update README

This commit is contained in:
steveej 2023-11-23 16:03:07 +01:00
parent 658f9449fc
commit 44713c6933
9 changed files with 422 additions and 43 deletions


@ -37,26 +37,25 @@ In the unlikely case that you actually read this and have any questions please d
- [x] steveej-t14 - [x] steveej-t14
- [x] contabo vps - [x] contabo vps
- [x] sj-pve0 - [x] sj-pve0
- [ ] use an existing secret management framework - [x] use an existing secret management framework
- [ ] adapt (or abandon?) _just_ recipes - [x] adapt (or abandon?) _just_ recipes
- [ ] `rebuild-this-device` - [x] `rebuild-this-device`
- [ ] `update-this-device` - [x] `update-this-device`
- [ ] `rebuild-remote-device` - [x] `rebuild-remote-device`
- [ ] `update-remote-device` - [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion: evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena) - [x] [colmena](https://github.com/zhaofengli/colmena)
* bootstrapping: https://github.com/zhaofengli/colmena/issues/68 * bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs - [ ] deploy-rs
- [ ] 🚧 find a better alternative for the qtile-desktop - [x] 🚧 find a better alternative for the qtile-desktop
current issues: current issues:
- floating windows often get lost in the background - floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop - plugging in-/out- screen crashes the desktop
evaluate: evaluate:
- [ ] 🚧 gnome3 + pop-shell - [x] ~~🚧 gnome3 + pop-shell~~
- [ ] leftwm + eww (+ wayland?) - [x] ~~leftwm + eww (+ wayland?)~~
- [ ] (Re-)document bootstrap process - [ ] (Re-)document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine - [ ] a new machine
@ -97,11 +96,3 @@ just --list
2. disconnect remove the previous drive 2. disconnect remove the previous drive
3. replace the driveId in the device's hw.nix 3. replace the driveId in the device's hw.nix
4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group 4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group
## Backup
### Copy existing subvolumes to new backup target
```
`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/
```


@ -0,0 +1 @@
result


@ -0,0 +1,7 @@
## bootstrapping
```
# TODO: generate an SSH host-key and deploy it via --extra-files
nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252
```


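--- a/nix/os/devices/sj-bm-hostkey0/configuration.nix
+++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix
@@ -0,0 +1,122 @@
+{
+modulesPath,
+repoFlake,
+packages',
+pkgs,
+lib,
+config,
+nodeFlake,
+nodeName,
+system,
+...
+}: let
+in {
+disabledModules = [
+# "services/networking/hostapd.nix"
+];
+imports = [
+nodeFlake.inputs.disko.nixosModules.disko
+repoFlake.inputs.sops-nix.nixosModules.sops
+../../profiles/common/user.nix
+# TODO
+# ./network.nix
+# ./monitoring.nix
+{
+services.openssh.enable = true;
+services.openssh.settings.PermitRootLogin = "yes";
+users.commonUsers = {
+enable = true;
+enableNonRoot = true;
+# rootPasswordFile = config.sops.secrets.passwords-root.path;
+};
+}
+];
+boot = {
+kernel = {
+sysctl = {
+"net.ipv4.conf.all.forwarding" = true;
+"net.ipv6.conf.all.forwarding" = true;
+};
+};
+};
+networking = {
+hostName = nodeName;
+useNetworkd = true;
+useDHCP = true;
+# No local firewall.
+nat.enable = true;
+firewall.enable = false;
+};
+disko.devices = let
+disk = id: {
+type = "disk";
+device = "/dev/${id}";
+content = {
+type = "gpt";
+partitions = {
+boot = {
+size = "1M";
+type = "EF02"; # for grub MBR
+};
+mdadm = {
+size = "100%";
+content = {
+type = "mdraid";
+name = "raid0";
+};
+};
+};
+};
+};
+in {
+disk = {
+sda = disk "sda";
+sdb = disk "sdb";
+sdc = disk "sdc";
+sdd = disk "sdd";
+};
+mdadm = {
+raid0 = {
+type = "mdadm";
+level = 0;
+content = {
+type = "gpt";
+partitions = {
+primary = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "btrfs";
+mountpoint = "/";
+};
+};
+};
+};
+};
+};
+};
+system.stateVersion = "23.05";
+boot.kernelPackages = pkgs.linuxPackages_latest;
+boot.initrd.includeDefaultModules = true;
+boot.initrd.kernelModules = [
+"dm-raid"
+"dm-integrity"
+"xhci_pci_renesas"
+];
+hardware.enableRedistributableFirmware = true;
+environment.systemPackages = [
+pkgs.hdparm
+];
+}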
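Review bot: `services.openssh.settings.PermitRootLogin = "yes"` in the inline module under `imports` admits root logins by every method sshd has enabled, and with `firewall.enable = false` further down nothing in this file restricts where those connections come from; the hunk sets no `PasswordAuthentication` and leaves `rootPasswordFile` commented out, so whether a root password login is actually possible depends on defaults outside this file. Prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` together with `services.openssh.settings.PasswordAuthentication = false;` so root access stays key-only regardless of what the user module later sets. The sops-nix module is imported but this file declares neither `sops.defaultSopsFile` nor any `sops.secrets`, so the commented `rootPasswordFile` line has nothing to point at yet; a `# TODO: set sops.defaultSopsFile before enabling rootPasswordFile` comment would make that explicit. The `disko.devices` block puts `/` on a level-0 mdadm array spanning four disks, meaning one failed disk takes the root filesystem with it — if that is intentional for this host, a one-line comment saying so next to `level = 0;` would stop the next reader from "fixing" it.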


@ -0,0 +1,34 @@
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "x86_64-linux";
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "185.130.227.252";
deployment.replaceUnknownProfiles = false;
# nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
imports = [
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
networking.hostName = nodeName;
};
}
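Review bot: `deployment.targetHost = "185.130.227.252"` hardcodes the same address that the bootstrapping README added in this commit passes to nixos-anywhere, so the two will drift silently when the host moves; consider defining it once (a let-binding or an attribute on the node flake) and referencing it from both places. No `deployment.targetUser` is set, so colmena's default SSH user applies — root, if I recall the colmena docs correctly — which is worth stating in a comment since the README bootstrap step also logs in as root. Because the README still carries a TODO for generating the SSH host key, the key presented at the first deploy is whatever the installer produced and will change once that TODO is done; a `# NOTE: host key not yet pinned; expect a known_hosts change after the hostkey is deployed` comment next to `targetHost` would spare the next operator a confusing SSH failure.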

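--- a/nix/os/devices/sj-bm-hostkey0/flake.lock
+++ b/nix/os/devices/sj-bm-hostkey0/flake.lock
@@ -0,0 +1,124 @@
+{
+"nodes": {
+"disko": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1699781810,
+"narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
+"owner": "nix-community",
+"repo": "disko",
+"rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "disko",
+"type": "github"
+}
+},
+"get-flake": {
+"locked": {
+"lastModified": 1694475786,
+"narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=",
+"owner": "ursi",
+"repo": "get-flake",
+"rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1",
+"type": "github"
+},
+"original": {
+"owner": "ursi",
+"repo": "get-flake",
+"type": "github"
+}
+},
+"home-manager": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1700695018,
+"narHash": "sha256-MAiPLgBF4GLzSOlhnPCDWkWW5CDx4i7ApIYaR+TwTVg=",
+"owner": "nix-community",
+"repo": "home-manager",
+"rev": "134deb46abd5d0889d913b8509413f6f38b0811e",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"ref": "master",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"nixos-23_05": {
+"locked": {
+"lastModified": 1700501263,
+"narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-23.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1700390070,
+"narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"disko": "disko",
+"get-flake": "get-flake",
+"home-manager": "home-manager",
+"nixpkgs": "nixpkgs",
+"srvos": "srvos"
+}
+},
+"srvos": {
+"inputs": {
+"nixos-23_05": "nixos-23_05",
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1700704312,
+"narHash": "sha256-xjzksktEQMd+JCNMp7l+/6DjlQrv/KStm9WDbkY6mmQ=",
+"owner": "numtide",
+"repo": "srvos",
+"rev": "71fca17388b50899341c78294a0861031527cc53",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "srvos",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}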


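--- a/nix/os/devices/sj-bm-hostkey0/flake.nix
+++ b/nix/os/devices/sj-bm-hostkey0/flake.nix
@@ -0,0 +1,73 @@
+{
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+get-flake.url = "github:ursi/get-flake";
+home-manager.url = "github:nix-community/home-manager/master";
+home-manager.inputs.nixpkgs.follows = "nixpkgs";
+disko.url = "github:nix-community/disko";
+disko.inputs.nixpkgs.follows = "nixpkgs";
+srvos.url = "github:numtide/srvos";
+srvos.inputs.nixpkgs.follows = "nixpkgs";
+};
+# outputs = _: {};
+outputs = {
+self,
+get-flake,
+nixpkgs,
+...
+} @ attrs: let
+system = "x86_64-linux";
+nodeName = "sj-bm-hostkey0";
+mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
+nixpkgs.lib.nixosSystem (
+nixpkgs.lib.attrsets.recursiveUpdate
+attrs
+{
+specialArgs = {
+nodeFlake = self;
+repoFlake = get-flake ../../../..;
+inherit nodeName;
+};
+modules =
+[
+./configuration.nix
+# flake registry
+{
+nix.registry.nixpkgs.flake = nixpkgs;
+}
+{
+nixpkgs.overlays = [
+(final: previous: {
+})
+];
+}
+]
+++ extraModules;
+}
+);
+in {
+nixosConfigurations = {
+native = mkNixosConfiguration {
+inherit system;
+};
+# cross = mkNixosConfiguration {
+# extraModules = [
+# {
+# nixpkgs.buildPlatform.system = "x86_64-linux";
+# nixpkgs.hostPlatform.system = system;
+# }
+# ];
+# };
+};
+};
+}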
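Review bot: `} @ attrs:` on the `outputs` signature and `{extraModules ? [], ...} @ attrs:` on `mkNixosConfiguration` bind the same name twice, so inside the helper the outer flake arguments are shadowed and unreachable, and a reader has to check which `attrs` feeds `recursiveUpdate`; rename the inner one, e.g. `mkNixosConfiguration = {extraModules ? [], ...} @ cfg:` and `cfg` in the `recursiveUpdate` call. The overlay `(final: previous: {})` is empty and the commented-out `cross` configuration is dead code; either drop them or add a comment naming what they are placeholders for. `nodeName = "sj-bm-hostkey0"` is hardcoded here while the colmena-side module in this commit receives `nodeName` as an argument — a comment saying which definition is authoritative would help.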


@ -9,37 +9,28 @@ sops:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhT0t1U2hOR2RpVU5HWVU2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNmZIR2lydktlUGtmcVg0
aWpSNklwak9HYUYwSEltaWlUNyt1OENLdTNRCkxyTGZZQ0ZncmZnYTdTMC90RnpT c1hHRlFKMWxCT2I2QityYlk2NnU3VnpPWTFjClNwN3loZVp2VldIcHZJN3h6aDVB
dlRpWGVtNWhtUS9IeEJsb0VpU3greEUKLS0tIHNBQlh4NEFsZC9NQ3hRSTBTdC9W K2Q2SmZ4bmZlcjFwM1cyWkl1Nk12dmsKLS0tIHhYQWhuNkdwRDc4ay8zeUtUYzF2
TjVwOWJVQkZIc2RuWEU3QkxyVnc0UXcKIQm61AimM7hch3tT/KownHqZT7NyLNv+ QjBpY29FZXZQZDJHZGx5Z1N4K1p4TGMKpHkuzC8DR7swxE+KlWLJY8TcgCzJIc6w
H69zogFe63Oj27a5OK5cdcy9W6u4ew7b35ybkpeooMBuy2WbUld5LQ== b30w0rvAXJ8l3eVMbiUVLEkNmG8kl7hoEfj95OAT7+ZKfzPZ+tcriA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWZSRHF6L1d6dVd1dTVB
elBvaGR4V1ZySW03S2Z4SWliZDVscjZQM1JJCjNscTJRM29HUXVxOWhUU0tZZllm
dHRKUlpqTDdjd3paWjViYlIrL2g5RUEKLS0tIEJLdDJVbkVYTDVRd0toZGZVOGxu
Vm8rS25SbE56c2RiRFFtM29pRm1ZR1kK4yKaQ5VP+X+WnIPNpVWniCX+NisVBhaO
DM4Tz7OJuDSSWZ19kVIN+eXrLftQbKCj8+9QgbzzjgoIpER+N2Z28A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-14T20:50:30Z" lastmodified: "2023-07-14T20:50:30Z"
mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str]
pgp: pgp:
- created_at: "2023-07-01T21:42:42Z" - created_at: "2023-11-23T11:43:30Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf/XI/S30xYCkzBweU75bCZBYDwR7hprSygW4xCI5qc8xax wcBMA0SHG/zF3227AQf/f7cZvIbDELJ1f8xMFDTDNdBGbRKMAhgxj1Id4eQThQ5R
dpT5RpIrfPOelxrtjuDvkWCMa5Xfu/A6eQAF0EABZVMNiy1PpMTuarU1Np1Zfgoo djFYEwzeOxYrDyUYwMFaydiW7dHWf7hv2foCVdHqdVoVLF1LyVSlLYWI7R7M4t/Z
vhYJDCe329/kQBlMFT8/6wyxQRi7bEjK19wsYrsFbKA9wSXIpz2Drx6DG5Zck4bU hdYwsukAH1f6Pu/49XW30t0fa17gBrJDy7x+fnXqlOW/xkTatiEPqRKeoEx1sWil
5RvAdeWgZUcnuPAlc0SYZOfl/8EBqKG83U7NW8VdoJpphifYHK2HMJpOD0mxzZ8V uBD+pIsAcctPF0hyaOEOKNshR/nlWXUU91dPu3FzwlBGtDM7TglqsDUCtSb4ebKt
sR93tVdRA856O8ZhxdC1l1HkSSnR+0B+Dku8t4Bmy+4H6Y4KqmMhbKUIMFY+0pW9 sm3lcersxsefUPsr2wRg3WOY1cwGpLcvQZA86vWNgrYi6ChfUxv2zmR2WXadZ62u
MDIPJ8zVGkU4PyCjDwCqoYu/XgoJvTCAYgZFpyCyPdJRAftjWvzD59u31zjJKwiG 1rktKclRDNg3fM6E2elzlVrlzxq/8yGcCDVpH1M4pdJRAZdYa0oSRCkhlY4CzzJi
eyU7I73Q+jDIJDYPIrt8K7+CpEmDBpIZBQxsfmP5xFznNt4LPB07HFgC/yPDmjiC Mgo/bpRhHHwHPyqPMCTIO8UD2L86uC17RByLL5/5LXfHd3QDP0GhXV7sXs+jwcJ3
Vu3cIGSwFgRRdXUYnLTQCQM/ nj6Z860TuKdVhWp0FAfM5Bn9
=g1+E =oyeE
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
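Review bot: this hunk removes the second age recipient (the `age17jx…` block) and re-encrypts the data key for the remaining recipient and for PGP, while `lastmodified` and `mac` are unchanged — consistent with a recipient-set update rather than a data-key rotation. If the removed recipient's key is ever considered compromised, re-encrypting to the new recipient set is not enough, because whoever held that key could already have unwrapped the data key; the file would then need `sops rotate` (a fresh data key) and, strictly, new secret values. A short note in the commit or a `# recipient removed on 2023-11-23: key retired, not compromised` comment (with the actual reason) would let a later reader decide whether rotation is still owed.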


@ -0,0 +1,36 @@
unused-secret: ENC[AES256_GCM,data:rKIjC2Ri,iv:PIs3Xuv9zEMhawvMyxwN0CI4Xzr1lTpg1o2scsosizs=,tag:++t0A80KDxctiXwxW5Vd2Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk
REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P
T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r
THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv
J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-23T11:45:17Z"
mac: ENC[AES256_GCM,data:VFEtWuEoqlU3wW8SwgWjlnnuv8aJw5Az9j82gc9YfexwR6lNyyQHY5EdZfqPdO4ZRNLen60Xq98kotTYiY7GJ9x3ZR8KPW3puRvqeD8qZf1NMwvkzQliZ+078HCBHmBTeoouWLuvWdP9uv3XOQWdR7/ZfMB/eC4bWS+Acq+tVZ4=,iv:5CRupDm9jNslcn96kUrhQdT5zadEqyKtrKbv+BtcYW0=,tag:ukHLjRdZCTRliB+LXGBHWQ==,type:str]
pgp:
- created_at: "2023-08-11T16:15:11Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+
NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3
pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8
ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a
8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB
596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY
pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O
v5QlxcXSMuOeGygclwHdxzs+
=NQjH
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3
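Review bot: the only value in the new secrets file is `unused-secret`, and the `configuration.nix` added in this commit sets neither `sops.defaultSopsFile` nor any `sops.secrets`, so the age recipient `age1k7c…` is currently granted access to a placeholder only; a leading `# placeholder secrets file for sj-bm-hostkey0 — wire via sops.defaultSopsFile once real secrets exist` comment would document that. The recipient is presumably the host's age key, but the bootstrapping README in the same commit still has a TODO for generating the SSH host key that such a key is usually derived from — confirm which key this recipient corresponds to and record it in the comment, since a recipient that predates the host key will silently fail to decrypt on the host.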