host(aquarius): remove old host, and add new host aquarius

2025-09-27 16:53:36 +02:00 · 2025-09-27 16:53:36 +02:00 · 46a8141cc4
commit 46a8141cc4
parent 3e4903361c
8 changed files with 89 additions and 52 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -29,3 +29,7 @@ creation_rules:
    key_groups:
      - age:
        - *primary
+  - path_regex: secrets/aquarius-wg.yaml
+    key_groups:
+      - age:
+        - *primary
--- a/modules/home/cli-apps/fish/default.nix
+++ b/modules/home/cli-apps/fish/default.nix
@ -22,6 +22,7 @@ in
      shellAliases = {
        nix-dns = "nixos-rebuild switch --flake ${flakeRoot}/.#dns --target-host dns-1 --sudo --ask-sudo-password && nixos-rebuild switch --flake ${flakeRoot}/.#dns --target-host dns-2 --sudo --ask-sudo-password";
        nix-blarm = "nixos-rebuild switch --flake ${flakeRoot}/.#blarm --target-host blarm --sudo --ask-sudo-password";
+        nix-aquarius = "nixos-rebuild switch --flake ${flakeRoot}/.#aquarius --target-host aquarius --sudo --ask-sudo-password";
        cd = "z";
        ls = "exa --icons";
        l = "exa";
--- a/overlays/cinny/default.nix
+++ b/overlays/cinny/default.nix
@ -8,16 +8,17 @@ final: prev: {
  awesome-flake = (prev.awesome-flake or { }) // {
    cinny = prev.cinny-unwrapped.overrideAttrs (_old: rec {
      pname = "cinny-unwrapped";
-      version = "65475050d76d6e8da8c3402528215b1425e8ed4e";
+      version = "76ac4e298733e67dbfcd3f0c3a4bae169cd521dd";

      src = final.fetchFromGitHub {
-        owner = "GigiaJ";
+        #owner = "GigiaJ";
+        owner = "cinnyapp";
        repo = "cinny";
        rev = version;
-        hash = "sha256-kJZDc53mcJrGIw3Dl4ANq+1O5O2p0tcO2btQGNGRg4A=";
+        hash = "sha256-tvBaONJwfkCK77aHmWJ/UAAZHq2WIc7geNT2tEFKuZ0=";
      };

-      npmDepsHash = "sha256-GkD+CrblXBv7yPVrTBVIGkz7Wu5llWzlluNq7rmm3CE=";
+      npmDepsHash = "sha256-9faffTlXEI1lMrVrkSyso/tfjs/4W+TVzmiv+bZAv18=";
      npmDeps = final.fetchNpmDeps {
        inherit src;
        name = "${pname}-${version}-npm-deps";
--- a/secrets/aquarius-wg.yaml
+++ b/secrets/aquarius-wg.yaml
@ -0,0 +1,18 @@
+privateKey: ENC[AES256_GCM,data:WtmzHDKRbqbJJ3VXKqqKnqKTcvVDV+yFgFfeKxLv+UErOiEBgqtDhKEs0Io=,iv:admaUfhhKLlu58wKpRvgyGSqOsiY82ix2xJgT0GL8Xs=,tag:eP9Ka0jo2BYxZX0w7eKGqA==,type:str]
+publicKey: ENC[AES256_GCM,data://Kq875vV3gpE3tbMRVt/q7m5LqPRXOka8fzoA2oZzglfE1xtS/kAMPMR44=,iv:5fLk4lBTHwIcGiAM325ykceViCBwRHFLnxZkcqm3Ao4=,tag:g6R0ZSRa2m9JNB2UH3JIJg==,type:str]
+presharedKey: ENC[AES256_GCM,data:EpOJCMzi1XHDbbqdEB+SoC/6LxkHwxZ2DxQINBnGhjXl6JhNYswqTWQuFVU=,iv:GFcxLghV+SQMaJ5J4bQOBPGDQatkSwPLtx57wlWaB+8=,tag:2ofR6eSplwLwe/vYyGyrLg==,type:str]
+sops:
+    age:
+        - recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QWtnVkU1QnVyUU9ROHpO
+            WWp5TU1rTSt6aUlMOHczTXhXTmpUeDIvcDB3CnRRdk5BTnRWOUZiK0R1L0NUNHBn
+            L3FVNnFTbEVmQ2lHUlZwZFJyUWtFRVUKLS0tIFhPcUoxbXgrd3FWYmJMU2ZUTXFv
+            ekZnYTVDS1habTBpSUtOaURWTFBxRU0KblHpvcdwLANZdxUmT4hDQqooPXDiRvH1
+            f8qVPOVveoOBzmoN9HN08TFbQcwZ6YM0IQggxdtMyhZk/qyhy+CqNw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-08-02T12:06:55Z"
+    mac: ENC[AES256_GCM,data:T9trFCzxJm3eINbuJIDN04feEHViZz6yiaA59yf9+WyJrLB467DagDc4Qv90vdRJXzakwZSYvprDtglrVReT+Wg2GLdVtNIZmPEaLrfpfBgVaBCEZch48dOh+Ytgc09f95ecyXJV/2xNLBtW8YUs3JZsIAcJQTOOrLLhhPjj96A=,iv:wrwIeLhEsN6LFpO/6RF+DE343xdFhshd4TSeF+le+m8=,tag:rNXmYSJsStd5HeDCgtKSRQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/systems/aarch64-linux/aquarius/default.nix
+++ b/systems/aarch64-linux/aquarius/default.nix
@ -19,13 +19,17 @@ with lib.${namespace};
    generic-extlinux-compatible.enable = true;
  };

