zfsunlock between fra1-a and vno1-oh2

2023-08-26 23:45:03 +03:00 · 2023-08-26 23:45:03 +03:00 · de4b47b929
parent 1db9253ae6
commit de4b47b929
7 changed files with 66 additions and 15 deletions
--- a/data.nix
+++ b/data.nix
@ -51,6 +51,7 @@ rec {
    "fra1-a.servers.jakst" = rec {
      extraHostNames = ["fra1-a.jakstys.lt" publicIP jakstIP];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM";
+      initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO";
      publicIP = "168.119.184.134";
      jakstIP = "100.89.176.5";
    };
--- a/flake.nix
+++ b/flake.nix
@ -83,6 +83,7 @@
            age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
            age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
            age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;
+            age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;

            age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
@ -128,6 +129,7 @@
          home-manager.nixosModules.home-manager

          {
+            age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
            age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
            age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
            age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
@ -58,19 +58,40 @@
          publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
        };
      };
+
+      zfsunlock = {
+        enable = true;
+        targets."vno1-oh2.servers.jakst" = let
+          host = myData.hosts."vno1-oh2.servers.jakst";
+        in {
+          sshEndpoint = host.publicIP;
+          pingEndpoint = host.jakstIP;
+          remotePubkey = host.initrdPubKey;
+          pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
+          startAt = "*-*-* *:00/5:00";
+        };
+      };
    };
  };

  services.tailscale.enable = true;

