[host/elysia-clarki] Decommision

flake.nix

@@ -95,7 +95,6 @@
       "helix-texta"
       "murex-pecten"
       "cornu-aspersum"
-      "elysia-clarki"
       "trochulus-hispidus"
       "radix-balthica"
       "faunus-ater"
@@ -204,21 +203,6 @@
             inputs.glados.nixosModules.glados
           ];
         };
-        elysia-clarki = {pkgs, ...}: {
-          imports = [
-            ./hosts/elysia-clarki.nix
-            ./hardware/intel-nuc.nix
-            ./modules/local-build-service.nix
-            ./modules/nginx-reverse-proxy.nix
-            #./modules/binary-cache.nix
-            ./modules/ccqcraft-backups.nix
-            #inputs.hydra.nixosModules.hydra
-          ];
-          config = {
-            # Override kernel version for zfs
-            boot.kernelPackages = pkgs.linuxPackages_5_15;
-          };
-        };
         trochulus-hispidus = {pkgs, ...}: {
           imports = [
             ./hosts/trochulus-hispidus.nix

hosts/cornu-aspersum.nix

@@ -65,10 +65,6 @@
         v4 = "100.86.42.110";
         v6 = "fd7a:115c:a1e0:ab12:4843:cd96:6256:2a6e";
       };
-      elysia-clarki = {
-        v4 = "100.104.138.12";
-        v6 = "fd7a:115c:a1e0:ab12:4843:cd96:6268:8a0c";
-      };
       faunus-ater = {
         v4 = "100.108.135.4";
         v6 = "fd7a:115c:a1e0:ab12:4843:cd96:626c:8704";
@@ -90,7 +86,7 @@
                           1) ; Negative Cache TTL
         @            NS    home.
         ${point "home." cornu-aspersum}
-        ${point "foto" elysia-clarki}
+        ${point "foto" faunus-ater}
         ${point "mc" cornu-aspersum}
         ${point "doc" faunus-ater}
         ${point "sheet" faunus-ater}

hosts/elysia-clarki.nix

@@ -1,114 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: let
-  sopsPath = key: config.sops.secrets.${key}.path;
-in {
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.supportedFilesystems = ["zfs"];
-
-  networking.hostName = "elysia-clarki";
-  networking.interfaces.eno1.useDHCP = true;
-  networking.hostId = "265bb40a";
-
-  settings.ssh.openOutsideVPN = true;
-
-  virtualisation = {
-    podman = {
-      enable = true;
-      # Create a `docker` alias for podman, to use it as a drop-in replacement
-      dockerCompat = true;
-      dockerSocket.enable = true;
-      defaultNetwork.dnsname.enable = true;
-      extraPackages = with pkgs; [zfs];
-    };
-    oci-containers.backend = "podman";
-    # Override storage driver
-    containers.storage.settings = {
-      storage = {
-        driver = "zfs";
-        graphroot = "/var/lib/containers/storage";
-        runroot = "/run/containers/storage";
-      };
-    };
-  };
-
-  services.photoprism = {
-    enable = true;
-    url = "https://elysia-clarki";
-    port = 2342;
-    rootDir = "/srv/hnd/photoprism";
-    environmentFile = config.sops.secrets."photoprism-env".path;
-  };
-  services.nginx.virtualHosts."foto.home" = {
-    forceSSL = true;
-    sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
-    sslCertificateKey = sopsPath "nginx-cert-key";
-    sslCertificate = sopsPath "nginx-cert-crt";
-    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString config.services.photoprism.port}";
-      proxyWebsockets = true;
-    };
-  };
-
-  services.resticConfigured = {
-    enable = true;
-    rootDir = "/srv/hnd/restic";
-    openFirewall = true;
-  };
-
-  # === TASKSERVER ===
-  services.taskserver = {
-    enable = true;
-    dataDir = "/srv/hnd/taskserver";
-    fqdn = "elysia-clarki";
-    listenHost = "0.0.0.0";
-    organisations.default = {
-      users = ["malte"];
-    };
-    pki.manual = {
-      ca.cert = sopsPath "taskserver-ca-cert";
-      server.key = sopsPath "taskserver-server-key";
-      server.crl = sopsPath "taskserver-server-crl";
-      server.cert = sopsPath "taskserver-server-cert";
-    };
-  };
-
-  services.fwupd.enable = true;
-
-  #### RUNTIME SECRETS ####
-  sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-  sops.secrets = let
-    taskserverSecretConfig = {
-      owner = config.users.users.taskd.name;
-      group = config.users.groups.taskd.name;
-      mode = "0440";
-    };
-  in {
-    taskserver-ca-cert = taskserverSecretConfig;
-    taskserver-server-key = taskserverSecretConfig;
-    taskserver-server-crl = taskserverSecretConfig;
-    taskserver-server-cert = taskserverSecretConfig;
-    photoprism-env = {};
-    nginx-cert-key = {
-      owner = config.users.users.nginx.name;
-      mode = "0400";
-    };
-    nginx-cert-crt = {
-      owner = config.users.users.nginx.name;
-      mode = "0400";
-    };
-  };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.05"; # Did you read the comment?
-}

