diff --git a/data.nix b/data.nix
index f028ffb..4ba2fa9 100644
--- a/data.nix
+++ b/data.nix
@@ -51,6 +51,7 @@ rec {
 "fra1-a.servers.jakst" = rec {
 extraHostNames = ["fra1-a.jakstys.lt" publicIP jakstIP];
 publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM";
+ initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO";
 publicIP = "168.119.184.134";
 jakstIP = "100.89.176.5";
 };
diff --git a/flake.nix b/flake.nix
index 202a384..ef61070 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,7 @@
 age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
 age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
 age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;
+ age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
 age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
 age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
@@ -128,6 +129,7 @@
 home-manager.nixosModules.home-manager {
+ age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
 age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
 age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
 age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix
index 7f2aafd..e782586 100644
--- a/hosts/fra1-a/configuration.nix
+++ b/hosts/fra1-a/configuration.nix
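Review bot: The new `initrdPubKey` entry has no comment saying what it is, and nothing in data.nix distinguishes it from the `publicKey` two lines above; a reader only finds out by locating the `remotePubkey = host.initrdPubKey` use in the zfsunlock targets of the host configurations. I would annotate the line with `# host key of the initrd's sshd, pinned by zfsunlock via remotePubkey; distinct from the stage-2 publicKey above`. The diff cannot show where the key was captured from, so it is presumably worth confirming once against the initrd's own host-key file rather than a key copied from the running system.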
@@ -58,19 +58,40 @@
 publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
 };
 };
+
+ zfsunlock = {
+ enable = true;
+ targets."vno1-oh2.servers.jakst" = let
+ host = myData.hosts."vno1-oh2.servers.jakst";
+ in {
+ sshEndpoint = host.publicIP;
+ pingEndpoint = host.jakstIP;
+ remotePubkey = host.initrdPubKey;
+ pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
+ startAt = "*-*-* *:00/5:00";
+ };
+ };
 };
 };
 services.tailscale.enable = true;
+ services.nsd = {
+ enable = true;
+ interfaces = ["0.0.0.0" "::"];
+ zones = {
+ "jakstys.lt.".data = myData.jakstysLTZone;
+ };
+ };
+
 networking = {
 hostId = "bed6fa0b";
 hostName = "fra1-a";
 domain = "servers.jakst";
 useDHCP = true;
 firewall = {
- allowedUDPPorts = [];
- allowedTCPPorts = [22];
+ allowedUDPPorts = [53];
+ allowedTCPPorts = [22 53];
 checkReversePath = "loose"; # for tailscale
 };
 };
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index e02c048..ddc2ff5 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -163,6 +163,15 @@
 pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
 startAt = "*-*-* *:00/5:00";
 };
+ targets."fra1-a.servers.jakst" = let
+ host = myData.hosts."fra1-a.servers.jakst";
+ in {
+ sshEndpoint = host.publicIP;
+ pingEndpoint = host.jakstIP;
+ remotePubkey = host.initrdPubKey;
+ pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
+ startAt = "*-*-* *:00/5:00";
+ };
 };
 };
 };
diff --git a/secrets.nix b/secrets.nix
index b6f9952..d000c27 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -25,6 +25,7 @@ in
 "secrets/vno1-oh2/zfs-passphrase.age"
 ]
 // mk ([vno1-oh2] ++ motiejus) [
+ "secrets/fra1-a/zfs-passphrase.age"
 "secrets/hel1-a/zfs-passphrase.age"
 "secrets/vno1-oh2/borgbackup/password.age"
 "secrets/grafana.jakstys.lt/oidc.age"
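Review bot: `services.nsd` is bound to `0.0.0.0` and `::` and the firewall change admits 53/udp and 53/tcp from any source, but the new block enables no response rate limiting, so the public authoritative server for jakstys.lt can be used as a reflector in DNS amplification from spoofed sources. NSD does not recurse, so this is not an open resolver, but a per-source answer cap is the usual mitigation for an internet-facing authoritative server; the NixOS module appears to expose it as `services.nsd.ratelimit.enable = true;`, which should be verified against the module version in use. A short comment on `interfaces` would also help, since binding every address includes the tailscale interface and it is not clear from the hunk whether that is intended. The attribute set into which `zfsunlock` is inserted starts before the hunk.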
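Review bot: The new `targets."fra1-a.servers.jakst"` stanza is a line-for-line copy of the hel1-a one above it, and of the one this commit adds to hosts/fra1-a/configuration.nix, with only the host name and secret changed, so any future adjustment to the unlock parameters must be repeated in three places. A helper next to the host data, e.g. `mkZfsUnlockTarget = host: pwFile: { sshEndpoint = host.publicIP; pingEndpoint = host.jakstIP; remotePubkey = host.initrdPubKey; inherit pwFile; startAt = "*-*-* *:00/5:00"; };`, would reduce each target to a single line and keep the pinned-key and schedule settings in one spot. The enclosing `zfsunlock` block starts before the hunk.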
@@ -35,6 +36,9 @@ in "secrets/synapse/registration_shared_secret.age" "secrets/synapse/macaroon_secret_key.age" ] + // mk ([fra1-a] ++ motiejus) [ + "secrets/vno1-oh2/zfs-passphrase.age" + ] // mk (systems ++ motiejus) [ "secrets/motiejus_passwd_hash.age" "secrets/root_passwd_hash.age" diff --git a/secrets/fra1-a/zfs-passphrase.age b/secrets/fra1-a/zfs-passphrase.age new file mode 100644 index 0000000..64e5a63 --- /dev/null +++ b/secrets/fra1-a/zfs-passphrase.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 gJrHQg yM+WLlPHrtg9dIM5BRQSCUVuQXeNFSvyKehmGrK26CQ +LbaVlxObDhAFEVKQPlIe9BXCgxSxxojRgT93qdy3htg +-> X25519 0VgHhZcxmleNElntzfLEAqOoTXLJr6Xkup37f7A2Dx4 +WxyGH19oAiFTXE9gruVmw9KPWbsIQ5oovpuk0KYvGc0 +-> piv-p256 +y2G/w AzBsHl2IJv3Lw/meLZ1hnY3dExQIHTvPG14txC1W9dAS +ippCpnSLKf+9n8Ay5Ews2YCO6OKnDhk5tg+KWzPTMMk +-> piv-p256 jNqd3A Azjgv04Hejs2X9o2DqdpBWeH8ElxzWtBOhIbIlIU8kSS +AuBruFlr7DMv52LUH4Pzr/FLwGb+W26tCETedFrGtQw +-> fLwx-grease ++egHHlmILLWmY6o8rkrGc3acnHejaeXlDK5LJEtLxw5AR2zLUgHx2xu1XJyH/Rds +v1WxS7Fh2RIXqTSPMqwOaE376eW6g2GTgIg+k+mdBBT6ohU+4mZEu2UlU9X5PC8 +--- r/PbL6kPBz3+a3JXIVp28+VVW5mblyiDcNofOCxhqeQ +12 %}"RD:b` +$ D])䬣 \ No newline at end of file diff --git a/secrets/vno1-oh2/zfs-passphrase.age b/secrets/vno1-oh2/zfs-passphrase.age index 99d339d..2fe68b3 100644 --- a/secrets/vno1-oh2/zfs-passphrase.age +++ b/secrets/vno1-oh2/zfs-passphrase.age 
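Review bot: `secrets/vno1-oh2/zfs-passphrase.age` is now listed in two `mk` groups, the earlier one closed by the `]` at the top of the previous hunk and the new `mk ([fra1-a] ++ motiejus)` group, and the groups are joined with `//`, which replaces a same-named attribute rather than merging its `publicKeys`; unless `mk` (defined outside the hunk) does something other than yield one attribute per path, the earlier group's host recipient silently drops out. The re-encrypted file in the following hunk is consistent with that, since it still carries exactly one `ssh-ed25519` recipient stanza, now with a different key tag. If both hosts are meant to be able to unlock vno1-oh2, keep the path in a single group that names both, e.g. `// mk ([fra1-a <previous-host>] ++ motiejus) [ "secrets/vno1-oh2/zfs-passphrase.age" ]`, and delete it from the earlier group; if the unlocking duty has deliberately moved to fra1-a, delete the now-dead earlier entry and record the reason in a comment.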
@@ -1,14 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 vDjOfg hQz/8dKNzISetnpTQAqSGyAzlxJxVKiTMc4iA38yXyE -2TEo7UV6EyASIByWwliiLTqP0smmfKDi/UkDi8PMwwY --> X25519 KlnATfXI6zqAaVTSNO78la8rmyWMtVRww9BlF8/h7nc -O5Digx7rg+JsCTncY6/aNVPNQeYHKpCf1EYwHIWdnvQ --> piv-p256 +y2G/w AgbNt1GusrDSgdy5tFoRrfga6alFvEph85HuU9NQ6lJE -csay3X8DFRj3VEBrCGDz1ItIcL8lmZUEIQC7VMXExA4 --> piv-p256 jNqd3A A1kYMKCBVoNt1a7ntDlxB75zZLEpkK+B2S/oEVtLb3L4 -Eim5jOLs+LeFtBW6Mx3Qum1ush7hLc5xm5sskPxkF9c --> czlN+-grease Ixf -B8uHZdeLS17u6pLgeHiCCjNTvctel5Tby+GatAEssp9SzxZYZEKr2w42KpJe0k/F -iKao ---- w4iT5CdobRQzEKBiGyU60DIHxAn9SsJ++X0vYrECmuM -_ W+@#|3:; U`2ebcgTU \ No newline at end of file +-> ssh-ed25519 qDkIVA bLw5WFgsPKhFO3EIHu/XW9rOP9f0XJEm0xPt9BvRyxE +NiZ9Svg7rQ+5NvWRzYR8rhKkXeAbsNrvMuSkIHmqUOA +-> X25519 OrIe+578PwiU5A/0H9pat0x/xBLAhwlWbltJ7iKS5SQ +MqofA2gYoCzsCRupCDa4TxJcYOyNA1JsyCUDLih6nSQ +-> piv-p256 +y2G/w A6ZNlsq/fpWTmaPovU/YocLivnPUvw4qDCIaPeIdJdxF +B4IeN0DOpe8tfWspmyulpoGAdmn54lXNoRI7Fw3/vBA +-> piv-p256 jNqd3A A/eBOEHyI7dT7qhikm8AXgUKzFalgXwK8MRON0HlWETx +k5JSCyzzWVJnKDwjA5zLIWfUpMZS+5QD+sOt0O8dgiA +-> 2D-grease Y7 @ oC,o/9m \OhPaN>H +2frTiWy//1jNwg +--- +XRRJvxig1nkYEHu3JBZiak/hysLvORYyDvzHJq74zw +[BRw Ց02=PlӦVkvr@'KyML1V \ No newline at end of file