fix(hosts/pi4): Now using networking.wg-quick module

Instead of `networking.wireguard` which seems to be broken
feat(flake): Added pi4 deploy node
2024-11-06 01:02:16 +01:00 · 2024-11-06 00:58:57 +01:00 · 2024-11-06 00:18:28 +01:00 · 2024-11-06 00:13:48 +01:00 · 2024-11-05 23:42:08 +01:00 · 2024-11-05 23:40:18 +01:00
13 changed files with 217 additions and 20 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,10 +1,17 @@
 keys:
  - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
  - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
+  - &server_pi4 age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/OVHCloud/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - pgp:
      age:
      - *admin_gaspard
      - *server_ovh
+  - path_regex: secrets/pi4/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      age:
+      - *admin_gaspard
+      - *server_pi4
--- a/flake.lock
+++ b/flake.lock
@ -479,6 +479,21 @@
        "type": "github"
      }
    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1730828750,
+        "narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1727348695,
@ -542,6 +557,7 @@
          "hyprland"
        ],
        "jovian": "jovian",
+        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
        "sops-nix": "sops-nix"
      }
--- a/flake.nix
+++ b/flake.nix
@ -56,6 +56,9 @@
      url = "github:Jovian-Experiments/Jovian-NixOS";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    # Rasoberry PI
+    nixos-hardware.url = "github:nixos/nixos-hardware";
  };

  outputs = {
@ -66,11 +69,12 @@
    sops-nix,
    home-manager,
    jovian,
+    nixos-hardware,
    ...
  } @ inputs: let
    system = "x86_64-linux";
    pkgs = nixpkgs.legacyPackages.${system};
-  in {
+  in rec {
    nixosConfigurations = {
      Zephyrus = nixpkgs.lib.nixosSystem {
        extraArgs = {inherit inputs;};
@ -91,6 +95,17 @@
          home-manager.nixosModules.home-manager
        ];
      };
+
+      pi4 = nixpkgs.lib.nixosSystem {
+        extraArgs = {inherit inputs;};
+        system = "aarch64-linux";
+        modules = [
+          ./hosts/pi4
+          "${nixpkgs}/nixos/modules/profiles/minimal.nix"
+          nixos-hardware.nixosModules.raspberry-pi-4
+          sops-nix.nixosModules.sops
+        ];
+      };
    };

    homeConfigurations = {
@ -113,17 +128,45 @@
      };
    };

-    deploy.nodes.OVHCloud = {
-      hostname = "gasdev.fr";
-      profiles.system = {
-        user = "root";
-        sshUser = "root";
-        sshOpts = ["-p" "22"];
-        sudo = "";
-        path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
+    deploy.nodes = {
+      OVHCloud = {
+        hostname = "gasdev.fr";
+        profiles.system = {
+          user = "root";
+          sshUser = "root";
+          sshOpts = ["-p" "22"];
+          sudo = "";
+          path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
+        };
+      };
+      pi4 = {
+        hostname = "10.8.0.31";
+        profiles.system = {
+          user = "root";
+          sshUser = "root";
+          sshOpts = ["-p" "22"];
+          sudo = "";
+          path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi4;
+        };
      };
    };

+    images.pi4 =
+      (self.nixosConfigurations.pi4.extendModules {
+        modules = [
+          "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+          {
+            disabledModules = ["profiles/base.nix"];
+          }
+        ];
+      })
+      .config
+      .system
+      .build
+      .sdImage;
+    packages.x86_64-linux.pi4-image = images.pi4;
+    packages.aarch64-linux.pi4-image = images.pi4;
+
    checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;

    devShells.${system}.default = pkgs.mkShell {
--- a/hosts/OVHCloud/sops.nix
+++ b/hosts/OVHCloud/sops.nix
@ -2,7 +2,7 @@
  # This will add secrets.yml to the nix store
  # You can avoid this by adding a string to the full path instead, i.e.
  # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
+  sops.defaultSopsFile = ../../secrets/OVHCloud/default.yaml;
  # This will automatically import SSH keys as age keys
  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

--- a/hosts/Zephyrus/hardware-configuration.nix
+++ b/hosts/Zephyrus/hardware-configuration.nix
@ -34,6 +34,7 @@
      };
    };
    tmp.useTmpfs = true;
+    binfmt.emulatedSystems = ["aarch64-linux"];
  };

