Feat: add dns02 (#37)

* feat: add overlays * Auto lint/format * feat: fix dns01 firewall ports * chore: new keys for dns01 * fix: dupe key * chore: fix cfdyn * feat: add dns02 --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com> Co-authored-by: truxnell <truxnell@users.noreply.github.com>
truxnell · Mar 30, 2024 · a4a8b05 · a4a8b05
1 parent 662806a
commit a4a8b05
Show file tree

Hide file tree

Showing 9 changed files with 153 additions and 177 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -11,7 +11,8 @@
 keys:
   - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
   - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
-  - &dns01 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
+  - &dns01 age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+  - &dns02 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
   - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
   - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
 
@@ -22,5 +23,6 @@ creation_rules:
           - *nixosvm
           - *nixosvm2
           - *dns01
+          - *dns02
           - *citadel
           - *rickenbacker
diff --git a/flake.nix b/flake.nix
@@ -142,6 +142,19 @@
             ];
           };
 
+          "dns02" = mkNixosConfig {
+            # Rpi for DNS and misc services
+
+            hostname = "dns02";
+            system = "aarch64-linux";
+            hardwareModules = [
+              ./nixos/profiles/hw-rpi4.nix
+              inputs.nixos-hardware.nixosModules.raspberry-pi-4
+            ];
+            profileModules = [
+              ./nixos/profiles/role-server.nix
+            ];
+          };
 
           # # nix build .#images.rpi4
           # rpi4 = nixpkgs.lib.nixosSystem {
@@ -189,8 +202,10 @@
           };
         in
         {
-          dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01;
           rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker;
+          dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01;
+          dns02 = mkDeployConfig "10.8.10.10" self.nixosConfigurations.dns02;
+
 
           # dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02;
         };

diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix
@@ -24,7 +24,7 @@
 
   fileSystems."/" =
     {
-      device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      device = "/dev/disk/by-label/NIXOS_SD";
       fsType = "ext4";
     };
 

diff --git a/nixos/hosts/dns02/default.nix b/nixos/hosts/dns02/default.nix
@@ -7,96 +7,28 @@
 , ...
 }: {
   imports = [
-    # Host-specific
-    ./hardware-configuration.nix
 
-    # Common imports
-    ../common/nixos
-    ../common/nixos/users/truxnell
-    ../common/optional/fish.nix
-    ../common/optional/monitoring.nix
-    ../common/optional/reboot-required.nix
-    ../common/optional/sops-nix.nix
 
-    ../common/optional/dnscrypt-proxy2.nix
-    ../common/optional/cloudflare-dyndns.nix
-    ../common/optional/maddy.nix
   ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  mySystem.services = {
 
-  networking.hostName = "dns01"; # Define your hostname.
+    openssh.enable = true;
+    dnscrypt-proxy.enable = true;
+    cfDdns.enable = true;
+  };
 
-  # Pick only one of the below networking options.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+  networking.hostName = "dns02"; # Define your hostname.
+  networking.useDHCP = lib.mkDefault true;
 
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
 
-  # Select internationalisation properties.
-  # i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  #   useXkbConfig = true; # use xkb.options in tty.
-  # };
+  swapDevices = [ ];
 
-  # Enable the X11 windowing system.
-  # services.xserver.enable = true;
 
-  # Configure keymap in X11
-  # services.xserver.xkb.layout = "us";
-  # services.xserver.xkb.options = "eurosign:e,caps:escape";
 
