motiejus
/
config
1
Fork 0
Code Packages Releases Activity

rm fra1-a

This commit is contained in:
Motiejus Jakštys 2024-07-31 09:06:53 +03:00
parent 613a7ec3f3
commit bd10c64250
10 changed files with 2 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -5,7 +5,7 @@ Flakes:
$ deploy --interactive '#vno1-oh2' $ deploy --interactive '#vno1-oh2'
$ nix build .#deploy.nodes.fra1-a.profiles.system.path $ nix build .#deploy.nodes.fra1-b.profiles.system.path
Other: Other:

20
data.nix
View File

@ -69,25 +69,6 @@ rec {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBudUFFEBpUVdr26vLJup8Hk6wj1iDbOPPQnJbv6GUGC"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBudUFFEBpUVdr26vLJup8Hk6wj1iDbOPPQnJbv6GUGC";
jakstIP = "100.89.176.2"; jakstIP = "100.89.176.2";
}; };
"fra1-a.servers.jakst" = rec {
extraHostNames = [
"fra1-a.jakstys.lt"
publicIP
jakstIP
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM";
initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO";
publicIP = "168.119.184.134";
jakstIP = "100.89.176.5";
system = "aarch64-linux";
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
"gccarch-armv8-a"
];
};
"fra1-b.servers.jakst" = rec { "fra1-b.servers.jakst" = rec {
extraHostNames = [ extraHostNames = [
"fra1-b.jakstys.lt" "fra1-b.jakstys.lt"
@ -186,7 +167,6 @@ rec {
ns1 A ${vno1} ns1 A ${vno1}
ns2 A ${fra1b} ns2 A ${fra1b}
www A ${vno1} www A ${vno1}
admin A ${hosts."fra1-a.servers.jakst".jakstIP}
key1._domainkey CNAME key1.11sync.net._domainkey.migadu.com. key1._domainkey CNAME key1.11sync.net._domainkey.migadu.com.
key2._domainkey CNAME key2.11sync.net._domainkey.migadu.com. key2._domainkey CNAME key2.11sync.net._domainkey.migadu.com.
key3._domainkey CNAME key3.11sync.net._domainkey.migadu.com. key3._domainkey CNAME key3.11sync.net._domainkey.migadu.com.

37
flake.nix
View File

@ -169,7 +169,6 @@
age.secrets = { age.secrets = {
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age; root-passwd-hash.file = ./secrets/root_passwd_hash.age;
zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age; photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
@ -270,31 +269,6 @@
} // inputs; } // inputs;
}; };
fra1-a = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = [
{ nixpkgs.overlays = overlays; }
agenix.nixosModules.default
home-manager.nixosModules.home-manager
./hosts/fra1-a/configuration.nix
./modules
{
age.secrets = {
zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
borgbackup-password.file = ./secrets/fra1-a/borgbackup-password.age;
motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
root-passwd-hash.file = ./secrets/root_passwd_hash.age;
sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
};
}
];
specialArgs = {
inherit myData;
} // inputs;
};
}; };
deploy.nodes = { deploy.nodes = {
@ -342,17 +316,6 @@
}; };
}; };
fra1-a = {
hostname = myData.hosts."fra1-a.servers.jakst".jakstIP;
profiles = {
system = {
sshUser = "motiejus";
path = self.nixosConfigurations.fra1-a.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a;
user = "root";
};
};
};
fra1-b = { fra1-b = {
hostname = myData.hosts."fra1-b.servers.jakst".jakstIP; hostname = myData.hosts."fra1-b.servers.jakst".jakstIP;
profiles = { profiles = {

138
hosts/fra1-a/configuration.nix
View File

@ -1,138 +0,0 @@
{
config,
myData,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
zfs-root = {
boot = {
enable = true;
devNodes = "/dev/disk/by-id/";
bootDevices = [ "scsi-0QEMU_QEMU_HARDDISK_36151096" ];
immutable = false;
availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
"sr_mod"
"virtio_gpu"
];
removableEfi = true;
kernelParams = [ "console=tty" ];
sshUnlock = {
enable = true;
authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
myData.hosts."vno1-oh2.servers.jakst".publicKey
];
};
};
};
mj = {
stateVersion = "23.05";
timeZone = "UTC";
username = "motiejus";
base = {
users = {
enable = true;
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
};
unitstatus = {
enable = true;
email = "motiejus+alerts@jakstys.lt";
};
snapshot = {
enable = true;
mountpoints = [ "/var/lib" ];
};
};
services = {
node_exporter.enable = true;
sshguard.enable = true;
tailscale.enable = true;
remote-builder.server = {
enable = true;
uidgid = myData.uidgid.remote-builder;
sshAllowSubnet = myData.subnets.tailscale.sshPattern;
publicKeys = map (h: myData.hosts.${h}.publicKey) [
"vno1-oh2.servers.jakst"
"fwminex.motiejus.jakst"
"mtworx.motiejus.jakst"
];
};
postfix = {
enable = true;
saslPasswdPath = config.age.secrets.sasl-passwd.path;
};
deployerbot = {
follower = {
publicKeys = [
myData.hosts."vno1-oh2.servers.jakst".publicKey
myData.hosts."fwminex.motiejus.jakst".publicKey
];
enable = true;
sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
uidgid = myData.uidgid.updaterbot-deployee;
};
};
zfsunlock = {
enable = false;
targets."vno1-oh2.servers.jakst" =
let
host = myData.hosts."vno1-oh2.servers.jakst";
in
{
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
startAt = "*-*-* *:00/5:00";
};
};
};
};
services = {
nsd = {
enable = true;
interfaces = [
"0.0.0.0"
"::"
];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
"11sync.net.".data = myData.e11syncZone;
};
};
};
networking = {
hostId = "bed6fa0b";
hostName = "fra1-a";
domain = "servers.jakst";
useDHCP = true;
firewall = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [
22
53
];
};
};
nixpkgs.hostPlatform = "aarch64-linux";
}

