

6 Commits

Author SHA1 Message Date
8af65b5293 use k3s instead 2026-02-26 20:21:05 -05:00
eeb57bd576 enable all terminfo 2026-02-24 08:08:31 -05:00
8e187a3ea6 implement k8s 2026-02-23 22:47:40 -05:00
c85c68cf3a add attic cache 2026-02-23 22:14:04 -05:00
06bf993fb8 add nix config to base config 2026-02-22 21:10:08 -05:00
2a7521ee77 secrets management with SOPS 2026-02-22 21:02:22 -05:00
12 changed files with 158 additions and 4 deletions

3
.gitignore vendored

@@ -1 +1,2 @@
result result
secrets/


@@ -6,4 +6,20 @@
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
system.stateVersion = "25.11"; system.stateVersion = "25.11";
environment.enableAllTerminfo = true;
nix = {
settings = {
experimental-features = ["nix-command" "flakes"];
auto-optimise-store = true;
trusted-users = ["@wheel"];
substituters = [
"https://nix-cache.dubyatp.xyz/duby"
];
trusted-public-keys = [
"duby:IUVsFbQu499JOaHmUpi/mwhZEVQK7soFn7H6lD2/2T4="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
};
} }
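Review bot: The new `nix.settings` block lists only the private cache under `substituters = [`, and because a definition of `nix.settings.substituters` replaces the option's default rather than extending it, cache.nixos.org stops being a substituter for this host even though its key is still in `trusted-public-keys` and the flake.nix `nixConfig` in this same compare lists both URLs; add `"https://cache.nixos.org/"` after the private URL so the two lists agree and a cache outage does not force local builds. `trusted-users = ["@wheel"];` additionally lets every wheel member hand the daemon arbitrary substituters and signing keys, which is root-equivalent on the store; that is consistent with the `wheelNeedsPassword = false` context line above, but it deserves a comment such as `# wheel is already root via sudo; trusted-users lets them override substituters/keys for the daemon` so the grant reads as deliberate. The enclosing attribute set starts before this hunk.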

23
flake.lock generated

@@ -40,7 +40,28 @@
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1771735105,
"narHash": "sha256-MJuVJeszZEziquykEHh/hmgIHYxUcuoG/1aowpLiSeU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d7755d820f5fa8acf7f223309c33e25d4f92e74f",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
} }
}, },


@@ -1,6 +1,18 @@
{ {
description = "Black Start essential infrastructure for cloud operations"; description = "Black Start essential infrastructure for cloud operations";
nixConfig = {
substituters = [
"https://nix-cache.dubyatp.xyz/duby"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"duby:IUVsFbQu499JOaHmUpi/mwhZEVQK7soFn7H6lD2/2T4="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
};
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
@@ -8,9 +20,14 @@
url = "github:nix-community/disko/v1.13.0"; url = "github:nix-community/disko/v1.13.0";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, disko }: outputs = { self, nixpkgs, disko, sops-nix, ... }:
{ {
nixosConfigurations = { nixosConfigurations = {
weyma-bs = nixpkgs.lib.nixosSystem { weyma-bs = nixpkgs.lib.nixosSystem {
@@ -19,8 +36,10 @@
disko.nixosModules.disko disko.nixosModules.disko
{ disko.devices.disk.main.device = "/dev/vda"; } { disko.devices.disk.main.device = "/dev/vda"; }
./common/core.nix ./common/core.nix
./security/security.nix
./disko/uefi-nosecure.nix ./disko/uefi-nosecure.nix
./users/users.nix ./users/users.nix
./kubernetes/kubernetes.nix
{ {
config.boot = { config.boot = {
loader = { loader = {
@@ -61,10 +80,12 @@
]; ];
specialArgs = { specialArgs = {
inputs = { inputs = {
inherit self nixpkgs disko; inherit self nixpkgs disko sops-nix;
}; };
}; };
}; };
}; };
packages.x86_64-linux.attic = nixpkgs.legacyPackages.x86_64-linux.attic-client;
}; };
} }
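Review bot: In the second hunk of this section the new `sops-nix` input is declared as `url = "github:Mic92/sops-nix";` with no ref, while the neighbouring `nixpkgs` and `disko` inputs are pinned to `nixos-25.11` and `v1.13.0`; the lock file fixes today's revision, but every `nix flake update` will move this input to whatever the default branch holds, which is a different update policy for the module that decrypts the root and user password hashes. Pin it like its siblings, e.g. `url = "github:Mic92/sops-nix/<tag-or-rev>";` (placeholder ref). The `nixConfig` block in the first hunk also asks every evaluator of this flake to accept the private cache and its key; Nix prompts before honouring flake-level `nixConfig`, so a comment above it saying that the prompt is expected and which key it corresponds to would save the next person from refusing it.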


@@ -0,0 +1,8 @@
{
networking.firewall.allowedTCPPorts = [6443];
services.k3s = {
enable = true;
role = "server";
};
}
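Review bot: `networking.firewall.allowedTCPPorts = [6443];` opens the Kubernetes API server on every interface, and the `services.k3s` block below it enables a server role with no further options, so the API is reachable from wherever the host itself is reachable. If only a LAN, VPN or tunnel should reach it, scope the rule per interface instead, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [6443];` (placeholder interface name), and add a one-line comment stating who is expected to connect to 6443. The file's path is not shown on this page; presumably it is the `./kubernetes/kubernetes.nix` imported in flake.nix.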

6
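--- /dev/null
+++ b/security/security.nix
@@ -0,0 +1,6 @@
+{
+imports = [
+./ssl.nix
+./sops.nix
+];
+}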

23
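--- /dev/null
+++ b/security/sops.nix
+{ inputs, ... }:
+{
+imports = [
+inputs.sops-nix.nixosModules.sops
+];
+sops = {
+defaultSopsFile = ./sops_nix.yaml;
+#validateSopsFiles = false;
+age = {
+keyFile = "/var/lib/sops-nix/key.txt";
+};
+secrets = {
+pw_root = {
+neededForUsers = true;
+};
+pw_williamp = {
+neededForUsers = true;
+};
+};
+};
+}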
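Review bot: `keyFile = "/var/lib/sops-nix/key.txt";` names an age identity that nothing in this change creates or ships, and both secrets are `neededForUsers = true`, so the first activation of a freshly installed host will presumably fail before users are created until that file has been placed by hand; add a comment at that line such as `# age identity provisioned out of band before first boot; its public key must be a recipient in sops_nix.yaml`. The commented-out `#validateSopsFiles = false;` is dead configuration — delete it, or replace it with a sentence saying under which circumstances it is needed. The `secrets/` entry added to `.gitignore` in this compare does not cover `security/sops_nix.yaml`, which is fine because that file is encrypted, but a comment on `defaultSopsFile` stating that the file is committed encrypted would make the intent clear.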

17
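--- /dev/null
+++ b/security/sops_nix.yaml
@@ -0,0 +1,17 @@
+pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
+pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
+sops:
+age:
+- recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeHl6YW5XaDVYeitwUDlM
+cEVrNGtoQVljclVPV0pBSUJsS1lFQmlCZFcwCkZoSVNWUmVQK0VWcHRsN1hPY1Nl
+TmVTQU1pMHhoMnRkV3I1OSt3WElGR28KLS0tIEtmMlFWUUNsdnhyZWkvTW1yWmE1
+Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
+F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2026-02-23T01:50:31Z"
+mac: ENC[AES256_GCM,data:wSnhBZDBKDEEFcb8YwBjiopnMEuaVYfeH5Oi1mrlq6sSpvrznUu2saI3l+ktNIK94lw8OyJaj7Nh9AuCouAKeJXbzmBlV/6pTr8Ud08K7UXbd0jqGMku2de3OvMIwrEdhe1H/yxVOFVuRNAgOKmkWB/6Hs+gD0v2FG0ymHacN84=,iv:g8GWfogEPPeGf0cO7PdMLsnffb5GQE1VVuO9s4Ls1Ew=,tag:pBlrcIthHJ1hPtvNbt37SQ==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.11.0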
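Review bot: The file has exactly one age recipient (the single `- recipient:` entry), so losing that one private key makes both password hashes unrecoverable and re-keying needs a fresh plaintext; add a second recipient — an administrator or offline recovery key — through a `.sops.yaml` creation rule and `sops updatekeys`, so the host identity and a recovery identity both decrypt the file. No `.sops.yaml` is part of this compare, so recipient management is presumably done by hand today; a short note in the repository's README on where the recipient list lives would let the next person rotate keys safely.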

30
security/ssl.nix Normal file

@@ -0,0 +1,30 @@
{
security = {
pki.certificates = [
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
''
];
};
}
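Review bot: The certificate added under `security.pki.certificates` is placed in the system-wide CA bundle, so every TLS client on the host — curl, the Nix daemon's substituter fetches, k3s components — will trust anything this certificate signs, and the file gives no indication which CA it is, who holds its key, or when it expires. Add a comment above the `''` block naming the issuer, its purpose (presumably the private `nix-cache.dubyatp.xyz` substituter configured in core.nix and flake.nix — confirm) and the certificate's notAfter date, so the trust grant can be reviewed at a glance, e.g. `# private CA for <issuer>; trusted host-wide for <purpose>; expires <date>` (placeholders). If this is a CA certificate rather than a single leaf, say so as well, since a CA entry also trusts every future leaf it issues.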

7
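--- /dev/null
+++ b/users/root.nix
+{ config, ... }:
+{
+users.users.root = {
+hashedPasswordFile = config.sops.secrets.pw_root.path;
+};
+}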
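Review bot: Setting `hashedPasswordFile` for root gives the root account a usable password, while wheel members already have passwordless sudo through the `security.sudo.wheelNeedsPassword = false` context line in this compare's core.nix hunk, so the root password adds a second privileged login path rather than replacing one. If it exists only for console or rescue login, state that in a comment, e.g. `# root password is for console/rescue login only; day-to-day root access is via wheel sudo`. Whether sshd accepts a root password login is not visible in this change — confirm the effective `services.openssh.settings.PermitRootLogin` value, since the default matters here.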


@@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./williamp.nix ./williamp.nix
./root.nix
]; ];
} }


@@ -1,6 +1,9 @@
{ config, ... }:
{ {
users.users.williamp = { users.users.williamp = {
isNormalUser = true; isNormalUser = true;
hashedPasswordFile = config.sops.secrets.pw_williamp.path;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5lZ0/JJyLLwSrFfSs+DF/v0EkV2i/SVDf18+/K5NDV me@williamtpeebles.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5lZ0/JJyLLwSrFfSs+DF/v0EkV2i/SVDf18+/K5NDV me@williamtpeebles.com"
]; ];