From 856dd0ff5167f06e214712c6fbecdf8850809317 Mon Sep 17 00:00:00 2001
From: chaos
Date: Sat, 31 Aug 2024 15:37:15 +0100
Subject: [PATCH] rename pi and more shenanigans
---
hosts/nixos.nix | 4 +-
.../{raspberry => raspberry-pi5}/hardware.nix | 38 ++++-
.../raspberry-pi5.nix} | 2 +-
hosts/raspberry-pi5/secrets.nix | 143 ++++++++++++++++++
scripts/deploy/raspberry-pi5.sh | 9 ++
5 files changed, 192 insertions(+), 4 deletions(-)
rename hosts/{raspberry => raspberry-pi5}/hardware.nix (78%)
rename hosts/{raspberry/raspberry.nix => raspberry-pi5/raspberry-pi5.nix} (95%)
create mode 100644 hosts/raspberry-pi5/secrets.nix
create mode 100755 scripts/deploy/raspberry-pi5.sh
diff --git a/hosts/nixos.nix b/hosts/nixos.nix
index 2c80e7d..6d6fb6e 100644
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@@ -51,10 +51,10 @@ in rec {
 modules = defaultModules ++ [./hetzner-arm/hetzner-arm.nix];
 };
- raspberry = nixosUnstableSystem {
+ raspberry-pi5 = nixosUnstableSystem {
 specialArgs = defaultSpecialArgs;
 system = "aarch64-linux";
- modules = defaultModules ++ [./raspberry/raspberry.nix];
+ modules = defaultModules ++ [./raspberry-pi5/raspberry-pi5.nix];
 };
 }
diff --git a/hosts/raspberry/hardware.nix b/hosts/raspberry-pi5/hardware.nix
similarity index 78%
rename from hosts/raspberry/hardware.nix
rename to hosts/raspberry-pi5/hardware.nix
index 695aa49..c2b14c5 100644
--- a/hosts/raspberry/hardware.nix
+++ b/hosts/raspberry-pi5/hardware.nix
@@ -71,7 +71,7 @@
 // piBootFwFiles;
 in {
 imports = with tree; [
- presets.nixos.encryptedDrive
+ presets.nixos.serverEncryptedDrive
 ];
 boot = {
@@ -81,6 +81,11 @@ in {
 "8250.nr_uarts=11"
 "console=ttyAMA10,115200"
 "console=tty0"
+
+ "ip=192.168.178.26::192.168.178.1:255.255.255.0:raspberry:end0:any"
+ "boot.shell_on_fail"
+ "nohibernate"
+ "loglevel=4"
 ];
 loader = {
 systemd-boot = {
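Review bot: In the `-81,6 +81,11` hunk the new `ip=` kernel parameter still carries the old hostname, `"ip=192.168.178.26::192.168.178.1:255.255.255.0:raspberry:end0:any"`, while `networking.hostName` in raspberry-pi5.nix becomes `"raspberry-pi5"` in this same commit; change the hostname field to `raspberry-pi5` (or leave it empty) so the initrd and the booted system report the same name. The address and gateway literals here are repeated in the `-116,4 +121,35` systemd.network hunk and as `DEFAULT_HOST` in scripts/deploy/raspberry-pi5.sh; binding them once in this file's existing `let` block (e.g. `piAddress = "192.168.178.26"; piGateway = "192.168.178.1";`) and interpolating them would keep the initrd and networkd configurations from drifting apart. `"boot.shell_on_fail"` hands anyone at the console an unauthenticated root shell in the initrd whenever boot fails, which on a host that imports an encrypted-drive preset is presumably only wanted while the new static network setup is being debugged; a comment such as `# debugging aid: drops to an initrd root shell on boot failure, remove once the network config is stable` would record that intent. The enclosing string list (presumably `boot.kernelParams`) starts before this hunk.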
@@ -116,4 +121,35 @@ in {
 fwFiles
 )}
 '';
+
+ systemd.network = {
+ enable = true;
+ networks."end0" = {
+ name = "end0";
+ networkConfig.DHCP = "no";
+ address = [
+ # v4
+ "192.168.178.26/24"
+
+ # v6
+ "fe80::715e:ef0c:5429:e9cc/64"
+ "2a02:8012:7883:0:1072:c180:2363:1c92/64"
+ ];
+
+ routes = [
+ # v4
+ {
+ Destination = "192.168.178.1";
+ }
+ {
+ Gateway = "192.168.178.1";
+ GatewayOnLink = true;
+ }
+ # v6
+ {
+ Gateway = "fe80::1";
+ }
+ ];
+ };
+ };
 }
diff --git a/hosts/raspberry/raspberry.nix b/hosts/raspberry-pi5/raspberry-pi5.nix
similarity index 95%
rename from hosts/raspberry/raspberry.nix
rename to hosts/raspberry-pi5/raspberry-pi5.nix
index 80d7b36..533aa51 100644
--- a/hosts/raspberry/raspberry.nix
+++ b/hosts/raspberry-pi5/raspberry-pi5.nix
@@ -41,7 +41,7 @@ in {
 allowedTCPPorts = [22];
 };
- networking.hostName = "raspberry";
+ networking.hostName = "raspberry-pi5";
 time.timeZone = "Europe/London";
 system.stateVersion = "24.05";
diff --git a/hosts/raspberry-pi5/secrets.nix b/hosts/raspberry-pi5/secrets.nix
new file mode 100644
index 0000000..a2eeef9
--- /dev/null
+++ b/hosts/raspberry-pi5/secrets.nix
@@ -0,0 +1,143 @@
+{pkgs, ...}: {
+ services.secrets = {
+ enable = true;
+
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-arm";
+ };
+
+ packages = with pkgs; [
+ apacheHttpd
+ ];
+
+ requiredVaultPaths = [
+
+ "api-keys/data/backblaze/Chaos-Backups"
+
+ "private-public-keys/data/restic/Social"
+ "api-keys/data/chaos_mail/gotosocial"
+
+ "private-public-keys/data/restic/Forgejo"
+
+ "api-keys/data/mpd"
+ "api-keys/data/music-stream"
+
+ "api-keys/data/radicale"
+ "private-public-keys/data/restic/Radicale"
+
+ "private-public-keys/data/restic/Vault"
+ ];
+
+ secrets = {
+ vault_password = {
+ manual = true;
+ };
+
+ ssh_host_ed25519_key = {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ permissions = "600";
+ fetchScript = ''
+ [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
+ simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile"
+ '';
+ };
+ ssh_host_ed25519_key_pub = {
+ path = "/etc/ssh/ssh_host_ed25519_key.pub";
+ permissions = "600";
+ fetchScript = ''
+ [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
+ simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile"
+ '';
+ };
+
+ # this doesn't need to be a secret and can be generated at install time
+ # but it makes it easier to install.
+ # it's stored in /nix store anyway
+ initrd_ssh_host_ed25519_key = {
+ path = "/initrd_ssh_host_ed25519_key";
+ permissions = "600";
+ fetchScript = ''
+ simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private | base64 -d > "$secretFile"
+ '';
+ };
+
+ # B2 Keys for all backups
+ restic_backups_env = {
+ fetchScript = ''
+ cat << EOF > "$secretFile"
+ AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
+ AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
+ EOF
+ '';
+ };
+
+ restic_password_social = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
+ '';
+ };
+
+ gotosocial_env = {
+ fetchScript = ''
+ smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+ echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
+ '';
+ };
+
+ restic_password_forgejo = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
+ '';
+ };
+
+ mpd_control_password = {
+ user = "mpd";
+ group = "mpd";
+ fetchScript = ''
+ simple_get "/api-keys/mpd" .password > "$secretFile"
+ '';
+ };
+
+ music_stream_passwd = {
+ user = "nginx";
+ group = "nginx";
+ fetchScript = ''
+ username=$(simple_get "/api-keys/music-stream" .username)
+ password=$(simple_get "/api-keys/music-stream" .password)
+ htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
+ '';
+ };
+
+ radicale_htpasswd = {
+ user = "radicale";
+ group = "radicale";
+ fetchScript = ''
+ if [ -f "$secretFile" ]; then
+ rm "$secretFile"
+ fi
+
+ touch "$secretFile"
+
+ data=$(kv_get "/api-keys/radicale" | base64)
+ for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
+ password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
+ htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
+ done
+ '';
+ };
+
+ restic_password_radicale = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
+ '';
+ };
+
+ restic_password_vault = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
+ '';
+ };
+ };
+ };
+}
diff --git a/scripts/deploy/raspberry-pi5.sh b/scripts/deploy/raspberry-pi5.sh
new file mode 100755
index 0000000..88e5f9f
--- /dev/null
+++ b/scripts/deploy/raspberry-pi5.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+cd $(git rev-parse --show-toplevel)
+
+DEFAULT_HOST="root@192.168.178.26"
+TARGET_HOST=${HOST:-${DEFAULT_HOST}}
+nixos-rebuild switch --flake .#raspberry-pi5 --target-host "$TARGET_HOST" --impure --no-build-nix --fast --use-substitutes -s "$@"
\ No newline at end of file