initial commit

.envrc

@@ -0,0 +1,4 @@
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.5; then
+  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.5/direnvrc" "sha256-RuwIS+QKFj/T9M2TFXScjBsLR6V3A17YVoEW/Q6AZ1w="
+fi
+use flake

.gitignore

@@ -0,0 +1,6 @@
+/.direnv
+
+# files decrypted by vscode-sops
+.decrypted~*
+
+/tmp

.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  - &min 78795D9EBD425CBB3E850BC45DF91852CB14CEFF
+  - &mpl age12pxpwrmws2vpeeptcj6m2dejg53qgsqtl2uevls4rty22xqtgpvqhtgtpc
+creation_rules:
+  - path_regex: secrets/mpl\.yaml$
+    key_groups:
+      - pgp:
+          - *min
+        age:
+          - *mpl

.vscode/settings.json

@@ -0,0 +1,12 @@
+{
+    "nix.enableLanguageServer": true,
+    "nix.serverSettings": {
+        "nil": {
+            "formatting": {
+                "command": [
+                    "alejandra"
+                ]
+            }
+        }
+    },
+}

README.md

@@ -0,0 +1,3 @@
+# nixos-configs
+
+NixOS configurations for personal devices

flake.lock

@@ -0,0 +1,153 @@
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735048446,
+        "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735053786,
+        "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "impermanence": {
+      "locked": {
+        "lastModified": 1734945620,
+        "narHash": "sha256-olIfsfJK4/GFmPH8mXMmBDAkzVQ1TWJmeGT3wBGfQPY=",
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "rev": "d000479f4f41390ff7cf9204979660ad5dd16176",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "impermanence",
+        "type": "github"
+      }
+    },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1734954597,
+        "narHash": "sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl+fk=",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "def1d472c832d77885f174089b0d34854b007198",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1734991663,
+        "narHash": "sha256-8T660guvdaOD+2/Cj970bWlQwAyZLKrrbkhYOFcY1YE=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "6c90912761c43e22b6fb000025ab96dd31c971ff",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1733096140,
+        "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "flake-parts": "flake-parts",
+        "home-manager": "home-manager",
+        "impermanence": "impermanence",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734546875,
+        "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,64 @@
+{
+  description = "nixos configurations";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+
+    flake-parts.url = "github:hercules-ci/flake-parts";
+
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    disko.url = "github:nix-community/disko";
+    disko.inputs.nixpkgs.follows = "nixpkgs";
+
+    impermanence.url = "github:nix-community/impermanence";
+
+    nixos-hardware.url = "github:nixos/nixos-hardware";
+    nixos-hardware.inputs.nixpkgs.follows = "nixpkgs";
+
+    home-manager.url = "github:nix-community/home-manager";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  nixConfig = {
+    extra-substituters = [
+      "https://nix-community.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+
+  outputs = inputs @ {self, ...}:
+    inputs.flake-parts.lib.mkFlake {inherit inputs;} {
+      flake = let
+        hosts = import ./hosts {inherit inputs;};
+      in {
+        inherit (hosts) nixosConfigurations homeConfigurations;
+      };
+
+      systems = ["x86_64-linux"];
+
+      perSystem = {
+        system,
+        pkgs,
+        ...
+      }: {
+        devShells.default = pkgs.mkShell {
+          packages = with pkgs; [
+            sops
+            ssh-to-age
+            # not included: age, gpg, pcscd, scdaemon, etc.
+
+            disko
+
+            nil
+            alejandra
+            statix
+            deadnix
+          ];
+        };
+      };
+    };
+}

hosts/default.nix

@@ -0,0 +1,35 @@
+{inputs, ...}: let
+  systems = ["mpl"];
+
+  inherit (inputs.nixpkgs) lib;
+
+  makeNixosConfigurations = systems:
+    lib.listToAttrs (lib.map
+      (name: let
+        system = import ./${name} {inherit inputs;};
+      in {
+        inherit name;
+        value = lib.nixosSystem {
+          inherit (system) system;
+
+          modules =
+            system.modules
+            ++ [
+              {
+                _module.args = {
+                  inherit inputs;
+                };
+              }
+
+              # ../modules
+            ];
+        };
+      })
+      systems);
+
+  makeHomeConfigurations = systems:
+    builtins.throw "todo";
+in {
+  nixosConfigurations = makeNixosConfigurations systems;
+  homeConfigurations = makeHomeConfigurations systems;
+}