hosts/faunus-ater.nix

@@ -200,7 +200,7 @@ in {
     in ''
       if [ ! -e ~hydra/.setup-is-complete ]; then
         # create admin user
-        ${hydra-create-user} admin --full-name 'Admin Mc. Admining' --email-address 'admin@elysia-clarki' --password "$USER_PW" --role admin || exit 1
+        ${hydra-create-user} admin --full-name 'Admin Mc. Admining' --email-address 'admin@faunus-ater' --password "$USER_PW" --role admin || exit 1
         # done
         touch ~hydra/.setup-is-complete
       fi
@@ -239,6 +239,32 @@ in {
     };
   };
 
+  # === Photoprism ===
+  services.photoprism = {
+    enable = true;
+    url = "https://foto.home";
+    port = 2342;
+    rootDir = "/data/dirty/photoprism";
+    environmentFile = config.sops.secrets."photoprism-env".path;
+  };
+  services.nginx.virtualHosts."foto.home" = {
+    forceSSL = true;
+    sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
+    sslCertificateKey = sopsPath "nginx-cert-key";
+    sslCertificate = sopsPath "nginx-cert-crt";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.photoprism.port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  # === Restic User Backup ===
+  services.resticConfigured = {
+    enable = true;
+    rootDir = "/data/dirty/restic";
+    openFirewall = true;
+  };
+
   # === Grafana ===
   services.grafanaHome = {
     enable = true;
@@ -319,6 +345,7 @@ in {
   sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
   sops.secrets = {
     "paperless-admin-password" = {};
+    "photoprism-env" = {};
     "grafana-admin-password" = {
       owner = config.users.users.grafana.name;
       mode = "0400";

hosts/trochulus-hispidus.nix

@@ -86,9 +86,6 @@
     fontconfig = {enable = true;};
   };
 
-  sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

modules/base-system.nix

@@ -60,8 +60,6 @@ in {
         "2a-emulator.cachix.org-1:ijJDEqNsMqhamxxWvqOiaCQNoYhWNw7A+gGICgAH1mE="
         "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
         "nickel.cachix.org-1:ABoCOGpTJbAum7U6c+04VbjvLxG9f0gJP5kYihRRdQs="
-        # Currently running hydra
-        "elysia-clarki:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
       ];
       substituters = [
         "https://cache.nixos.org"

modules/binary-cache.nix

@@ -1,20 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}: {
-  services.nginx.virtualHosts."cache.home.dyn.tammena.rocks" = {
-    serverAliases = ["cache.elysia-clarki"];
-    locations."/" = {
-      proxyPass = "http://localhost:${builtins.toString config.services.nix-serve.port}";
-      extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      '';
-    };
-    # This needs reachability over the inter-webs, which is currently limited to IPv6
-    enableACME = false;
-    forceSSL = false;
-  };
-}