  # Network & Bluetooth
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # Nix
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  environment.systemPackages = with pkgs; [
+    helix
+    git
+  ];
+
+  services.openssh = {
+    enable = true;
+    ports = [22];
+    settings = {
+      PasswordAuthentication = false;
+    };
+  };
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
+  ];
+
+  networking = {
+    interfaces."wlan0".useDHCP = true;
+    wireless = {
+      interfaces = ["wlan0"];
+      enable = true;
+      networks = {
+        "TestNetwork".psk = "not_an_actual_password_leak";
+      };
+    };
+  };
+
+  # SOPS
+  sops.defaultSopsFile = ../../secrets/pi4/default.yaml;
+  sops.secrets."wireguard/private_key".owner = "root";
+
+  # Wireguard
+  networking.firewall = {
+    allowedUDPPorts = [51820];
+  };
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = ["10.8.0.31/32"];
+      listenPort = 51820; # Should match firewall allowedUDPPorts
+      privateKeyFile = config.sops.secrets."wireguard/private_key".path;
+
+      peers = [
+        {
+          publicKey = "KLULII6VEUWMhyIba6oxxHdZsVP3TMVlNY1Vz49q7jg=";
+          allowedIPs = ["0.0.0.0/0"];
+          endpoint = "vpn.gasdev.fr:993";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+
+  system.stateVersion = "24.11";
+}
--- a/hosts/pi4/hardware-configuration.nix
+++ b/hosts/pi4/hardware-configuration.nix
@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
+  # disk with this label on first boot. Therefore, we need to keep it. It is the
+  # only information from the installer image that we need to keep persistent
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXOS_SD";
+    fsType = "ext4";
+  };
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+    loader = {
+      generic-extlinux-compatible.enable = lib.mkDefault true;
+      grub.enable = lib.mkDefault false;
+    };
+  };
+}
--- a/secrets/OVHCloud/default.yaml
+++ b/secrets/OVHCloud/default.yaml
@ -34,7 +34,7 @@ outline:
 penpot:
    SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
    OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
-    SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:Gk9QnKvmxLypHv/vqVI=,iv:wHZmUledOjyq7B4IR4EXop2cfC8lo41kP1oJDWKvsqk=,tag:Vh0pdYktKSSTGlY9mB/SfA==,type:str]
    SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
    SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
    SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
@ -78,8 +78,8 @@ sops:
            MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
            y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-04T21:15:49Z"
-    mac: ENC[AES256_GCM,data:/0c7+XlYMN+CYvhLhpo6ivwI33uLVUGpm8ypN4dJzxFWFCMlVRm4lDxb0u0/6Qudri7RQRqo1AtuK5jP0jBnZQBaKdvHWqV+uTBQNjtdh5PUNT+34eBBh1eT22OzED6CeXWRTlDiFZ6z3rQYpi6j3D7h13VMokvWGRNdpGgcKWw=,iv:LPrWXUgvxKum8hvp4hC01hOinyctafODE1/VJaPLRBc=,tag:rFjJkRIDipCUUhDV8C+dSA==,type:str]
+    lastmodified: "2024-11-05T13:47:17Z"
+    mac: ENC[AES256_GCM,data:Lku06chnlLsqvvd5ud/ovY/ymGknyIxcPirvQ2lrc/+7jMa6cGu3Q9piVv/gx6jMhQIuYnNjS5AKoNvNfXRgrpakzET5aNzLtWkaUplNQCAy+yuKkIdmGoMZ+J+l4SyMydKERpZmN+pLWAld8U+CFRaWGoCLHHQ8i60u4Gti7DY=,iv:DVcjFoncW0vPhBEA042DAWxJLnSCfwsJeYQcmhsWrbI=,tag:dL6L5CfrB4ZVMytkGfPSYA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/secrets/pi4/default.yaml
+++ b/secrets/pi4/default.yaml
@ -0,0 +1,31 @@
+wireguard:
+    private_key: ENC[AES256_GCM,data:L6FD+kBF7AoIrm3pMM6/pmWtX2FP5dUrJ9hUCuW9n4SlJ/JhpxI9m/1owIg=,iv:ok4pyUUv80kPY9n4WQmBGYHmMsPJnG0tnF+vbNhqc3s=,tag:OPribO7RoVCkFkTrYrHw7w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJamxiNDlnRWJ6ZGFRaEtu
+            bGRveE9aWWY4c2duYkFYU2NKQlBSYjNWT3dZClNtNkpiRENNRFdUcTN6MENhU1Z1
+            YzVDa21peTluVkFoQURnK0xZQjNFZm8KLS0tIGpPbE95NVM2aUNrWWlEVGUybXpP
+            cXpCMmsxTkxKSXBjSmV2azNIcW04a1UKF8O99FpHDZSO0XFeCzWyoxJvjmvjvWFH
+            aOFSWHO64UDlSY/1eQmIYr/xad/BxxYnkrqlJib5tpmPkoi1qyuZVg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlDMzJQSEM3cjdnZmpy
+            RUgzZTYvT3RrQ2RMUmNNNWRvL2NjSUJvdW1jCkFvaVFOZUdPMWQxNnhGLzgwa2w4
+            MHpwVzJkQjZvd25oaENqbzdrT1dmazQKLS0tIE1MdmVrNVRscGlXeTB0NXV6SUMv
+            RDNob1FNdFZQUUk0SmVDUnZBc3FNdVEKcyNWzjvIZIBR39kQkUsSSmHJ+gePPtbS
+            PUcLp6jYFvPDyldLm+PqIApEL9X0d/0ccvY+wwkPCiqSPFZbBLitgg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-05T22:30:48Z"
+    mac: ENC[AES256_GCM,data:GI5Hb8zvafTdWhpm+D6qp9iefMD9NwYPRBKcxrIL9M1wTMzMzD4QsrbMDKQELfTYK3QhLZ0G4KTmLfoSB1zYO/GtslRDAAHmFzLuNNVJ9/8gIrd/Gb12JLnUDjJrxYEeF15NKnyqRMKUVQiJgYd8ggLGzT9pRqaMNTKCYutqsaE=,iv:XB/Ddi7mU9SdRD7nHkyAZR+gTZ9ZY2ZrvHlb0kFK/4Q=,tag:OgEw78w4o44CamP/4C6Y7g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/services/authelia/configuration.yml
+++ b/services/authelia/configuration.yml
@ -74,8 +74,9 @@ storage:
    path: /data/db.sqlite3

