zfsunlock between fra1-a and vno1-oh2
parent
1db9253ae6
commit
de4b47b929
1
data.nix
1
data.nix
|
@ -51,6 +51,7 @@ rec {
|
|||
"fra1-a.servers.jakst" = rec {
|
||||
extraHostNames = ["fra1-a.jakstys.lt" publicIP jakstIP];
|
||||
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM";
|
||||
initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO";
|
||||
publicIP = "168.119.184.134";
|
||||
jakstIP = "100.89.176.5";
|
||||
};
|
||||
|
|
|
@ -83,6 +83,7 @@
|
|||
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
|
||||
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
|
||||
age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;
|
||||
age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
|
||||
|
||||
age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
|
||||
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
|
||||
|
@ -128,6 +129,7 @@
|
|||
home-manager.nixosModules.home-manager
|
||||
|
||||
{
|
||||
age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
|
||||
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
|
||||
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
|
||||
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
|
||||
|
|
|
@ -58,19 +58,40 @@
|
|||
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
|
||||
};
|
||||
};
|
||||
|
||||
zfsunlock = {
|
||||
enable = true;
|
||||
targets."vno1-oh2.servers.jakst" = let
|
||||
host = myData.hosts."vno1-oh2.servers.jakst";
|
||||
in {
|
||||
sshEndpoint = host.publicIP;
|
||||
pingEndpoint = host.jakstIP;
|
||||
remotePubkey = host.initrdPubKey;
|
||||
pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
|
||||
startAt = "*-*-* *:00/5:00";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.tailscale.enable = true;
|
||||
|
||||
services.nsd = {
|
||||
enable = true;
|
||||
interfaces = ["0.0.0.0" "::"];
|
||||
zones = {
|
||||
"jakstys.lt.".data = myData.jakstysLTZone;
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostId = "bed6fa0b";
|
||||
hostName = "fra1-a";
|
||||
domain = "servers.jakst";
|
||||
useDHCP = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [];
|
||||
allowedTCPPorts = [22];
|
||||
allowedUDPPorts = [53];
|
||||
allowedTCPPorts = [22 53];
|
||||
checkReversePath = "loose"; # for tailscale
|
||||
};
|
||||
};
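Review bot: The section that hands fra1-a the passphrase for vno1-oh2 (`pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path`) also appears to start an authoritative DNS server on every interface (`interfaces = ["0.0.0.0" "::"]`) and to widen the firewall to `allowedUDPPorts = [53];` and `allowedTCPPorts = [22 53];`, none of which the commit title mentions. A host that holds another machine's disk passphrase is best kept with as small a public surface as possible, so the DNS change deserves its own commit and a sentence in the description saying why it runs on this host. If nsd stays here, consider `services.nsd.ratelimit.enable = true;` so the new UDP listener is less useful for reflection. Which lines are new is inferred from the hunk counts, and the enclosing attribute sets open and close outside this hunk.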
|
||||
|
|
|
@ -163,6 +163,15 @@
|
|||
pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
|
||||
startAt = "*-*-* *:00/5:00";
|
||||
};
|
||||
targets."fra1-a.servers.jakst" = let
|
||||
host = myData.hosts."fra1-a.servers.jakst";
|
||||
in {
|
||||
sshEndpoint = host.publicIP;
|
||||
pingEndpoint = host.jakstIP;
|
||||
remotePubkey = host.initrdPubKey;
|
||||
pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
|
||||
startAt = "*-*-* *:00/5:00";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
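Review bot: The new `targets."fra1-a.servers.jakst"` entry completes a loop that is documented nowhere: vno1-oh2 unlocks fra1-a here, while fra1-a's own configuration unlocks vno1-oh2. If both machines reboot in the same window, neither `startAt = "*-*-* *:00/5:00";` timer can bring the other back, and recovery presumably falls to an operator key. A comment above the target would record this, for example `# mutual unlock with fra1-a: if both are down, unlock one by hand first`. The surrounding `targets` set begins outside this hunk.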
|
||||
|
|
|
@ -25,6 +25,7 @@ in
|
|||
"secrets/vno1-oh2/zfs-passphrase.age"
|
||||
]
|
||||
// mk ([vno1-oh2] ++ motiejus) [
|
||||
"secrets/fra1-a/zfs-passphrase.age"
|
||||
"secrets/hel1-a/zfs-passphrase.age"
|
||||
"secrets/vno1-oh2/borgbackup/password.age"
|
||||
"secrets/grafana.jakstys.lt/oidc.age"
|
||||
|
@ -35,6 +36,9 @@ in
|
|||
"secrets/synapse/registration_shared_secret.age"
|
||||
"secrets/synapse/macaroon_secret_key.age"
|
||||
]
|
||||
// mk ([fra1-a] ++ motiejus) [
|
||||
"secrets/vno1-oh2/zfs-passphrase.age"
|
||||
]
|
||||
// mk (systems ++ motiejus) [
|
||||
"secrets/motiejus_passwd_hash.age"
|
||||
"secrets/root_passwd_hash.age"
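Review bot: Nothing in this file says why one host may decrypt another host's pool passphrase, although the recipient lists now allow exactly that. The vno1-oh2 host key is a recipient of `secrets/fra1-a/zfs-passphrase.age` alongside `secrets/hel1-a/zfs-passphrase.age`, and the `mk ([fra1-a] ++ motiejus)` list makes fra1-a a recipient of `secrets/vno1-oh2/zfs-passphrase.age`. A compromise of either host key therefore exposes the other machine's disk passphrase. A comment on each list would make that trust relationship and the rotation duty explicit, for example `# fra1-a unlocks vno1-oh2 via zfsunlock; rotate this passphrase if fra1-a's host key is exposed`. Which entries are new is inferred from the hunk counts.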
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 gJrHQg yM+WLlPHrtg9dIM5BRQSCUVuQXeNFSvyKehmGrK26CQ
|
||||
LbaVlxObDhAFEVKQPlIe9BXCgxSxxojRgT93qdy3htg
|
||||
-> X25519 0VgHhZcxmleNElntzfLEAqOoTXLJr6Xkup37f7A2Dx4
|
||||
WxyGH19oAiFTXE9gruVmw9KPWbsIQ5oovpuk0KYvGc0
|
||||
-> piv-p256 +y2G/w AzBsHl2IJv3Lw/meLZ1hnY3dExQIHTvPG14txC1W9dAS
|
||||
ippCpnSLKf+9n8Ay5Ews2YCO6OKnDhk5tg+KWzPTMMk
|
||||
-> piv-p256 jNqd3A Azjgv04Hejs2X9o2DqdpBWeH8ElxzWtBOhIbIlIU8kSS
|
||||
AuBruFlr7DMv52LUH4Pzr/FLwGb+W26tCETedFrGtQw
|
||||
-> fLwx-grease
|
||||
+egHHlmILLWmY6o8rkrGc3acnHejaeXlDK5LJEtLxw5AR2zLUgHx2xu1XJyH/Rds
|
||||
v1WxS7Fh2RIXqTSPMqwOaE376eW6g2GTgIg+k+mdBBT6ohU+4mZEu2UlU9X5PC8
|
||||
--- r/PbL6kPBz3+a3JXIVp28+VVW5mblyiDcNofOCxhqeQ
|
||||
ñ12 %}¦¡º"™õR¥ï±DÀ:b`
|
||||
«$ Dº¡ýü¥Š]Éåˆ)¥ä¬£<C2AC>á
|
|
@ -1,14 +1,13 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 vDjOfg hQz/8dKNzISetnpTQAqSGyAzlxJxVKiTMc4iA38yXyE
|
||||
2TEo7UV6EyASIByWwliiLTqP0smmfKDi/UkDi8PMwwY
|
||||
-> X25519 KlnATfXI6zqAaVTSNO78la8rmyWMtVRww9BlF8/h7nc
|
||||
O5Digx7rg+JsCTncY6/aNVPNQeYHKpCf1EYwHIWdnvQ
|
||||
-> piv-p256 +y2G/w AgbNt1GusrDSgdy5tFoRrfga6alFvEph85HuU9NQ6lJE
|
||||
csay3X8DFRj3VEBrCGDz1ItIcL8lmZUEIQC7VMXExA4
|
||||
-> piv-p256 jNqd3A A1kYMKCBVoNt1a7ntDlxB75zZLEpkK+B2S/oEVtLb3L4
|
||||
Eim5jOLs+LeFtBW6Mx3Qum1ush7hLc5xm5sskPxkF9c
|
||||
-> czlN+-grease Ixf
|
||||
B8uHZdeLS17u6pLgeHiCCjNTvctel5Tby+GatAEssp9SzxZYZEKr2w42KpJe0k/F
|
||||
iKao
|
||||
--- w4iT5CdobRQzEKBiGyU60DIHxAn9SsJ++X0vYrECmuM
|
||||
öÍ_‰ ‘<>ÿÀÁÏW+@#Ì|3ž:; õà<C3B5>žU—`2÷ÊÚõÅebcÆgîíTÐU
|
||||
-> ssh-ed25519 qDkIVA bLw5WFgsPKhFO3EIHu/XW9rOP9f0XJEm0xPt9BvRyxE
|
||||
NiZ9Svg7rQ+5NvWRzYR8rhKkXeAbsNrvMuSkIHmqUOA
|
||||
-> X25519 OrIe+578PwiU5A/0H9pat0x/xBLAhwlWbltJ7iKS5SQ
|
||||
MqofA2gYoCzsCRupCDa4TxJcYOyNA1JsyCUDLih6nSQ
|
||||
-> piv-p256 +y2G/w A6ZNlsq/fpWTmaPovU/YocLivnPUvw4qDCIaPeIdJdxF
|
||||
B4IeN0DOpe8tfWspmyulpoGAdmn54lXNoRI7Fw3/vBA
|
||||
-> piv-p256 jNqd3A A/eBOEHyI7dT7qhikm8AXgUKzFalgXwK8MRON0HlWETx
|
||||
k5JSCyzzWVJnKDwjA5zLIWfUpMZS+5QD+sOt0O8dgiA
|
||||
-> 2D-grease Y7 @ oC,o/9m \OhPaN>H
|
||||
2frTiWy//1jNwg
|
||||
--- +XRRJvxig1nkYEHu3JBZiak/hysLvORYyDvzHJq74zw
|
||||
ÿ[ÆB×RÆw²ÛÕ‘02—=âPlÓ¦ÞV¨kv¼r<>ñ@'K–„yªƒM‡L1V±
|