1
hosts/fwminex/configuration.nix
View File

@ -155,7 +155,6 @@ in
deployDerivations = [ deployDerivations = [
".#fwminex" ".#fwminex"
".#vno1-oh2" ".#vno1-oh2"
".#fra1-a"
".#fra1-b" ".#fra1-b"
".#vno3-rp3b" ".#vno3-rp3b"
]; ];

8
hosts/mtworx/configuration.nix
View File

@ -145,14 +145,6 @@ in
group = "users"; group = "users";
}; };
#remote-builder.client = let
# host = myData.hosts."fra1-a.servers.jakst";
#in {
# enable = true;
# inherit (host) system supportedFeatures;
# hostName = host.jakstIP;
# sshKey = "/etc/ssh/ssh_host_ed25519_key";
#};
}; };
}; };

27
hosts/vno1-oh2/configuration.nix
View File

@ -25,12 +25,6 @@
kernelParams = [ kernelParams = [
"ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp0s21f0u2:off" "ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp0s21f0u2:off"
]; ];
sshUnlock = {
enable = true;
authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
myData.hosts."fra1-a.servers.jakst".publicKey
];
};
}; };
}; };
@ -229,24 +223,9 @@
macaroonSecretKeyPath = config.age.secrets.synapse-macaroon-secret-key.path; macaroonSecretKeyPath = config.age.secrets.synapse-macaroon-secret-key.path;
}; };
zfsunlock = {
enable = true;
targets."fra1-a.servers.jakst" =
let
host = myData.hosts."fra1-a.servers.jakst";
in
{
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
startAt = "*-*-* *:00/5:00";
};
};
remote-builder.client = remote-builder.client =
let let
host = myData.hosts."fra1-a.servers.jakst"; host = myData.hosts."fra1-b.servers.jakst";
in in
{ {
enable = true; enable = true;
@ -478,10 +457,6 @@
job_name = "${config.networking.hostName}.${config.networking.domain}"; job_name = "${config.networking.hostName}.${config.networking.domain}";
static_configs = [ { targets = [ "127.0.0.1:${port}" ]; } ]; static_configs = [ { targets = [ "127.0.0.1:${port}" ]; } ];
} }
{
job_name = "fra1-a.servers.jakst";
static_configs = [ { targets = [ "${myData.hosts."fra1-a.servers.jakst".jakstIP}:${port}" ]; } ];
}
{ {
job_name = "fra1-b.servers.jakst"; job_name = "fra1-b.servers.jakst";
static_configs = [ { targets = [ "${myData.hosts."fra1-b.servers.jakst".jakstIP}:${port}" ]; } ]; static_configs = [ { targets = [ "${myData.hosts."fra1-b.servers.jakst".jakstIP}:${port}" ]; } ];