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable sound.
-  # sound.enable = true;
-  # hardware.pulseaudio.enable = true;
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # List services that you want to enable:
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  #
-  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
-  # so changing it will NOT upgrade your system.
-  #
-  # This value being lower than the current NixOS release does NOT mean your system is
-  # out of date, out of support, or vulnerable.
-  #
-  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
-  # and migrated your data accordingly.
-  #
-  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "23.11"; # Did you read the comment?
 }
diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml
@@ -1,8 +1,8 @@
 system:
     networking:
-        #ENC[AES256_GCM,data:bHeRWJyZgBuMalt5K3j4xtffim6aSCq+/c4+t1pxIlr2JAI+i+PO3S09GVahSGlUpn4buJbkE1H80/w0UrdPWtR/ZAn1ZMoXCuKnXg==,iv:f1MerFEkn76dNWwYNVGotKfDbaSy2ndvt8q4ul53HGw=,tag:eNjmJtRMxbu5j2rssXHYHA==,type:comment]
+        #ENC[AES256_GCM,data:y2k8WKDdMW/+lCc7OnJTPd21DZFkjXqRSDRuIHTvN3p8AZ0KB0ERjf5/Fzpgq9wRjktcGMfFRzl9AaLN0DNXLseV5hoeX8pzXrZddA==,iv:hMuTiccA2PSUKGK5bZ9YCGHYgj58+TMbid7/FOXqK6A=,tag:B9A3H4ssQsi3aD/bUvh8IA==,type:comment]
         cloudflare-dyndns:
-            apiTokenFile: ENC[AES256_GCM,data:t2SR+EyOzBW3+5bZE/4Kpa4kpyZi7IErHDkjyC6r6su8thstVynSpfWDCi4Xj4Th11kU0YO3h8RBqAmss1wHTPGti+1ha3LlSJfemKWIN2qtYfJLeZ5ZBoC+xctW8u5+ahur/3tjUjsXgERCUuQiuMe5Tw==,iv:CTWKFyIi/mYu6eW6WMFWsF2ds3lkqqcQcE/5xy9qQac=,tag:muZ1RC2M3fB7vjissXCPtQ==,type:str]
+            apiTokenFile: ENC[AES256_GCM,data:AQA6X+GoPgudn+qwGpNnX3PmWNfgYFuvYGbthoOXPTiAs54oPrH6XGyFjGS5skqe9vypjPbl/Zj+z8q4rLGKrZt9cgF5JywoS2pyjscDW9QI74mAS6bcH8eJ/PMLopDYybKEMS8w1cMeGP5J46Uhg2HLJA==,iv:vjzMXBt9NbFcoqzpew/s/h1OXNWEnDLY0JuyASvbojM=,tag:8Ca+0ieZUZ9Wk9Q2UigF0A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -12,50 +12,59 @@ sops:
         - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbVFkcXJoWjJweUowdDU5
-            bTdTSVBDK041MVFoclRiRk1tYjBvVGFCTUhjCkhZbXB0ZURua0Yvb0EyV3ZzWEJ6
-            NU1LaUgwZ1NjWEd3K3VWNEY0d1dkc2cKLS0tIDRHMDk5TFdCRk5jNVNPd2srT1ZY
-            VVBMZFJzVGcweUErRGpyWm5JU2M0YmsKiqThEaJubMZalyA/7nhh0L1IK0Ro0y5X
-            8mgZh6rx8BzZJodiuRjGeCgsVnUREX4Mr1IKaFtG9GFyzc0yeTStjQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHR0VlFlL21SNzJJQ2F0
+            UUJ3Vy9mem0veTJlV3FKbVNGd1htRHNOQkI4Ckd3QXk5bVR0WmNkaXZUZXBZY0px
+            NTJJZ3NKRDBLZTRJd2xOZ0pBazk2SFEKLS0tIG1zQTlCcUFSUUthaUxLeHlyZWpQ
+            NXBYeUx6bmYwSXFrZlNmZitYM1ZlK28KvKU5iig3qg1tGOX8jDsXjXJ9ly8cP+4y
+            tcsCDuQWxiJ2v2U4FD47iRs2IfxZadYGJM2nOToOKHnuTTSpvNXAVQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aE92YzM2WmlRK01qZ3RC
-            dHBhc1dvSG1ReGdrZzkyUUtPRVYraGFScHpnCjRGaTM2KzRxTGFkN05mc0xFSGxO
-            MkVrYVZkWlFoWmEzSWhQTTZZK0dwREUKLS0tIGRhenlKV29WbkJVVVlEaUkrNUpl
-            c1hEMnBuVFBKUjl2ZHM0OXAwcnFJZzAK+Pf1YDIbiqsKGsA3geTbP9alkBG2uomZ
-            KeY+goK6MwNcZwKkSd83Lf6j6Fezv9C+gR2lTdZ4EFITlRWaxt6nmA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZzEyRkZZbTcvOVRLU3JH
+            bWZ4eXdUZlAxQjNkN2c1SzNiQVdkWU1FR24wClYwVjdGYm1xditOYWxIMGNmVDFr
+            cXZLdHhqOS9yNHEzQ29aKzVCNU5uMWMKLS0tIHoveWJmcS80MENxSnVXNlpJN0lx
+            bFNWU3dUTXFkMDZaWjUxWVlVd2x6dkUKKEBaUX/euYu9VEzhudWs4PUb+xVvpjQQ
