fix(hosts/pi4): Now using networking.wg-quick module

Instead of `networking.wireguard` which seems to be broken

.sops.yaml

@@ -1,10 +1,17 @@
 keys:
   - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
   - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
+  - &server_pi4 age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/OVHCloud/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       age:
       - *admin_gaspard
       - *server_ovh
+  - path_regex: secrets/pi4/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      age:
+      - *admin_gaspard
+      - *server_pi4

flake.lock

@@ -479,6 +479,21 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1730828750,
+        "narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1727348695,
@@ -542,6 +557,7 @@
           "hyprland"
         ],
         "jovian": "jovian",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
         "sops-nix": "sops-nix"
       }

flake.nix

@@ -56,6 +56,9 @@
       url = "github:Jovian-Experiments/Jovian-NixOS";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    # Rasoberry PI
+    nixos-hardware.url = "github:nixos/nixos-hardware";
   };
 
   outputs = {
@@ -66,11 +69,12 @@
     sops-nix,
     home-manager,
     jovian,
+    nixos-hardware,
     ...
   } @ inputs: let
     system = "x86_64-linux";
     pkgs = nixpkgs.legacyPackages.${system};
-  in {
+  in rec {
     nixosConfigurations = {
       Zephyrus = nixpkgs.lib.nixosSystem {
         extraArgs = {inherit inputs;};
@@ -91,6 +95,17 @@
           home-manager.nixosModules.home-manager
         ];
       };
+
+      pi4 = nixpkgs.lib.nixosSystem {
+        extraArgs = {inherit inputs;};
+        system = "aarch64-linux";
+        modules = [
+          ./hosts/pi4
+          "${nixpkgs}/nixos/modules/profiles/minimal.nix"
+          nixos-hardware.nixosModules.raspberry-pi-4
+          sops-nix.nixosModules.sops
+        ];
+      };
     };
 
     homeConfigurations = {
@@ -113,17 +128,45 @@
       };
     };
 
-    deploy.nodes.OVHCloud = {
+    deploy.nodes = {
-      hostname = "gasdev.fr";
+      OVHCloud = {
-      profiles.system = {
+        hostname = "gasdev.fr";
-        user = "root";
+        profiles.system = {
-        sshUser = "root";
+          user = "root";
-        sshOpts = ["-p" "22"];
+          sshUser = "root";
-        sudo = "";
+          sshOpts = ["-p" "22"];
-        path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
+          sudo = "";
+          path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.OVHCloud;
+        };
+      };
+      pi4 = {
+        hostname = "10.8.0.31";
+        profiles.system = {
+          user = "root";
+          sshUser = "root";
+          sshOpts = ["-p" "22"];
+          sudo = "";
+          path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi4;
+        };
       };
     };
 
+    images.pi4 =
+      (self.nixosConfigurations.pi4.extendModules {
+        modules = [
+          "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+          {
+            disabledModules = ["profiles/base.nix"];
+          }
+        ];
+      })
+      .config
+      .system
+      .build
+      .sdImage;
+    packages.x86_64-linux.pi4-image = images.pi4;
+    packages.aarch64-linux.pi4-image = images.pi4;
+
     checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
 
     devShells.${system}.default = pkgs.mkShell {

hosts/OVHCloud/sops.nix

@@ -2,7 +2,7 @@
   # This will add secrets.yml to the nix store
   # You can avoid this by adding a string to the full path instead, i.e.
   # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
-  sops.defaultSopsFile = ../../secrets/OVHCloud.yaml;
+  sops.defaultSopsFile = ../../secrets/OVHCloud/default.yaml;
   # This will automatically import SSH keys as age keys
   sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 

hosts/Zephyrus/hardware-configuration.nix

@@ -34,6 +34,7 @@
       };
     };
     tmp.useTmpfs = true;
+    binfmt.emulatedSystems = ["aarch64-linux"];
   };
 
