diff --git a/machines/congenital-optimist/configuration.nix b/machines/congenital-optimist/configuration.nix index 7f1b1d5..8b2bc00 100644 --- a/machines/congenital-optimist/configuration.nix +++ b/machines/congenital-optimist/configuration.nix @@ -7,7 +7,7 @@ }: { imports = [ ./hardware-configuration.nix - ./network-congenital-optimist.nix + ../../modules/network/network-congenital-optimist.nix # Security modules ../../modules/security/ssh-keys.nix diff --git a/modules/services/SearXNG.nix b/machines/congenital-optimist/networking.nix similarity index 100% rename from modules/services/SearXNG.nix rename to machines/congenital-optimist/networking.nix diff --git a/machines/sleeper-service/configuration.nix b/machines/sleeper-service/configuration.nix index e52d3ee..8ff1dcf 100644 --- a/machines/sleeper-service/configuration.nix +++ b/machines/sleeper-service/configuration.nix @@ -4,9 +4,9 @@ # Security modules ../../modules/security/ssh-keys.nix # Network configuration - ./network-sleeper-service.nix + ../../modules/network/network-sleeper-service.nix # Services - ./nfs.nix + ../../modules/services/nfs.nix ../../modules/system/transmission.nix # User modules - server only needs sma user diff --git a/machines/sleeper-service/networking.nix b/machines/sleeper-service/networking.nix new file mode 100644 index 0000000..e69de29 diff --git a/modules/network/common.nix b/modules/network/common.nix index a50c853..ccb21da 100644 --- a/modules/network/common.nix +++ b/modules/network/common.nix @@ -1,5 +1,5 @@ # Common Network Configuration -# Minimal shared networking settings across all machines +# Shared networking settings across all machines { config, pkgs, ... }: { 
@@ -8,10 +8,11 @@ # Enable nftables by default for all machines nftables.enable = true; - # Basic firewall settings (SSH handled by security/ssh-keys.nix) + # Common firewall settings firewall = { enable = true; - # SSH port is configured in modules/security/ssh-keys.nix + # SSH is allowed by default on all machines + allowedTCPPorts = [ 22 ]; }; }; @@ -20,6 +21,13 @@ # Tailscale VPN for secure remote access tailscale.enable = true; - # Note: SSH configuration is handled by modules/security/ssh-keys.nix + # SSH access with secure defaults + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; }; } \ No newline at end of file diff --git a/machines/congenital-optimist/network-congenital-optimist.nix b/modules/network/network-congenital-optimist.nix similarity index 91% rename from machines/congenital-optimist/network-congenital-optimist.nix rename to modules/network/network-congenital-optimist.nix index 0d0e4cc..83fb677 100644 --- a/machines/congenital-optimist/network-congenital-optimist.nix +++ b/modules/network/network-congenital-optimist.nix @@ -4,7 +4,7 @@ { imports = [ - ../../modules/network/common.nix + ./common.nix ]; # Machine-specific network configuration diff --git a/machines/sleeper-service/network-sleeper-service.nix b/modules/network/network-sleeper-service.nix similarity index 97% rename from machines/sleeper-service/network-sleeper-service.nix rename to modules/network/network-sleeper-service.nix index b441c0d..9f3cb44 100644 --- a/machines/sleeper-service/network-sleeper-service.nix +++ b/modules/network/network-sleeper-service.nix @@ -4,7 +4,7 @@ { imports = [ - ../../modules/network/common.nix + ./common.nix ]; # Machine-specific network configuration diff --git a/modules/security/ssh-keys.nix b/modules/security/ssh-keys.nix index 32668bd..26f70d6 100644 --- a/modules/security/ssh-keys.nix +++ b/modules/security/ssh-keys.nix 
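Review bot: `allowedTCPPorts = [ 22 ];` hard-codes the SSH port in the firewall, while the comment it replaces said the SSH port is configured in modules/security/ssh-keys.nix; if that module sets `services.openssh.ports` to anything other than 22, this opens an unused port, and the real one would only be reachable because NixOS's `services.openssh.openFirewall` (default true) opens `services.openssh.ports` on its own. Either drop the line and rely on `openFirewall`, or tie it to the daemon's configuration with `allowedTCPPorts = config.services.openssh.ports;` — `config` is already a module argument of this file. Since Tailscale is enabled in the same file, it is also worth deciding whether 22 must be open on every interface at all; `firewall.trustedInterfaces = [ "tailscale0" ];` would keep SSH reachable over the VPN without exposing it on the LAN (whether LAN access is needed is not visible here). The enclosing `networking = { ... };` set begins before this hunk.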
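Review bot: `PasswordAuthentication = false;` alone does not disable password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and sshd still accepts passwords through the PAM keyboard-interactive method; add `KbdInteractiveAuthentication = false;` beside it (or `AuthenticationMethods = "publickey";`) so that only keys are accepted. The same `services.openssh` set is also defined in modules/security/ssh-keys.nix, whose surviving lines in this diff still read `services.openssh = { enable = true; ...`; NixOS merges the two, which is harmless for `enable`, but if ssh-keys.nix sets `settings.PermitRootLogin` or `settings.PasswordAuthentication` to different values, evaluation fails with a conflicting-definition error unless one side uses `lib.mkDefault`/`lib.mkForce` — and this file's header `{ config, pkgs, ... }:` does not take `lib`. Keeping sshd hardening in exactly one module, as the removed comment documented, avoids that; if this block stays, its comment should read something like `# SSH daemon hardening; keep in sync with modules/security/ssh-keys.nix (merged by NixOS)` so the next reader knows two modules contribute. The enclosing `services = { ... };` set starts before this hunk.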
@@ -3,9 +3,6 @@ { config, pkgs, lib, ... }: { - # Firewall configuration for SSH - networking.firewall.allowedTCPPorts = [ 22 ]; - # Global SSH daemon configuration services.openssh = { enable = true; diff --git a/machines/sleeper-service/nfs.nix b/modules/services/nfs.nix similarity index 100% rename from machines/sleeper-service/nfs.nix rename to modules/services/nfs.nix diff --git a/notes.md b/notes.md index 934b0f6..1b925ad 100644 --- a/notes.md +++ b/notes.md @@ -1,9 +1,5 @@ # Notes to be use to write blog post +deployment script: rsync -av --delete /home/geir/Home-lab/ sma@sleeper-service:/tmp/home-lab-config/ and ssh sma@sleeper-service "cd /tmp/home-lab-config && sudo nixos-rebuild boot --flake .#sleeper-service" -- research deploy-rs - -# Expansion -## Hardware -- https://sipeed.com/nanocluster - ai cluster -- https://www.bee-link.com/products/beelink-me-mini-n150?variant=47599172845810 - upgrade nas/storage \ No newline at end of file +like the best approach maye we should add a todo for making scripts or research deploy-rs \ No newline at end of file diff --git a/plan.md b/plan.md index 10a7f5f..20c1b10 100644 --- a/plan.md +++ b/plan.md 
@@ -515,20 +515,7 @@ Home-lab/ - [ ] Configuration validation tests - [ ] Deployment automation - [ ] Monitoring and alerting - -### 6.3 Advanced Deployment Strategies -- [ ] **Research deploy-rs**: Investigate deploy-rs as alternative to custom lab script - - Evaluate Rust-based deployment tool for NixOS flakes - - Compare features: parallel deployment, rollback capabilities, health checks - - Assess integration with existing SSH key management and Tailscale network - - Consider migration path from current rsync + SSH approach -- [ ] **Convert lab script to Guile Scheme**: Explore functional deployment scripting - - Research Guile Scheme for system administration scripting - - Evaluate benefits: better error handling, functional composition, extensibility - - Design modular deployment pipeline with Scheme - - Consider integration with GNU Guix deployment patterns - - Plan migration strategy from current shell script implementation -### 6.4 Writeup +### 6.3 Writeup - [ ] Take all the knowledge we have amassed and make a blog post or a series of blog posts ### Phase 7: goin pro