+            GoOcFJvp+A60X2pK5mDxzgyWWudr+ZjiQNn3A/6XE4KfLhzmmI5Bsg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSkNCTFZaSTYyYjRwN0lP
+            Qzd4R3krZVJlREtueHlqUTBPRTNhcU5ORVNzCmdkYWFUQWRNajB4UEc3bzA2anIr
+            cm92alRQUWI0UDR2T0c5OTVhZ1hRQ0UKLS0tIFkxUHl1c3psYU1CTUI2NEpmL1hR
+            VnVacXZDQ3UyR1VoVGVQUzdteDRXRUUKkK9LP5sCjS2t2M+tftUqBh8jqwjmfKU6
+            HsIaMzELohiV5/91iq5FlIArQe7F5KFQfY3vRfYuh26I6zgqvVUlrA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MGhXMS9FbUdqckdqcUhs
-            aE1qL1lydy9VVWMwYlNrZTJrVVNxOW5hTWhvCkVGbjZ1RHJLc05HaFJkWm9VNzB0
-            T3dzbTU5YysvclQ5OHVaNU00bmRSWEUKLS0tIFF1cnVqVndtYXNrWWt5OU1IYjd5
-            bUhRTVFad0pCSFhweUNkSElVSUI5SGsKccyy6u6aJagRn7OYlBpbfnzkaD/qYRt+
-            oct41POm3gi8QQ6TYMT/xa0UlOCS9CnvjE4ZV8W5cWyvEEyPEez+Qg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NEJjblpGK2dGMmJ6OHBu
+            bnc0dUg0dXJROUMvQW1mOEcyWlpqb3BzUGc4CjdmT1FkaTdsRndGUXlod1cwSnpm
+            OFNLcjc3NlpPY2ZOMm55Y0ZFSjVpelkKLS0tIDVZV2hmMG1Qd0g1dXFEY0x0ZmhC
+            Y3NleUZ2azM0amdHRlplSGtvcWowd1kK+PNq8czpnC5zfwET60aQkNdcUwQopZ9W
+            nUX+QutTCdFoWoCKGsoQK42uXWQheHNtoPT258s2+8SBtdwLIckHgQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYbWtjd3o3anJqRHI2cWx1
-            NFp4dnF4UzdxODRLek8yeWc3NXMvYXg3Y2pZCmZ1bkg4Y2htRUQ5Kzd1ZlFSRlNv
-            dHJ6UTRUVGlzL0VQRXpLQjJMSGtQT1kKLS0tIElxcGRHUTZxdzd6U0J2cHVad2Z6
-            d0I5T1prNkJtU3dOK2dLU0FQYWl6Y3MKWtTVfqZqwO1DWcqCX3zQKJw+Iru9uYLL
-            oaDFNp7BkyHGAgUGlnryhpHqk/Mfiaz9F3+7E7yxPGmBL5/XGcfYzg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T25vdlB1VGFBVGdYd3k4
+            em42STFmdU9tZW9vVCtTZlBqOFZnUzFHYlZJCnJuSGk0cGlOSkQ1VzlRZ0ZONmlx
+            bXNkQ0hCaFBrMmt3dXZ2dXZzN09UVGsKLS0tIHo5bnVxcWEyQ2JkMk9qK1pxVW1S
+            ZnJ0R0hDVDU4WDFVS1Jka0h3b0R4bjAKcJ88Yzxn2HTqEEu0ujVMZGXJpc9jbypI
+            hlsDzMESTAlrZx7ZmI+nJw36RolDPRTfteHJFGI8LEx6zGXLcBp3LQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZC9xSVVuV1QyaWxQN09F
-            YVplRmZFOFJ2dGJPeS9iTVZpU3lqZk9Pc3kwCmdTV3B3WllwN3Z2dDI5aVl1OUtJ
-            Z0IxRHgxRjROdHE4RmpvOThuZmx4VHMKLS0tIFNJRXRsQ2lRRjB5ZTByczg0ZWg5
-            elVTbm96S2tpb3hPNHc1OU0yZ2FUNVUKCikEO6z7kpDmFlc9JldOSlGXv4JhFh/u
-            8sQSl3jF58lCBllOfM5T0crwbDHGlKI7JQ2H8vhZKk8TfiH3hGWxpg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbmdMeGUxaGN1cTFXVlFV
+            dElYSkVMTm9DMGFLTDRLYzRGQ1dGaUFHSzNRCjk0bkprSHpsUjRRdnNaeWpTbG0y
+            T3BKK1h6VWNCMC96Y3lyQ1ZRcW9mL0kKLS0tIG5GaTI5MVkwMkNEWWcvbmZGanYz
+            VWIybGRha1dWWUdsaWIxOXRLZkVFNlUKLEQI3HO/7Ia7GoOJOKJVbYkDrevqh7m7
+            hjMjnl4RnrcFwq46NuYyruTartHqRPBUHyXdoiMfeHNQQ7QP8A5ZHA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-29T22:45:28Z"
-    mac: ENC[AES256_GCM,data:tPhORuf+63E68CdAdSsA/NgdBG9GrnmpVKVLo0O1ibaUDk6WblcmMoFROIo8BuciaUZsEf30NF9lVC/QgsZ35sHc/WcX4Ze80LyhBVgf0wgpy5xSjWLnYHCgFMA/TuYX7lJBLJVFZ3VAdwWp4XznGdlBHulQFM6jBEHz8wW749A=,iv:3aHdxUNfZinz13HRTtb7376era8Hont39C6pa0jnRAk=,tag:zza2Dy6I9R3C+xqEehgRfQ==,type:str]
+    lastmodified: "2024-03-30T01:29:21Z"
+    mac: ENC[AES256_GCM,data:8Z5udmxrut2IxaP9kjP7px8CoQYNBIwIhafCWC8y1+LzOJWdITIfL3S/gW8O3xIH27gS0y2CsBSFf3fB9kF0JPapnCMLwNtA/oqNdSqx4p0Jev3mdtfaboF1kGShuDiYUIhMRVk/eiDtNojakVJiMxZzEtdo5YbgRXlfbYw6gTQ=,iv:UHOH6pAVf3VBtVvGn0HijmhbPWv6d64EESMRJkXC48o=,tag:EJfBjV6qZfGNxyCU9XzuHA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1