modules/local-build-service.nix

@@ -1,38 +0,0 @@
-{pkgs, ...}: let
-  targetHosts = ["helix-texta" "elysia-clarki"];
-
-  remote = "https://git.sr.ht/~megamanmalte/nixos";
-
-  buildForHost = host:
-    with pkgs; ''
-      nixos-rebuild build --flake .#${host} || exit 1
-    '';
-
-  build = with pkgs;
-    writeScriptBin "build" ''
-      #!${stdenv.shell}
-
-      rm -rf nixos
-      git clone ${remote} || exit 2
-      cd nixos
-      ${builtins.concatStringsSep "\n" (map buildForHost targetHosts)}
-      rm result
-    '';
-in {
-  systemd.services.local-build-service = {
-    unitConfig = {
-      Description = ''
-        Regularly pull and build various configuration to populate the local store
-      '';
-      After = ["network.target"];
-    };
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = ["${build}/bin/build"];
-      RuntimeDirectory = "local-build-service";
-      CacheDirectory = "local-build-service";
-      CacheDirectoryMode = "0777";
-      Environment = with pkgs; "PATH=${git}/bin:${coreutils}/bin:${nixos-rebuild}/bin";
-    };
-  };
-}

modules/restic.nix

@@ -37,8 +37,8 @@ in {
 
     # TODO: This should be moved
     systemd.services.restic-rest-server.unitConfig = {
-      Requires = lib.mkForce ["network.target" "luks-open-HND.service"];
-      After = lib.mkForce ["network.target" "luks-open-HND.service"];
+      Requires = lib.mkForce ["network.target"];
+      After = lib.mkForce ["network.target"];
     };
   };
 }

secrets/hosts/faunus-ater/secrets.yaml

@@ -1,4 +1,5 @@
 paperless-admin-password: ENC[AES256_GCM,data:6DFS/9+2K/zsiYr8kbkwrvknqtc1AOypsyoHwvg=,iv:ZdB5TN8x4917ZuIMcdazPO5GpuSq9Xi7Hu2iTFsLqvM=,tag:f8hDRMkR7C+ElA0h54l0Yw==,type:str]
+photoprism-env: ENC[AES256_GCM,data:OeZEln/BH1n/LJAmfosImF62sDCHZdVSlRvlSRrJ+iuORe9pirPTzq8jXwdUt3GLQUSNljY996EPCg==,iv:5q6WxR2L4Fo3Ej3LrXmnAh+HdSL+xxCZ1s65A29Mccs=,tag:AB4QZcMb5l9CUI6f182Mqg==,type:str]
 grafana-admin-password: ENC[AES256_GCM,data:/pbvx2tWzXd6JeXPHtmMpVA1BTxcjsMJDq+Z7iRXBmCD+OfKvA==,iv:eZjBtG45XZjGIQ4SQjIkC8Ky+9wloMxeMuM4OKUxqa4=,tag:V466dlV1JZfjiNaF+rjaqA==,type:str]
 internal-restic-password: ENC[AES256_GCM,data:fL/kqEb4YGD3zV1IpTT30Sq3XQsQymixkiHxjx4DGWBACQ==,iv:m7cW95I2nQ7S9Iz9MICEbpe2UZZsE1DLtz2v1d3kkz4=,tag:s9226vT/KxPdnLsb5Z52Mw==,type:str]
 hydra-admin-password: ENC[AES256_GCM,data:fzcFWbU6AjIVP7BaANE3RhPXYKm7HxMnNxj2Trk=,iv:VvOnYhVR3EvNatNazZZvSL7XJ8DpMn+tvGi1+SVdxkA=,tag:Nn1DPlBI2RXCwz+7CHMe9w==,type:str]
@@ -22,8 +23,8 @@ sops:
             cUZZQ1N4dGxpR2VLR1ZjTlFmTmwvTGsKzvsg2Uh2LzE5vXrdxW+H3ACP9kbFO1Rb
             XUyEF6E40UGTR40J8CqV7IvnHVvaLVIekW51MyKVGNyBG1phOne10w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-13T17:43:44Z"
-    mac: ENC[AES256_GCM,data:b2vwP8h15gYvZJ4y9U2qrJOSQu9DU4Qu7py9Isjdzvcw4Xd5Gg/tIk5+wWTfZXBakxQIt61RoM7UYVVCbJom8VN+tEmMkRjbzdrT/lNTovI4NovLGMdxMBOMX13TAuvoqIfr1zTf/vejOjTPf4byRbt+izRR/OwwSwoezJf4P+Q=,iv:ifBprjx7jG2K3/HkgAvyjGkGcx5XA8o5UgZeKqEAYIY=,tag:a6bAIwYFSSo6bfFEV9oHSg==,type:str]
+    lastmodified: "2022-09-26T14:58:24Z"
+    mac: ENC[AES256_GCM,data:cf4V6aClZEK29H6S2C3cMWNRsvlL5JrkYZZd0pgILDXXs0XkcxNBJx7bp9Pbghz31vY/ElcW5cGgWWMYA38BFgRiH+WIBE4oebbUvAxhq2q7Pl4kgu8O4EACu9m3odhuKyxj1L/FJgcbg4qAhBLgJzjweD5jKY5FwKjzDU+M7gI=,iv:lw8BEWzXOI1/VGkVcbAQ+JxhsbHYlqOgf9NYGx6SYH8=,tag:a+S1L6mc96R0KJwLxAal4Q==,type:str]
     pgp:
         - created_at: "2022-06-04T20:24:49Z"
           enc: |
@@ -46,4 +47,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
     unencrypted_suffix: _unencrypted
-    version: 3.7.2
+    version: 3.7.3