hosts/mpl/audio.nix

@@ -0,0 +1,15 @@
+{...}: {
+  # Enable sound.
+  services.pipewire = {
+    enable = true;
+
+    pulse.enable = true;
+
+    alsa.enable = true;
+    alsa.support32Bit = true;
+  };
+
+  security.rtkit.enable = true;
+
+  hardware.framework.laptop13.audioEnhancement.enable = true;
+}

hosts/mpl/bootloader.nix

@@ -0,0 +1,12 @@
+{...}: {
+  # TODO: lanzaboote
+  boot.loader = {
+    efi.canTouchEfiVariables = true;
+
+    timeout = 2;
+    systemd-boot = {
+      enable = true;
+      configurationLimit = 3;
+    };
+  };
+}

hosts/mpl/configuration.nix

@@ -0,0 +1,46 @@
+{...}: {
+  imports = [
+    ./audio.nix
+    ./bootloader.nix
+    ./disk-config.nix
+    ./hardware.nix
+    ./mounts.nix
+    ./secrets.nix
+  ];
+
+  networking.hostName = "mpl"; # Define your hostname.
+  networking.networkmanager.enable = true;
+
+  # Allow unfree packages (firmware)
+  nixpkgs.config.allowUnfree = true;
+
+  # Set your time zone.
+  time.timeZone = "America/New_York";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  services.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.min = {
+    isNormalUser = true;
+    extraGroups = ["wheel"]; # Enable ‘sudo’ for the user.
+  };
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+    # TODO: pinentryPackage - rofi/bemenu maybe
+  };
+  services.pcscd.enable = true;
+
+  system.stateVersion = "24.11";
+}

hosts/mpl/default.nix

@@ -0,0 +1,13 @@
+{inputs, ...}: {
+  system = "x86_64-linux";
+  modules = [
+    inputs.nixos-hardware.nixosModules.framework-13-7040-amd
+    inputs.sops-nix.nixosModules.sops
+    inputs.disko.nixosModules.disko
+    inputs.impermanence.nixosModules.impermanence
+    ./configuration.nix
+  ];
+  homes = [
+    "min"
+  ];
+}

hosts/mpl/disk-config.nix

@@ -0,0 +1,70 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-WD_BLACK_SN850X_2000GB_23234H800567";
+        content = {
+          type = "gpt";
+
+          partitions = {
+            esp = {
+              name = "ESP";
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = ["defaults" "umask=0077"];
+              };
+            };
+
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "encrypted";
+                extraOpenArgs = [];
+                settings = {
+                  allowDiscards = true;
+                  bypassWorkqueues = true;
+                };
+                passwordFile = "/tmp/luks-pw";
+                content = {
+                  type = "btrfs";
+                  extraArgs = ["-f"];
+                  subvolumes = {
+                    "/nix" = {
+                      mountpoint = "/nix";
+                      mountOptions = ["noatime"];
+                    };
+                    "/persist" = {
+                      mountpoint = "/persist";
+                      mountOptions = ["compress=zstd" "noatime"];
+                    };
+                    "/swap" = {
+                      mountpoint = "/.swapvol";
+                      swap.swap1.size = "16G";
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+
+    nodev = {
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "defaults"
+          "size=16G"
+          "mode=755"
+        ];
+      };
+    };
+  };
+}

hosts/mpl/hardware.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod"];
+      kernelModules = [];
+    };
+    kernelModules = ["kvm-amd"];
+    extraModulePackages = [];
+  };
+
+  hardware.enableAllFirmware = true;
+
+  # let networkmanager handle it
+  networking.useDHCP = lib.mkDefault false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/mpl/mounts.nix

