From cc11726ed7ffe3de9639bd99a52cc82d4256ae75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sun, 27 Aug 2023 15:16:52 +0300
Subject: [PATCH] remove hel1-a
---
 README.md | 2 +-
 data.nix | 10 --
 flake.nix | 38 -------
 hosts/fra1-a/configuration.nix | 1 -
 hosts/hel1-a/configuration.nix | 144 ------------------------
 hosts/hel1-a/hardware-configuration.nix | 69 ------------
 hosts/hel1-a/zfs.nix | 35 ------
 hosts/vno1-oh2/configuration.nix | 16 +-
 modules/base/default.nix | 1 -
 modules/base/initrd/default.nix | 38 -------
 secrets.nix | 9 +-
 11 files changed, 4 insertions(+), 359 deletions(-)
 delete mode 100644 hosts/hel1-a/configuration.nix
 delete mode 100644 hosts/hel1-a/hardware-configuration.nix
 delete mode 100644 hosts/hel1-a/zfs.nix
 delete mode 100644 modules/base/initrd/default.nix
diff --git a/README.md b/README.md
index 87f0b1c..cbf4c93 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ Flakes:
 $ deploy --interactive '#vno1-oh2'
- $ nix build .#deploy.nodes.hel1-a.profiles.system.path
+ $ nix build .#deploy.nodes.fra1-a.profiles.system.path
 Other:
diff --git a/data.nix b/data.nix
index 6cf49e5..29b2ef8 100644
--- a/data.nix
+++ b/data.nix
@@ -55,13 +55,6 @@ rec {
 publicIP = "168.119.184.134";
 jakstIP = "100.89.176.5";
 };
- "hel1-a.servers.jakst" = rec {
- extraHostNames = ["hel1-a.jakstys.lt" publicIP jakstIP];
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu";
- initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzt0eaSRTAfM2295x4vACEd5VFqVeYJPV/N9ZUq+voP";
- publicIP = "65.21.7.119";
- jakstIP = "100.89.176.3";
- };
 "fwmine.motiejus.jakst" = {
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPi4N6NhUjAwZNSbi/Eb9zliZtrCzNEHmKb4UGRsJqF";
 jakstIP = "100.89.176.6";
@@ -88,7 +81,6 @@ rec {
 };
 jakstysLTZone = let
- hel1a = hosts."hel1-a.servers.jakst".publicIP;
 fra1a = hosts."fra1-a.servers.jakst".publicIP;
 vno1 = hosts."vno1-oh2.servers.jakst".publicIP;
 in ''
@@ -105,8 +97,6 @@ rec {
 git A ${vno1}
 auth A ${vno1}
 dl A ${vno1}
- fwmine A ${hel1a}
- hel1-a A ${hel1a}
 fra1-a A ${fra1a}
 vno1 A ${vno1}
diff --git a/flake.nix b/flake.nix
index ef61070..b3584a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,31 +44,6 @@
 # specialArgs = {inherit myData;} // inputs;
 #};
- nixosConfigurations.hel1-a = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- ./hosts/hel1-a/configuration.nix
- ./hosts/hel1-a/hardware-configuration.nix
- ./hosts/hel1-a/zfs.nix
-
- ./modules
-
- agenix.nixosModules.default
- home-manager.nixosModules.home-manager
-
- {
- age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
- age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
- age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
-
- age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age;
- age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
- }
- ];
-
- specialArgs = {inherit myData;} // inputs;
- };
-
 nixosConfigurations.vno1-oh2 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
@@ -82,7 +57,6 @@
 {
 age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
 age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
- age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;
 age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
 age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
@@ -139,18 +113,6 @@
 specialArgs = {inherit myData;} // inputs;
 };
- deploy.nodes.hel1-a = {
- hostname = myData.hosts."hel1-a.servers.jakst".jakstIP;
- profiles = {
- system = {
- sshUser = "motiejus";
- path =
- deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.hel1-a;
- user = "root";
- };
- };
- };
-
 deploy.nodes.vno1-oh2 = {
 hostname = myData.hosts."vno1-oh2.servers.jakst".jakstIP;
 profiles = {
diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
index e782586..ec12485 100644
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@@ -22,7 +22,6 @@
 authorizedKeys =
 (builtins.attrValues myData.people_pubkeys)
 ++ [
- myData.hosts."hel1-a.servers.jakst".publicKey
 myData.hosts."vno1-oh2.servers.jakst".publicKey
 ];
 };
diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix
deleted file mode 100644
index 138b548..0000000
--- a/hosts/hel1-a/configuration.nix
+++ /dev/null
@@ -1,144 +0,0 @@
-{
- config,
- pkgs,
- lib,
- agenix,
- myData,
- ...
-}: {
- imports = [
- ./hardware-configuration.nix
- ./zfs.nix
- ];
-
- mj = {
- stateVersion = "22.11";
- timeZone = "UTC";
-
- base = {
- zfs.enable = true;
-
- users.passwd = {
- root.passwordFile = config.age.secrets.root-passwd-hash.path;
- motiejus.passwordFile = config.age.secrets.motiejus-passwd-hash.path;
- };
-
- initrd = {
- enable = true;
- authorizedKeys =
- (builtins.attrValues myData.people_pubkeys)
- ++ [myData.hosts."vno1-oh2.servers.jakst".publicKey];
- hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
- };
- snapshot = {
- enable = true;
- mountpoints = ["/var/lib" "/var/log"];
- };
-
- zfsborg = {
- enable = true;
- passwordPath = config.age.secrets.borgbackup-password.path;
- mountpoints = {
- "/var/lib" = {
- repo = "zh2769@zh2769.rsync.net:hel1-a.servers.jakst-var_lib";
- paths = [
- "/var/lib/.snapshot-latest/headscale"
- ];
- backup_at = "*-*-* 00:05:00";
- };
- };
- };
-
- unitstatus = {
- enable = true;
- email = "motiejus+alerts@jakstys.lt";
- };
- };
-
- services = {
- node_exporter.enable = true;
-
- headscale = {
- enable = false;
- clientOidcPath = config.age.secrets.headscale-client-oidc.path;
- subnetCIDR = myData.tailscale_subnet.cidr;
- };
- deployerbot = {
- follower = {
- enable = true;
- uidgid = myData.uidgid.updaterbot-deployee;
- publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
- };
- };
- postfix = {
- enable = true;
- saslPasswdPath = config.age.secrets.sasl-passwd.path;
- };
-
- zfsunlock = {
- enable = true;
- targets."vno1-oh2.servers.jakst" = let
- host = myData.hosts."vno1-oh2.servers.jakst";
- in {
- sshEndpoint = host.publicIP;
- pingEndpoint = host.jakstIP;
- remotePubkey = host.initrdPubKey;
- pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
- startAt = "*-*-* *:00/5:00";
- };
- };
- };
- };
-
- environment.systemPackages = with pkgs; [
- nixos-option
- graphicsmagick
- ];
-
- services = {
- tailscale.enable =
true;
-
- nsd = {
- enable = true;
- interfaces = ["0.0.0.0" "::"];
- zones = {
- "jakstys.lt.".data = myData.jakstysLTZone;
- };
- };
-
- logrotate = {
- settings = {
- "/var/log/caddy/access-jakstys.lt.log" = {
- rotate = -1;
- frequency = "daily";
- dateext = true;
- dateyesterday = true;
- compress = true;
- compresscmd = "${pkgs.zstd}/bin/zstd";
- compressext = ".zst";
- compressoptions = "--long -19";
- uncompresscmd = "${pkgs.zstd}/bin/unzstd";
- postrotate = "${pkgs.systemd}/bin/systemctl restart caddy";
- };
- };
- };
- };
-
- networking = {
- hostName = "hel1-a";
- domain = "servers.jakst";
- firewall = {
- allowedTCPPorts = [
- 53
- 80
- 443
- ];
- allowedUDPPorts = [
- 53
- 443
- 41641 # tailscale
- ];
- checkReversePath = "loose"; # for tailscale
- };
- };
-}
diff --git a/hosts/hel1-a/hardware-configuration.nix b/hosts/hel1-a/hardware-configuration.nix
deleted file mode 100644
index c193503..0000000
--- a/hosts/hel1-a/hardware-configuration.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: {
- imports = [(modulesPath + "/profiles/qemu-guest.nix")];
- boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = [];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "rpool/nixos/root";
- fsType = "zfs";
- options = ["zfsutil" "X-mount.mkdir"];
- };
-
- fileSystems."/home" = {
- device = "rpool/nixos/home";
- fsType = "zfs";
- options = ["zfsutil" "X-mount.mkdir"];
- };
-
- fileSystems."/var/lib" = {
- device = "rpool/nixos/var/lib";
- fsType = "zfs";
- options = ["zfsutil" "X-mount.mkdir"];
- };
-
- fileSystems."/var/log" = {
- device = "rpool/nixos/var/log";
- fsType = "zfs";
- options = ["zfsutil" "X-mount.mkdir"];
- };
-
- fileSystems."/boot" = {
- device = "bpool/nixos/root";
- fsType = "zfs";
- options = ["zfsutil" "X-mount.mkdir"];
- };
-
- fileSystems."/boot/efis/scsi-0QEMU_QEMU_HARDDISK_9233346-part1" = {
- device = "/dev/disk/by-uuid/B6D7-D52E";
- fsType = "vfat";
- };
-
- #fileSystems."/boot/efi" =
- # { device = "/boot/efis/scsi-0QEMU_QEMU_HARDDISK_9233346-part1";
- # fsType = "none";
- # options = [ "bind" ];
- # };
-
- swapDevices = [{device = "/dev/disk/by-uuid/03ebe703-aa24-4ee5-a7c3-f8614ee779b0";}];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/hosts/hel1-a/zfs.nix b/hosts/hel1-a/zfs.nix
deleted file mode 100644
index cc28364..0000000
--- a/hosts/hel1-a/zfs.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- boot.supportedFilesystems = ["zfs"];
- networking.hostId = "cd1a441c";
- boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
- boot.loader.efi.efiSysMountPoint = "/boot/efi";
- boot.loader.efi.canTouchEfiVariables = false;
- boot.loader.generationsDir.copyKernels = true;
- boot.loader.grub.efiInstallAsRemovable = true;
- boot.loader.grub.enable = true;
- boot.loader.grub.copyKernels = true;
- boot.loader.grub.efiSupport = true;
- boot.loader.grub.zfsSupport = true;
- #boot.loader.grub.extraPrepareConfig = ''
- # mkdir -p /boot/efis
- # for i in /boot/efis/*; do mount $i ; done
- #
- # mkdir -p /boot/efi
- # mount /boot/efi
- #'';
- #boot.loader.grub.extraInstallCommands = ''
- #ESP_MIRROR=$(mktemp -d)
- #cp -r /boot/efi/EFI $ESP_MIRROR
- #for i in /boot/efis/*; do
- # cp -r $ESP_MIRROR/EFI $i
- #done
- #rm -rf $ESP_MIRROR
- #'';
- boot.loader.grub.devices = [
- "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_9233346"
- ];
-}
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 7227bb0..dd653b0 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -19,7 +19,7 @@
 enable = true;
 authorizedKeys =
 (builtins.attrValues myData.people_pubkeys)
- ++ [myData.hosts."hel1-a.servers.jakst".publicKey];
+ ++ [myData.hosts."fra1-a.servers.jakst".publicKey];
 };
 };
 };
@@ -125,7 +125,6 @@
 repo = "git@git.jakstys.lt:motiejus/config";
 deployDerivations = [
 ".#vno1-oh2"
- ".#hel1-a"
 ".#vno1-rp3b"
 ".#fra1-a"
 ];
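Review bot: Swapping hel1-a's key for fra1-a's in the initrd `authorizedKeys` of hosts/vno1-oh2/configuration.nix (@@ -19) revokes hel1-a's remote-unlock access to this host, but nothing in the commit rotates or re-keys the secrets hel1-a could decrypt: the removed flake.nix entry gave it `zfs-passphrase-vno1-oh2`, `borgbackup-password`, `sasl-passwd` and both password hashes, and the diffstat deletes no `.age` file under `secrets/`. If the hel1-a host private key outlives the machine (disk image, snapshot, backup), those files stay decryptable with it, so re-encrypt them without hel1-a as a recipient (the secrets.nix hunk is outside this chunk) and rotate at least the vno1-oh2 ZFS passphrase and the borg password. Separately, this `enable`/`authorizedKeys` block, whose enclosing attribute set starts before the hunk, has the same shape as the `mj.base.initrd` block in the deleted hosts/hel1-a/configuration.nix, and that option's declaration is the deleted modules/base/initrd/default.nix; unless it is declared elsewhere, evaluating vno1-oh2 (and fra1-a, whose @@ -22 hunk sets the same attribute) will fail on an undefined option, so run `nix flake check` before deploying. The deleted hel1-a config also held the `zfsunlock` target for vno1-oh2, and no hunk here moves that role to fra1-a, so confirm this host can still be unlocked remotely after a reboot.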
@@ -159,15 +158,6 @@
 zfsunlock = {
 enable = true;
- targets."hel1-a.servers.jakst" = let
- host = myData.hosts."hel1-a.servers.jakst";
- in {
- sshEndpoint = host.publicIP;
- pingEndpoint = host.jakstIP;
- remotePubkey = host.initrdPubKey;
- pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
- startAt = "*-*-* *:00/5:00";
- };
 targets."fra1-a.servers.jakst" = let
 host = myData.hosts."fra1-a.servers.jakst";
 in {
@@ -312,10 +302,6 @@
 job_name = "fra1-a.servers.jakst";
 static_configs = [{targets = ["${myData.hosts."fra1-a.servers.jakst".jakstIP}:${port}"];}];
 }
- {
- job_name = "hel1-a.servers.jakst";
- static_configs = [{targets = ["${myData.hosts."hel1-a.servers.jakst".jakstIP}:${port}"];}];
- }
 {
 job_name = "vno1-rp3b.servers.jakst";
 static_configs = [{targets = ["${myData.hosts."vno1-rp3b.servers.jakst".jakstIP}:${port}"];}];
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 671be81..91430b7 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -6,7 +6,6 @@
 }: {
 imports = [
 ./boot
- ./initrd
 ./fileSystems
 ./snapshot
 ./sshd
diff --git a/modules/base/initrd/default.nix b/modules/base/initrd/default.nix
deleted file mode 100644
index 440d191..0000000
--- a/modules/base/initrd/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- options.mj.base.initrd = {
- enable = lib.mkEnableOption "Enable base initrd settings";
-
- hostKeys = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- description = "ssh private key for use in initrd.";
- };
-
- authorizedKeys = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- description = lib.mdDoc "Authorized keys for the root user on initrd.";
- };
- };
-
- config = lib.mkIf config.mj.base.initrd.enable {
- boot.initrd.network = {
- enable = true;
- ssh = {
- enable = true;
- port = 22;
- authorizedKeys = config.mj.base.initrd.authorizedKeys;
- hostKeys = config.mj.base.initrd.hostKeys;
- };
- postCommands = ''
- tee -a /root/.profile >/dev/null <