diff --git a/data/piped/pipedClusterConfig.nix b/data/piped/pipedClusterConfig.nix index c0e3e79..43278e1 100644 --- a/data/piped/pipedClusterConfig.nix +++ b/data/piped/pipedClusterConfig.nix @@ -7,30 +7,24 @@ in rec { hosts = { # map of hostname to config for cluster node "piped-fi" = rec { - ip = "${internalWireGuard.hosts.hetzner-vm.ip}"; + ip = "${internalWireGuard.hosts.hetzner-arm.ip}"; - # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm + # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-arm joinString = "${ip}:${toString ports.cockroachDB}"; advertiseAddr = joinString; + resticName = "piped-finland"; resticBucket = "Piped-Finland"; - - vaultUserName = "hetzner-vm-container-piped-fi"; - baseDomain = "piped-fi.owo.monster"; }; "piped-uk" = rec { ip = "${internalWireGuard.hosts.raspberry.ip}"; - # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 raspberry joinString = "${ip}:${toString ports.cockroachDB}"; advertiseAddr = joinString; - + resticName = "piped-uk"; resticBucket = "Piped-UK"; - - vaultUserName = "rapsberry-container-piped-uk"; - baseDomain = "piped-uk.owo.monster"; }; }; diff --git a/data/serverIPs.nix b/data/serverIPs.nix index 767fe26..3f47067 100644 --- a/data/serverIPs.nix +++ b/data/serverIPs.nix @@ -1,8 +1,4 @@ rec { - "hetzner-vm" = { - ipv4 = "65.21.182.73"; - ipv6 = "2a01:4f9:c010:8beb::1"; - }; "hetzner-arm" = { ipv4 = "65.21.145.62"; ipv6 = "2a01:4f9:c012:9dbf::1"; diff --git a/data/wireguard/chaosInternalWireGuard.nix b/data/wireguard/chaosInternalWireGuard.nix index 41e7fa9..e0d7caf 100644 --- a/data/wireguard/chaosInternalWireGuard.nix +++ b/data/wireguard/chaosInternalWireGuard.nix @@ -2,10 +2,10 @@ let pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json); in rec { hosts = { - "hetzner-vm" = { + "hetzner-arm" = { ip = "10.69.42.1"; - public = pubkeys."hetzner-vm"; - endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; + public = pubkeys."hetzner-arm"; + endpoint = "hetzner-arm.servers.genderfucked.monster:51820"; }; "vault" = { ip = "10.69.42.2"; @@ -25,11 +25,5 @@ in rec { public = pubkeys."raspberry"; endpoint = "raspberry.servers.genderfucked.monster:51820"; }; - # TODO: make this .1 again after migration like hetzner-vm - "hetzner-arm" = { - ip = "10.69.42.6"; - public = pubkeys."hetzner-arm"; - endpoint = "hetzner-arm.servers.genderfucked.monster:51820"; - }; }; } diff --git a/data/wireguard/chaosInternalWireGuardPubKeys.json b/data/wireguard/chaosInternalWireGuardPubKeys.json index 29a892c..f917721 100644 --- a/data/wireguard/chaosInternalWireGuardPubKeys.json +++ b/data/wireguard/chaosInternalWireGuardPubKeys.json @@ -1,5 +1,4 @@ { - "hetzner-vm": "xgOQQcZQXftPC25+A7Iyf/XK6/iSo3Osyx6kTrZKdzw=", "vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=", "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=", "lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=", diff --git a/flake.lock b/flake.lock index 342e2e2..4802453 100644 --- a/flake.lock +++ b/flake.lock @@ -93,11 +93,11 @@ ] }, "locked": { - "lastModified": 1694643239, - "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=", + "lastModified": 1695224363, + "narHash": "sha256-+hfjJLUMck5G92RVFDZA7LWkR3kOxs5zQ7RPW9t3eM8=", "owner": "nix-community", "repo": "home-manager", - "rev": "d9b88b43524db1591fb3d9410a21428198d75d49", + "rev": "408ba13188ff9ce309fa2bdd2f81287d79773b00", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694669921, - "narHash": "sha256-6ESpJ6FsftHV96JO/zn6je07tyV2dlLR7SdLsmkegTY=", + "lastModified": 1694959747, + "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f2ea252d23ebc9a5336bf6a61e0644921f64e67c", + "rev": "970a59bd19eff3752ce552935687100c46e820a5", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nur": { "locked": { - "lastModified": 1694778311, - "narHash": "sha256-Hu5U9pXwMqUjWF7uh4SKqdKy1QMy9RVGxmst11srSgA=", + "lastModified": 1695239195, + "narHash": "sha256-0wA8qj7pssnjYAHyt57Js+i96qycM6b0cYXy/nzpBCc=", "owner": "nix-community", "repo": "NUR", - "rev": "7a673ac1f35648a908730206a2793b0e3818bc25", + "rev": "e088ab8be212d3c2c5eeb36bac25d384b4dda779", "type": "github" }, "original": { @@ -176,11 +176,11 @@ ] }, "locked": { - "lastModified": 1695142252, - "narHash": "sha256-rcYxKVb6Mpna3xNSwRHMw/Yzw3tky0+JuMLM5qoBiUw=", + "lastModified": 1695255877, + "narHash": "sha256-QKRrwgVS0hHP34IqxjdTC0Lpp7mBVeqFNX22Lbqgmh8=", "owner": "ChaotiCryptidz", "repo": "piped-flake", - "rev": "994a8e983eef9071d73c9b2daad9bd42aac0b1aa", + "rev": "76f688b1e63ce9ef2b2435cd64e30d10d98fa9cd", "type": "gitlab" }, "original": { diff --git a/home/base/ssh.nix b/home/base/ssh.nix index 788d0a7..b6c6fdc 100644 --- a/home/base/ssh.nix +++ b/home/base/ssh.nix @@ -7,22 +7,22 @@ inherit (lib.lists) forEach; inherit (builtins) attrNames; - containerAddresses = import "${self}/hosts/hetzner-vm/data/containerAddresses.nix"; + containerAddresses = import "${self}/hosts/hetzner-arm/data/containerAddresses.nix"; in { programs.ssh.enable = true; programs.ssh.matchBlocks = mkMerge - ((forEach ["hetzner-vm" "vault" "raspberry" "vault-decrypt"] (hostname: { + ((forEach ["hetzner-arm" "hetzner-arm-decrypt" "vault" "vault-decrypt" "raspberry"] (hostname: { "${hostname}" = { user = "root"; hostname = "${hostname}.servers.genderfucked.monster"; }; })) ++ (forEach (attrNames containerAddresses.containers) (name: { - "hetzner-vm-container-${name}" = { + "hetzner-arm-container-${name}" = { user = "root"; hostname = "${containerAddresses.containers.${name}}"; - proxyJump = "hetzner-vm"; + proxyJump = "hetzner-arm"; }; })) ++ [ diff --git a/hosts/hetzner-vm/containers/mail/default.nix b/hosts/hetzner-arm/containers/mail/default.nix similarity index 52% rename from hosts/hetzner-vm/containers/mail/default.nix rename to hosts/hetzner-arm/containers/mail/default.nix index 729fdd0..389b0a2 100644 --- a/hosts/hetzner-vm/containers/mail/default.nix +++ b/hosts/hetzner-arm/containers/mail/default.nix @@ -8,8 +8,7 @@ hostPath, ... }: let - inherit (lib.modules) mkMerge; - inherit (lib.lists) forEach; + inherit (lib.modules) mkMerge mkForce; ports = [ # SMTP @@ -26,20 +25,6 @@ 4190 ]; - containerLib = import "${self}/lib/containerLib.nix" { - inherit lib; - }; - - # Using secrets from Host - secrets = config.services.secrets.secrets; - secretsList = [ - "mail_restic_password" - "mail_restic_env" - "private_mail_aliases" - "chaos_mail_passwd" - "system_mail_passwd" - "gotosocial_mail_passwd" - ]; sharedFiles = [ "/var/lib/acme/mail.owo.monster/fullchain.pem" "/var/lib/acme/mail.owo.monster/key.pem" @@ -48,74 +33,51 @@ in { containers.mail = { autoStart = true; - bindMounts = mkMerge [ - (containerLib.genBindHostsForSecrets secrets secretsList) - - (mkMerge (forEach sharedFiles (file: { + bindMounts = mkMerge (map (file: { "${file}" = { hostPath = "${file}"; }; - }))) - ]; + }) + sharedFiles); specialArgs = { inherit inputs; inherit tree; inherit self; inherit hostPath; - hostSecrets = secrets; }; - config = {config, ...}: { + config = {...}: { nixpkgs.pkgs = pkgs; imports = with tree; [ - profiles.base - inputs.home-manager-unstable.nixosModules.home-manager + presets.nixos.containerBase profiles.nginx - modules.nixos.secrets - users.root + ./secrets.nix ] - ++ (with hosts.hetzner-vm.containers.mail; [ + ++ (with hosts.hetzner-arm.containers.mail; [ modules.mailserver profiles.mailserver profiles.restic ]); - # For Shared Secrets systemd.tmpfiles.rules = [ - "d ${config.services.secrets.secretsDir} - root root" "d /var/lib/acme - root root" "d /var/lib/acme/mail.owo.monster - root root" ]; networking.firewall = { - enable = false; + enable = mkForce false; }; - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - - home.stateVersion = "23.05"; - }; - - # Manually configure nameserver. Using resolved inside the container seems to fail - # currently - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; }; - # users for secrets - users.users."dovecot2" = { - uid = config.ids.uids.dovecot2; - group = "dovecot2"; - }; - users.groups."dovecot2".gid = config.ids.gids.dovecot2; - # ssl for mail services.nginx = { enable = true; diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/default.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/default.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/dovecot.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/firewall.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/firewall.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/firewall.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/opendkim.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/opendkim.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/opendkim.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-ham.sh b/hosts/hetzner-arm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-ham.sh similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-ham.sh rename to hosts/hetzner-arm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-ham.sh diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-spam.sh b/hosts/hetzner-arm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-spam.sh similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-spam.sh rename to hosts/hetzner-arm/containers/mail/modules/mailserver/pipe_bin/rspam-learn-spam.sh diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/postfix.