@@ -0,0 +1,54 @@
+{pkgs, ...}: {
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [
+      "/etc/secureboot"
+      "/etc/ssh"
+      "/etc/secrets"
+      "/etc/NetworkManager/system-connections"
+
+      "/var/log"
+      "/var/lib"
+      "/var/db/sudo"
+    ];
+    files = [
+      "/etc/machine-id"
+    ];
+
+    users.min = {
+      directories = [
+        # cli tools
+        {
+          directory = ".gnupg";
+          mode = "0700";
+        }
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+        ".local/share/direnv"
+
+        # languages
+        ".cargo"
+
+        # generic folders
+        "Documents"
+        "Downloads"
+        "Videos"
+        "Pictures"
+        # TODO: "Music" should probably be mounted via NFS
+        "p"
+      ];
+    };
+  };
+  environment.systemPackages = [pkgs.ncdu];
+
+  fileSystems = {
+    "/".neededForBoot = true;
+    "/etc/ssh" = {
+      depends = ["/persist"];
+      neededForBoot = true;
+    };
+    "/persist".neededForBoot = true; # no further config is needed, disko handles the rest
+  };
+}

hosts/mpl/nebula.nix

@@ -0,0 +1,29 @@
+{config, ...}: let
+  inherit (import ../../modules/nebula/shared.nix) userGroup;
+in {
+  sops.secrets."nebula-key" = {
+    mode = "0440";
+    owner = userGroup;
+    group = userGroup;
+  };
+
+  # TODO: why?
+  networking.firewall.allowedUDPPorts = [4242];
+
+  gen.nebula = {
+    enable = true;
+    enableLighthouse = false;
+
+    cert = ../../keys/n-usr-min-fwl.crt;
+    key = config.sops.secrets."nebula-key".path;
+
+    extraInbound = [
+      # Allow iperf3 from anyone
+      {
+        port = 5201;
+        proto = "any";
+        host = "any";
+      }
+    ];
+  };
+}

hosts/mpl/secrets.nix

@@ -0,0 +1,9 @@
+{...}: {
+  sops = {
+    defaultSopsFile = ../../secrets/mpl.yaml;
+    age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
+
+    secrets."root-pw" = {neededForUsers = true;};
+    secrets."user-pw" = {neededForUsers = true;};
+  };
+}

keys/ca.crt

@@ -0,0 +1,5 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CjkKB20uaW5mcmEorIy3uAYwrPO7xwY6ILUb5mS0HBCYrAhWPXwqvtnBmmqz1lKc
+NOG84dEk3/biQAESQAEi7CVxFVDlG7ihV3nuosvEpodNZqS/RJ8GGKUBuLMz1BfE
+XdnMkMj44YQ2owDKYKgvZFc3nQGsrq5/4cWAdgs=
+-----END NEBULA CERTIFICATE-----

keys/n-usr-min-fwl.crt

@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE-----
+CmoKDW4tdXNyLW1pbi1md2wSCYGQt1CAgPz/Dyj2vJy5BjCr87vHBjogCTA+pJbo
+LAzdHXEVYrcoedDTJQkV99zAx4gVOOaqK3NKIC9yiWnXjCJT2HfiClMu+en3Out6
+l4ReySH/GXaXDNbjEkBxU7tvkXbINQ0TIHRiF+CJEtbQcwBfTuVpM0HkzhasF4KF
+Ilr7wBLRNEbrGybtNIW8XeLo9gkuSkhUhJns400J
+-----END NEBULA CERTIFICATE-----

modules/default.nix

@@ -0,0 +1,46 @@
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./nebula
+
+    ./networking.nix
+    ./programs.nix
+  ];
+
+  # Immutable users
+  users.mutableUsers = false;
+
+  ### Nix settings ###
+  nix = {
+    # Periodically optimise & collect garbage
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    optimise = {
+      automatic = true;
+      dates = ["weekly"];
+    };
+
+    # Make sure flakes are enabled
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+      flake-registry = "";
+      nix-path = config.nix.nixPath;
+    };
+    extraOptions = ''
+      keep-outputs = true
+      keep-derivations = true
+    '';
+    nixPath = ["nixpkgs=${pkgs.path}"];
+    registry = {
+      self.flake = inputs.self;
+      nixpkgs.flake = inputs.nixpkgs;
+    };
+  };
+}

