motiejus/config
1
Fork 0
Code Packages Releases Activity

zfsunlock between fra1-a and vno1-oh2

Browse Source
This commit is contained in:
Motiejus Jakštys 2023-08-26 23:45:03 +03:00
parent 1db9253ae6
commit de4b47b929
7 changed files with 66 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
data.nix
View File

@ -51,6 +51,7 @@ rec {
"fra1-a.servers.jakst" = rec { "fra1-a.servers.jakst" = rec {
extraHostNames = ["fra1-a.jakstys.lt" publicIP jakstIP]; extraHostNames = ["fra1-a.jakstys.lt" publicIP jakstIP];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM";
initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO";
publicIP = "168.119.184.134"; publicIP = "168.119.184.134";
jakstIP = "100.89.176.5"; jakstIP = "100.89.176.5";
}; };

2
flake.nix
View File

@ -83,6 +83,7 @@
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age; age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age;
age.secrets.zfs-passphrase-fra1-a.file = ./secrets/fra1-a/zfs-passphrase.age;
age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; age.secrets.headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
@ -128,6 +129,7 @@
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age;
age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age;
age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;

25
hosts/fra1-a/configuration.nix
View File

@ -58,19 +58,40 @@
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
}; };
}; };
zfsunlock = {
enable = true;
targets."vno1-oh2.servers.jakst" = let
host = myData.hosts."vno1-oh2.servers.jakst";
in {
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
startAt = "*-*-* *:00/5:00";
};
};
}; };
}; };
services.tailscale.enable = true; services.tailscale.enable = true;
services.nsd = {
enable = true;
interfaces = ["0.0.0.0" "::"];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
};
};
networking = { networking = {
hostId = "bed6fa0b"; hostId = "bed6fa0b";
hostName = "fra1-a"; hostName = "fra1-a";
domain = "servers.jakst"; domain = "servers.jakst";
useDHCP = true; useDHCP = true;
firewall = { firewall = {
allowedUDPPorts = []; allowedUDPPorts = [53];
allowedTCPPorts = [22]; allowedTCPPorts = [22 53];
checkReversePath = "loose"; # for tailscale checkReversePath = "loose"; # for tailscale
}; };
}; };

9
hosts/vno1-oh2/configuration.nix
View File

@ -163,6 +163,15 @@
pwFile = config.age.secrets.zfs-passphrase-hel1-a.path; pwFile = config.age.secrets.zfs-passphrase-hel1-a.path;
startAt = "*-*-* *:00/5:00"; startAt = "*-*-* *:00/5:00";
}; };
targets."fra1-a.servers.jakst" = let
host = myData.hosts."fra1-a.servers.jakst";
in {
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
startAt = "*-*-* *:00/5:00";
};
}; };
}; };
}; };

4
secrets.nix
View File

@ -25,6 +25,7 @@ in
"secrets/vno1-oh2/zfs-passphrase.age" "secrets/vno1-oh2/zfs-passphrase.age"
] ]
// mk ([vno1-oh2] ++ motiejus) [ // mk ([vno1-oh2] ++ motiejus) [
"secrets/fra1-a/zfs-passphrase.age"
"secrets/hel1-a/zfs-passphrase.age" "secrets/hel1-a/zfs-passphrase.age"
"secrets/vno1-oh2/borgbackup/password.age" "secrets/vno1-oh2/borgbackup/password.age"
"secrets/grafana.jakstys.lt/oidc.age" "secrets/grafana.jakstys.lt/oidc.age"
@ -35,6 +36,9 @@ in
"secrets/synapse/registration_shared_secret.age" "secrets/synapse/registration_shared_secret.age"
"secrets/synapse/macaroon_secret_key.age" "secrets/synapse/macaroon_secret_key.age"
] ]
// mk ([fra1-a] ++ motiejus) [
"secrets/vno1-oh2/zfs-passphrase.age"
]
// mk (systems ++ motiejus) [ // mk (systems ++ motiejus) [
"secrets/motiejus_passwd_hash.age" "secrets/motiejus_passwd_hash.age"
"secrets/root_passwd_hash.age" "secrets/root_passwd_hash.age"

