config/hosts/fra1-a/configuration.nix

{
  config,
  myData,
  modulesPath,
  ...
}:
{
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  zfs-root = {
    boot = {
      enable = true;
      devNodes = "/dev/disk/by-id/";
      bootDevices = [ "scsi-0QEMU_QEMU_HARDDISK_36151096" ];
      immutable = false;
      availableKernelModules = [
        "xhci_pci"
        "virtio_pci"
        "virtio_scsi"
        "usbhid"
        "sr_mod"
        "virtio_gpu"
      ];
      removableEfi = true;
      kernelParams = [ "console=tty" ];
      sshUnlock = {
        enable = true;
        authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
          myData.hosts."vno1-oh2.servers.jakst".publicKey
        ];
      };
    };
  };

  mj = {
    stateVersion = "23.05";
    timeZone = "UTC";
    username = "motiejus";

    base = {
      users = {
        enable = true;
        root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
        user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
      };

      unitstatus = {
        enable = true;
        email = "motiejus+alerts@jakstys.lt";
      };

      snapshot = {
        enable = true;
        mountpoints = [ "/var/lib" ];
      };
    };

    services = {
      node_exporter.enable = true;
      sshguard.enable = true;
      tailscale.enable = true;

      remote-builder.server = {
        enable = true;
        uidgid = myData.uidgid.remote-builder;
        sshAllowSubnet = myData.subnets.tailscale.sshPattern;
        publicKeys = map (h: myData.hosts.${h}.publicKey) [
          "vno1-oh2.servers.jakst"
          "fwminex.motiejus.jakst"
          "mtworx.motiejus.jakst"
        ];
      };

      postfix = {
        enable = true;
        saslPasswdPath = config.age.secrets.sasl-passwd.path;
      };

      deployerbot = {
        follower = {
          publicKeys = [
            myData.hosts."vno1-oh2.servers.jakst".publicKey
            myData.hosts."fwminex.motiejus.jakst".publicKey
          ];

          enable = true;
          sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
          uidgid = myData.uidgid.updaterbot-deployee;
        };
      };

      zfsunlock = {
        enable = false;
        targets."vno1-oh2.servers.jakst" =
          let
            host = myData.hosts."vno1-oh2.servers.jakst";
          in
          {
            sshEndpoint = host.publicIP;
            pingEndpoint = host.jakstIP;
            remotePubkey = host.initrdPubKey;
            pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
            startAt = "*-*-* *:00/5:00";
          };
      };
    };
  };

  services = {
    nsd = {
      enable = true;
      interfaces = [
        "0.0.0.0"
        "::"
      ];
      zones = {
        "jakstys.lt.".data = myData.jakstysLTZone;
        "11sync.net.".data = myData.e11syncZone;
      };
    };
  };

  networking = {
    hostId = "bed6fa0b";
    hostName = "fra1-a";
    domain = "servers.jakst";
    useDHCP = true;
    firewall = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [
        22
        53
      ];
    };
  };

  nixpkgs.hostPlatform = "aarch64-linux";
}
fra1-a 2023-08-26 07:18:27 +03:00			`{`
			`config,`
			`myData,`
			`modulesPath,`
			`...`
nix fmt 2024-07-29 15:39:54 +03:00			`}:`
			`{`
			`imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];`
fra1-a 2023-08-26 07:18:27 +03:00
			`zfs-root = {`
			`boot = {`
			`enable = true;`
			`devNodes = "/dev/disk/by-id/";`
nix fmt 2024-07-29 15:39:54 +03:00			`bootDevices = [ "scsi-0QEMU_QEMU_HARDDISK_36151096" ];`
fra1-a 2023-08-26 07:18:27 +03:00			`immutable = false;`
nix fmt 2024-07-29 15:39:54 +03:00			`availableKernelModules = [`
			`"xhci_pci"`
			`"virtio_pci"`
			`"virtio_scsi"`
			`"usbhid"`
			`"sr_mod"`
			`"virtio_gpu"`
			`];`
fra1-a 2023-08-26 07:18:27 +03:00			`removableEfi = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`kernelParams = [ "console=tty" ];`
fra1-a 2023-08-26 07:18:27 +03:00			`sshUnlock = {`
			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [`
			`myData.hosts."vno1-oh2.servers.jakst".publicKey`
			`];`
fra1-a 2023-08-26 07:18:27 +03:00			`};`
			`};`
			`};`