modules/nebula/default.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  inherit (import ./shared.nix) netName interface service;
+
+  ca = ../../keys/ca.crt;
+
+  baseFirewall = {
+    outbound = [
+      # Allow all outbound traffic
+      {
+        port = "any";
+        proto = "any";
+        host = "any";
+      }
+    ];
+    inbound = [
+      # Allow pings from anyone
+      {
+        port = "any";
+        proto = "icmp";
+        host = "any";
+      }
+    ];
+  };
+
+  baseServer = {
+    isLighthouse = true;
+
+    listen = {
+      host = "0.0.0.0";
+      port = 4242;
+    };
+  };
+  baseClient = let
+    lhs = {"10.13.0.1" = ["min.rip:4242"];};
+    lhsInternal = attrNames lhs;
+  in {
+    lighthouses = lhsInternal;
+    staticHostMap = lhs;
+
+    settings.punchy = {
+      punch = true;
+      respond = true;
+    };
+  };
+
+  cfg = config.gen.nebula;
+in {
+  options.gen.nebula = {
+    enable = mkEnableOption "nebula mesh vpn";
+    enableLighthouse = mkEnableOption "lighthouse functionality";
+
+    cert = mkOption {
+      type = types.path;
+      description = "nebula node cert path";
+    };
+    key = mkOption {
+      type = types.path;
+      description = "nebula node key path";
+    };
+
+    extraInbound = mkOption {
+      type = types.listOf types.attrs;
+      description = "extra inbound firewall rules";
+    };
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable {
+      networking.firewall.trustedInterfaces = [interface];
+
+      services.nebula.networks.${netName} = mkMerge [
+        {
+          inherit ca;
+          inherit (cfg) cert key;
+
+          firewall = {
+            inherit (baseFirewall) outbound;
+            inbound = baseFirewall.inbound ++ cfg.extraInbound;
+          };
+        }
+        (mkIf cfg.enableLighthouse baseServer)
+        (mkIf (!cfg.enableLighthouse) baseClient)
+      ];
+    })
+    (mkIf config.services.openssh.enable {
+      # Make sure sshd starts after nebula
+      # TODO: is this necessary?
+      systemd.services.sshd.after = [service];
+    })
+  ];
+}

modules/nebula/shared.nix

@@ -0,0 +1,8 @@
+rec {
+  netName = "m-infra";
+
+  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix
+  interface = "nebula.${netName}";
+  userGroup = "nebula-${netName}";
+  service = "nebula@${netName}.service";
+}

modules/networking.nix

@@ -0,0 +1,3 @@
+{...}: {
+  networking.nameservers = ["1.1.1.1" "1.0.0.1"];
+}

modules/programs.nix

@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    git
+    tmux
+    helix
+  ];
+}

