diff --git a/README.md b/README.md index 8184c89..1eb1888 100644 --- a/README.md +++ b/README.md @@ -37,26 +37,25 @@ In the unlikely case that you actually read this and have any questions please d - [x] steveej-t14 - [x] contabo vps - [x] sj-pve0 -- [ ] use an existing secret management framework -- [ ] adapt (or abandon?) _just_ recipes - - [ ] `rebuild-this-device` - - [ ] `update-this-device` - - [ ] `rebuild-remote-device` - - [ ] `update-remote-device` +- [x] use an existing secret management framework +- [x] adapt (or abandon?) _just_ recipes + - [x] `rebuild-this-device` + - [x] `update-this-device` + - [x] `rebuild-remote-device` + - [x] `update-remote-device` evaluate, and understand a path to using these tools in a pull-based fashion: - [x] [colmena](https://github.com/zhaofengli/colmena) * bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - [ ] deploy-rs -- [ ] 🚧 find a better alternative for the qtile-desktop - +- [x] 🚧 find a better alternative for the qtile-desktop current issues: - floating windows often get lost in the background - plugging in-/out- screen crashes the desktop evaluate: - - [ ] 🚧 gnome3 + pop-shell - - [ ] leftwm + eww (+ wayland?) + - [x] ~~🚧 gnome3 + pop-shell~~ + - [x] ~~leftwm + eww (+ wayland?)~~ - [ ] (Re-)document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine 
@@ -96,12 +95,4 @@ just --list
 1. offline-bitwise copy of drive
 2. disconnect remove the previous drive
 3. replace the driveId in the device's hw.nix
-4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group
-
-## Backup
-
-### Copy existing subvolumes to new backup target
-
-```
-`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/
-```
+4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group
\ No newline at end of file
diff --git a/nix/os/devices/sj-bm-hostkey0/.gitignore b/nix/os/devices/sj-bm-hostkey0/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/nix/os/devices/sj-bm-hostkey0/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/nix/os/devices/sj-bm-hostkey0/README.md b/nix/os/devices/sj-bm-hostkey0/README.md
new file mode 100644
index 0000000..d70e379
--- /dev/null
+++ b/nix/os/devices/sj-bm-hostkey0/README.md
@@ -0,0 +1,7 @@
+## bootstrapping
+
+```
+# TODO: generate an SSH host-key and deploy it via --extra-files
+nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252
+```
+
diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix
new file mode 100644
index 0000000..00beac1
--- /dev/null
+++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix
@@ -0,0 +1,122 @@
+{
+ modulesPath,
+ repoFlake,
+ packages',
+ pkgs,
+ lib,
+ config,
+ nodeFlake,
+ nodeName,
+ system,
+ ...
+}: let
+in {
+ disabledModules = [
+ # "services/networking/hostapd.nix"
+ ];
+
+ imports = [
+ nodeFlake.inputs.disko.nixosModules.disko
+ repoFlake.inputs.sops-nix.nixosModules.sops
+
+ ../../profiles/common/user.nix
+
+ # TODO
+ # ./network.nix
+ # ./monitoring.nix
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = true;
+ # rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+ }
+ ];
+
+ boot = {
+ kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = nodeName;
+ useNetworkd = true;
+ useDHCP = true;
+
+ # No local firewall.
+ nat.enable = true;
+ firewall.enable = false;
+ };
+
+ disko.devices = let
+ disk = id: {
+ type = "disk";
+ device = "/dev/${id}";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ mdadm = {
+ size = "100%";
+ content = {
+ type = "mdraid";
+ name = "raid0";
+ };
+ };
+ };
+ };
+ };
+ in {
+ disk = {
+ sda = disk "sda";
+ sdb = disk "sdb";
+ sdc = disk "sdc";
+ sdd = disk "sdd";
+ };
+ mdadm = {
+ raid0 = {
+ type = "mdadm";
+ level = 0;
+ content = {
+ type = "gpt";
+ partitions = {
+ primary = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "btrfs";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "23.05";
+
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.initrd.includeDefaultModules = true;
+ boot.initrd.kernelModules = [
+ "dm-raid"
+ "dm-integrity"
+ "xhci_pci_renesas"
+ ];
+
+ hardware.enableRedistributableFirmware = true;
+
+ environment.systemPackages = [
+ pkgs.hdparm
+ ];
+}
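Review bot: `services.openssh.settings.PermitRootLogin = "yes";` combined with `firewall.enable = false;` in `networking` leaves root password login reachable on every interface of a host that the device README bootstraps over SSH at a fixed address, and nothing in this module turns password authentication off (the `rootPasswordFile` line below it is still commented out, so whatever root password the bootstrap leaves in place is what protects the box). Prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` together with `services.openssh.settings.PasswordAuthentication = false;`, and keep the firewall enabled unless the `# No local firewall.` choice is deliberate for a NAT/forwarding role — `services.openssh.openFirewall` defaults to true, so SSH stays reachable either way. Separately, `disko.devices` stripes all four disks into a `level = 0;` mdadm array that carries `/`, so any single disk failure takes the whole system with it; a one-line comment stating that this trade-off is accepted (or a redundant level) would help the next reader.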
diff --git a/nix/os/devices/sj-bm-hostkey0/default.nix b/nix/os/devices/sj-bm-hostkey0/default.nix
new file mode 100644
index 0000000..53bc253
--- /dev/null
+++ b/nix/os/devices/sj-bm-hostkey0/default.nix
@@ -0,0 +1,34 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}: let
+ system = "x86_64-linux";
+in {
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake system;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} =
+ import nodeFlake.inputs.nixpkgs.outPath
+ {
+ inherit system;
+ };
+
+ ${nodeName} = {
+ deployment.targetHost = "185.130.227.252";
+ deployment.replaceUnknownProfiles = false;
+
+ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/sj-bm-hostkey0/flake.lock b/nix/os/devices/sj-bm-hostkey0/flake.lock
new file mode 100644
index 0000000..514af4f
--- /dev/null
+++ b/nix/os/devices/sj-bm-hostkey0/flake.lock
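Review bot: `networking.hostName = nodeName;` at the end of the `${nodeName}` block repeats what `./configuration.nix`, imported two lines above it, already sets through `networking = { hostName = nodeName; … }`; the values are equal so evaluation will not object, but one definition should own it — drop the line here. The `deployment.targetHost` literal is the same address the new device README hands to `nixos-anywhere`, so a short comment naming which of the two is authoritative (or a DNS name used in both) would keep them from drifting apart.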
@@ -0,0 +1,124 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699781810, + "narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=", + "owner": "nix-community", + "repo": "disko", + "rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "owner": "ursi", + "repo": "get-flake", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700695018, + "narHash": "sha256-MAiPLgBF4GLzSOlhnPCDWkWW5CDx4i7ApIYaR+TwTVg=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "134deb46abd5d0889d913b8509413f6f38b0811e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-23_05": { + "locked": { + "lastModified": 1700501263, + "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1700390070, + "narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + "home-manager": 
"home-manager", + "nixpkgs": "nixpkgs", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixos-23_05": "nixos-23_05", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700704312, + "narHash": "sha256-xjzksktEQMd+JCNMp7l+/6DjlQrv/KStm9WDbkY6mmQ=", + "owner": "numtide", + "repo": "srvos", + "rev": "71fca17388b50899341c78294a0861031527cc53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/sj-bm-hostkey0/flake.nix b/nix/os/devices/sj-bm-hostkey0/flake.nix new file mode 100644 index 0000000..5302f9e --- /dev/null +++ b/nix/os/devices/sj-bm-hostkey0/flake.nix 
@@ -0,0 +1,73 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ get-flake.url = "github:ursi/get-flake";
+
+ home-manager.url = "github:nix-community/home-manager/master";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ # outputs = _: {};
+
+ outputs = {
+ self,
+ get-flake,
+ nixpkgs,
+ ...
+ } @ attrs: let
+ system = "x86_64-linux";
+ nodeName = "sj-bm-hostkey0";
+
+ mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
+ nixpkgs.lib.nixosSystem (
+ nixpkgs.lib.attrsets.recursiveUpdate
+ attrs
+ {
+ specialArgs = {
+ nodeFlake = self;
+ repoFlake = get-flake ../../../..;
+ inherit nodeName;
+ };
+
+ modules =
+ [
+ ./configuration.nix
+
+ # flake registry
+ {
+ nix.registry.nixpkgs.flake = nixpkgs;
+ }
+
+ {
+ nixpkgs.overlays = [
+ (final: previous: {
+ })
+ ];
+ }
+ ]
+ ++ extraModules;
+ }
+ );
+ in {
+ nixosConfigurations = {
+ native = mkNixosConfiguration {
+ inherit system;
+ };
+
+ # cross = mkNixosConfiguration {
+ # extraModules = [
+ # {
+ # nixpkgs.buildPlatform.system = "x86_64-linux";
+ # nixpkgs.hostPlatform.system = system;
+ # }
+ # ];
+ # };
+ };
+ };
+}
diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml
index ad8635f..0a6925c 100644
--- a/secrets/servers/dyndns.yaml
+++ b/secrets/servers/dyndns.yaml
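Review bot: `mkNixosConfiguration` forwards the whole `attrs` — including `extraModules` whenever a caller sets it — into `nixpkgs.lib.nixosSystem` through `recursiveUpdate`, and separately appends `++ extraModules` to `modules`; since nixpkgs' eval-config accepts an `extraModules` argument of its own, those modules would most likely be evaluated twice once the commented-out `cross` configuration is revived. Strip it before forwarding, e.g. `(builtins.removeAttrs attrs ["extraModules"])` in place of the bare `attrs` on the line after `recursiveUpdate`. The `nixpkgs.overlays = [ (final: previous: { }) ];` entry is an empty overlay; either remove it or add `# placeholder: device-specific overlays go here` so it does not read as an omission. Tracking `home-manager` on `master` while nixpkgs follows `nixos-unstable` means every `nix flake update` pulls an unreviewed tip; the lock file bounds that, so this is only a note.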
@@ -9,37 +9,28 @@ sops: - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT0t1U2hOR2RpVU5HWVU2 - aWpSNklwak9HYUYwSEltaWlUNyt1OENLdTNRCkxyTGZZQ0ZncmZnYTdTMC90RnpT - dlRpWGVtNWhtUS9IeEJsb0VpU3greEUKLS0tIHNBQlh4NEFsZC9NQ3hRSTBTdC9W - TjVwOWJVQkZIc2RuWEU3QkxyVnc0UXcKIQm61AimM7hch3tT/KownHqZT7NyLNv+ - H69zogFe63Oj27a5OK5cdcy9W6u4ew7b35ybkpeooMBuy2WbUld5LQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWZSRHF6L1d6dVd1dTVB - elBvaGR4V1ZySW03S2Z4SWliZDVscjZQM1JJCjNscTJRM29HUXVxOWhUU0tZZllm - dHRKUlpqTDdjd3paWjViYlIrL2g5RUEKLS0tIEJLdDJVbkVYTDVRd0toZGZVOGxu - Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO - DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNmZIR2lydktlUGtmcVg0 + c1hHRlFKMWxCT2I2QityYlk2NnU3VnpPWTFjClNwN3loZVp2VldIcHZJN3h6aDVB + K2Q2SmZ4bmZlcjFwM1cyWkl1Nk12dmsKLS0tIHhYQWhuNkdwRDc4ay8zeUtUYzF2 + QjBpY29FZXZQZDJHZGx5Z1N4K1p4TGMKpHkuzC8DR7swxE+KlWLJY8TcgCzJIc6w + b30w0rvAXJ8l3eVMbiUVLEkNmG8kl7hoEfj95OAT7+ZKfzPZ+tcriA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-14T20:50:30Z" mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] pgp: - - created_at: "2023-07-01T21:42:42Z" + - created_at: "2023-11-23T11:43:30Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/XI/S30xYCkzBweU75bCZBYDwR7hprSygW4xCI5qc8xax - dpT5RpIrfPOelxrtjuDvkWCMa5Xfu/A6eQAF0EABZVMNiy1PpMTuarU1Np1Zfgoo - vhYJDCe329/kQBlMFT8/6wyxQRi7bEjK19wsYrsFbKA9wSXIpz2Drx6DG5Zck4bU - 
5RvAdeWgZUcnuPAlc0SYZOfl/8EBqKG83U7NW8VdoJpphifYHK2HMJpOD0mxzZ8V - sR93tVdRA856O8ZhxdC1l1HkSSnR+0B+Dku8t4Bmy+4H6Y4KqmMhbKUIMFY+0pW9 - MDIPJ8zVGkU4PyCjDwCqoYu/XgoJvTCAYgZFpyCyPdJRAftjWvzD59u31zjJKwiG - eyU7I73Q+jDIJDYPIrt8K7+CpEmDBpIZBQxsfmP5xFznNt4LPB07HFgC/yPDmjiC - Vu3cIGSwFgRRdXUYnLTQCQM/ - =g1+E + wcBMA0SHG/zF3227AQf/f7cZvIbDELJ1f8xMFDTDNdBGbRKMAhgxj1Id4eQThQ5R + djFYEwzeOxYrDyUYwMFaydiW7dHWf7hv2foCVdHqdVoVLF1LyVSlLYWI7R7M4t/Z + hdYwsukAH1f6Pu/49XW30t0fa17gBrJDy7x+fnXqlOW/xkTatiEPqRKeoEx1sWil + uBD+pIsAcctPF0hyaOEOKNshR/nlWXUU91dPu3FzwlBGtDM7TglqsDUCtSb4ebKt + sm3lcersxsefUPsr2wRg3WOY1cwGpLcvQZA86vWNgrYi6ChfUxv2zmR2WXadZ62u + 1rktKclRDNg3fM6E2elzlVrlzxq/8yGcCDVpH1M4pdJRAZdYa0oSRCkhlY4CzzJi + Mgo/bpRhHHwHPyqPMCTIO8UD2L86uC17RByLL5/5LXfHd3QDP0GhXV7sXs+jwcJ3 + nj6Z860TuKdVhWp0FAfM5Bn9 + =oyeE -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted diff --git a/secrets/sj-bm-hostkey0/secrets.yaml b/secrets/sj-bm-hostkey0/secrets.yaml new file mode 100644 index 0000000..a868161 --- /dev/null +++ b/secrets/sj-bm-hostkey0/secrets.yaml 
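Review bot: Removing the `age17jxphuql…` recipient re-wraps the file's data key for the remaining keys but does not rotate it — `lastmodified` and `mac` are unchanged context in this hunk, which is consistent with a `sops updatekeys` run — so the holder of the removed key can still decrypt this file's contents from any earlier commit in history. If the removal is a revocation rather than housekeeping, follow it with `sops rotate -i secrets/servers/dyndns.yaml`, which replaces the data key and ciphertext, and rotate the credentials stored in the file as well, since they were readable by that key until now. Whether the removed key was compromised or merely retired is not visible here, so a one-line commit note stating which would settle it.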
@@ -0,0 +1,36 @@
+unused-secret: ENC[AES256_GCM,data:rKIjC2Ri,iv:PIs3Xuv9zEMhawvMyxwN0CI4Xzr1lTpg1o2scsosizs=,tag:++t0A80KDxctiXwxW5Vd2Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk
+ REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P
+ T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r
+ THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv
+ J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-23T11:45:17Z"
+ mac: ENC[AES256_GCM,data:VFEtWuEoqlU3wW8SwgWjlnnuv8aJw5Az9j82gc9YfexwR6lNyyQHY5EdZfqPdO4ZRNLen60Xq98kotTYiY7GJ9x3ZR8KPW3puRvqeD8qZf1NMwvkzQliZ+078HCBHmBTeoouWLuvWdP9uv3XOQWdR7/ZfMB/eC4bWS+Acq+tVZ4=,iv:5CRupDm9jNslcn96kUrhQdT5zadEqyKtrKbv+BtcYW0=,tag:ukHLjRdZCTRliB+LXGBHWQ==,type:str]
+ pgp:
+ - created_at: "2023-08-11T16:15:11Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+
+ NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3
+ pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8
+ ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a
+ 8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB
+ 596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY
+ pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O
+ v5QlxcXSMuOeGygclwHdxzs+
+ =NQjH
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
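Review bot: Nothing in this commit consumes this file — `configuration.nix` for the same device imports the sops-nix module but sets neither `sops.defaultSopsFile` nor any `sops.secrets`, and its only reference (`rootPasswordFile = config.sops.secrets.passwords-root.path`) is commented out — so `unused-secret` is the sole content and the `age1k7cejd9…` recipient is tied to nothing a reader can check. Presumably that recipient is the host's age key derived from its SSH host key, which the device README still marks as a TODO to generate; if the host key is regenerated at bootstrap, this recipient will no longer match and the file would have to be re-keyed. Recording in the device README which key the recipient corresponds to, and wiring `sops.defaultSopsFile = ../../../../secrets/sj-bm-hostkey0/secrets.yaml;` in configuration.nix once a real secret exists, would close that gap.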