-  nix.settings.experimental-features = [
+  nix.settings = {
+    trusted-users = [ "philipp" ];
+    experimental-features = [
      "nix-command"
      "flakes"
    ];
+  };

  # Disable detailed ddocumentation
  documentation.nixos.enable = false;
+  documentation.man.generateCaches = false;

  # Set your time zone.
  time.timeZone = "Europe/Berlin";
@ -38,7 +42,6 @@ with lib.${namespace};
    description = "Philipp Böhm";
    extraGroups = [
      "wheel"
-      "caddy"
    ];
  };

@ -50,16 +53,15 @@ with lib.${namespace};
    };
  };

+  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.settings.PermitRootLogin = "no";
+
+  services.cron = enabled;
+
  awesome-flake = {
    services = {
      ssh = enabled;
-      caddy = enabled;
-      restic = enabled;
-    };
-
-    container = {
-      technitium = enabled;
-      invidious = enabled;
+      technitium-dns-server = enabled;
    };

    system.sops = enabled;
--- a/systems/aarch64-linux/aquarius/networking.nix
+++ b/systems/aarch64-linux/aquarius/networking.nix
@ -0,0 +1,46 @@
+{
+  networking = {
+    hostName = "aquarius";
+    networkmanager.enable = false;
+    dhcpcd.enable = true;
+
+    interfaces.end0.useDHCP = true;
+
+    firewall = {
+      enable = true;
+      allowedUDPPorts = [ 51820 ];
+    };
+
+    wireguard = {
+      enable = true;
+      interfaces."wg0" = {
+        ips = [ "192.168.100.10/24" "fd00:100::10/64" ];
+        listenPort = 51820;
+        mtu = 1400;
+        privateKeyFile = "/run/secrets/privateKey";
+        peers = [
+          {
+            publicKey = "ylsjhpKiq3B6Kv4q2uiHXUJpyxY2b1DOAlGc/FWdflQ=";
+            presharedKeyFile = "/run/secrets/presharedKey";
+            allowedIPs = [ "192.168.100.1/32" "fd00:100::1/128" ];
+            endpoint = "neuruppin.boehm.sh:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+
+  sops.secrets = {
+    privateKey = {
+      sopsFile = ../../../secrets/aquarius-wg.yaml;
+      key = "privateKey";
+    };
+
+    presharedKey = {
+      sopsFile = ../../../secrets/aquarius-wg.yaml;
+      key = "presharedKey";
+    };
+  };
+
+}
--- a/systems/aarch64-linux/blarm/networking.nix
+++ b/systems/aarch64-linux/blarm/networking.nix
@ -1,33 +0,0 @@
-{
-  networking = {
-    hostName = "blarm";
-    firewall.enable = false;
-    networkmanager.enable = false;
-    dhcpcd.enable = true;
-    defaultGateway.address = "192.168.1.1";
-    interfaces.end0 = {
-      useDHCP = true;
-      ipv4.addresses = [
-        {
-          address = "192.168.1.251";
-          prefixLength = 32;
-        }
-        {
-          address = "192.168.1.202";
-          prefixLength = 32;
-        }
-      ];
-      ipv6.addresses = [
-        {
-          address = "fd00:192:168:1::202";
-          prefixLength = 64;
-        }
-        {
-          address = "fd00:192:168:1::251";
-          prefixLength = 64;
-        }
-      ];
-    };
-  };
-
-}
--- a/systems/x86_64-linux/blarm/default.nix
+++ b/systems/x86_64-linux/blarm/default.nix
@ -7,9 +7,7 @@
 }:
 with lib.${namespace};
 {
-  imports = [
-    (modulesPath + "/virtualisation/proxmox-lxc.nix")
-  ];
+  imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];

  nix.settings = {
    trusted-users = [ "philipp" ];