From 27b0b357748db05a05d985f561d42583d37f18bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christopher=20M=C3=BChl?= Date: Thu, 18 Sep 2025 19:07:50 +0200 Subject: [PATCH] Configure beryllium for usage --- Justfile | 4 +- flake.lock | 16 +++++ flake.nix | 9 +++ .../christopher@beryllium/default.nix | 32 +++++++++ ...061d23fe6d1347e4e94aabe277f-smbSecrets.age | 8 +++ ...92c3025c1f5bd7a4f4aabbf554-traefik-env.age | 8 +++ ...30af7b9efa661c3f88d1e5209b802b3-config.age | Bin 947 -> 0 bytes ...d09b6b5d3b63d4794137e3cbdad53c9-config.age | Bin 0 -> 1233 bytes secrets/smb-secrets.age | Bin 0 -> 459 bytes secrets/ssh/config.age | Bin 1055 -> 1353 bytes secrets/traefik.env.age | 11 ++++ systems/x86_64-linux/beryllium/default.nix | 62 ++++++++++++++++-- systems/x86_64-linux/beryllium/hardware.nix | 10 +++ 13 files changed, 152 insertions(+), 8 deletions(-) create mode 100644 homes/x86_64-linux/christopher@beryllium/default.nix create mode 100644 secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age create mode 100644 secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age delete mode 100644 secrets/rekeyed/christopher_cobalt/530af7b9efa661c3f88d1e5209b802b3-config.age create mode 100644 secrets/rekeyed/christopher_cobalt/ed09b6b5d3b63d4794137e3cbdad53c9-config.age create mode 100644 secrets/smb-secrets.age create mode 100644 secrets/traefik.env.age diff --git a/Justfile b/Justfile index 59a46f1..aafaf31 100644 --- a/Justfile +++ b/Justfile 
@@ -17,10 +17,10 @@ deploy: }} europium: - nixos-rebuild switch --flake .#europium --target-host europium --build-host europium --use-remote-sudo + nixos-rebuild switch --flake .#europium --target-host europium-deploy --build-host europium --use-remote-sudo beryllium: - nixos-rebuild switch --flake .#beryllium --target-host beryllium --build-host beryllium --use-remote-sudo + nixos-rebuild switch --flake .#beryllium --target-host beryllium-deploy --build-host beryllium --use-remote-sudo # Opens the elements configuration in the default editor edit: diff --git a/flake.lock b/flake.lock index 492913e..c52c6e9 100644 --- a/flake.lock +++ b/flake.lock @@ -934,6 +934,21 @@ "type": "github" } }, + "quadlet": { + "locked": { + "lastModified": 1754008153, + "narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=", + "owner": "SEIAROTg", + "repo": "quadlet-nix", + "rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4", + "type": "github" + }, + "original": { + "owner": "SEIAROTg", + "repo": "quadlet-nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -947,6 +962,7 @@ "hyprland": "hyprland", "musnix": "musnix", "nixpkgs": "nixpkgs_4", + "quadlet": "quadlet", "rose-pine-hyprcursor": "rose-pine-hyprcursor", "snowfall": "snowfall", "split-monitor-workspaces": "split-monitor-workspaces" diff --git a/flake.nix b/flake.nix index 95f5d73..9e98260 100644 --- a/flake.nix +++ b/flake.nix @@ -35,9 +35,17 @@ ]; beryllium.modules = [ copyparty.nixosModules.default + quadlet.nixosModules.quadlet + ]; + europium.modules = [ + quadlet.nixosModules.quadlet ]; }; + homes.users."christopher@beryllium".modules = with inputs; [ + quadlet.homeManagerModules.quadlet + ]; + # Configure nixpkgs when instantiating the package set # TODO: This is already specified elsewhere. Still needed here? channels-config = { 
@@ -110,6 +118,7 @@ inputs.hyprland.follows = "hyprland"; }; + quadlet.url = "github:SEIAROTg/quadlet-nix"; musnix.url = "github:musnix/musnix"; docker-compose-1.url = github:nixos/nixpkgs/b0f0b5c6c021ebafbd322899aa9a54b87d75a313; diff --git a/homes/x86_64-linux/christopher@beryllium/default.nix b/homes/x86_64-linux/christopher@beryllium/default.nix new file mode 100644 index 0000000..a3a04ca --- /dev/null +++ b/homes/x86_64-linux/christopher@beryllium/default.nix @@ -0,0 +1,32 @@ +{ + pkgs, + config, + ... +}: { + elements.secrets = { + rekeyPath = "christopher_beryllium"; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUKDCjB0VpQubi8BfnYKbh4MIE1tcvKQesdoPE4NXAf"; + + needs = { + traefik-env = "traefik.env.age"; + }; + }; + + # virtualisation.quadlet.containers = { + # echo = { + # autoStart = true; + # serviceConfig = { + # RestartSec = "10"; + # Restart = "always"; + # }; + # containerConfig = { + # image = "docker.io/mendhak/http-https-echo:31"; + # publishPorts = ["127.0.0.1:8080:8080"]; + # }; + # }; + # }; + + home.packages = with pkgs; [ + helix + ]; +} diff --git a/secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age b/secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age new file mode 100644 index 0000000..74bb7a8 --- /dev/null +++ b/secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pySEWw kigbWfXfeb8YlBMpSWM+jDPtjYeAltdTORqPQ7kqnFg +P8j10qrMzjWZ91FVnn4sLugS/AcS2XrMr9TRal5gRVc +-> m0^G"4-grease p]TT RuLz +9HFjCiuy7w +--- j57VRBCbLMVDI2s7DnpBwTvVzzvqwMdXL6Ec/9Tg6MA +cD_FT,h }/;A8P%/:E)pՀ +mq{J Ukn\8L}j'yaJ \ No newline at end of file diff --git a/secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age b/secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age new file mode 100644 index 0000000..84cc35b --- /dev/null 
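Review bot: The new home module commits a commented-out `virtualisation.quadlet.containers` block and an unused `config` argument, while `needs.traefik-env` declares a secret that nothing in the file consumes yet; drop the dead block or replace it with a one-line `# TODO: traefik quadlet (consumes the traefik-env secret)` so the reader knows why the secret is wired up, and remove `config` from the argument set until it is used. When the Traefik quadlet does land, hand the decrypted file to the container through quadlet's environment-file mechanism rather than copying its values into an `environments` attribute, so whatever the env file holds stays out of the generated unit and of `podman inspect` output. The `key` here is the same ssh-ed25519 public key the system module uses for `elements.secrets`, i.e. this user's secrets are encrypted to the host key rather than a per-user key — presumably intended for the rekey flow, but a short comment saying so would save the next reader a check.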
+++ b/secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pySEWw yyra9wL+n2gFPpbmnkvbsxBverCR/r7yPSw3aCD0slk +65Vc/tQKzfsFC5smIqHmXA7NlSJLW8oXAYPYiX3bGcw +-> MV*6+^H-grease uV!LS]1* B5lCK], yjN7. +O1RM77BbFx0SsKlEXUVAJCswHGS1oKfX1ZvBNcF47W0o//6iiBHOWTvpaW15xVMZ +00g +--- XNgzqoXEkkzK8TE/A81FFduXsiDouJFXV/9o/m/bnss +Q10#͚i~d~ElgG^O,P:֣[if>,@i|DJm)P8h2Vk)7>u@q #͈םf偨䐙ۥ+O,a,%tR[7N \ No newline at end of file 
diff --git a/secrets/rekeyed/christopher_cobalt/530af7b9efa661c3f88d1e5209b802b3-config.age b/secrets/rekeyed/christopher_cobalt/530af7b9efa661c3f88d1e5209b802b3-config.age deleted file mode 100644 index 90a4f40c99aee6047e6985dfae88a6fc79a52be9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 947 zcmV;k15Es3XJsvAZewzJaCB*JZZ29_S2%Z3IZ{SUVR}_Bby`JKOfyC+cWZ1+RX7S*T1Y}yNI7vw zHgI=QD@{#RL^3y7dQEG1IY@9vFHciaT6r;YaWOSSc{mC!J|HttJV|gZXL4m>b7cx- zNNg}?Q&B5$V|NNIEiE8fWMVW#V`M{Ec6w5DPEj{ROE6+?Gc;yFSxi<}OjA{6S5{|G zLULDjF*FMEVSFV=Adc1$My1x$oc-m zw}s?`Yg%V&pr9m5%kbitl8>Mq36_;k==*D5hD z@PD4lJ>;@b$}RuHZa1x(u?{1I@quO1*IWBZF$1vGVYEmy4Y6xrL4_a-Q<*^^7>5U8 zsBd{sQsTpU{OVD!Cm4w7m(efdA>k6)<2om{E2#=SQDl{0`GJSzd4p4lVts%=yYwP% zCd_Xz19eZ*K4oO))c1d>Ct|zD+>kD$tRu@*0In|#x2Xp9nBp9NS)PT6crw#_;3578 zc`L@^*1ZcJO%l_U|F8=X&GuQjFRNk0lW_NYF(HOmla8YB*_EKY0mfzIbJ%yT>~06< zZvz=6m|XQN8N?&8%qZgY%8QuG=EzzqH$zV$0PRC-pQ`1h3!YpRT8;!)K|8a&4SV|R z!D7TGZ=V^WJnmIfFBN5slywIgTgUPb_%igxzXI^yCxMvSJX^yxoy3z>WA^3jRWAdz zaAUJKnIyl_$Y41#jp6$pf1XgR0cMT6vLii^6j^A+$-_+Ct$IIyCq%if) zAZmWN@pZBg zS~YQVXlE}%S!`xeB7FEKVj3K0Me_68lz$LXqIHDUQE z%Q4r`F!m@_aBri6vyHdP%mks0uer@{Qxv}ibm-DttVnB7iecEV46>_lA+#B zIGKz5``F7s#!5ECb%ReQpqS8Fq+>LZkj%(ZbeQ^RWzD(0<&LOzhLg+7p{65Poy17c z#{$Jg%a<)Z@z>{HD*O{Tyxjb}V1s$#3DjnBdNysy5N^+@Fb_E%f4C#~=f3EG|uj@Nz)n-o+moE%DdVTX03v*d5GY%T$OGi0N=kT!9q z!IST#7|D>+%cFfUgi|&(lHMVQ|-4KSLm-&im%5=w?C%7 zkXwt6MLU)L(nV9x-IFW^vNd#Za$A9yjh{;kNMS$~0|E?^8W`dUiCUEVl<&kr%v|yN z3@Y(WbAK@lnthW8Zj)F5h|FbH)0dZ#K}bpMbBc9o|x zyA?CgAoa3}T56}c2vX%`Eq3s4rmnJ`*2WwZuzd)(?c2y~Tl(Bu36ieY{@=0$0e2G^ z>o+6++ax+?-*48%uImP_+6j_`D0_-uK7_f(qP(f$wxTxfZuRrm9M!zgu?*G5m^nlM zegM@T{FnF8&gKMAFI~kAa0dz#?a%9m!E?F-$}n>-gI8V3GG%%FD4Z_>dPSu@}ft8F&g>TBJRPUAHs literal 0 HcmV?d00001 
diff --git a/secrets/smb-secrets.age b/secrets/smb-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..c3d08ca5828defe312145c9505c3d3b8491a7793 GIT binary patch literal 459 zcmWm7J&V&|003Yog@7QqI2}>&mXOO=lO~IrzHQSq*XE;_OPWKWZPFxd^Yy+>N;7(J ze?f2%7bg*vbI?UZK?QLYZWpDClRrT2`2)`+49Fmz!EL^dv-BW?AyqLLc@KA4o@XSS znRh|Ef_(od@@7jgwA+#I70bvkCrQrrScOwo8iZrkR53~+SZ*GVfjEtOl(T3fR~bQX z;>c!e*c3ZRLWJm(PRjN z2@3Fid~pZQ@M?8})mk)9#s!rsRuRtK9E?_~z}B^EqfsfLysHr@2U-Q(KI{Wh81<&=EUK z2(Qzp9UySpLd4F0W>>zw``WyCeO8`d%x=8B{r+=j@8IQdBTvH*HyOQAq;CJ|I{@EoX9NVRK~)LsU^!Gj&2XGD0_MQc6==WqCJQH&9hnGjvy3aZyWHNmW&4 zZg6!&Zen6>cz;TFW^6Y^PBdgmVQOz?dQUJiI0|7;NmDXuS7=yMZbDFaOE5VyX)C=BOD;SwB9wWqE+ha|K$5$378ww2O8`NNBjXJxYdGHKB&Rs(mp|9Aq#rp$W!KarB zFNDg4RDVHZmGJi2X64ydMG$p3Eyg6f^qj)VZDcwG8NQY@+p!Wk|JC9*gG~+2A~W1W z%o;)Y%7SeQ{+$vF8yB1E%fa&%fv35zOz4G0!8XfiNeCY?;7Y#%*7iNX+^;`Nu2ASK z6d{T-!OE)Oj1fALBiUdme_}=mqV<45n`Id25PzKcG(+shc0d~jO==bT@isrlvhnw~ ziaL8uNPA@TF=NUTrjI!K?5b$Y<~J_gO0D%f{yFZzfsGk}7&A(hH(N}3UlgrVb~9Qz zvrpH#7d}aTKynscnYbo7{%wE46aA%1BZ1dddhd9rF94k0{lf+viCeA(%RiJkvN{L! zP=7e^et+s2L0rKqBsMm5l_BFy!{t@ovT|=6Qt*?gZkiYQ)#6@Cg1i3?-0Y6@0<>UK3MBs} zQdYoAEs-Q!VS|k5zKP+nMA417T%-{eV}C+n`?^}JUvF-`j?e6j^YkB4f9YY>id(`c z#Co~cTnyP}<&$al%MwK;4s{^0;Ve6Q1anYKReHp}%53NBskWJYJ_f{||G^=0AZwvs zS_v`zTYSlpG?f8VA3Fv7`<4!It;JaDs2|8bF5^W&HRl|9M8_+uF$AQ8&+$=yNPmyC z0iGXv0Ve+wfk|?G7NlGSJgF@(6e_bntZTtPkVqiu-;Z@yp`i1(P^qhmwqSA_-@$l_ zcaHxK)@AT~ui1+0I?*YHb=wwcmXxYeJBGyqE9UeiId&2)z|y>rLEY&4t2c6|PK5jk zqMoMF7@+N+YU@+L?>|O~Uh}HqQA4u$`dmIHS5t1^%>21Ng&DM;l%9iu zx>AvY{DXMoQ*zV297ivJAqIg!j9NZ}O%Hyp=$hjDP*~l*x%Kq&emw-O5Hs`Q3;(M7 w$*hBrVvdk62Jqu;hhTAV=6x%+lk2vj7pf2QZ?wXk!7!FhMqOV_`y2LUJ=#N@r+fD|#_xOGIg7Sx!)Na|$g! zAaH4REpRe5HXuuFZZl6&AVD@mD?(y;ZDmDdb#P`@c6CovVSh7Od38}}G%!$Bd0KU7 zSao@7V@h&)dTk1Ca#T-Iac(g+ZE1R1QcgKZc{prFNmy1hSVb{yMlUsHO<7_xLq{)G zXLAZIJ|H7wHhExIDlKPnWnpt=Aa67Zb5T_|N@z-HOF>XFad2m3aCZtVEiE8wQet^? 
zQBregdQoX;bAN1iZ*f^5lSgk0YpAKg@y@K;%Q|b*nD3OI6vWXKC z;xtY(>>8?pdG~{0BK2#4E6M}}uG4YrPF}}hce3hS(0_PQ1WsVyjaE*BnrE_u0PY2V zZXeljl##p8e7V?{|5??8aY2~3YA--z6XA3P7Fh*z608ZRUhnnairoGvy~8fOd?jyC zemO3!xIUvEAsNXcY-Cg&24}=wkf423)v<`VQTB;{ib;bNBjqfhLf^p|AmqL4`LJEC z4RArY!GFFp7gcCHa^;DxYOT^xX6rjPa?LH|AS%Zq3Mp9k7$Y04Wb|&)@^V^PA9FHW ze6K-I5_VK{)YG^WK#SVXZL?nIiMYM0eoTuy5Z1ZzYdg1G_I_6>PjA=vqcz=Nw zf8(cq*>2sB&tNaIF%^b^CnQ#@F6;Hl8(I)hP=DQ=%fK5VFwMK<#NkVbZtiy9iXk(y zDsQvsvrcfLapI z9;JKc6{o(}1dCSke7545H+|=AxS!;J;XECz$rHV}!xZ@T2HmR% z;M)Mzhd;YOE_KNIlv~R>abe-rEt%M93xAy4?;{B@*W#Na{yGkp37DuUz@|(YxQ1AH zCd~Y;ureLSY9tRV=oEnrxxwlWd&S#7*#V5kS2>jtH*1VH+urabcCCLO!-hwgQ}}?z z!rNlZ{g)OdvW9S?2nae+DRS2`&r@+ELHe9!Km1`ceg#-CHw)I>>#YHr%d8aALkG1| IrO;d%q=zfokpKVy diff --git a/secrets/traefik.env.age b/secrets/traefik.env.age new file mode 100644 index 0000000..54abd02 --- /dev/null +++ b/secrets/traefik.env.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 bXMX40Vz9sJqcVcb3ote48FAUxB+GzTQ4rOP8rI8O34 +KlAn7X9p9EqKxmiBOBg/apVLCSMAoOTsEF4BW8pBxng +-> piv-p256 Kmn3OQ A5tjfx5HhP+RRxXD3dQmuZnxezXp1SdmlGbhBazV8EMz +B/6jGDqQagB2ZSxC2WhZcDcu6YfJokHTR0DtrIJ45Tk +-> f!=YO-grease (YufTYP (VD px s8\X~Fzn +WYavDbOneKQ/pdc369k8fqDS2ITD+rQ +--- HE0AabwaJ9U/2CWSqIghcWxhIW9fwNCqCkZFhcb+xnU +?169C77jܲm0, ' +:fxB蝤R]b \7^kh>æ|[xj dI +U"erRY@6=4}w \ No newline at end of file diff --git a/systems/x86_64-linux/beryllium/default.nix b/systems/x86_64-linux/beryllium/default.nix index 326ccba..84c841c 100644 --- a/systems/x86_64-linux/beryllium/default.nix +++ b/systems/x86_64-linux/beryllium/default.nix @@ -3,6 +3,7 @@ # NUC / HomeLab environment { lib, + config, pkgs, ... }: { 
@@ -48,23 +49,72 @@ users = ["christopher"]; secrets = { key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUKDCjB0VpQubi8BfnYKbh4MIE1tcvKQesdoPE4NXAf"; + needs = { + smbSecrets = "smb-secrets.age"; + }; }; }; + networking.firewall.enable = false; + networking.dhcpcd.IPv6rs = false; + + users.users.christopher.linger = true; # autostart of quadlets before login + users.users.christopher.autoSubUidGidRange = true; users.users.christopher.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVKJfY6B9TsUPdPXy3tkqL42sJgJRz3NOOKTqhytMMf christopher@cobalt"]; + users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVKJfY6B9TsUPdPXy3tkqL42sJgJRz3NOOKTqhytMMf christopher@cobalt"]; services = { - openssh.enable = true; - openssh.ports = [7319]; - openssh.settings.PasswordAuthentication = false; + openssh = { + enable = true; + ports = [7319]; + settings.PasswordAuthentication = false; + }; - beszel-agent.enable = true; - beszel-agent.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkUPOw28Cu2LMuzfmvjT/L2ToNHcADwGyGvSpJ4wH2T"; + beszel-agent = { + enable = true; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkUPOw28Cu2LMuzfmvjT/L2ToNHcADwGyGvSpJ4wH2T"; + }; }; - virtualisation.podman.enable = true; + boot.kernel.sysctl = { + # We require this so that a rootless traefik can bind to port 80. + "net.ipv4.ip_unprivileged_port_start" = "80"; + }; + + # virtualisation.quadlet.enable = true; + virtualisation.podman = { + enable = true; + defaultNetwork.settings = { + dns_enabled = true; + # Override the default subnet as it overlaps with my LAN. 
+ subnets = [ + { + gateway = "172.16.0.1"; + subnet = "172.16.0.0/16"; + } + ]; + }; + }; + + fileSystems."/mnt/nuc/_NAS_Media" = { + device = "//10.1.0.1/_NAS_Media"; + fsType = "cifs"; + options = let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=${config.age.secrets.smbSecrets.path},uid=100999,gid=10999,vers=1.0"]; + }; + + fileSystems."/mnt/nuc/Ix" = { + device = "//10.1.0.1/Ix"; + fsType = "cifs"; + options = let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=${config.age.secrets.smbSecrets.path},uid=100999,gid=10999,vers=1.0"]; + }; environment.systemPackages = with pkgs; [ + cifs-utils + helix podman-compose ]; } diff --git a/systems/x86_64-linux/beryllium/hardware.nix b/systems/x86_64-linux/beryllium/hardware.nix index 05213be..418dfa2 100644 --- a/systems/x86_64-linux/beryllium/hardware.nix +++ b/systems/x86_64-linux/beryllium/hardware.nix @@ -14,4 +14,14 @@ virtualisation.virtualbox.guest.enable = true; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + fileSystems."/mnt/external" = { + device = "/dev/disk/by-uuid/0fc53086-d326-4663-973c-aa224a3f8589"; + fsType = "ext4"; + options = [ + "nofail" + "exec" + "users" + ]; + }; }
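Review bot: Both CIFS mounts pin `vers=1.0`, which forces SMB1 — no transport encryption, no pre-authentication integrity, signing off by default — so the credentials read from `config.age.secrets.smbSecrets.path` guard shares that are then accessed over a protocol most current servers disable; unless the NAS at 10.1.0.1 really only speaks SMB1, change both option strings to `vers=3.0` (or `vers=3.1.1`), and if SMB1 is genuinely required leave a comment saying why. In the same hunk `networking.firewall.enable = false;` and `"net.ipv4.ip_unprivileged_port_start" = "80"` combine so that any unprivileged user or rootless container on the host can bind ports from 80 upward and be reached from the LAN unfiltered; keeping the firewall on with `networking.firewall.allowedTCPPorts = [ 80 443 7319 ];` gives rootless Traefik what it needs without that exposure. The added `users.users.root.openssh.authorizedKeys.keys` entry turns on key-based root login (nothing here sets `PermitRootLogin`, and the NixOS default `prohibit-password` allows keys) while the Justfile still deploys with `--use-remote-sudo`; one of the two is redundant, and the root key is the larger attack surface, so I would keep sudo and drop the root key unless the `beryllium-deploy` alias depends on it. `uid=100999,gid=10999` looks like a dropped digit in the gid if both are meant to land in the same subordinate range that `autoSubUidGidRange` allocates — worth confirming against `/etc/subgid`; the module's top-level attribute set starts above the hunk.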
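Review bot: `"users"` on the `/mnt/external` entry lets any local account mount and unmount this disk, and because `"exec"` is given explicitly, binaries on a removable ext4 volume run as well; if the goal is only a non-blocking mount at boot, `"nofail"` alone covers it and `"users"`/`"exec"` can go, otherwise add `"nosuid" "nodev"` next to `"exec"` so the restrictions that `users` implies are visible in the config rather than left to mount(8) defaults. The surrounding attribute set starts above the hunk.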