rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add apollo nixos configuration

Browse source
This commit is contained in:
Mohammad Rafiq 2025-03-30 04:17:26 +08:00
parent 7db5d93409
commit 00c219cb05
No known key found for this signature in database
5 changed files with 51 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

22
README.md
View file

@ -33,7 +33,27 @@ wpa_cli
ip addr ip addr
``` ```
On the host machine, run the command `deploy --flake .#<hostname> --target-host <username>@<ip_address>` to build the new system configuration and copy it over SSH along with the sops age key and ssh keys. On the host machine, run the following command to build the new system configuration and copy it over SSH along with the sops age key and ssh keys.
```bash
# WARNING: You must use the IP address of the machine.
# The hostname will not suffice as it will boot into a NixOS installer through kexec.
deploy --flake .#<hostname> --target-host <username>@<ip_address>
```
Complete the setup by running the following on the target system once it is booted into the new install.
```bash
# On the target machine:
sudo rm /etc/ssh/ssh_host_*
sudo ssh-keygen -A
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
# On the host machine:
# Add the host age public key to .sops.yaml
sops updatekeys secrets.yaml
```
# Acknowledgements # Acknowledgements

8
configs/default.nix
View file

@ -40,5 +40,13 @@
}) })
./hardware/cpu_intel.nix ./hardware/cpu_intel.nix
]) ])
(lib.optionals (hostname == "apollo") [
./bootloaders/systemd-boot.nix
(import ./filesystems/impermanence.nix {
inherit inputs lib;
device = "/dev/disk/by-id/nvme-eui.002538d221b47b01";
})
./hardware/cpu_intel.nix
])
]; ];
} }

2
configs/secrets/.sops.yaml
View file

@ -1,9 +1,11 @@
keys: keys:
- &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
- &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh - &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
- &apollo age1yputfxttcyw9w6e9l3tkdyw73tr6z20r90twmrpktl44alywnu5s934fx9
creation_rules: creation_rules:
- path_regex: .(yaml|json|env|ini)$ - path_regex: .(yaml|json|env|ini)$
key_groups: key_groups:
- age: - age:
- *admin - *admin
- *nemesis - *nemesis
- *apollo

29
configs/secrets/secrets.yaml
View file

@ -11,20 +11,29 @@ sops:
- recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaU5aQjB5aWlsSXBNOElh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBangwRmZaTTlKblBKTXRx
QTZqRnkxSVFibWRReFExTngrck5ZR2JRSHc0CmlFVUpMcXZUYitncFNqU016eU8r N0lrZWNRa0pHUkF6NjFpVElKY0VwZTZtQWpNCjFUdUppN1N3dUtMSUkvUEZkYzA3
UUhIQVR1OHNNajh1WGpaTG1aUFdzakEKLS0tIEk2MUhBVkUxNXRjbnVrb3pPdjlU SGZPWEhtemYvdDZwVjZodlFadlF4Q0UKLS0tIDZMRUdBaERoYy9tNE1HUmIxYTky
K1l0QlZ6RDBQZlY0VUtXZXRpekNTelUKoDd6bqX2RNYUNKYBaferXO/FIRSTVXpn SlFXVERmUHhYZnFXWjlHMUwzbnk0dGsKLF6YDj04hdVC8ghgvtYDbHwi4bsDxdxE
JrTPgC+e/f0XMIMcQCiSDmoiuGzEwChboyFAX0JQ7oBSfcGCDd6BEw== Xv+7GZYPcoMajldKjlxkSeLC0y/PYG44QtJZqdn7ji9N/+iODpmZow==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh - recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGxoM3pPbEU5Ym1mSG1u YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcnFOdkVuemVPRXVGVmpy
Wi9laFlnUHNqVnFWOUt1cmUrbHNqQ1ZqMGlJCkNLcXUrTXBKbVlmL1NxbWNiR3Z2 QjZMQzEySjZKdmJWUjVocjVOd2JEcnFEeWlnCkNwWUxVejlMVnIrUExXS2ExdnBC
ejBGOERrYWZvNi9kUlloTlRkY1dyL3MKLS0tIHVWcmxmN2grMjhkMmZVM3ZQTW9z K3dIS1ZJMExpaUk4OFIvZ3dVZ3czLzgKLS0tIFc4dVNFcWdTS0JUVGZHUXd6UE9m
WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7 eDhza1RVOEpqcmhTUVJjcXNtbEF2UlkKziDZm9BOS6xScCKqLYnutscGuduH8OLu
v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA== xZLP6Wy+Y2MBsSrIs32470308CMsmbv4p8l8/vBf6FjwSvow7kboIg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yputfxttcyw9w6e9l3tkdyw73tr6z20r90twmrpktl44alywnu5s934fx9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGV0NSc1Evd2x4cytNYXVx
ZG15NGxaSVduT2Z2TTViVkx3Yk1MNFE3eXpJCmx2VGhTY0Ryam1XbnkwY3F2QzJL
R0N2ODF3azJBKzh1cVN6SjRML3R0VW8KLS0tIFQwTEd2MHZWdXBVT3lOa2kzVEha
cTFJZ3ZBTG12enVWbmQrc3JNTjY3akEKSzjApYoZ0i70DBc7/IHo1giziDgVcRNi
E6roLPPJjM+n7ZhEielnc+PjsQZ74ZX6z2D4UY5AGOYY3BOmmTF51g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-27T13:04:25Z" lastmodified: "2025-03-27T13:04:25Z"
mac: ENC[AES256_GCM,data:6eINPO68OJGMhWhORC4MfBiA4Qax30UYzZBGdeqsDsRfjFZ7TCCiLrdHOdGWOr0S9nCelXm9VnTjIjFGudpZ2k3vQ5lM9bt1DZ19Y2XbeHhC7jZJP51ql9NexNMlT10zLdWWUWhxoow8avAszAguUc0nmWgi+R9N+ctrtwAWpmw=,iv:OYBn6dYDZJrJJ6xXUXoK5Ml3fHBULMYnQXAfqM+1rUU=,tag:ScVH3GRaMAKNnLQNNNDgtw==,type:str] mac: ENC[AES256_GCM,data:6eINPO68OJGMhWhORC4MfBiA4Qax30UYzZBGdeqsDsRfjFZ7TCCiLrdHOdGWOr0S9nCelXm9VnTjIjFGudpZ2k3vQ5lM9bt1DZ19Y2XbeHhC7jZJP51ql9NexNMlT10zLdWWUWhxoow8avAszAguUc0nmWgi+R9N+ctrtwAWpmw=,iv:OYBn6dYDZJrJJ6xXUXoK5Ml3fHBULMYnQXAfqM+1rUU=,tag:ScVH3GRaMAKNnLQNNNDgtw==,type:str]

1
flake.nix
View file

@ -30,6 +30,7 @@
nixosConfigurations = builtins.listToAttrs [ nixosConfigurations = builtins.listToAttrs [
(mkSystem "desktop" "nemesis") (mkSystem "desktop" "nemesis")
(mkSystem "desktop" "mellinoe") (mkSystem "desktop" "mellinoe")
(mkSystem "headless" "apollo")
]; ];
}; };