkW58044OeMnwbok+KQJrxNVPLx8Bbh4ukfADkBNFhve0+XDHMdMXRsD8MEheiRW/tlkHOljD2206cYIfW5w/lCJIWnP/EJgOfQ+vSQ5cJMXjP18Wm7HBYsyc4PYdeZLbRS6lFYisWkSwKscO1sy3s5JtftMI5/QXK6al1Xbnr5K2mkeB90w3aiaUCz2pXXe1SiHitTmIeiuEY/4iycEBxkxEupSEivCBHoSO7uBpEhasZcpSxTz/303Ti4+JgWs69xUooyEuIhcwjWH/91a0LV+5yKzOpdDQeJrSv8Cw1EQmmGM0ZJv7wFKKQ3ht9DXZd4lrvPtyWSD+JYOSRSsNCEMy6dPX7uUdcDwkwnrdPaxBOXFOB1InTGQWVnMGBsG0aK7UkwmPuoJXhaordrHFEac9aIcg5P7q1D8S+L6u/DdFq2IGZsymTrSAJsHQJ6q9wnOwGmiLaPw4WBaagzdlTmNz6WODG/9I25vQsC3z+I4Q39NG1u9/d+f465e2Z79D8X3H/pfKkAllgOrMY2eWVqjttZpjCbFo2Ckpat7JRYrvUIQCrzbhWK0uwUlH7+wGDqcPPrtpLYtVfKcWR8G4hFZl7HzN18riNHJ3158Pf4Te4/OzC6kbXa62zFpB9BWXoL8VXfDHaNv/5LB27Ikqd3QsCJfuhUBpFbndiUtlO/WSSx/ryPv3P0tWWlLcZXHTgTAzSjd+Git2FWXnSQd4QY5N48zVZE4jMK92ZBb1sqoDQnsWv5PeBWFiti/fNbJhqUJhraUerNpXgkNgxq6I1CTWG27cq8cA2v8Pf3VTM26NlQU3fR+m5ClbzS2iAeNjnh8dN9jx+q+4f5d/WS4HhsbBE+0l7sOaNp/ahOTPandZcU4wELc1sWkF/8apI1NItFtESU+So5gGs4nCoE8DXGV6kMPHsL4lmOlCVMjqe35AXu6XLQidocAKMr2sZxvaB/57oKPf6w+XjAxN2Aur8J6ocBGiePVK+VOud3NdpJLQ6QNeI4n7NHXBh9NVuS/RTy9r/EtoSXDwibINWNNDSCANLT7WQNorM4LiJRVFFfAcmwaCY1LbYnnr27qrboPTMT+jrOOQn35wZboAC531oD//qt7VP03uQeeXtFlUmZYywAdhStour7YsmwnxdEe8B+FfRmdhFaOlWdoMnUrziNdWHWTuIH0UIiB/DuF8eGLRtAdDBT3cFOHDMekx0LW/a1BYn3dXXuW+p7gTQUtEZXe+NJcgc62dSPFXwVKo8sogjFQzscupkFFXn3FSmfH91iVa8B84AhAZi/bZ5TslccHr3C+333RJ8holOOynOfFxryN5mKPP4ycypF66TNcZ5/b/klpvUt7BitvPZT asyncnomi" ];
};
}

23
shell.nix Normal file
View file

@ -0,0 +1,23 @@
{ pkgs ? import <nixpkgs> {} }:
let
agenixSrc = fetchTarball {
url = "https://github.com/ryantm/agenix/archive/main.tar.gz";
sha256 = "103slb8xy5sb68zxjjbb9d0svq8xz751a7yrg6vrz5rh4374bzgl";
};
in
pkgs.mkShell {
buildInputs = [
(pkgs.callPackage "${agenixSrc}/pkgs/agenix.nix" {})
];
packages = with pkgs; [
deploy-rs
nano
];
EDITOR="nano";
shellHook = ''
echo "Welcome to Federez-LaSuite network deploy-rs shell environment!"
'';
}