Add full homelab in a single repo, along with dotfiles

.sops.yaml

@@ -0,0 +1,27 @@
+keys:
+  - &ereslibre age137w3427xc70f65mchg658ak3tsrym2rdh5tm7yun0e2tmf5pr5rsa64zv8
+  - &host-nuc-1 age1jsrzvlyj5fzf6c3rysd79f68drmpgvh4myxqsl7mlm7gyhfunywq573mss
+  - &host-nuc-2 age1ph4vt4lhrw4q974gm2g0xue3y8swy8qw9k8kg68hzxs7s04cxyzs5jujvs
+  - &host-nuc-3 age1jt7ucv03v82ccuwwhaulgywswsc5h2uxauyrdmra8gsd47ajfyasyp4r9q
+  - &host-pi-desktop age1vlf2h45puhwd8zms7l0nnhk3m2w0l6meejhz8pdgduqw5ljleujqyp8l0h
+creation_rules:
+  - path_regex: nuc-1/secrets\.yaml$
+    key_groups:
+      - age:
+          - *ereslibre
+          - *host-nuc-1
+  - path_regex: nuc-2/secrets\.yaml$
+    key_groups:
+      - age:
+          - *ereslibre
+          - *host-nuc-2
+  - path_regex: nuc-3/secrets\.yaml$
+    key_groups:
+      - age:
+          - *ereslibre
+          - *host-nuc-3
+  - path_regex: pi-desktop/secrets\.yaml$
+    key_groups:
+      - age:
+          - *ereslibre
+          - *host-pi-desktop

.switch.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+if [[ "$(uname -o)" == "Darwin" ]]; then
+    nix --extra-experimental-features nix-command --extra-experimental-features flakes run nix-darwin -- switch --flake .#"$@"
+else
+    sudo nixos-rebuild --flake .#"$@" switch
+fi

README.md

@@ -1,30 +1,33 @@
-# dotfiles
+# Personal homelab
 
-My dotfiles. Set as a [home-manager](https://github.com/nix-community/home-manager)
-[flake](https://nixos.wiki/wiki/Flakes).
+## Bootstrap a machine
 
-## Configure
+```
+# sudo nixos-install --flake "github:ereslibre/homelab#<hostname>"
+```
 
-1. Install the [`nix`](https://nixos.org/) package manager.
+## Update a machine
 
-   ```console
-   $ make install-nix
-   ```
+```
+# sudo nixos-rebuild --flake "github:ereslibre/homelab#$(hostname)" switch
+```
 
-1. Activate the home-manager profile matching the machine you are at.
+## Specific node tailscale configuration
 
-   ```console
-   $ make
-   ```
+### nuc-1
 
-> Note: on Mac OS X, run afterwards:
->
-> ```bash
-> $ launchctl load ~/Library/LaunchAgents/es.ereslibre.emacs.plist
-> ```
->
-> So the agent is loaded without the need to restart the session,
-> starting the emacs daemon.
+```
+# sudo tailscale up --accept-dns=false --accept-routes --advertise-routes=10.0.1.0/24,10.0.2.0/24,10.0.3.0/24,10.0.4.0/24
+```
 
+### nuc-2
 
-Done! :)
+```
+# sudo tailscale up --accept-dns=false
+```
+
+### nuc-3
+
+```
+# sudo tailscale up --accept-dns=false
+```

common/aliases/default.nix

@@ -0,0 +1,5 @@
+{
+  environment.shellAliases = {
+    nixos-upgrade = ''sudo nixos-rebuild --flake "github:ereslibre/homelab#''${HOST}" switch'';
+  };
+}

common/home-node/default.nix

@@ -0,0 +1,5 @@
+{
+  networking.nameservers = [
+    "10.0.4.1"
+  ];
+}

common/mdns-reflector/default.nix

@@ -0,0 +1,6 @@
+{
+  services.avahi = {
+    enable = true;
+    reflector = true;
+  };
+}

common/network-ingress/default.nix

@@ -0,0 +1,6 @@
+{
+  networking.nat = {
+    enable = true;
+    externalInterface = "tailscale0";
+  };
+}

common/nixos/default.nix

@@ -0,0 +1,10 @@
+{
+  nix = {
+    extraOptions = "experimental-features = nix-command flakes";
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+    };
+    settings.trusted-users = ["root" "builder" "ereslibre"];
+  };
+}