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/postfix.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/postfix.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/rspamd.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/rspamd.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/rspamd.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/spam_sieve/report-ham.sieve b/hosts/hetzner-arm/containers/mail/modules/mailserver/spam_sieve/report-ham.sieve similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/spam_sieve/report-ham.sieve rename to hosts/hetzner-arm/containers/mail/modules/mailserver/spam_sieve/report-ham.sieve diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/spam_sieve/report-spam.sieve b/hosts/hetzner-arm/containers/mail/modules/mailserver/spam_sieve/report-spam.sieve similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/spam_sieve/report-spam.sieve rename to hosts/hetzner-arm/containers/mail/modules/mailserver/spam_sieve/report-spam.sieve diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/ssl.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/ssl.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/ssl.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/vmail.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/vmail.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/vmail.nix diff --git a/hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix b/hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix similarity index 100% rename from hosts/hetzner-vm/containers/mail/modules/mailserver/webmail.nix rename to hosts/hetzner-arm/containers/mail/modules/mailserver/webmail.nix diff --git a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix b/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix similarity index 97% rename from hosts/hetzner-vm/containers/mail/profiles/mailserver.nix rename to hosts/hetzner-arm/containers/mail/profiles/mailserver.nix index 8f0caeb..d806ce5 100644 --- a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix +++ b/hosts/hetzner-arm/containers/mail/profiles/mailserver.nix @@ -1,9 +1,9 @@ { pkgs, - hostSecrets, + config, ... }: let - secrets = hostSecrets; + secrets = config.services.secrets.secrets; in { services.mailserver = { enable = true; diff --git a/hosts/hetzner-vm/containers/mail/profiles/restic.nix b/hosts/hetzner-arm/containers/mail/profiles/restic.nix similarity index 81% rename from hosts/hetzner-vm/containers/mail/profiles/restic.nix rename to hosts/hetzner-arm/containers/mail/profiles/restic.nix index 77e5632..b5512d1 100644 --- a/hosts/hetzner-vm/containers/mail/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/mail/profiles/restic.nix @@ -1,11 +1,12 @@ { pkgs, config, - hostSecrets, ... }: let - secrets = hostSecrets; + secrets = config.services.secrets.secrets; + mailConfig = config.services.mailserver; + backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' systemctl start postgresqlBackup-roundcube --wait @@ -16,8 +17,8 @@ in { restic (pkgs.writeShellScriptBin "restic-mail" '' env \ - RESTIC_PASSWORD_FILE=${secrets.mail_restic_password.path} \ - $(cat ${secrets.mail_restic_env.path}) \ + RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ + $(cat ${secrets.restic_env.path}) \ ${pkgs.restic}/bin/restic $@ '') ]; @@ -36,8 +37,8 @@ in { # repository is overrided in environmentFile to contain auth # make sure to keep up to date when changing repository repository = "rest:https://storage-restic.owo.monster/Mail"; - passwordFile = "${secrets.mail_restic_password.path}"; - environmentFile = "${secrets.mail_restic_env.path}"; + passwordFile = "${secrets.restic_password.path}"; + environmentFile = "${secrets.restic_env.path}"; pruneOpts = [ "--keep-last 5" diff --git a/hosts/hetzner-arm/containers/mail/secrets.nix b/hosts/hetzner-arm/containers/mail/secrets.nix new file mode 100644 index 0000000..145b8cb --- /dev/null +++ b/hosts/hetzner-arm/containers/mail/secrets.nix @@ -0,0 +1,75 @@ +{pkgs, ...