7
secrets.nix
View File

@ -8,12 +8,10 @@ let
fwminex = (import ./data.nix).hosts."fwminex.motiejus.jakst".publicKey; fwminex = (import ./data.nix).hosts."fwminex.motiejus.jakst".publicKey;
mtworx = (import ./data.nix).hosts."mtworx.motiejus.jakst".publicKey; mtworx = (import ./data.nix).hosts."mtworx.motiejus.jakst".publicKey;
fra1-a = (import ./data.nix).hosts."fra1-a.servers.jakst".publicKey;
fra1-b = (import ./data.nix).hosts."fra1-b.servers.jakst".publicKey; fra1-b = (import ./data.nix).hosts."fra1-b.servers.jakst".publicKey;
vno1-oh2 = (import ./data.nix).hosts."vno1-oh2.servers.jakst".publicKey; vno1-oh2 = (import ./data.nix).hosts."vno1-oh2.servers.jakst".publicKey;
vno3-rp3b = (import ./data.nix).hosts."vno3-rp3b.servers.jakst".publicKey; vno3-rp3b = (import ./data.nix).hosts."vno3-rp3b.servers.jakst".publicKey;
systems = [ systems = [
fra1-a
fra1-b fra1-b
vno1-oh2 vno1-oh2
vno3-rp3b vno3-rp3b
@ -33,7 +31,6 @@ let
in in
{ } { }
// mk ([ vno1-oh2 ] ++ motiejus) [ // mk ([ vno1-oh2 ] ++ motiejus) [
"secrets/fra1-a/zfs-passphrase.age"
"secrets/vno1-oh2/borgbackup/password.age" "secrets/vno1-oh2/borgbackup/password.age"
"secrets/grafana.jakstys.lt/oidc.age" "secrets/grafana.jakstys.lt/oidc.age"
"secrets/letsencrypt/account.key.age" "secrets/letsencrypt/account.key.age"
@ -48,10 +45,6 @@ in
"secrets/vno1-oh2/syncthing/key.pem.age" "secrets/vno1-oh2/syncthing/key.pem.age"
"secrets/vno1-oh2/syncthing/cert.pem.age" "secrets/vno1-oh2/syncthing/cert.pem.age"
] ]
// mk ([ fra1-a ] ++ motiejus) [
"secrets/vno1-oh2/zfs-passphrase.age"
"secrets/fra1-a/borgbackup-password.age"
]
// mk ([ vno3-rp3b ] ++ motiejus) [ "secrets/vno3-rp3b/datapool-passphrase.age" ] // mk ([ vno3-rp3b ] ++ motiejus) [ "secrets/vno3-rp3b/datapool-passphrase.age" ]
// mk ([ mtworx ] ++ motiejus) [ // mk ([ mtworx ] ++ motiejus) [
"secrets/motiejus_work_passwd_hash.age" "secrets/motiejus_work_passwd_hash.age"

14
secrets/fra1-a/borgbackup-password.age
View File

@ -1,14 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 qDkIVA Mp549UjXPnrPEGGtLhittMH/mp4vgjG1vXpIKMK27E8
X6mJ9FubJfjJEAju7tW+IV9gp08lb3WJhrpRxIUDlVA
-> X25519 CChl64dZSLvqnWxEqjpAHaGgIBpPlU/PhkoZO2IE3nc
o3/NX1O+ZjDUdOnsm3UQvR0FUvssJhU3c4TwleNWyGQ
-> X25519 MF7jW4oFLPXJvrd4nN/QBJOmvj5noGZywqxD7n2EjFE
q3yixUVdvL/JCu66lDrjc9jRxz8zj/Al1Q8qBQRVk2U
-> piv-p256 +y2G/w AxATdCf+nrNcKTUB7R/umEAs2IXfXVw9KnR0A4e8aAsb
PQt7XGJipJSQKwtrnG2xMvOoLxKRDnuMfrtBkV3nQj0
-> piv-p256 jNqd3A AwQKrT5BBsN4qkEaYa+r5Cty++MznmQ23taV2ATb7v5d
/sTrXEUzic8FB4RJO8+tUgsVAyu7sFSPf02VEo3xO6E
--- 7V8vt6ufLJyTC/oPAoIcmd3IpokA/9I/bJ2CjBPdo2E
«0¨ŒÓ<C592>\$GuH
ºCÄLåûô<U¹sfWÒŽô©ðLðEZn-ÏMÕîP¤ä½X„

14
secrets/fra1-a/zfs-passphrase.age
View File

@ -1,14 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 gJrHQg UJ9tnFdR1SR+JgJ9qG9tohUhx/DNwiTei1ugGGkzQmw
wSKi261eBVsiCj1srsF/rrJbyqvxE22/EkXTxf576II
-> X25519 Rpf59VKUKFRdgdhRGXXj5cfvUJWmyJPNTIrpXsJHEVk
l1KD8JqVD5c6Buh5j+iUvlpDOkREOT3GpYwnIWdcj2k
-> X25519 MCrpWTbkRaYk9pu8cLlh0d1bZBnRVVHCNiBrJBbwrC0
nXATxQ2ECaaEphy4WG8grj6GcgrWxkgsnRxsj9eO2U4
-> piv-p256 +y2G/w A6bqVBnXzhhoY4baDkw8pfjH3/uGrwUFZoPR/IoYTfM+
yMihTg124+IVta0QBRXFCjU72/yJEuwOHYFwdg7HN68
-> piv-p256 jNqd3A A87fyRdaJuKstFdbc1XGAWruqX/ABWk0E+izavuT36vH
HkT/hGCIwl22Xf832vJPsyCpDmCQiampAEs0iOq/8x8
--- KIJT1t2apRARDwhLKI4PIirOO4cu5bDSTKT90SYWFcc
?Ȇ­Æ
´½/ÕÉ5¦î敾Àv¿|Ôù„H'Ã<>¨xÈeÉÒZTz÷