From bd10c642505fb77eed15224a74d768cebbcf7f4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Wed, 31 Jul 2024 09:06:53 +0300 Subject: [PATCH] rm fra1-a --- README.md | 2 +- data.nix | 20 ---- flake.nix | 37 ------- hosts/fra1-a/configuration.nix | 138 ------------------------- hosts/fwminex/configuration.nix | 1 - hosts/mtworx/configuration.nix | 8 -- hosts/vno1-oh2/configuration.nix | 27 +---- secrets.nix | 7 -- secrets/fra1-a/borgbackup-password.age | 14 --- secrets/fra1-a/zfs-passphrase.age | 14 --- 10 files changed, 2 insertions(+), 266 deletions(-) delete mode 100644 hosts/fra1-a/configuration.nix delete mode 100644 secrets/fra1-a/borgbackup-password.age delete mode 100644 secrets/fra1-a/zfs-passphrase.age diff --git a/README.md b/README.md index ad4c62f..ee78b19 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ Flakes: $ deploy --interactive '#vno1-oh2' - $ nix build .#deploy.nodes.fra1-a.profiles.system.path + $ nix build .#deploy.nodes.fra1-b.profiles.system.path Other: diff --git a/data.nix b/data.nix index 3e1033a..6293172 100644 --- a/data.nix +++ b/data.nix @@ -69,25 +69,6 @@ rec { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBudUFFEBpUVdr26vLJup8Hk6wj1iDbOPPQnJbv6GUGC"; jakstIP = "100.89.176.2"; }; - "fra1-a.servers.jakst" = rec { - extraHostNames = [ - "fra1-a.jakstys.lt" - publicIP - jakstIP - ]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM"; - initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO"; - publicIP = "168.119.184.134"; - jakstIP = "100.89.176.5"; - system = "aarch64-linux"; - supportedFeatures = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - "gccarch-armv8-a" - ]; - }; "fra1-b.servers.jakst" = rec { extraHostNames = [ "fra1-b.jakstys.lt" 
@@ -186,7 +167,6 @@ rec { ns1 A ${vno1} ns2 A ${fra1b} www A ${vno1} - admin A ${hosts."fra1-a.servers.jakst".jakstIP} key1._domainkey CNAME key1.11sync.net._domainkey.migadu.com. key2._domainkey CNAME key2.11sync.net._domainkey.migadu.com. key3._domainkey CNAME key3.11sync.net._domainkey.migadu.com. diff --git a/flake.nix b/flake.nix index e0d9d2a..3a85ff1 100644 --- a/flake.nix +++ b/flake.nix @@ -169,7 +169,6 @@ age.secrets = { motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age; - zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age; photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age; headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; @@ -270,31 +269,6 @@ } // inputs; }; - fra1-a = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - modules = [ - { nixpkgs.overlays = overlays; } - agenix.nixosModules.default - home-manager.nixosModules.home-manager - - ./hosts/fra1-a/configuration.nix - ./modules - - { - age.secrets = { - zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; - borgbackup-password.file = ./secrets/fra1-a/borgbackup-password.age; - motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; - root-passwd-hash.file = ./secrets/root_passwd_hash.age; - sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; - }; - } - ]; - - specialArgs = { - inherit myData; - } // inputs; - }; }; deploy.nodes = { @@ -342,17 +316,6 @@ }; }; - fra1-a = { - hostname = myData.hosts."fra1-a.servers.jakst".jakstIP; - profiles = { - system = { - sshUser = "motiejus"; - path = self.nixosConfigurations.fra1-a.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a; - user = "root"; - }; - }; - }; - fra1-b = { hostname = myData.hosts."fra1-b.servers.jakst".jakstIP; profiles = { diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix deleted file mode 100644 index 98239a8..0000000 
--- a/hosts/fra1-a/configuration.nix
+++ /dev/null
@@ -1,138 +0,0 @@
-{
- config,
- myData,
- modulesPath,
- ...
-}:
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- zfs-root = {
- boot = {
- enable = true;
- devNodes = "/dev/disk/by-id/";
- bootDevices = [ "scsi-0QEMU_QEMU_HARDDISK_36151096" ];
- immutable = false;
- availableKernelModules = [
- "xhci_pci"
- "virtio_pci"
- "virtio_scsi"
- "usbhid"
- "sr_mod"
- "virtio_gpu"
- ];
- removableEfi = true;
- kernelParams = [ "console=tty" ];
- sshUnlock = {
- enable = true;
- authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
- myData.hosts."vno1-oh2.servers.jakst".publicKey
- ];
- };
- };
- };
-
- mj = {
- stateVersion = "23.05";
- timeZone = "UTC";
- username = "motiejus";
-
- base = {
- users = {
- enable = true;
- root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
- user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
- };
-
- unitstatus = {
- enable = true;
- email = "motiejus+alerts@jakstys.lt";
- };
-
- snapshot = {
- enable = true;
- mountpoints = [ "/var/lib" ];
- };
- };
-
- services = {
- node_exporter.enable = true;
- sshguard.enable = true;
- tailscale.enable = true;
-
- remote-builder.server = {
- enable = true;
- uidgid = myData.uidgid.remote-builder;
- sshAllowSubnet = myData.subnets.tailscale.sshPattern;
- publicKeys = map (h: myData.hosts.${h}.publicKey) [
- "vno1-oh2.servers.jakst"
- "fwminex.motiejus.jakst"
- "mtworx.motiejus.jakst"
- ];
- };
-
- postfix = {
- enable = true;
- saslPasswdPath = config.age.secrets.sasl-passwd.path;
- };
-
- deployerbot = {
- follower = {
- publicKeys = [
- myData.hosts."vno1-oh2.servers.jakst".publicKey
- myData.hosts."fwminex.motiejus.jakst".publicKey
- ];
-
- enable = true;
- sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
- uidgid = myData.uidgid.updaterbot-deployee;
- };
- };
-
- zfsunlock = {
- enable = false;
- targets."vno1-oh2.servers.jakst" =
- let
- host = myData.hosts."vno1-oh2.servers.jakst";
- in
- {
- sshEndpoint = 
host.publicIP; - pingEndpoint = host.jakstIP; - remotePubkey = host.initrdPubKey; - pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path; - startAt = "*-*-* *:00/5:00"; - }; - }; - }; - }; - - services = { - nsd = { - enable = true; - interfaces = [ - "0.0.0.0" - "::" - ]; - zones = { - "jakstys.lt.".data = myData.jakstysLTZone; - "11sync.net.".data = myData.e11syncZone; - }; - }; - }; - - networking = { - hostId = "bed6fa0b"; - hostName = "fra1-a"; - domain = "servers.jakst"; - useDHCP = true; - firewall = { - allowedUDPPorts = [ 53 ]; - allowedTCPPorts = [ - 22 - 53 - ]; - }; - }; - - nixpkgs.hostPlatform = "aarch64-linux"; -} diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index 49905db..9bb1f4b 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -155,7 +155,6 @@ in deployDerivations = [ ".#fwminex" ".#vno1-oh2" - ".#fra1-a" ".#fra1-b" ".#vno3-rp3b" ]; diff --git a/hosts/mtworx/configuration.nix b/hosts/mtworx/configuration.nix index be6e90d..06c38b6 100644 --- a/hosts/mtworx/configuration.nix +++ b/hosts/mtworx/configuration.nix @@ -145,14 +145,6 @@ in group = "users"; }; - #remote-builder.client = let - # host = myData.hosts."fra1-a.servers.jakst"; - #in { - # enable = true; - # inherit (host) system supportedFeatures; - # hostName = host.jakstIP; - # sshKey = "/etc/ssh/ssh_host_ed25519_key"; - #}; }; }; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index 27323fd..ef2ea1a 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -25,12 +25,6 @@ kernelParams = [ "ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp0s21f0u2:off" ]; - sshUnlock = { - enable = true; - authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [ - myData.hosts."fra1-a.servers.jakst".publicKey - ]; - }; }; }; 
@@ -229,24 +223,9 @@ macaroonSecretKeyPath = config.age.secrets.synapse-macaroon-secret-key.path; }; - zfsunlock = { - enable = true; - targets."fra1-a.servers.jakst" = - let - host = myData.hosts."fra1-a.servers.jakst"; - in - { - sshEndpoint = host.publicIP; - pingEndpoint = host.jakstIP; - remotePubkey = host.initrdPubKey; - pwFile = config.age.secrets.zfs-passphrase-fra1-a.path; - startAt = "*-*-* *:00/5:00"; - }; - }; - remote-builder.client = let - host = myData.hosts."fra1-a.servers.jakst"; + host = myData.hosts."fra1-b.servers.jakst"; in { enable = true; @@ -478,10 +457,6 @@ job_name = "${config.networking.hostName}.${config.networking.domain}"; static_configs = [ { targets = [ "127.0.0.1:${port}" ]; } ]; } - { - job_name = "fra1-a.servers.jakst"; - static_configs = [ { targets = [ "${myData.hosts."fra1-a.servers.jakst".jakstIP}:${port}" ]; } ]; - } { job_name = "fra1-b.servers.jakst"; static_configs = [ { targets = [ "${myData.hosts."fra1-b.servers.jakst".jakstIP}:${port}" ]; } ]; diff --git a/secrets.nix b/secrets.nix index ee4989f..ba793bc 100644 --- a/secrets.nix +++ b/secrets.nix @@ -8,12 +8,10 @@ let fwminex = (import ./data.nix).hosts."fwminex.motiejus.jakst".publicKey; mtworx = (import ./data.nix).hosts."mtworx.motiejus.jakst".publicKey; - fra1-a = (import ./data.nix).hosts."fra1-a.servers.jakst".publicKey; fra1-b = (import ./data.nix).hosts."fra1-b.servers.jakst".publicKey; vno1-oh2 = (import ./data.nix).hosts."vno1-oh2.servers.jakst".publicKey; vno3-rp3b = (import ./data.nix).hosts."vno3-rp3b.servers.jakst".publicKey; systems = [ - fra1-a fra1-b vno1-oh2 vno3-rp3b @@ -33,7 +31,6 @@ let in { } // mk ([ vno1-oh2 ] ++ motiejus) [ - "secrets/fra1-a/zfs-passphrase.age" "secrets/vno1-oh2/borgbackup/password.age" "secrets/grafana.jakstys.lt/oidc.age" "secrets/letsencrypt/account.key.age" 
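Review bot: The new `host = myData.hosts."fra1-b.servers.jakst";` repoints vno1-oh2's remote-builder.client at fra1-b, but nothing in this patch adds vno1-oh2 to fra1-b's builder authorization; the deleted hosts/fra1-a/configuration.nix listed `"vno1-oh2.servers.jakst"` explicitly under `remote-builder.server.publicKeys`, so fra1-b's configuration (not in the diff) presumably needs the same entry before the client can authenticate. If the client block, which continues past the hunk, inherits `system` and `supportedFeatures` from the host record the way the removed mtworx snippet did, confirm the fra1-b entry in data.nix defines them (fra1-a's was aarch64-linux with gccarch-armv8-a). Separately, the previous hunk in this file removes the whole `zfs-root.boot.sshUnlock` block rather than only the fra1-a key, so `myData.people_pubkeys` also leaves the initrd authorized keys and vno1-oh2 can no longer be unlocked remotely at boot; if that is not intended, keep the block with `authorizedKeys = builtins.attrValues myData.people_pubkeys;`.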
@@ -48,10 +45,6 @@ in "secrets/vno1-oh2/syncthing/key.pem.age" "secrets/vno1-oh2/syncthing/cert.pem.age" ] -// mk ([ fra1-a ] ++ motiejus) [ - "secrets/vno1-oh2/zfs-passphrase.age" - "secrets/fra1-a/borgbackup-password.age" -] // mk ([ vno3-rp3b ] ++ motiejus) [ "secrets/vno3-rp3b/datapool-passphrase.age" ] // mk ([ mtworx ] ++ motiejus) [ "secrets/motiejus_work_passwd_hash.age" diff --git a/secrets/fra1-a/borgbackup-password.age b/secrets/fra1-a/borgbackup-password.age deleted file mode 100644 index a884a6d..0000000 --- a/secrets/fra1-a/borgbackup-password.age +++ /dev/null @@ -1,14 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 qDkIVA Mp549UjXPnrPEGGtLhittMH/mp4vgjG1vXpIKMK27E8 -X6mJ9FubJfjJEAju7tW+IV9gp08lb3WJhrpRxIUDlVA --> X25519 CChl64dZSLvqnWxEqjpAHaGgIBpPlU/PhkoZO2IE3nc -o3/NX1O+ZjDUdOnsm3UQvR0FUvssJhU3c4TwleNWyGQ --> X25519 MF7jW4oFLPXJvrd4nN/QBJOmvj5noGZywqxD7n2EjFE -q3yixUVdvL/JCu66lDrjc9jRxz8zj/Al1Q8qBQRVk2U --> piv-p256 +y2G/w AxATdCf+nrNcKTUB7R/umEAs2IXfXVw9KnR0A4e8aAsb -PQt7XGJipJSQKwtrnG2xMvOoLxKRDnuMfrtBkV3nQj0 --> piv-p256 jNqd3A AwQKrT5BBsN4qkEaYa+r5Cty++MznmQ23taV2ATb7v5d -/sTrXEUzic8FB4RJO8+tUgsVAyu7sFSPf02VEo3xO6E ---- 7V8vt6ufLJyTC/oPAoIcmd3IpokA/9I/bJ2CjBPdo2E -0ӝ\$GuH -CL ssh-ed25519 gJrHQg UJ9tnFdR1SR+JgJ9qG9tohUhx/DNwiTei1ugGGkzQmw -wSKi261eBVsiCj1srsF/rrJbyqvxE22/EkXTxf576II --> X25519 Rpf59VKUKFRdgdhRGXXj5cfvUJWmyJPNTIrpXsJHEVk -l1KD8JqVD5c6Buh5j+iUvlpDOkREOT3GpYwnIWdcj2k --> X25519 MCrpWTbkRaYk9pu8cLlh0d1bZBnRVVHCNiBrJBbwrC0 -nXATxQ2ECaaEphy4WG8grj6GcgrWxkgsnRxsj9eO2U4 --> piv-p256 +y2G/w A6bqVBnXzhhoY4baDkw8pfjH3/uGrwUFZoPR/IoYTfM+ -yMihTg124+IVta0QBRXFCjU72/yJEuwOHYFwdg7HN68 --> piv-p256 jNqd3A A87fyRdaJuKstFdbc1XGAWruqX/ABWk0E+izavuT36vH -HkT/hGCIwl22Xf832vJPsyCpDmCQiampAEs0iOq/8x8 ---- KIJT1t2apRARDwhLKI4PIirOO4cu5bDSTKT90SYWFcc -?Ȇ -/Y5v|H'ÏxeZTz \ No newline at end of file
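Review bot: Dropping the `mk ([ fra1-a ] ++ motiejus)` block leaves `secrets/vno1-oh2/zfs-passphrase.age` with no recipient rule, while the file itself is not deleted here (the diffstat removes only the two `secrets/fra1-a/*.age` files) and its only visible consumer was the fra1-a nixosSystem removed in flake.nix. As committed it stays in the repo encrypted to the retired fra1-a host key and outside any future rekey. Unless it is declared in a part of secrets.nix outside these hunks, either delete it together with the fra1-a secrets or move it under `mk ([ vno1-oh2 ] ++ motiejus)` and rekey so it is readable only by current recipients.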