			`mj = {`
			`stateVersion = "23.05";`
			`timeZone = "UTC";`
vm: fix user propagation, refactor base.users 2024-03-06 10:33:48 +02:00			`username = "motiejus";`

fra1-a 2023-08-26 07:18:27 +03:00			`base = {`
bring back "vm" 2024-02-04 16:18:47 +02:00			`users = {`
			`enable = true;`
vm: fix user propagation, refactor base.users 2024-03-06 10:33:48 +02:00			`root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;`
			`user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;`
fra1-a 2023-08-26 07:18:27 +03:00			`};`
fra1-a: backup e11sync 2024-01-25 14:48:17 +02:00
fra1-a 2023-08-26 07:18:27 +03:00			`unitstatus = {`
			`enable = true;`
			`email = "motiejus+alerts@jakstys.lt";`
			`};`
fra1-a: backup e11sync 2024-01-25 14:48:17 +02:00
			`snapshot = {`
			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`mountpoints = [ "/var/lib" ];`
fra1-a: backup e11sync 2024-01-25 14:48:17 +02:00			`};`
fra1-a 2023-08-26 07:18:27 +03:00			`};`

			`services = {`
			`node_exporter.enable = true;`
sshguard is now optional 2023-09-14 06:41:16 +03:00			`sshguard.enable = true;`
tailscaled: silence logs by default it works. 2023-10-22 20:14:25 +03:00			`tailscale.enable = true;`
fra1-a 2023-08-26 07:18:27 +03:00
add remote builder to vno1-oh2 2024-02-27 22:56:09 +02:00			`remote-builder.server = {`
remote-builder 2024-02-25 20:04:21 +02:00			`enable = true;`
			`uidgid = myData.uidgid.remote-builder;`
			`sshAllowSubnet = myData.subnets.tailscale.sshPattern;`
			`publicKeys = map (h: myData.hosts.${h}.publicKey) [`
			`"vno1-oh2.servers.jakst"`
			`"fwminex.motiejus.jakst"`
mtworx: use the fra1-a remote builder 2024-06-07 23:45:30 +03:00			`"mtworx.motiejus.jakst"`
remote-builder 2024-02-25 20:04:21 +02:00			`];`
			`};`

fra1-a 2023-08-26 07:18:27 +03:00			`postfix = {`
			`enable = true;`
			`saslPasswdPath = config.age.secrets.sasl-passwd.path;`
			`};`

			`deployerbot = {`
			`follower = {`
deployerbot: allow fwminex too 2024-07-28 22:25:58 +03:00			`publicKeys = [`
			`myData.hosts."vno1-oh2.servers.jakst".publicKey`
			`myData.hosts."fwminex.motiejus.jakst".publicKey`
			`];`
enable statx 2023-10-01 23:14:05 +03:00
fra1-a 2023-08-26 07:18:27 +03:00			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];`
fra1-a 2023-08-26 07:18:27 +03:00			`uidgid = myData.uidgid.updaterbot-deployee;`
			`};`
			`};`
zfsunlock between fra1-a and vno1-oh2 2023-08-26 23:45:03 +03:00
			`zfsunlock = {`
fra1-a: disable zfsunlock 2023-09-12 12:25:30 +03:00			`enable = false;`
nix fmt 2024-07-29 15:39:54 +03:00			`targets."vno1-oh2.servers.jakst" =`
			`let`
			`host = myData.hosts."vno1-oh2.servers.jakst";`
			`in`
			`{`
			`sshEndpoint = host.publicIP;`
			`pingEndpoint = host.jakstIP;`
			`remotePubkey = host.initrdPubKey;`
			`pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;`
			`startAt = "--* *:00/5:00";`
			`};`
zfsunlock between fra1-a and vno1-oh2 2023-08-26 23:45:03 +03:00			`};`
fra1-a 2023-08-26 07:18:27 +03:00			`};`
			`};`

e11sync 2024-01-17 13:17:19 +02:00			`services = {`
			`nsd = {`
			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`interfaces = [`
			`"0.0.0.0"`
			`"::"`
			`];`
e11sync 2024-01-17 13:17:19 +02:00			`zones = {`
			`"jakstys.lt.".data = myData.jakstysLTZone;`
			`"11sync.net.".data = myData.e11syncZone;`
			`};`
zfsunlock between fra1-a and vno1-oh2 2023-08-26 23:45:03 +03:00			`};`
			`};`

fra1-a 2023-08-26 07:18:27 +03:00			`networking = {`
			`hostId = "bed6fa0b";`
			`hostName = "fra1-a";`
			`domain = "servers.jakst";`
			`useDHCP = true;`
			`firewall = {`
fra1-a: disable caddy 2024-07-29 16:48:08 +03:00			`allowedUDPPorts = [ 53 ];`
nix fmt 2024-07-29 15:39:54 +03:00			`allowedTCPPorts = [`
			`22`
			`53`
			`];`
fra1-a 2023-08-26 07:18:27 +03:00			`};`
			`};`

			`nixpkgs.hostPlatform = "aarch64-linux";`
			`}`