common/node/default.nix

@@ -0,0 +1,41 @@
+{lib, ...}: {
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = ["nohibernate"];
+    kernel.sysctl."net.ipv4.ip_forward" = 1;
+  };
+
+  documentation = {
+    dev.enable = true;
+    man.generateCaches = true;
+  };
+
+  environment.sessionVariables = {
+    LIBVIRT_DEFAULT_URI = "qemu:///system";
+  };
+
+  networking = {
+    useDHCP = lib.mkDefault true;
+    firewall.enable = false;
+  };
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  services = {
+    tailscale.enable = true;
+  };
+
+  time.timeZone = "Europe/Madrid";
+
+  users.users.ereslibre.extraGroups = ["libvirtd"];
+  virtualisation.libvirtd.enable = true;
+}

common/packages/default.nix

@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    lm_sensors
+    ltrace
+    man-pages
+    man-pages-posix
+  ];
+}

common/podman/default.nix

@@ -0,0 +1,21 @@
+{pkgs, ...}: {
+  environment = {
+    shellAliases = {
+      docker-compose = "podman-compose";
+    };
+    systemPackages = with pkgs; [
+      conmon
+      podman-compose
+    ];
+  };
+  security.polkit.enable = true;
+  users.users.ereslibre.extraGroups = ["podman"];
+  virtualisation = {
+    containers.enable = true;
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      dockerSocket.enable = true;
+    };
+  };
+}

common/programs/default.nix

@@ -0,0 +1,6 @@
+{
+  programs = {
+    nix-ld.enable = true;
+    zsh.enable = true;
+  };
+}

common/remote-builder/default.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  users.groups.builder = {};
+  users.users.builder = {
+    isSystemUser = true;
+    extraGroups = ["wheel"];
+    group = "builder";
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgXdZGKpuMlgyDqjUt38Yb0fdkEqMWhSdWKvzFDJG4M"
+    ];
+  };
+
+  nix.settings.trusted-users = ["builder"];
+}

common/remote-builds/default.nix

@@ -0,0 +1,25 @@
+{config, ...}: {
+  sops.secrets.hulk-builder-key.mode = "0400";
+
+  programs.ssh.knownHosts = {
+    hulk = {
+      extraHostNames = ["hulk.ereslibre.net" "hulk.lab.ereslibre.local" "10.0.4.20"];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7LVYEeuJKdK8ZGXwLGZxHaiCQNi107DdKl4CiJE8rC";
+    };
+  };
+
+  nix = {
+    buildMachines = [
+      {
+        sshUser = "builder";
+        sshKey = config.sops.secrets.hulk-builder-key.path;
+        hostName = "hulk";
+        systems = ["x86_64-linux" "aarch64-linux"];
+        protocol = "ssh-ng";
+        supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+        mandatoryFeatures = [];
+      }
+    ];
+    distributedBuilds = true;
+  };
+}

common/services/default.nix

@@ -0,0 +1,16 @@
+{lib, ...}: {
+  services = {
+    fwupd.enable = true;
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = lib.mkForce "no";
+      };
+      extraConfig = ''
+        StreamLocalBindUnlink yes
+      '';
+    };
+  };
+}

common/synapse-server/default.nix

@@ -0,0 +1,34 @@
+{pkgs, ...}: let
+  dbName = "matrix-synapse";
+in {
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      database.name = "psycopg2";
+      listeners = [
+        {
+          bind_addresses = [
+            "0.0.0.0"
+          ];
+          port = 8008;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+    };
+  };
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "setup-database" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN;
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C";
+    '';
+  };
+}

common/tailscale/default.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  environment = {
+    systemPackages = with pkgs; [
+      tailscale
+    ];
+  };
+}