scripts/install.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# fail on errors
+set -e
+
+die() {
+  echo >&2 "$@"
+  exit 1
+}
+
+# ensure root
+[[ $EUID -ne 0 ]] && die "root is required to install on a system"
+
+# parse args
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -c|--nixos-config)
+      NAME="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -k|--key-dir)
+      KEYDIR="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+# check args
+[ ! -f "$KEYDIR/host.pub" ] && die "host pubkey missing!"
+[ ! -f "$KEYDIR/host" ] && die "host privkey missing!"
+[ ! -f "$KEYDIR/host_initrd.pub" ] && die "host pubkey (initrd) missing!"
+[ ! -f "$KEYDIR/host_initrd" ] && die "host privkey (initrd) missing!"
+[ ! -f "$KEYDIR/luks-pw" ] && die "luks pw missing!"
+
+# temp work dir
+temp=$(mktemp -d)
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# prepare host keys
+echo "Preparing host keys.."
+dir="$temp/persist/etc/ssh"
+install -d -m755 "$dir"
+cp "$KEYDIR/host" "$dir/ssh_host_ed25519_key"
+cp "$KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub"
+chmod 600 "$dir/ssh_host_ed25519_key"
+
+# prepare host keys (initrd)
+echo "Preparing host keys.. (initrd)"
+dir="$temp/persist/etc/secrets/initrd"
+install -d -m755 "$dir"
+cp "$KEYDIR/host" "$dir/ssh_host_ed25519_key"
+cp "$KEYDIR/host.pub" "$dir/ssh_host_ed25519_key.pub"
+chmod 600 "$dir/ssh_host_ed25519_key"
+
+# run disko-install
+cp "$KEYDIR/luks-pw" "/tmp/luks-pw"
+disko-install \
+  --extra-files "$temp" "/" \
+  --flake .#$NAME \
+  --write-efi-boot-entries
+
+echo -e "Finished install.\n" \
+        "Make sure to delete the SSH host keys from here if you are done with them."

scripts/make_base_keys.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# fail on errors
+set -e
+
+die() {
+  echo >&2 "$@"
+  exit 1
+}
+
+# set up target folder
+P="$1"
+[[ -z "$P" || -d "$P" ]] && die "specify a non-existent path as a first argument"
+
+mkdir "$P"
+pushd "$P" >/dev/null
+
+# host keys
+echo "Generating SSH host keys.."
+ssh-keygen -t ed25519 -f ./host -q -N "" -C ""
+
+# host pubkey -> age key
+echo "AGE key is: $(cat ./host.pub | ssh-to-age)"
+
+# host keys (initrd)
+echo "Generating SSH host keys.. (initrd)"
+ssh-keygen -t ed25519 -f ./host_initrd -q -N "" -C ""
+
+# luks pw
+echo "Generating LUKS password file.."
+echo -n "$(openssl rand -base64 24)" > ./luks-pw
+
+# we are done
+popd >/dev/null
+echo "Finished generating keys." \
+     "Delete them or put them somewhere else once you're done with them."

scripts/rekey.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+shopt -s globstar
+
+SCRIPT_DIR="$(dirname "$0")"
+ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
+
+pushd "$ROOT_DIR" > /dev/null
+
+rekey_dir() {
+  find $1 | xargs -i sops updatekeys -y {}
+}
+
+rekey_dir "secrets/*"

