From 00c219cb057118f3e43ce110c8c3283b04c6d58b Mon Sep 17 00:00:00 2001 From: Mohammad Rafiq Date: Sun, 30 Mar 2025 04:17:26 +0800 Subject: [PATCH] feat: add apollo nixos configuration --- README.md | 22 +++++++++++++++++++++- configs/default.nix | 8 ++++++++ configs/secrets/.sops.yaml | 2 ++ configs/secrets/secrets.yaml | 29 +++++++++++++++++++---------- flake.nix | 1 + 5 files changed, 51 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 9d32962..5408853 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,27 @@ wpa_cli ip addr ``` -On the host machine, run the command `deploy --flake .# --target-host @` to build the new system configuration and copy it over SSH along with the sops age key and ssh keys. +On the host machine, run the following command to build the new system configuration and copy it over SSH along with the sops age key and ssh keys. + +```bash +# WARNING: You must use the IP address of the machine. +# The hostname will not suffice as it will boot into a NixOS installer through kexec. +deploy --flake .# --target-host @ +``` + +Complete the setup by running the following on the target system once it is booted into the new install. + +```bash +# On the target machine: +sudo rm /etc/ssh/ssh_host_* +sudo ssh-keygen -A +cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age + +# On the host machine: +# Add the host age public key to .sops.yaml +sops updatekeys secrets.yaml + +``` # Acknowledgements diff --git a/configs/default.nix b/configs/default.nix index d6935b0..713c0c0 100644 --- a/configs/default.nix +++ b/configs/default.nix @@ -40,5 +40,13 @@ }) ./hardware/cpu_intel.nix ]) + (lib.optionals (hostname == "apollo") [ + ./bootloaders/systemd-boot.nix + (import ./filesystems/impermanence.nix { + inherit inputs lib; + device = "/dev/disk/by-id/nvme-eui.002538d221b47b01"; + }) + ./hardware/cpu_intel.nix + ]) ]; } diff --git a/configs/secrets/.sops.yaml b/configs/secrets/.sops.yaml index b788f35..13b8470 100644 
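Review bot: The new `apollo` block in configs/default.nix repeats the preceding host's entry line for line, with only the `device` value handed to the impermanence import differing, so the per-host lists are now maintained in parallel. A small attrset mapping hostname to root disk, consumed by one `lib.optionals (builtins.hasAttr hostname hostDisks)` entry, would keep the bootloader/impermanence/cpu wiring in a single place; the preceding block's own `device` value is outside this hunk, so that refactor needs the full list in view. The `nvme-eui.002538d221b47b01` identifier also carries no hint of which machine or disk it belongs to, and impermanence.nix receives it as the device it operates on, so a comment such as `# apollo root NVMe — verify with ls -l /dev/disk/by-id/ on the host before redeploying` would make the next edit safer. The enclosing `imports` list starts outside the hunk.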
--- a/configs/secrets/.sops.yaml +++ b/configs/secrets/.sops.yaml @@ -1,9 +1,11 @@ keys: - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 - &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh + - &apollo age1yputfxttcyw9w6e9l3tkdyw73tr6z20r90twmrpktl44alywnu5s934fx9 creation_rules: - path_regex: .(yaml|json|env|ini)$ key_groups: - age: - *admin - *nemesis + - *apollo diff --git a/configs/secrets/secrets.yaml b/configs/secrets/secrets.yaml index 21ee4f2..3cfec75 100644 --- a/configs/secrets/secrets.yaml +++ b/configs/secrets/secrets.yaml 
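Review bot: Adding `*apollo` to the only key group in `.sops.yaml` lets the new host decrypt every file matching the creation rule, not just its own secrets, so a compromise of apollo's host key (the age recipient here is presumably derived from it, following the `ssh-to-age` step the README in this commit describes) exposes the material of nemesis and the admin identity as well. If the secrets file holds per-host values, a second creation rule scoped to apollo's own file — e.g. `- path_regex: secrets/apollo\.yaml$` (constructed example path) with `key_groups: [{age: [*admin, *apollo]}]` — keeps each host limited to what it needs. While here, the existing `path_regex: .(yaml|json|env|ini)$` leaves the dot unescaped, so it matches any character before the extension; `\.(yaml|json|env|ini)$` is presumably what was intended.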
@@ -11,20 +11,29 @@ sops: - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaU5aQjB5aWlsSXBNOElh - QTZqRnkxSVFibWRReFExTngrck5ZR2JRSHc0CmlFVUpMcXZUYitncFNqU016eU8r - UUhIQVR1OHNNajh1WGpaTG1aUFdzakEKLS0tIEk2MUhBVkUxNXRjbnVrb3pPdjlU - K1l0QlZ6RDBQZlY0VUtXZXRpekNTelUKoDd6bqX2RNYUNKYBaferXO/FIRSTVXpn - JrTPgC+e/f0XMIMcQCiSDmoiuGzEwChboyFAX0JQ7oBSfcGCDd6BEw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBangwRmZaTTlKblBKTXRx + N0lrZWNRa0pHUkF6NjFpVElKY0VwZTZtQWpNCjFUdUppN1N3dUtMSUkvUEZkYzA3 + SGZPWEhtemYvdDZwVjZodlFadlF4Q0UKLS0tIDZMRUdBaERoYy9tNE1HUmIxYTky + SlFXVERmUHhYZnFXWjlHMUwzbnk0dGsKLF6YDj04hdVC8ghgvtYDbHwi4bsDxdxE + Xv+7GZYPcoMajldKjlxkSeLC0y/PYG44QtJZqdn7ji9N/+iODpmZow== -----END AGE ENCRYPTED FILE----- - recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGxoM3pPbEU5Ym1mSG1u - Wi9laFlnUHNqVnFWOUt1cmUrbHNqQ1ZqMGlJCkNLcXUrTXBKbVlmL1NxbWNiR3Z2 - ejBGOERrYWZvNi9kUlloTlRkY1dyL3MKLS0tIHVWcmxmN2grMjhkMmZVM3ZQTW9z - WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7 - v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcnFOdkVuemVPRXVGVmpy + QjZMQzEySjZKdmJWUjVocjVOd2JEcnFEeWlnCkNwWUxVejlMVnIrUExXS2ExdnBC + K3dIS1ZJMExpaUk4OFIvZ3dVZ3czLzgKLS0tIFc4dVNFcWdTS0JUVGZHUXd6UE9m + eDhza1RVOEpqcmhTUVJjcXNtbEF2UlkKziDZm9BOS6xScCKqLYnutscGuduH8OLu + xZLP6Wy+Y2MBsSrIs32470308CMsmbv4p8l8/vBf6FjwSvow7kboIg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yputfxttcyw9w6e9l3tkdyw73tr6z20r90twmrpktl44alywnu5s934fx9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV0NSc1Evd2x4cytNYXVx + ZG15NGxaSVduT2Z2TTViVkx3Yk1MNFE3eXpJCmx2VGhTY0Ryam1XbnkwY3F2QzJL + R0N2ODF3azJBKzh1cVN6SjRML3R0VW8KLS0tIFQwTEd2MHZWdXBVT3lOa2kzVEha + 
cTFJZ3ZBTG12enVWbmQrc3JNTjY3akEKSzjApYoZ0i70DBc7/IHo1giziDgVcRNi + E6roLPPJjM+n7ZhEielnc+PjsQZ74ZX6z2D4UY5AGOYY3BOmmTF51g== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-03-27T13:04:25Z" mac: ENC[AES256_GCM,data:6eINPO68OJGMhWhORC4MfBiA4Qax30UYzZBGdeqsDsRfjFZ7TCCiLrdHOdGWOr0S9nCelXm9VnTjIjFGudpZ2k3vQ5lM9bt1DZ19Y2XbeHhC7jZJP51ql9NexNMlT10zLdWWUWhxoow8avAszAguUc0nmWgi+R9N+ctrtwAWpmw=,iv:OYBn6dYDZJrJJ6xXUXoK5Ml3fHBULMYnQXAfqM+1rUU=,tag:ScVH3GRaMAKNnLQNNNDgtw==,type:str] diff --git a/flake.nix b/flake.nix index 7c4b74d..2763d58 100644 --- a/flake.nix +++ b/flake.nix @@ -30,6 +30,7 @@ nixosConfigurations = builtins.listToAttrs [ (mkSystem "desktop" "nemesis") (mkSystem "desktop" "mellinoe") + (mkSystem "headless" "apollo") ]; };
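Review bot: The `mac:` line stays as unchanged context while all three recipient wraps change, which indicates the file's data key was re-wrapped for the new recipient rather than regenerated, so apollo receives the same data key the existing recipients have held since the file was last rotated. That is the expected effect of `sops updatekeys`, but it means removing a recipient later (for instance after the host-key regeneration the README describes) will not revoke access to this ciphertext unless the key is rotated; running `sops rotate -i configs/secrets/secrets.yaml` (or `sops --rotate -i` on older releases) once the recipient list is final would issue a fresh data key and re-encrypt the values. `lastmodified` is also unchanged here, so the metadata does not reflect this edit — worth confirming that is the tool's behaviour rather than a hand edit.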