[host/elysia-clarki] Decommission

This commit is contained in:
Malte Tammena 2022-09-26 17:11:16 +02:00
parent d419488294
commit 3430cb28db
12 changed files with 42 additions and 258 deletions


@ -95,7 +95,6 @@
"helix-texta"
"murex-pecten"
"cornu-aspersum"
"elysia-clarki"
"trochulus-hispidus"
"radix-balthica"
"faunus-ater"
@ -204,21 +203,6 @@
inputs.glados.nixosModules.glados
];
};
elysia-clarki = {pkgs, ...}: {
imports = [
./hosts/elysia-clarki.nix
./hardware/intel-nuc.nix
./modules/local-build-service.nix
./modules/nginx-reverse-proxy.nix
#./modules/binary-cache.nix
./modules/ccqcraft-backups.nix
#inputs.hydra.nixosModules.hydra
];
config = {
# Override kernel version for zfs
boot.kernelPackages = pkgs.linuxPackages_5_15;
};
};
trochulus-hispidus = {pkgs, ...}: {
imports = [
./hosts/trochulus-hispidus.nix


@ -65,10 +65,6 @@
v4 = "100.86.42.110";
v6 = "fd7a:115c:a1e0:ab12:4843:cd96:6256:2a6e";
};
elysia-clarki = {
v4 = "100.104.138.12";
v6 = "fd7a:115c:a1e0:ab12:4843:cd96:6268:8a0c";
};
faunus-ater = {
v4 = "100.108.135.4";
v6 = "fd7a:115c:a1e0:ab12:4843:cd96:626c:8704";
@ -90,7 +86,7 @@
1) ; Negative Cache TTL
@ NS home.
${point "home." cornu-aspersum}
${point "foto" elysia-clarki}
${point "foto" faunus-ater}
${point "mc" cornu-aspersum}
${point "doc" faunus-ater}
${point "sheet" faunus-ater}


@ -1,114 +0,0 @@
{
config,
pkgs,
lib,
...
}: let
sopsPath = key: config.sops.secrets.${key}.path;
in {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.supportedFilesystems = ["zfs"];
networking.hostName = "elysia-clarki";
networking.interfaces.eno1.useDHCP = true;
networking.hostId = "265bb40a";
settings.ssh.openOutsideVPN = true;
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
dockerSocket.enable = true;
defaultNetwork.dnsname.enable = true;
extraPackages = with pkgs; [zfs];
};
oci-containers.backend = "podman";
# Override storage driver
containers.storage.settings = {
storage = {
driver = "zfs";
graphroot = "/var/lib/containers/storage";
runroot = "/run/containers/storage";
};
};
};
services.photoprism = {
enable = true;
url = "https://elysia-clarki";
port = 2342;
rootDir = "/srv/hnd/photoprism";
environmentFile = config.sops.secrets."photoprism-env".path;
};
services.nginx.virtualHosts."foto.home" = {
forceSSL = true;
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
sslCertificateKey = sopsPath "nginx-cert-key";
sslCertificate = sopsPath "nginx-cert-crt";
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.photoprism.port}";
proxyWebsockets = true;
};
};
services.resticConfigured = {
enable = true;
rootDir = "/srv/hnd/restic";
openFirewall = true;
};
# === TASKSERVER ===
services.taskserver = {
enable = true;
dataDir = "/srv/hnd/taskserver";
fqdn = "elysia-clarki";
listenHost = "0.0.0.0";
organisations.default = {
users = ["malte"];
};
pki.manual = {
ca.cert = sopsPath "taskserver-ca-cert";
server.key = sopsPath "taskserver-server-key";
server.crl = sopsPath "taskserver-server-crl";
server.cert = sopsPath "taskserver-server-cert";
};
};
services.fwupd.enable = true;
#### RUNTIME SECRETS ####
sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets = let
taskserverSecretConfig = {
owner = config.users.users.taskd.name;
group = config.users.groups.taskd.name;
mode = "0440";
};
in {
taskserver-ca-cert = taskserverSecretConfig;
taskserver-server-key = taskserverSecretConfig;
taskserver-server-crl = taskserverSecretConfig;
taskserver-server-cert = taskserverSecretConfig;
photoprism-env = {};
nginx-cert-key = {
owner = config.users.users.nginx.name;
mode = "0400";
};
nginx-cert-crt = {
owner = config.users.users.nginx.name;
mode = "0400";
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -200,7 +200,7 @@ in {
in ''
if [ ! -e ~hydra/.setup-is-complete ]; then
# create admin user
${hydra-create-user} admin --full-name 'Admin Mc. Admining' --email-address 'admin@elysia-clarki' --password "$USER_PW" --role admin || exit 1
${hydra-create-user} admin --full-name 'Admin Mc. Admining' --email-address 'admin@faunus-ater' --password "$USER_PW" --role admin || exit 1
# done
touch ~hydra/.setup-is-complete
fi
@ -239,6 +239,32 @@ in {
};
};
# === Photoprism ===
services.photoprism = {
enable = true;
url = "https://foto.home";
port = 2342;
rootDir = "/data/dirty/photoprism";
environmentFile = config.sops.secrets."photoprism-env".path;
};
services.nginx.virtualHosts."foto.home" = {
forceSSL = true;
sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
sslCertificateKey = sopsPath "nginx-cert-key";
sslCertificate = sopsPath "nginx-cert-crt";
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.photoprism.port}";
proxyWebsockets = true;
};
};
# === Restic User Backup ===
services.resticConfigured = {
enable = true;
rootDir = "/data/dirty/restic";
openFirewall = true;
};
# === Grafana ===
services.grafanaHome = {
enable = true;
@ -319,6 +345,7 @@ in {
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets = {
"paperless-admin-password" = {};
"photoprism-env" = {};
"grafana-admin-password" = {
owner = config.users.users.grafana.name;
mode = "0400";
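Review bot: The new `services.resticConfigured` block in the second hunk sets `openFirewall = true` without any note on what that exposes, while the home-manager client changed in this same commit reaches the repository as `rest:http://faunus-ater:8000/${username}`, i.e. plain HTTP, and nothing in the hunk shows whether the rest-server requires client authentication or whether the port is reachable only over the VPN. A one-line comment such as `# Opens the rest-server port; repository contents are client-side encrypted, but access control depends on <rest-server auth / VPN-only reachability — confirm>` would record the intended trust boundary, and if the server is meant to be tailnet-only, limiting the firewall opening to that interface is worth considering. `services.resticConfigured` is a project-local module, so what `openFirewall` actually opens is inferred from its name rather than visible here. The enclosing attribute set starts and ends outside the hunk.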


@ -86,9 +86,6 @@
fontconfig = {enable = true;};
};
sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave


@ -60,8 +60,6 @@ in {
"2a-emulator.cachix.org-1:ijJDEqNsMqhamxxWvqOiaCQNoYhWNw7A+gGICgAH1mE="
"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
"nickel.cachix.org-1:ABoCOGpTJbAum7U6c+04VbjvLxG9f0gJP5kYihRRdQs="
# Currently running hydra
"elysia-clarki:/ioV+oXpVgxDOZJvXIWmnyL83ERT4W6eW4SDEpnRbxU="
];
substituters = [
"https://cache.nixos.org"


@ -1,20 +0,0 @@
{
pkgs,
config,
...
}: {
services.nginx.virtualHosts."cache.home.dyn.tammena.rocks" = {
serverAliases = ["cache.elysia-clarki"];
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.nix-serve.port}";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
# This needs reachability over the inter-webs, which is currently limited to IPv6
enableACME = false;
forceSSL = false;
};
}


@ -1,38 +0,0 @@
{pkgs, ...}: let
targetHosts = ["helix-texta" "elysia-clarki"];
remote = "https://git.sr.ht/~megamanmalte/nixos";
buildForHost = host:
with pkgs; ''
nixos-rebuild build --flake .#${host} || exit 1
'';
build = with pkgs;
writeScriptBin "build" ''
#!${stdenv.shell}
rm -rf nixos
git clone ${remote} || exit 2
cd nixos
${builtins.concatStringsSep "\n" (map buildForHost targetHosts)}
rm result
'';
in {
systemd.services.local-build-service = {
unitConfig = {
Description = ''
Regularly pull and build various configuration to populate the local store
'';
After = ["network.target"];
};
serviceConfig = {
Type = "oneshot";
ExecStart = ["${build}/bin/build"];
RuntimeDirectory = "local-build-service";
CacheDirectory = "local-build-service";
CacheDirectoryMode = "0777";
Environment = with pkgs; "PATH=${git}/bin:${coreutils}/bin:${nixos-rebuild}/bin";
};
};
}


@ -37,8 +37,8 @@ in {
# TODO: This should be moved
systemd.services.restic-rest-server.unitConfig = {
Requires = lib.mkForce ["network.target" "luks-open-HND.service"];
After = lib.mkForce ["network.target" "luks-open-HND.service"];
Requires = lib.mkForce ["network.target"];
After = lib.mkForce ["network.target"];
};
};
}
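Review bot: Dropping `luks-open-HND.service` from `Requires`/`After` leaves restic-rest-server ordered only after `network.target`, so nothing in this unit now ties it to the storage under its data directory (`/data/dirty/restic` on faunus-ater, per the host config elsewhere in this commit). If that path lives on a volume that is unlocked or mounted after boot, the server can start against an empty directory and serve or create repository data on the wrong filesystem; `unitConfig.RequiresMountsFor = "/data/dirty/restic";` (or an ordering on whichever unit provides that volume) would preserve the guarantee the LUKS dependency used to give. Whether `/data` is such a volume is not visible here, and the `# TODO: This should be moved` comment above the block still applies after this change. The enclosing attribute set starts outside the hunk.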



@ -1,4 +1,5 @@
paperless-admin-password: ENC[AES256_GCM,data:6DFS/9+2K/zsiYr8kbkwrvknqtc1AOypsyoHwvg=,iv:ZdB5TN8x4917ZuIMcdazPO5GpuSq9Xi7Hu2iTFsLqvM=,tag:f8hDRMkR7C+ElA0h54l0Yw==,type:str]
photoprism-env: ENC[AES256_GCM,data:OeZEln/BH1n/LJAmfosImF62sDCHZdVSlRvlSRrJ+iuORe9pirPTzq8jXwdUt3GLQUSNljY996EPCg==,iv:5q6WxR2L4Fo3Ej3LrXmnAh+HdSL+xxCZ1s65A29Mccs=,tag:AB4QZcMb5l9CUI6f182Mqg==,type:str]
grafana-admin-password: ENC[AES256_GCM,data:/pbvx2tWzXd6JeXPHtmMpVA1BTxcjsMJDq+Z7iRXBmCD+OfKvA==,iv:eZjBtG45XZjGIQ4SQjIkC8Ky+9wloMxeMuM4OKUxqa4=,tag:V466dlV1JZfjiNaF+rjaqA==,type:str]
internal-restic-password: ENC[AES256_GCM,data:fL/kqEb4YGD3zV1IpTT30Sq3XQsQymixkiHxjx4DGWBACQ==,iv:m7cW95I2nQ7S9Iz9MICEbpe2UZZsE1DLtz2v1d3kkz4=,tag:s9226vT/KxPdnLsb5Z52Mw==,type:str]
hydra-admin-password: ENC[AES256_GCM,data:fzcFWbU6AjIVP7BaANE3RhPXYKm7HxMnNxj2Trk=,iv:VvOnYhVR3EvNatNazZZvSL7XJ8DpMn+tvGi1+SVdxkA=,tag:Nn1DPlBI2RXCwz+7CHMe9w==,type:str]
@ -22,8 +23,8 @@ sops:
cUZZQ1N4dGxpR2VLR1ZjTlFmTmwvTGsKzvsg2Uh2LzE5vXrdxW+H3ACP9kbFO1Rb
XUyEF6E40UGTR40J8CqV7IvnHVvaLVIekW51MyKVGNyBG1phOne10w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-13T17:43:44Z"
mac: ENC[AES256_GCM,data:b2vwP8h15gYvZJ4y9U2qrJOSQu9DU4Qu7py9Isjdzvcw4Xd5Gg/tIk5+wWTfZXBakxQIt61RoM7UYVVCbJom8VN+tEmMkRjbzdrT/lNTovI4NovLGMdxMBOMX13TAuvoqIfr1zTf/vejOjTPf4byRbt+izRR/OwwSwoezJf4P+Q=,iv:ifBprjx7jG2K3/HkgAvyjGkGcx5XA8o5UgZeKqEAYIY=,tag:a6bAIwYFSSo6bfFEV9oHSg==,type:str]
lastmodified: "2022-09-26T14:58:24Z"
mac: ENC[AES256_GCM,data:cf4V6aClZEK29H6S2C3cMWNRsvlL5JrkYZZd0pgILDXXs0XkcxNBJx7bp9Pbghz31vY/ElcW5cGgWWMYA38BFgRiH+WIBE4oebbUvAxhq2q7Pl4kgu8O4EACu9m3odhuKyxj1L/FJgcbg4qAhBLgJzjweD5jKY5FwKjzDU+M7gI=,iv:lw8BEWzXOI1/VGkVcbAQ+JxhsbHYlqOgf9NYGx6SYH8=,tag:a+S1L6mc96R0KJwLxAal4Q==,type:str]
pgp:
- created_at: "2022-06-04T20:24:49Z"
enc: |
@ -46,4 +47,4 @@ sops:
-----END PGP MESSAGE-----
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
unencrypted_suffix: _unencrypted
version: 3.7.2
version: 3.7.3


@ -13,7 +13,7 @@
resticCmd = "${pkgs.restic}/bin/restic";
inherit (config.home) username;
repository = "rest:http://elysia-clarki:8000/${username}";
repository = "rest:http://faunus-ater:8000/${username}";
passwordFile = nixosConfig.sops.secrets."restic-backup-${username}".path;
defaultPruneOpts = [
"--keep-hourly 5"
@ -51,9 +51,9 @@ in {
# Add the above env variables, so that using restic is easy for them
home.sessionVariables = sessionVars;
# Create a systemd service for the backup
systemd.user.services.restic-backups-to-elysia-clarki = {
systemd.user.services.restic-backups-to-faunus-ater = {
Unit = {
Description = "Backup to elysia-clarki using restic";
Description = "Backup to faunus-ater using restic";
After = ["network.target"];
};
@ -61,14 +61,14 @@ in {
Type = "oneshot";
ExecStart = [
# Start by backing up every directory requested
"${resticCmd} backup --cache-dir=%C/restic-backups-to-elysia-clarki ${
"${resticCmd} backup --cache-dir=%C/restic-backups-to-faunus-ater ${
toString cfg.paths
}"
# Prune old backups to keep the repo tidy
"${resticCmd} forget --prune ${toString cfg.pruneOpts}"
];
RuntimeDirectory = "restic-backups-to-elysia-clarki";
CacheDirectory = "restic-backups-to-elysia-clarki";
RuntimeDirectory = "restic-backups-to-faunus-ater";
CacheDirectory = "restic-backups-to-faunus-ater";
CacheDirectoryMode = "0700";
# Convert the above map of environment variables into a list
# of "KEY=VALUE" entrie
@ -78,7 +78,7 @@ in {
};
};
# Run the above service every hour
systemd.user.timers.restic-backups-to-elysia-clarki = {
systemd.user.timers.restic-backups-to-faunus-ater = {
Unit = {Description = "Run restic backups every hour";};
Install = {WantedBy = ["timers.target"];};
Timer = {