15
secrets/fra1-a/zfs-passphrase.age Normal file
View File

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 gJrHQg yM+WLlPHrtg9dIM5BRQSCUVuQXeNFSvyKehmGrK26CQ
LbaVlxObDhAFEVKQPlIe9BXCgxSxxojRgT93qdy3htg
-> X25519 0VgHhZcxmleNElntzfLEAqOoTXLJr6Xkup37f7A2Dx4
WxyGH19oAiFTXE9gruVmw9KPWbsIQ5oovpuk0KYvGc0
-> piv-p256 +y2G/w AzBsHl2IJv3Lw/meLZ1hnY3dExQIHTvPG14txC1W9dAS
ippCpnSLKf+9n8Ay5Ews2YCO6OKnDhk5tg+KWzPTMMk
-> piv-p256 jNqd3A Azjgv04Hejs2X9o2DqdpBWeH8ElxzWtBOhIbIlIU8kSS
AuBruFlr7DMv52LUH4Pzr/FLwGb+W26tCETedFrGtQw
-> fLwx-grease
+egHHlmILLWmY6o8rkrGc3acnHejaeXlDK5LJEtLxw5AR2zLUgHx2xu1XJyH/Rds
v1WxS7Fh2RIXqTSPMqwOaE376eW6g2GTgIg+k+mdBBT6ohU+4mZEu2UlU9X5PC8
--- r/PbL6kPBz3+a3JXIVp28+VVW5mblyiDcNofOCxhqeQ
ñ12 %}¦¡º"™õR¥ï±DÀ:b`
«$ Dº¡ýü¥Š]Éåˆ)¥ä¬£<C2AC>á

25
secrets/vno1-oh2/zfs-passphrase.age
View File

@ -1,14 +1,13 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 vDjOfg hQz/8dKNzISetnpTQAqSGyAzlxJxVKiTMc4iA38yXyE -> ssh-ed25519 qDkIVA bLw5WFgsPKhFO3EIHu/XW9rOP9f0XJEm0xPt9BvRyxE
2TEo7UV6EyASIByWwliiLTqP0smmfKDi/UkDi8PMwwY NiZ9Svg7rQ+5NvWRzYR8rhKkXeAbsNrvMuSkIHmqUOA
-> X25519 KlnATfXI6zqAaVTSNO78la8rmyWMtVRww9BlF8/h7nc -> X25519 OrIe+578PwiU5A/0H9pat0x/xBLAhwlWbltJ7iKS5SQ
O5Digx7rg+JsCTncY6/aNVPNQeYHKpCf1EYwHIWdnvQ MqofA2gYoCzsCRupCDa4TxJcYOyNA1JsyCUDLih6nSQ
-> piv-p256 +y2G/w AgbNt1GusrDSgdy5tFoRrfga6alFvEph85HuU9NQ6lJE -> piv-p256 +y2G/w A6ZNlsq/fpWTmaPovU/YocLivnPUvw4qDCIaPeIdJdxF
csay3X8DFRj3VEBrCGDz1ItIcL8lmZUEIQC7VMXExA4 B4IeN0DOpe8tfWspmyulpoGAdmn54lXNoRI7Fw3/vBA
-> piv-p256 jNqd3A A1kYMKCBVoNt1a7ntDlxB75zZLEpkK+B2S/oEVtLb3L4 -> piv-p256 jNqd3A A/eBOEHyI7dT7qhikm8AXgUKzFalgXwK8MRON0HlWETx
Eim5jOLs+LeFtBW6Mx3Qum1ush7hLc5xm5sskPxkF9c k5JSCyzzWVJnKDwjA5zLIWfUpMZS+5QD+sOt0O8dgiA
-> czlN+-grease Ixf -> 2D-grease Y7 @ oC,o/9m \OhPaN>H
B8uHZdeLS17u6pLgeHiCCjNTvctel5Tby+GatAEssp9SzxZYZEKr2w42KpJe0k/F 2frTiWy//1jNwg
iKao --- +XRRJvxig1nkYEHu3JBZiak/hysLvORYyDvzHJq74zw
--- w4iT5CdobRQzEKBiGyU60DIHxAn9SsJ++X0vYrECmuM ÿ[ÆB×RÆw² ÛÕ02—=âPlÓ¦ÞV¨kv¼r<>ñ@'K„yªƒM‡L1V±
öÍ_‰ <>ÿÀÁÏW+@#Ì|3ž:;  õà<C3B5>žU—`2÷ÊÚõÅebc­ÆgîíTÐU