users/modules/restic-backup.nix

@@ -13,7 +13,7 @@
   resticCmd = "${pkgs.restic}/bin/restic";
   inherit (config.home) username;
 
-  repository = "rest:http://elysia-clarki:8000/${username}";
+  repository = "rest:http://faunus-ater:8000/${username}";
   passwordFile = nixosConfig.sops.secrets."restic-backup-${username}".path;
   defaultPruneOpts = [
     "--keep-hourly 5"
@@ -51,9 +51,9 @@ in {
     # Add the above env variables, so that using restic is easy for them
     home.sessionVariables = sessionVars;
     # Create a systemd service for the backup
-    systemd.user.services.restic-backups-to-elysia-clarki = {
+    systemd.user.services.restic-backups-to-faunus-ater = {
       Unit = {
-        Description = "Backup to elysia-clarki using restic";
+        Description = "Backup to faunus-ater using restic";
         After = ["network.target"];
       };
 
@@ -61,14 +61,14 @@ in {
         Type = "oneshot";
         ExecStart = [
           # Start by backing up every directory requested
-          "${resticCmd} backup --cache-dir=%C/restic-backups-to-elysia-clarki ${
+          "${resticCmd} backup --cache-dir=%C/restic-backups-to-faunus-ater ${
             toString cfg.paths
           }"
           # Prune old backups to keep the repo tidy
           "${resticCmd} forget --prune ${toString cfg.pruneOpts}"
         ];
-        RuntimeDirectory = "restic-backups-to-elysia-clarki";
-        CacheDirectory = "restic-backups-to-elysia-clarki";
+        RuntimeDirectory = "restic-backups-to-faunus-ater";
+        CacheDirectory = "restic-backups-to-faunus-ater";
         CacheDirectoryMode = "0700";
         # Convert the above map of environment variables into a list
         # of "KEY=VALUE" entrie
@@ -78,7 +78,7 @@ in {
       };
     };
     # Run the above service every hour
-    systemd.user.timers.restic-backups-to-elysia-clarki = {
+    systemd.user.timers.restic-backups-to-faunus-ater = {
       Unit = {Description = "Run restic backups every hour";};
       Install = {WantedBy = ["timers.target"];};
       Timer = {