[hosts/elysia-clarki] Fix imports and dedup config

2022-01-13 21:23:36 +01:00 · 2022-01-13 21:23:36 +01:00 · 52fe894901
parent 4446faf53a
commit 52fe894901
4 changed files with 94 additions and 102 deletions
--- a/flake.nix
+++ b/flake.nix
@ -210,6 +210,7 @@
          ./modules/nginx-reverse-proxy.nix
          ./modules/binary-cache.nix
          ./modules/ccqcraft-backups.nix
+          ./modules/restic.nix
        ];

        config = {
@ -340,21 +341,7 @@
    # Server @home
    nixosConfigurations.elysia-clarki = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
-      modules = [
-        self.nixosModules.x86_64-linux-basics
-        ./hosts/elysia-clarki.nix
-        ./hardware/intel-nuc.nix
-        ./modules/local-build-service.nix
-        ./modules/nginx-reverse-proxy.nix
-        ./modules/binary-cache.nix
-        ./modules/ccqcraft-backups.nix
-        #./modules/photoprism.nix
-
-        ({ pkgs, ... }: {
-          # Override kernel version for zfs
-          boot.kernelPackages = pkgs.linuxPackages_5_10;
-        })
-      ];
+      modules = [ self.nixosModules.elysia-clarki ];
    };

    # Marie's laptop
--- a/hardware/intel-nuc.nix
+++ b/hardware/intel-nuc.nix
@ -34,5 +34,74 @@
  # === Swap ===
  swapDevices =
    [{ device = "/dev/disk/by-uuid/efc7e294-1c18-4dd9-aca5-f868eb9c47fc"; }];
+} // (
+  # === External drives ===
+  let
+    cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+    unlockLuksService = label: keyfile: overwrites:
+      lib.attrsets.recursiveUpdate {
+        description = "Unlock luks encrypted device '${label}'";
+        bindsTo = [ "dev-${label}.device" ];
+        after = [ "dev-${label}.device" ];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = ''
+            ${cryptsetup} luksOpen --key-file ${keyfile} /dev/${label} ${label}opened
+          '';
+          ExecStop = ''
+            ${cryptsetup} luksClose ${label}opened
+          '';
+        };
+      } overwrites;

-}
+    disks = {
+      FRA = "8ae45289-82ed-4cf1-9d68-a0e26e5d9bb5";
+      BER = "85ce2e58-72fc-4a66-a376-565bb4fc39a1";
+      HND = "4a3765fc-155e-453d-a348-d1782447bcfe";
+      LEJ = "5e3c2c1e-73f6-43e6-b8f3-71c923cbeb6d";
+    };
+  in {
+    # Unlock all luks devices and import the zfs pools if necessary
+    systemd.services."luks-open-FRA" =
+      unlockLuksService "FRA" "/root/keys/fra" { };
+    systemd.services."luks-open-BER" =
+      unlockLuksService "BER" "/root/keys/ber" {
+        serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zBER";
+      };
+    systemd.services."luks-open-HND" =
+      unlockLuksService "HND" "/root/keys/hnd" {
+        serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zHND";
+      };
+    systemd.services."luks-open-LEJ" =
+      unlockLuksService "LEJ" "/root/keys/lej" { };
+
+    systemd.mounts = [
+      {
+        what = "/dev/mapper/FRAopened";
+        where = "/srv/fra";
+        type = "ext4";
+        wantedBy = [ "default.target" ];
+        requires = [ "luks-open-FRA.service" ];
+        after = [ "luks-open-FRA.service" ];
+      }
+      {
+        what = "/dev/mapper/vg_lej-lv_lej";
+        where = "/srv/lej";
+        type = "ext4";
+        wantedBy = [ "default.target" ];
+        requires = [ "luks-open-LEJ.service" ];
+        after = [ "luks-open-LEJ.service" ];
+      }
+    ];
+
+    # Add udev rules for every disk
+    services.udev.customRules = [{
+      name = "85-rename-and-unlock-disks";
+      rules = lib.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
+        (alias: uuid: ''
+          SUBSYSTEM=="block", ENV{ID_FS_UUID}=="${uuid}", SYMLINK+="${alias}", TAG+="systemd"
+        '') disks);
+    }];
+
+  })
--- a/hosts/elysia-clarki.nix
+++ b/hosts/elysia-clarki.nix
@ -1,39 +1,11 @@
 { config, pkgs, lib, ... }:

-let
-  cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
-  unlockLuksService = label: keyfile: overwrites:
-    lib.attrsets.recursiveUpdate {
-      description = "Unlock luks encrypted device '${label}'";
-      bindsTo = [ "dev-${label}.device" ];
-      after = [ "dev-${label}.device" ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-        ExecStart = ''
-          ${cryptsetup} luksOpen --key-file ${keyfile} /dev/${label} ${label}opened
-        '';
-        ExecStop = ''
-          ${cryptsetup} luksClose ${label}opened
-        '';
-      };
-    } overwrites;
-
-  disks = {
-    FRA = "8ae45289-82ed-4cf1-9d68-a0e26e5d9bb5";
-    BER = "85ce2e58-72fc-4a66-a376-565bb4fc39a1";
-    HND = "4a3765fc-155e-453d-a348-d1782447bcfe";
-    LEJ = "5e3c2c1e-73f6-43e6-b8f3-71c923cbeb6d";
-  };
-
-in {
-
+{
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];

  networking.hostName = "elysia-clarki";
-  networking.useDHCP = false;
  networking.interfaces.eno1.useDHCP = true;
  networking.hostId = "265bb40a";

@ -48,60 +20,10 @@ in {
    oci-containers.backend = "podman";
  };

-
  services.fwupd.enable = true;

-  services.udev.customRules = [{
-    name = "85-rename-and-unlock-disks";
-    # Create a rule per entry in disks
-    rules = lib.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
-      (alias: uuid: ''
-        SUBSYSTEM=="block", ENV{ID_FS_UUID}=="${uuid}", SYMLINK+="${alias}", TAG+="systemd"
-      '') disks);
-  }];
-
-  # Unlock all luks devices and import the zfs pools if necessary
-  systemd.services."luks-open-FRA" =
-    unlockLuksService "FRA" "/root/keys/fra" { };
-  systemd.services."luks-open-BER" = unlockLuksService "BER" "/root/keys/ber" {
-    serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zBER";
-  };
-  systemd.services."luks-open-HND" = unlockLuksService "HND" "/root/keys/hnd" {
-    serviceConfig.ExecStartPost = "${pkgs.zfs}/bin/zpool import zHND";
-  };
-  systemd.services."luks-open-LEJ" =
-    unlockLuksService "LEJ" "/root/keys/lej" { };
-
-  systemd.mounts = [
-    {
-      what = "/dev/mapper/FRAopened";
-      where = "/srv/fra";
-      type = "ext4";
-      wantedBy = [ "default.target" ];
-      requires = [ "luks-open-FRA.service" ];
-      after = [ "luks-open-FRA.service" ];
-    }
-    {
-      what = "/dev/mapper/vg_lej-lv_lej";
-      where = "/srv/lej";
-      type = "ext4";
-      wantedBy = [ "default.target" ];
-      requires = [ "luks-open-LEJ.service" ];
-      after = [ "luks-open-LEJ.service" ];
-    }
-  ];
-
-  services.restic.server = {
-    enable = true;
-    dataDir = "/srv/hnd/restic";
-    listenAddress = "0.0.0.0:8000";
-    extraFlags = [ "--no-auth" ];
-  };
-  networking.firewall.allowedTCPPorts = [ 8000 ];
-  systemd.services.restic-rest-server.unitConfig = {
-    Requires = lib.mkForce [ "network.target" "luks-open-HND.service" ];
-    After = lib.mkForce [ "network.target" "luks-open-HND.service" ];
-  };
+  sops.defaultSopsFile = ../secrets/elysia-clarki/secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  services.ddclient = {
    enable = true;
@ -126,5 +48,4 @@ in {
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?
-
 }
--- a/modules/restic.nix
+++ b/modules/restic.nix
@ -1,9 +1,24 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
+
+let
+
+  port = 8000;
+  dataDir = "/srv/hnd/restic";
+
+in {

-{
  services.restic.server = {
    enable = true;
-    dataDir = "/var/lib/restic";
-    listenAddress = ":8342";
+    inherit dataDir;
+    listenAddress = "0.0.0.0:${builtins.toString port}";
+    extraFlags = [ "--no-auth" ];
  };
+  networking.firewall.allowedTCPPorts = [ port ];
+
+  # TODO: Do I actually need this here?
+  systemd.services.restic-rest-server.unitConfig = {
+    Requires = lib.mkForce [ "network.target" "luks-open-HND.service" ];
+    After = lib.mkForce [ "network.target" "luks-open-HND.service" ];
+  };
+
 }