diff --git a/.sops.yaml b/.sops.yaml
index 9facbab..1148b5c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,7 @@ keys:
 - &erwin_horus age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
 - &loki age1m93jeyexus2uqvrk99r7hh0xp7qxk55tgmju4h422dfkf92jce2sxpntu5
 - &ci age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
+ - &factorio age1j3456p2yhs82wcxp33r8nr7zc70shuusqnpyfxe6992w28rg5ywq83es27
 - &frigate age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
 - &gitea age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
 - &gitea-runner age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
@@ -29,6 +30,12 @@ creation_rules:
 - *erwin
 - *erwin_horus
 - *ci
+ - path_regex: machines/factorio/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *erwin
+ - *erwin_horus
+ - *factorio
 - path_regex: machines/frigate/[^/]+\.yaml$
 key_groups:
 - age:
diff --git a/machines/default.nix b/machines/default.nix
index 14c87d8..dcea85e 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -10,6 +10,15 @@ inputs: {
 # tags = [ "container" ];
 # };
 };
+ factorio = {
+ config = import ./factorio/configuration.nix inputs;
+ deploy = {
+ host = "10.0.0.233";
+ # host = "factorio.barn-beaver.ts.net";
+ targetUser = "erwin";
+ tags = [ "container" ];
+ };
+ };
 frigate = {
 config = import ./frigate/configuration.nix inputs;
 deploy = {
diff --git a/machines/factorio/configuration.nix b/machines/factorio/configuration.nix
new file mode 100644
index 0000000..f4e8a06
--- /dev/null
+++ b/machines/factorio/configuration.nix
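Review bot: The new factorio creation rule omits `*ci`, which the preceding rule (visible context `- *ci`) includes, so if the CI pipeline decrypts machine secrets as the shared `*ci` recipient on the neighbouring rules suggests, it will not be able to decrypt machines/factorio/secrets.yaml; if that is deliberate least-privilege it deserves a comment such as `# no CI key: factorio secrets are only needed by the operator and the container itself`, otherwise add `- *ci` to the group. The recipients in the new machines/factorio/secrets.yaml match `&erwin_horus` and `&factorio` from this file, while the third (age1h7dd…) is not among the keys visible in this diff and is presumably `*erwin` defined above the hunk — worth confirming with `sops updatekeys` so the rule and the encrypted file stay in sync. The creation_rules list continues outside the hunk.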
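Review bot: `host = "10.0.0.233"` on the new deploy target does not agree with the static address the same commit gives the container in machines/factorio/configuration.nix (`Address = "10.0.0.208/24"`), so one of the two is presumably stale and a deploy would either fail or, worse, push this configuration to whatever host currently answers on the other address. Use one address in both places, or switch to the commented `host = "factorio.barn-beaver.ts.net";` once the container's hostName actually resolves to that name. The enclosing attribute set continues outside the hunk.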
@@ -0,0 +1,104 @@
+{
+ self,
+ ...
+}:
+{
+ modulesPath,
+ config,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/virtualisation/lxc-container.nix")
+
+ ../../users/root
+ ../../users/erwin
+ ];
+
+ eboskma = {
+ users.erwin = {
+ enable = true;
+ server = true;
+ };
+ nix-common = {
+ enable = true;
+ remote-builders = true;
+ };
+ rust-motd.enable = true;
+ tailscale.enable = true;
+ };
+
+ boot = {
+ isContainer = true;
+ };
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+ networking = {
+ hostName = "read";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = true;
+
+ firewall.trustedInterfaces = [ "tailscale0" ];
+ };
+
+ systemd = {
+ services.logrotate-checkconf.enable = false;
+
+ network = {
+ enable = true;
+
+ wait-online.anyInterface = true;
+
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.208/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.206";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
+
+ services = {
+ factorio = {
+ enable = true;
+ game-name = "Blocks";
+ description = "It's cityblocks";
+ lan = true;
+ openFirewall = true;
+ saveName = "Blocks";
+ admins = [ "eboskma" ];
+ allowedPlayers = [ "eboskma" ];
+ extraSettingsFile = config.sops.secrets.factorio-config.path;
+ };
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ factorio-config = { };
+ };
+
+ system.stateVersion = "24.11";
+}
diff --git a/machines/factorio/secrets.yaml b/machines/factorio/secrets.yaml
new file mode 100644
index 0000000..836f2dd
--- /dev/null
+++ b/machines/factorio/secrets.yaml
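Review bot: `networking.hostName = "read"` looks like a leftover from the machine this file was copied from; for this container it should presumably be `hostName = "factorio";`, which is also the name the commented `factorio.barn-beaver.ts.net` entry in machines/default.nix expects and the name `tailscale.enable = true` will register on the tailnet. `sops.secrets.factorio-config = { }` takes the sops-nix defaults (root-owned, mode 0400), so if the factorio unit reads `extraSettingsFile` under its own service user rather than as root the path will be unreadable at start; verify this and otherwise set `owner`/`group`/`mode` on the secret. `services.factorio.openFirewall = true` opens the game's UDP port on every interface, not only the trusted `tailscale0`, and `lan = true` additionally advertises the server on eth0's LAN — if the intent is Tailscale-only access, drop `openFirewall` and rely on `firewall.trustedInterfaces`, leaving the `allowedPlayers` whitelist as a second line of defence rather than the only one.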
@@ -0,0 +1,39 @@
+factorio-config: ENC[AES256_GCM,data:IBC7LYC+QpWMbPs9vpdIrtOld/qPyt+PaVHQKmbFl5iGVkKru0d9iIlV5ZQ=,iv:ArIUnPu1KoNN3o76iyvka3A1g2GEEMQLFT1F6hYE+gs=,tag:kQtoGUAo1fLEH98UY0r2LQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBic2p1NFBXZTJra09NQjY5
+ YzcrTnY1dzl1eFJuYWZVMHUwWS9wSVc0Q0RRCkdnSFJnS3lIUWVJd2s2R0hqRzlE
+ dW9VSVhTZFE5a2taWVdxMzE5RlBsd3cKLS0tIDJSTTY3eTA0R2RyOEpsV0dGYndR
+ WEhLMEZiWEFSTDJEbU9CbU5jbU9DeVUK4hJHJz3m/lqDkW/MK/4yMoMfp0LPpmmL
+ S48qlzHsBP0NxbBkR6cxYgd/cI6ppVCgOkQWBAyV1wiAqyNPKAgO+g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBld09PSlFjbnpkT2tqaVI4
+ R0RPUlk4bUdjR2lENHdVOHhJV2lWamFnTlVrCnBYSE1tRnZKb0dhMzViUCtIOVVO
+ QjFZMlVFV04vY0JiQ0E2K21LTGdIYU0KLS0tIGYrUzd2VXN5NFBMWmljN2pnWml4
+ T1pqb1dtdlAzdmNLNDBjUGFHajVCdmsKmwiA1FuwfiPG2YLUQHhFDITahl6jcwz9
+ CBKRPArsDXqRFQgG3DTievvPS7VmfXbyhHYyUHa5Soarr1PFYBqQ8Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1j3456p2yhs82wcxp33r8nr7zc70shuusqnpyfxe6992w28rg5ywq83es27
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQUxyZkFoWjJaQ0g2ZSs3
+ SU1Qd1c3MFp5S0piM244MTFiM0ppVWp4YjB3CkplNVp3ZUFSQ2xobnZYYkEwMS8x
+ NmtHMkNHQmxTTytNVXFvSzM4NWp2eWMKLS0tIGovL3pGV253QWQxdGRIKy9KdlpC
+ K041NXVyYjZabGQzbG9HaExYRVJ3VEkKM1pL72IU2thhKg/irj7t1m5gx3078DD7
+ HmyWa6+/A25fsWBHuHktUBMlOy5Jw+4ViysSNyzLMJegYRKBJAVpQQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-12T18:54:05Z"
+ mac: 
ENC[AES256_GCM,data:BbA9o2hdVkhQWX4fcTUqvVWE1reo2bHVCXxFwbvF8xeXdFzFh+ijO4gqm3AoqCO8xA1nP7C3PwmQ5nx9oYMIukD1V/tW2A5WzIkbvkENva5WMvgiur34HT7TpY9GG6sDBNm2ZznEn3y9vMBOSZKQ5CKeCrMbbrXfDt7PYL1T1QY=,iv:0PhnwdK0Z9o6ffWX0cVuOxggsDBbE0S8pS0l+u4dfS8=,tag:mCBAoebs1rfdb/FzSL/6XQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1