diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0214a90
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.qcow2
+result
\ No newline at end of file
diff --git a/examples/homeassistant/README.md b/examples/homeassistant/README.md
new file mode 100644
index 0000000..0e84ca9
--- /dev/null
+++ b/examples/homeassistant/README.md
@@ -0,0 +1,51 @@
+# Use a VM to run this example
+
+Build VM with:
+
+```bash
+nixos-rebuild build-vm --fast -I nixos-config=./configuration.nix -I nixpkgs=.
+```
+
+Start VM with:
+
+```bash
+QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-nixos-vm
+```
+
+User is `nixos`, password is `nixos`.
+
+Ssh into VM with `ssh -p 2222 nixos@localhost`.
+
+If you get into issues with ssh trying too many public keys and failing, try instead: `ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no -p 2222 nixos@localhost`.
+
+For more information about running this example in a vm, see [NixOS_modules#Developing_modules](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
+
+For more information about writing tests, see [the manual](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
+
+Create your secret key which prints the public key used for `admin`:
+
+```bash
+nix-shell -p age --run 'age-keygen -o keys.txt'
+```
+
+Get target host age key which prints the public key used for `vm`:
+
+```bash
+nix-shell -p ssh-to-age --run 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age'
+```
+
+Update `admin` and `vm` keys in sops.yaml.
+
+Edit secret itself with:
+
+```bash
+nix-shell -p sops --run 'sops --config sops.yaml secrets.yaml'
+```
+
+Deploy with:
+
+```bash
+nix-shell -p colmena --run 'colmena apply'
+```
+
+Took 12 minutes for first deploy on my machine. Next deploys take about 12 seconds.
diff --git a/examples/homeassistant/configuration.nix b/examples/homeassistant/configuration.nix
new file mode 100644
index 0000000..54b40e5
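Review bot: The ignore list leaves out the private-key files this same commit adds under examples/homeassistant, `keys.txt` (an age identity) and `sshkey` (an OpenSSH private key), so they stay tracked; add `keys.txt` and `sshkey` entries next to `*.qcow2` and `result`. keys.txt is the file the README has each user generate locally, and nothing else in this commit references sshkey, so neither needs a checked-in copy. The file also ends without a trailing newline, so the next appended entry will show up as a modified last line in diffs.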
--- /dev/null
+++ b/examples/homeassistant/configuration.nix
@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernelModules = [ "kvm-intel" ];
+ fileSystems."/" =
+ { device = "/dev/vda";
+ fsType = "ext4";
+ };
+ system.stateVersion = "22.11";
+
+ # As we intend to run this example using `nixos-rebuild build-vm`, we need to setup the user
+ # ourselves, see https://nixos.wiki/wiki/NixOS:nixos-rebuild_build-vm
+ users.users.nixos = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ initialPassword = "nixos";
+ };
+
+ security.sudo.extraRules = [
+ { users = [ "nixos" ];
+ commands = [
+ { command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+
+ services.openssh.enable = true;
+ services.openssh = {
+ permitRootLogin = "no";
+ passwordAuthentication = true;
+ };
+}
diff --git a/examples/homeassistant/flake.lock b/examples/homeassistant/flake.lock
new file mode 100644
index 0000000..d52ee13
--- /dev/null
+++ b/examples/homeassistant/flake.lock
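Review bot: `permitRootLogin` and `passwordAuthentication` at the end of the hunk are the pre-23.05 option names; on the 23.05 / unstable nixpkgs that flake.lock pins they are deprecated aliases, and the current spellings are `settings.PermitRootLogin = "no";` and `settings.PasswordAuthentication = true;`. The separate `services.openssh.enable = true;` line can be folded into that same attribute set so the SSH configuration lives in one place. Because password login with the fixed `initialPassword = "nixos"` plus NOPASSWD sudo is what this module exposes on port 22, it should only ever be reachable through the loopback forward; the README's `hostfwd=tcp::2222-:22` leaves the host address empty, which QEMU treats as all interfaces, whereas `hostfwd=tcp:127.0.0.1:2222-:22` keeps it local, and a comment on the openssh block saying so would save the next reader from guessing.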
@@ -0,0 +1,100 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1687681650, + "narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1687031877, + "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1686628398, + "narHash": "sha256-jXEuS/dex59Oon4tll+Jb8aVl6B8HX/aREigHjt2S6E=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "202850e1a11a939364cef0f326cb1352b3f2d8cd", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "selfhostblocks": "selfhostblocks", + "sops-nix": "sops-nix" + } + }, + "selfhostblocks": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "sops-nix": [ + "sops-nix" + ] + }, + "locked": { + "lastModified": 1687501773, + "narHash": "sha256-NtASNHmf+WeVMoGDUk8cMZLEHIOzs9DAaTafWtt9PhY=", + "type": "git", + "url": "file:///home/timi/Projects/selfhostblocks" + }, + "original": { + "type": "git", + "url": "file:///home/timi/Projects/selfhostblocks" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1687398569, + "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2ff6973350682f8d16371f8c071a304b8067f192", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": 
"sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/examples/homeassistant/flake.nix b/examples/homeassistant/flake.nix new file mode 100644 index 0000000..192de3c --- /dev/null +++ b/examples/homeassistant/flake.nix @@ -0,0 +1,43 @@ +{ + description = "Home Assistant example for Self Host Blocks"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + sops-nix.url = "github:Mic92/sops-nix"; + + selfhostblocks.url = "/home/timi/Projects/selfhostblocks"; + selfhostblocks.inputs.nixpkgs.follows = "nixpkgs"; + selfhostblocks.inputs.sops-nix.follows = "sops-nix"; + }; + + outputs = inputs@{ self, nixpkgs, sops-nix, selfhostblocks, ... }: { + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + specialArgs = inputs; + }; + + myserver = { + deployment = { + targetHost = "localhost"; + targetPort = 2222; + targetUser = "nixos"; + }; + + imports = [ + ./configuration.nix + sops-nix.nixosModules.default + selfhostblocks.nixosModules.default + ]; + + shb.home-assistant = { + enable = true; + subdomain = "ha"; + sopsFile = ./secrets.yaml; + }; + }; + }; + }; +} diff --git a/examples/homeassistant/keys.txt b/examples/homeassistant/keys.txt new file mode 100644 index 0000000..54b906b --- /dev/null +++ b/examples/homeassistant/keys.txt @@ -0,0 +1,3 @@ +# created: 2023-06-26T21:31:39-07:00 +# public key: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft +AGE-SECRET-KEY-1RE30YJ76UHS0FF3GVL0894SG9J67RRFWT0YQ8K6QGTTS4FDK5QEQRV2436 diff --git a/examples/homeassistant/secrets.yaml b/examples/homeassistant/secrets.yaml new file mode 100644 index 0000000..ab9cc6e --- /dev/null +++ b/examples/homeassistant/secrets.yaml 
@@ -0,0 +1,30 @@
+home-assistant: ENC[AES256_GCM,data:SnkutANfqF2KZ6fpg1S4yBoeEbXBGZ97doxgiP7GVcsf/w7t1ajP0z6vJ7idBTKZ51t8vlRGr4Bq3RzLsqUlQpxjdFDcGGe506EDZhMQUvr4bn2C9gc=,iv:YYkHnNBmd8J1GAL4EW+SAlb9ILbIxevmk/yhLrwnchw=,tag:owP/F/NC4WUpUkNhCkAclw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVU0NGVE9ubkFQN2kvK1Vo
+ SHVIaVZrN2VobkpXMzZPVFdHcVVqdlpTeFJzCjBXbHVuUTJ5S0MrNkVRcWFhWVE0
+ MVRDZ0lOWi9ZeFN6WFQxUUhSVlNCbGcKLS0tIE9YWmtmSTFkZU9CWWp6V3g0ejJS
+ RS9oRDdZdGkrNGlCZU12TDBCSEtkTFUKIROyBC1UFg4AHz6LgqwPIaZzeDunQSYB
+ 7MiIp74icMSsl3P3r+6K/brQ5e3DPNvdttr6Q1FhGYfEj55xFqcLMg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cTY5b3F3WkJjc3NzcW1X
+ SkZxdUdaMkNzQXk2Tng3dHNscFpDR0x0amwwCjhkUGRkRnhiWlZEWVU2UVZseTZh
+ V1FoYjVtd3JIMm8rTHBySThYRWFOMVUKLS0tIDV5ZDRkQitOTFNHOFlYdFEzUUIv
+ R0N4T1BKRGNkOS95Y1Y2MU10cWR5UWcKpiJ3S1aJOR+jUnVS7u1FaSUo828ZJWGA
+ YAjb1G749UxZmUHA7wV4W7oBW3TcBml9HmLyyUjefX6MEPadflp8rQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-06-27T05:02:12Z"
+ mac: ENC[AES256_GCM,data:w/FOB/hc5MUfu0c6+NvLWXG+wNAzD4VZSb44WXXWDxT/Twhb5ASSAXLM6YxCbKGTuug7BiEEPQkBZHEQATuwLmc04R3yKDq4ocyPTI7vbARgwuh/hqw3nAVLi76tH5v2lJLVBFvOzJxB8JBkJgs3VbSlh3APLncvb5+KivPIqis=,iv:zVbMO8zr4uXlZTEin5JsLCos1vOrCKWSDo3Nf3JygXQ=,tag:zMG3D8m2fGa6KMkRrBfffA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/examples/homeassistant/sops.yaml b/examples/homeassistant/sops.yaml
new file mode 100644
index 0000000..ec5f7c0
--- /dev/null
+++ b/examples/homeassistant/sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+ - &vm age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *admin
+ - *vm
diff --git a/examples/homeassistant/sshkey b/examples/homeassistant/sshkey
new file mode 100644
index 0000000..626256a
--- /dev/null
+++ b/examples/homeassistant/sshkey
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIwAAAJiBL8xSgS/M
+UgAAAAtzc2gtZWQyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIw
+AAAECzMZfgJIQJUVgyKZ3IYnEVvwnYXJ8nstc4/g1H41dC/vueAR1wO7hRVt7ZnMGEqfYe
+E9bQ+USaASlv+SQyJ4UjAAAAEWV4YW1wbGVAbG9jYWxob3N0AQIDBA==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/examples/homeassistant/sshkey.pub b/examples/homeassistant/sshkey.pub
new file mode 100644
index 0000000..685f78a
--- /dev/null
+++ b/examples/homeassistant/sshkey.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueAR1wO7hRVt7ZnMGEqfYeE9bQ+USaASlv+SQyJ4Uj example@localhost