   # Network & Bluetooth

hosts/pi4/default.nix

@@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # Nix
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  environment.systemPackages = with pkgs; [
+    helix
+    git
+  ];
+
+  services.openssh = {
+    enable = true;
+    ports = [22];
+    settings = {
+      PasswordAuthentication = false;
+    };
+  };
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyRXFQ6iA5p0vDuoGSHZfajiVZPAGIyqhTziM7QgBV gaspard@nixos"
+  ];
+
+  networking = {
+    interfaces."wlan0".useDHCP = true;
+    wireless = {
+      interfaces = ["wlan0"];
+      enable = true;
+      networks = {
+        "TestNetwork".psk = "not_an_actual_password_leak";
+      };
+    };
+  };
+
+  # SOPS
+  sops.defaultSopsFile = ../../secrets/pi4/default.yaml;
+  sops.secrets."wireguard/private_key".owner = "root";
+
+  # Wireguard
+  networking.firewall = {
+    allowedUDPPorts = [51820];
+  };
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = ["10.8.0.31/32"];
+      listenPort = 51820; # Should match firewall allowedUDPPorts
+      privateKeyFile = config.sops.secrets."wireguard/private_key".path;
+
+      peers = [
+        {
+          publicKey = "KLULII6VEUWMhyIba6oxxHdZsVP3TMVlNY1Vz49q7jg=";
+          allowedIPs = ["0.0.0.0/0"];
+          endpoint = "vpn.gasdev.fr:993";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+
+  system.stateVersion = "24.11";
+}

hosts/pi4/hardware-configuration.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  # "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
+  # disk with this label on first boot. Therefore, we need to keep it. It is the
+  # only information from the installer image that we need to keep persistent
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXOS_SD";
+    fsType = "ext4";
+  };
+  boot = {
+    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+    loader = {
+      generic-extlinux-compatible.enable = lib.mkDefault true;
+      grub.enable = lib.mkDefault false;
+    };
+  };
+}

secrets/OVHCloud/default.yaml

@@ -34,7 +34,7 @@ outline:
 penpot:
     SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
     OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
-    SMTP_HOST: ENC[AES256_GCM,data:grXf4aoolCIEF+xomL9ziE4=,iv:HeUUuJJEjq/CWCWfrxe8ujBaMidFM6B49oHedjD7b3M=,tag:fnsUU8DhgUjtjoKkqw3c4g==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:Gk9QnKvmxLypHv/vqVI=,iv:wHZmUledOjyq7B4IR4EXop2cfC8lo41kP1oJDWKvsqk=,tag:Vh0pdYktKSSTGlY9mB/SfA==,type:str]
     SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
     SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
     SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
@@ -78,8 +78,8 @@ sops:
             MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
             y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-04T21:15:49Z"
+    lastmodified: "2024-11-05T13:47:17Z"
-    mac: ENC[AES256_GCM,data:/0c7+XlYMN+CYvhLhpo6ivwI33uLVUGpm8ypN4dJzxFWFCMlVRm4lDxb0u0/6Qudri7RQRqo1AtuK5jP0jBnZQBaKdvHWqV+uTBQNjtdh5PUNT+34eBBh1eT22OzED6CeXWRTlDiFZ6z3rQYpi6j3D7h13VMokvWGRNdpGgcKWw=,iv:LPrWXUgvxKum8hvp4hC01hOinyctafODE1/VJaPLRBc=,tag:rFjJkRIDipCUUhDV8C+dSA==,type:str]
+    mac: ENC[AES256_GCM,data:Lku06chnlLsqvvd5ud/ovY/ymGknyIxcPirvQ2lrc/+7jMa6cGu3Q9piVv/gx6jMhQIuYnNjS5AKoNvNfXRgrpakzET5aNzLtWkaUplNQCAy+yuKkIdmGoMZ+J+l4SyMydKERpZmN+pLWAld8U+CFRaWGoCLHHQ8i60u4Gti7DY=,iv:DVcjFoncW0vPhBEA042DAWxJLnSCfwsJeYQcmhsWrbI=,tag:dL6L5CfrB4ZVMytkGfPSYA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1