secrets/mpl.yaml

@@ -0,0 +1,43 @@
+root-pw: ENC[AES256_GCM,data:IpF1o3x6Q9doRdAtQ/zpm5JGlzB6FCwLV/g+Dxz3McrQYTkrzjFu6z/JN9bNdwJTmabtzGZ18TkXjtcY0w+DDgBZ3+eDUpx2x5UMwUkSg6wZqYlPt2rht34u+s1LmLgX6awlbYh9aNxLEQ==,iv:tp3476TTwXztrEhiv55GQ+6dhHYNoESOUmp3EdISavo=,tag:0jqFI/AVjToFHZutPEnz1w==,type:str]
+user-pw: ENC[AES256_GCM,data:6LwQhadCK7eEhyLGx8lDygeUXvzeujxJBl+Xn17UCBwD87G+OB4cy6DTtJ/5qo9jY1otIGUGFVu55UfLZ04w0zpOAJpgiEV4t4z2izcpWiCqaOJigpiEDuWMIEmmh+xJP+YoynNnmDY6Eg==,iv:Umce4ho0BTOsLIseuzyOflmKadN7MOOfCdooFfzN3sI=,tag:NJfYW66h7y/TVixCOxPEXQ==,type:str]
+nebula-key: ENC[AES256_GCM,data:b3c4Ikz6RbtAGpVrCKqM53AIjXRDSWLY31Xx6XmoQsi8DNX6bnY0FO/LMaEVVQEzmHRiIU/uA8iSfaWDPD0Ee33vNsveA5s7I/+8qok9GGOPiP41UFPshmeO94nWV/P6RPosplGukioGatWh1at9v97oVzafSTotRaC8pcJB,iv:F9nXtktDEdGLU4FG736X3U0kxndDPXAqMr+Mz1WPskI=,tag:w5sseLEEBiNhlbD9TZXBqw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age12pxpwrmws2vpeeptcj6m2dejg53qgsqtl2uevls4rty22xqtgpvqhtgtpc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VllHS0hIQW9aeERqcDVk
+            SjZucTJYenpSaXp6U1VXdWZZK09QeVVPNHpjCitnMDZrblZidlhlaFMzZ3RFR3E5
+            S3RRV2ZWQ09rV29vKy9DdEljZGR1WVEKLS0tIGhpdDh2YXpZY1VMLzExU3MvV3Ar
+            elFiNmZiTzc0QWxjSEJ1UlUvZGhBTWMKQ7Uu6eq8KsIDCb/P6C2YVmHkChxyG2xs
+            qStNkNib8AkGyng94RPxaY/eRY6gxKdYmwDHx2dnR8SJ9vFJ+bmf/g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-27T22:17:52Z"
+    mac: ENC[AES256_GCM,data:entpJyyWL5imwqwNCInpy0U0vHbwyjkVSfMWeetGQU6cSTUGv8CjSPmBYE6bFVtF9aj+S5X10huhrWWQPqs4boIsZusNqIffYo6uFEABh9iA5wgKbCB6MEJh1SkOB0i2sJGW4rIiAhBU2/Lv9Vi1OyPnNR+qKjaoVY6uOzR7SBE=,iv:06fjdO+yUdcbLAWv+t+zFBNZPi4exMpGJIRI8KeA8SI=,tag:CV0kcL845LSdu2/Nov5XQg==,type:str]
+    pgp:
+        - created_at: "2024-12-26T21:14:27Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwAAAAAAAAAAAQ/9H5n/uWiw5CloBFI7OpPO+/8sc20bdJ9cGUEId2F6AJjJ
+            mDS3GY41mO7FdnZlkdDEPCWP2kBpggYhovcQ92CJee0BXnRKlCUExnwB0L7+GPCa
+            F7RteklME69ZwF/x1+dWQ/+agr6hZy1fFQBJeE0D7zsLoHQjmdnZSkShb4yjsmQo
+            QnvbIR1Y9fv4SpGUIQz8cRqZNckhYGg/bDwouKibgu2L94FjZrBNLUO7IrEM5LlY
+            ZArHdc/mo0eRuKl3UO+MNm8r2/0aetm/vs0/bePYyokNgAmfQv3WP5hGuuFEP9II
+            +r/isrsNsQniOlxNI3yesbZEGzRzDEEfSnRQMoaYwfTJUM/J4Ampo1pCpQnA+sfF
+            77RAokEHA1SeMNTqaTjCbO8fQBJDj/34AIT8uDbIMoQ1bfeOa4UQREJ8R754hQ5L
+            F96oDloVVwJraqypKtpR9YdelrOIWPm3tRxxHyE85YeQAiAA0PruPazeD1/+7r6a
+            /tEHtfFKCAGqDBzCBmXmMAsEzuK5kT+NcJB+Vrnfqh6hMNYbiGaY0ytmRHs1QwFe
+            fHDyoX9eF2GBp2R00H5IhcK13IwrvYlMrstPXnGgFPDdb6hw1ydE5gPZFtDWtpFi
+            dCKuySzaGn1xsZhm5X4ks9nEVfwICXL2Vc8pVqYEH/jInIUTZUW9t9VpSt9j/fzS
+            XgEOy6uKJwV5MQKNOLpBIsB2VS6hOL0sDe34gOiVl/tpON9dToLcyil4mFJC4Hgm
+            UMrtAHCF8lqVtoD/9ldg3+m//tekAih9+YzK6/caw57C33ZFWKM0IHAJJuclWOA=
+            =TLCY
+            -----END PGP MESSAGE-----
+          fp: 78795D9EBD425CBB3E850BC45DF91852CB14CEFF
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2