 notifier:
+  disable_startup_check: true
  smtp:
-    address: 'smtp.mail.ovh.net'
+    address: 'smtp://smtp.gasdev.fr:25'
    username: 'postmaster@gasdev.fr'
    sender: 'Authelia <authelia@gasdev.fr>'

--- a/services/outline/default.nix
+++ b/services/outline/default.nix
@ -28,7 +28,7 @@
    };

    smtp = {
-      host = "smtp.mail.ovh.net";
+      host = "smtp.gasdev.fr";
      port = 465;
      username = "postmaster@gasdev.fr";
      passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;
--- a/services/stalwart-mail/default.nix
+++ b/services/stalwart-mail/default.nix
@ -1,16 +1,20 @@
 {config, ...}: let
-  domain = "mail.gasdev.fr";
+  domain = "gasdev.fr";
 in {
  sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";

  services.caddy.virtualHosts."${domain}".extraConfig = ''
+    redir https://www.gasdev.fr
+  '';
+
+  services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
    reverse_proxy 127.0.0.1:8080
  '';

  services.stalwart-mail = {
    enable = true;
    settings = {
-      lookup.default.hostname = "${domain}";
+      lookup.default.hostname = "mail.${domain}";
      server = {
        tls.certificate = "default";
        http = {
@ -82,7 +86,7 @@ in {
    };
  };

-  networking.firewall.allowedTCPPorts = [22 465 993];
+  networking.firewall.allowedTCPPorts = [25 465 993];

  systemd.timers."stalwart-mail-update-certs" = {
    wantedBy = ["timers.target"];
@ -107,7 +111,7 @@ in {
      cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"

      chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
-      chmod -R 0600 "''\${STALWART_CERT_DIR}"
+      chmod -R 0700 "''\${STALWART_CERT_DIR}"
    '';
    serviceConfig = {
      Type = "oneshot";
--- a/services/wireguard/default.nix
+++ b/services/wireguard/default.nix
@ -51,6 +51,11 @@
          publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
          allowedIPs = ["10.8.0.11/32"];
        }
+        {
+          # pi4
+          publicKey = "F9AkCI0FGkrFhCq+SvCT1F2RG2ApNUy+SeIj1+VPtXI=";
+          allowedIPs = ["10.8.0.31/32"];
+        }
      ];
    };
  };
Author	SHA1	Message	Date
GaspardCulis	dff14a180b	fix(hosts/pi4): Now using `networking.wg-quick` module Instead of `networking.wireguard` which seems to be broken	2024-11-06 01:02:16 +01:00
GaspardCulis	bae75ef0a4	feat(flake): Added `pi4` deploy node	2024-11-06 00:58:57 +01:00
GaspardCulis	47f0dbd2d4	chore(sops): Update again pi4 age key	2024-11-06 00:18:28 +01:00
GaspardCulis	a4f8d01313	chore(sops): Sync pi4 secrets according to new age key	2024-11-06 00:13:48 +01:00
GaspardCulis	805e5ee2ae	feat(hosts/pi4): Added wireguard config	2024-11-05 23:42:08 +01:00
GaspardCulis	d8304b993d	feat(sops): Add sops config for pi4	2024-11-05 23:40:18 +01:00
GaspardCulis	a1e3f8cfc3	feat(services): Added new peer for pi4	2024-11-05 23:39:48 +01:00
GaspardCulis	29fc1dbf24	chore(sops): Setup actual pi4 age key	2024-11-05 23:37:57 +01:00
GaspardCulis	fd83bd2dc2	refactor(secrets): Moved host specific secrets to subdirs	2024-11-05 23:31:32 +01:00
GaspardCulis	dab42bd8c2	feat(hosts/pi4): Setup networking	2024-11-05 23:06:13 +01:00
GaspardCulis	1fa4d2bc87	refactor(hosts): Re-work pi config	2024-11-05 22:52:56 +01:00
GaspardCulis	0cb54a4a35	feat(Zephyrus): Enable `binfmt` aarch64 cross-compilation	2024-11-05 22:09:49 +01:00
GaspardCulis	1207101eab	feat: Added new `Pi4` host	2024-11-05 18:37:06 +01:00
GaspardCulis	913b582d2e	chore(services): Tweak SMTP config	2024-11-05 18:35:52 +01:00
GaspardCulis	9046a53e3e	fix(sservices/stalwart-mail): Fix firewall config typo	2024-11-05 14:52:43 +01:00
GaspardCulis	d2f311cbfc	chore(services + secrets): Updated SMTP host	2024-11-05 14:48:31 +01:00