common/users/default.nix

@@ -0,0 +1,20 @@
+{pkgs, ...}: let
+  sshKeys = {
+    ereslibre = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDJz9rVLqUHt9ZFjep4RsN3B5xr9s6MtHSz4PbJHACj3bA3pP7UZwePzzDMofOZLhOIKzMJ+s9H0E28ruEN8xhAv9qPYN6DI15vvPoaMu4VbzyFOGAz4UXoMQpSkr3p9E8C3psJIMpgxOAGelp7PqODlCQS/6DVMqz3DqtkOJYPssAtivH1AfitA2NVPvI9bgswAhF0jArKJmnFPSy6DAc0G2q5DyVEZVfD943kOprd7GkVWdD9FpaHqjmLGd77RfHmmqrj9Tg5+ajYa+VrASJfTBkDJ/lZcFLH9DdfcUFcQzu2pzi/cX94e+FnTtog8TOGwCrWGDAZVPP5YEHmGU3QX0NQBl4vNprWe0oJaSjSzvIT2ZrixUhOWKTjW44To/+7UwIlCc4KWL/LJ+kbwWCpiOhhWqRs380cqUmuMRaq59uTIWCRImBTkqjTqBIxaj7060GV2ZWGzbYKhUsxPchx8KJVWyGxYoox+T/zQjF1KtwvnPVghIt4hiIifYCclxoeY1yAIU5T8LvZXaqBlSYPi715mJg7533IM6NhHMg09ANgkKt6fQmQUNtaYBpHfaIaKI68oSCJOFTiP3e1RYmKaz36GQPWqEBNKT5zaIYsSOMCyLhoecH6pF9Nqvust5iIpYgNSDlRh1qnOd1AUCimyJQiswsiEQTuCClbZHg152x33/6y8CZrpHRSzDh8cBApanvtQ5pmzD4IP9mZ3eGvWaSrVx6EtpYWkr4LSoPkh2dRWHdVu+a27TLVkl7V+2dE5WAIZzRsfpAfQB3JIVD5WmTVlbU1zgIIBSXr7SfGJo0bMQ59JptE9+ffoyGWk8fnbFww2re3QTphXau9Hy+88pUqvXkiYUxsSpHzXlpRAWbfR9wqCS3adKRaz+3vZYvJGP6d66ay9NRkTGeIKxEeYjdBSNues59UGsWiJVOaR9bxfvL5+F+WyIjv9a9yOJln9NXcADp32zUlAMY97+Kw0NRQeBnpX2fF6HjNLj+onlOt50EVNYGE3fS5CW8L9nSuIY4jAycQ8xF2GYG8lGgDfaCrGTVm0cFab6ytvLRFBaKFWqcIh2rYOgKV0p7qzoadQYH5hIH/V5LGt3yRgPdwqGHNd6662n5FKlio/omE1CUpAdedA1l+geMnaIdQpDG5ghjSb8jJnoUsPYVjTLQmg7g2HAnC2ofURbKAxEVfDDIuXmLp+plyb7DGGIhj6wprnoy7mDd/YJBzf9zmRjOz1mKhrgdbSHiDvfpbs0BW5HtodYHY7R6oEU8OtXYOR2bJfoqhspz5M/vmYBbzo5P7cbpBc5b6PW/xFnt2Sabuwrem0YTWh++eDmeDgSOK5F9k4NGQZriJYg5JqICqslht [email protected]"
+    ];
+  };
+in {
+  users = {
+    mutableUsers = false;
+    defaultUserShell = pkgs.zsh;
+    users.ereslibre = {
+      isNormalUser = true;
+      initialHashedPassword = "$6$M8PJiTY.2YaoUNLr$61IUEobA75b.vMbPLPxVkU4d6Rs5CuYB2KlQHX4B2Gr09Zx70Q99w3c1DyJoyt0AvXbNYS6Q7cNKdA35c3ZMU/";
+      extraGroups = ["dialout" "wheel"];
+      uid = 1000;
+      openssh.authorizedKeys.keys = sshKeys.ereslibre;
+    };
+    users.root = {openssh.authorizedKeys.keys = sshKeys.ereslibre;};
+  };
+}

common/vendor/amd/default.nix

@@ -0,0 +1,3 @@
+{
+  hardware.cpu.amd.updateMicrocode = true;
+}

common/vendor/intel/default.nix

@@ -0,0 +1,3 @@
+{
+  hardware.cpu.intel.updateMicrocode = true;
+}

common/vscode-server/default.nix

@@ -0,0 +1,10 @@
+{
+  services.openvscode-server = {
+    enable = true;
+    host = "0.0.0.0";
+    telemetryLevel = "off";
+    user = "ereslibre";
+    group = "users";
+    withoutConnectionToken = true;
+  };
+}