+  services.nsd = {
+    enable = true;
+    interfaces = ["0.0.0.0" "::"];
+    zones = {
+      "jakstys.lt.".data = myData.jakstysLTZone;
+    };
+  };
+
  networking = {
    hostId = "bed6fa0b";
    hostName = "fra1-a";
    domain = "servers.jakst";
    useDHCP = true;
    firewall = {
-      allowedUDPPorts = [];
-      allowedTCPPorts = [22];
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [22 53];
      checkReversePath = "loose"; # for tailscale
    };
  };
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@ -163,6 +163,15 @@
          pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
          startAt = "*-*-* *:00/5:00";
        };
+        targets."fra1-a.servers.jakst" = let
+          host = myData.hosts."fra1-a.servers.jakst";
+        in {
+          sshEndpoint = host.publicIP;
+          pingEndpoint = host.jakstIP;
+          remotePubkey = host.initrdPubKey;
+          pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
+          startAt = "*-*-* *:00/5:00";
+        };
      };
    };
  };
--- a/secrets.nix
+++ b/secrets.nix
@ -25,6 +25,7 @@ in
    "secrets/vno1-oh2/zfs-passphrase.age"
  ]
  // mk ([vno1-oh2] ++ motiejus) [
+    "secrets/fra1-a/zfs-passphrase.age"
    "secrets/hel1-a/zfs-passphrase.age"
    "secrets/vno1-oh2/borgbackup/password.age"
    "secrets/grafana.jakstys.lt/oidc.age"
@ -35,6 +36,9 @@ in
    "secrets/synapse/registration_shared_secret.age"
    "secrets/synapse/macaroon_secret_key.age"
  ]
+  // mk ([fra1-a] ++ motiejus) [
+    "secrets/vno1-oh2/zfs-passphrase.age"
+  ]
  // mk (systems ++ motiejus) [
    "secrets/motiejus_passwd_hash.age"
    "secrets/root_passwd_hash.age"
--- a/secrets/fra1-a/zfs-passphrase.age
+++ b/secrets/fra1-a/zfs-passphrase.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 gJrHQg yM+WLlPHrtg9dIM5BRQSCUVuQXeNFSvyKehmGrK26CQ
+LbaVlxObDhAFEVKQPlIe9BXCgxSxxojRgT93qdy3htg
+-> X25519 0VgHhZcxmleNElntzfLEAqOoTXLJr6Xkup37f7A2Dx4
+WxyGH19oAiFTXE9gruVmw9KPWbsIQ5oovpuk0KYvGc0
+-> piv-p256 +y2G/w AzBsHl2IJv3Lw/meLZ1hnY3dExQIHTvPG14txC1W9dAS
+ippCpnSLKf+9n8Ay5Ews2YCO6OKnDhk5tg+KWzPTMMk
+-> piv-p256 jNqd3A Azjgv04Hejs2X9o2DqdpBWeH8ElxzWtBOhIbIlIU8kSS
+AuBruFlr7DMv52LUH4Pzr/FLwGb+W26tCETedFrGtQw
+-> fLwx-grease
+egHHlmILLWmY6o8rkrGc3acnHejaeXlDK5LJEtLxw5AR2zLUgHx2xu1XJyH/Rds
+v1WxS7Fh2RIXqTSPMqwOaE376eW6g2GTgIg+k+mdBBT6ohU+4mZEu2UlU9X5PC8
+--- r/PbL6kPBz3+a3JXIVp28+VVW5mblyiDcNofOCxhqeQ
+ñ12	%}¦¡º"™õR¥ï±DÀ:b`
+«$	Dº¡ýü¥Š]Éåˆ)¥ä¬£<C2AC>á
--- a/secrets/vno1-oh2/zfs-passphrase.age
+++ b/secrets/vno1-oh2/zfs-passphrase.age
@ -1,14 +1,13 @@
 age-encryption.org/v1
-> ssh-ed25519 vDjOfg hQz/8dKNzISetnpTQAqSGyAzlxJxVKiTMc4iA38yXyE
-2TEo7UV6EyASIByWwliiLTqP0smmfKDi/UkDi8PMwwY
-> X25519 KlnATfXI6zqAaVTSNO78la8rmyWMtVRww9BlF8/h7nc
-O5Digx7rg+JsCTncY6/aNVPNQeYHKpCf1EYwHIWdnvQ
-> piv-p256 +y2G/w AgbNt1GusrDSgdy5tFoRrfga6alFvEph85HuU9NQ6lJE
-csay3X8DFRj3VEBrCGDz1ItIcL8lmZUEIQC7VMXExA4
-> piv-p256 jNqd3A A1kYMKCBVoNt1a7ntDlxB75zZLEpkK+B2S/oEVtLb3L4
-Eim5jOLs+LeFtBW6Mx3Qum1ush7hLc5xm5sskPxkF9c
-> czlN+-grease Ixf
-B8uHZdeLS17u6pLgeHiCCjNTvctel5Tby+GatAEssp9SzxZYZEKr2w42KpJe0k/F
-iKao
--- w4iT5CdobRQzEKBiGyU60DIHxAn9SsJ++X0vYrECmuM
-öÍ_‰	‘<>ÿÀÁÏW+@#Ì|3ž:; õà<C3B5>žU—`2÷ÊÚõÅebcÆgîíTÐU
+-> ssh-ed25519 qDkIVA bLw5WFgsPKhFO3EIHu/XW9rOP9f0XJEm0xPt9BvRyxE
+NiZ9Svg7rQ+5NvWRzYR8rhKkXeAbsNrvMuSkIHmqUOA
+-> X25519 OrIe+578PwiU5A/0H9pat0x/xBLAhwlWbltJ7iKS5SQ
+MqofA2gYoCzsCRupCDa4TxJcYOyNA1JsyCUDLih6nSQ
+-> piv-p256 +y2G/w A6ZNlsq/fpWTmaPovU/YocLivnPUvw4qDCIaPeIdJdxF
+B4IeN0DOpe8tfWspmyulpoGAdmn54lXNoRI7Fw3/vBA
+-> piv-p256 jNqd3A A/eBOEHyI7dT7qhikm8AXgUKzFalgXwK8MRON0HlWETx
+k5JSCyzzWVJnKDwjA5zLIWfUpMZS+5QD+sOt0O8dgiA
+-> 2D-grease Y7 @ oC,o/9m \OhPaN>H
+2frTiWy//1jNwg
+--- +XRRJvxig1nkYEHu3JBZiak/hysLvORYyDvzHJq74zw
+ÿ[ÆB×RÆw²ÛÕ‘02—=âPlÓ¦ÞV¨kv¼r<>ñ@'K–„yªƒM‡L1V±