secrets/pi4/default.yaml

@@ -0,0 +1,31 @@
+wireguard:
+    private_key: ENC[AES256_GCM,data:L6FD+kBF7AoIrm3pMM6/pmWtX2FP5dUrJ9hUCuW9n4SlJ/JhpxI9m/1owIg=,iv:ok4pyUUv80kPY9n4WQmBGYHmMsPJnG0tnF+vbNhqc3s=,tag:OPribO7RoVCkFkTrYrHw7w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJamxiNDlnRWJ6ZGFRaEtu
+            bGRveE9aWWY4c2duYkFYU2NKQlBSYjNWT3dZClNtNkpiRENNRFdUcTN6MENhU1Z1
+            YzVDa21peTluVkFoQURnK0xZQjNFZm8KLS0tIGpPbE95NVM2aUNrWWlEVGUybXpP
+            cXpCMmsxTkxKSXBjSmV2azNIcW04a1UKF8O99FpHDZSO0XFeCzWyoxJvjmvjvWFH
+            aOFSWHO64UDlSY/1eQmIYr/xad/BxxYnkrqlJib5tpmPkoi1qyuZVg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18gts35ruwj67kjgjtgrgrxup83apr8ekgrp98r434wcn2pf0l9sqnq5j2y
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQmlDMzJQSEM3cjdnZmpy
+            RUgzZTYvT3RrQ2RMUmNNNWRvL2NjSUJvdW1jCkFvaVFOZUdPMWQxNnhGLzgwa2w4
+            MHpwVzJkQjZvd25oaENqbzdrT1dmazQKLS0tIE1MdmVrNVRscGlXeTB0NXV6SUMv
+            RDNob1FNdFZQUUk0SmVDUnZBc3FNdVEKcyNWzjvIZIBR39kQkUsSSmHJ+gePPtbS
+            PUcLp6jYFvPDyldLm+PqIApEL9X0d/0ccvY+wwkPCiqSPFZbBLitgg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-05T22:30:48Z"
+    mac: ENC[AES256_GCM,data:GI5Hb8zvafTdWhpm+D6qp9iefMD9NwYPRBKcxrIL9M1wTMzMzD4QsrbMDKQELfTYK3QhLZ0G4KTmLfoSB1zYO/GtslRDAAHmFzLuNNVJ9/8gIrd/Gb12JLnUDjJrxYEeF15NKnyqRMKUVQiJgYd8ggLGzT9pRqaMNTKCYutqsaE=,iv:XB/Ddi7mU9SdRD7nHkyAZR+gTZ9ZY2ZrvHlb0kFK/4Q=,tag:OgEw78w4o44CamP/4C6Y7g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

services/authelia/configuration.yml

@@ -74,8 +74,9 @@ storage:
     path: /data/db.sqlite3
 
 notifier:
+  disable_startup_check: true
   smtp:
-    address: 'smtp.mail.ovh.net'
+    address: 'smtp://smtp.gasdev.fr:25'
     username: 'postmaster@gasdev.fr'
     sender: 'Authelia <authelia@gasdev.fr>'
 

services/outline/default.nix

@@ -28,7 +28,7 @@
     };
 
     smtp = {
-      host = "smtp.mail.ovh.net";
+      host = "smtp.gasdev.fr";
       port = 465;
       username = "postmaster@gasdev.fr";
       passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;

services/stalwart-mail/default.nix

@@ -1,16 +1,20 @@
 {config, ...}: let
-  domain = "mail.gasdev.fr";
+  domain = "gasdev.fr";
 in {
   sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
 
   services.caddy.virtualHosts."${domain}".extraConfig = ''
+    redir https://www.gasdev.fr
+  '';
+
+  services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
     reverse_proxy 127.0.0.1:8080
   '';
 
   services.stalwart-mail = {
     enable = true;
     settings = {
-      lookup.default.hostname = "${domain}";
+      lookup.default.hostname = "mail.${domain}";
       server = {
         tls.certificate = "default";
         http = {
@@ -82,7 +86,7 @@ in {
     };
   };
 
-  networking.firewall.allowedTCPPorts = [22 465 993];
+  networking.firewall.allowedTCPPorts = [25 465 993];
 
   systemd.timers."stalwart-mail-update-certs" = {
     wantedBy = ["timers.target"];
@@ -107,7 +111,7 @@ in {
       cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
 
       chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
-      chmod -R 0600 "''\${STALWART_CERT_DIR}"
+      chmod -R 0700 "''\${STALWART_CERT_DIR}"
     '';
     serviceConfig = {
       Type = "oneshot";

services/wireguard/default.nix

@@ -51,6 +51,11 @@
           publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
           allowedIPs = ["10.8.0.11/32"];
         }
+        {
+          # pi4
+          publicKey = "F9AkCI0FGkrFhCq+SvCT1F2RG2ApNUy+SeIj1+VPtXI=";
+          allowedIPs = ["10.8.0.31/32"];
+        }
       ];
     };
   };