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-arm-container-mail"; + }; + + autoSecrets = { + enable = true; + }; + + requiredVaultPaths = [ + "api-keys/data/storage/restic/Mail" + "api-keys/data/chaos_mail/system" + "api-keys/data/chaos_mail/gotosocial" + "passwords/data/mail" + "private-public-keys/data/restic/Mail" + "infra/data/private-mail-aliases" + ]; + + packages = with pkgs; [ + apacheHttpd + ]; + + secrets = { + vault_password = { + manual = true; + }; + + restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Mail" .password > "$secretFile" + ''; + }; + restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Mail" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Mail" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Mail" > "$secretFile" + ''; + }; + private_mail_aliases = { + fetchScript = '' + kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > "$secretFile" + ''; + }; + chaos_mail_passwd = { + user = "dovecot2"; + group = "dovecot2"; + fetchScript = '' + password=$(simple_get "/passwords/mail" .password) + htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" + ''; + }; + system_mail_passwd = { + user = "dovecot2"; + group = "dovecot2"; + fetchScript = '' + password=$(simple_get "/api-keys/chaos_mail/system" .password) + htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" + ''; + }; + gotosocial_mail_passwd = { + user = "dovecot2"; + group = "dovecot2"; + fetchScript = '' + password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password) + htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/hetzner-vm/containers/music/data/ports.nix b/hosts/hetzner-arm/containers/music/data/ports.nix similarity index 100% rename from hosts/hetzner-vm/containers/music/data/ports.nix rename to hosts/hetzner-arm/containers/music/data/ports.nix diff --git a/hosts/hetzner-vm/containers/music/default.nix b/hosts/hetzner-arm/containers/music/default.nix similarity index 74% rename from hosts/hetzner-vm/containers/music/default.nix rename to hosts/hetzner-arm/containers/music/default.nix index 9168698..fa15178 100644 --- a/hosts/hetzner-vm/containers/music/default.nix +++ b/hosts/hetzner-arm/containers/music/default.nix @@ -4,50 +4,40 @@ tree, lib, inputs, - config, pkgs, + config, ... }: let inherit (lib.modules) mkMerge; inherit (lib.lists) forEach; + containerName = "music"; + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; hostIP = containerAddresses.host; containerIP = containerAddresses.containers.${containerName}; - containerName = "music"; - containerConfig = config.containers.${containerName}.config; - - containerLib = import "${self}/lib/containerLib.nix" { - inherit lib; - }; - - # Using secrets from Host - secrets = config.services.secrets.secrets; - secretsList = [ - "mpd_control_password" - "slskd_env" - ]; - ports = import ./data/ports.nix; + + # these secrets should probs be in host but im lazy + containerSecrets = config.containers.${containerName}.config.services.secrets.secrets; + pathInContainer = path: "/var/lib/nixos-containers/${containerName}" + path; in { containers.music = { autoStart = true; privateNetwork = true; hostAddress = hostIP; localAddress = containerIP; - bindMounts = containerLib.genBindHostsForSecrets secrets secretsList; specialArgs = { inherit inputs; inherit tree; inherit self; inherit hostPath; - hostSecrets = secrets; }; - config = {config, ...}: { + config = {...}: { nixpkgs.pkgs = pkgs; imports = with tree; @@ -58,8 +48,10 @@ in { profiles.nginx profiles.firewallAllow.httpCommon + + ./secrets.nix ] - ++ (with hosts.hetzner-vm.containers.music; [ + ++ (with hosts.hetzner-arm.containers.music; [ profiles.mpd profiles.musicSync profiles.soulseek @@ -75,11 +67,6 @@ in { slskd-web ]; - # For Shared Secrets - systemd.tmpfiles.rules = [ - "d ${config.services.secrets.secretsDir} - root root" - ]; - home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; @@ -97,7 +84,7 @@ in { services.nginx.virtualHosts."stream.owo.monster" = let extraConfig = '' auth_basic "Music Password"; - auth_basic_user_file ${secrets.music_stream_passwd.path}; + auth_basic_user_file ${pathInContainer containerSecrets.music_stream_passwd.path}; ''; in { forceSSL = true; @@ -118,15 +105,6 @@ in { }))); }; - # For permissions of secrets - users.users."mpd" = { - uid = containerConfig.ids.uids.mpd; - group = "mpd"; - }; - users.groups."mpd" = { - gid = containerConfig.ids.gids.mpd; - }; - networking = { nat.forwardPorts = [ { diff --git a/hosts/hetzner-vm/containers/music/profiles/mpd.nix b/hosts/hetzner-arm/containers/music/profiles/mpd.nix similarity index 96% rename from hosts/hetzner-vm/containers/music/profiles/mpd.nix rename to hosts/hetzner-arm/containers/music/profiles/mpd.nix index ea60f26..d8d949c 100644 --- a/hosts/hetzner-vm/containers/music/profiles/mpd.nix +++ b/hosts/hetzner-arm/containers/music/profiles/mpd.nix @@ -1,14 +1,14 @@ { lib, pkgs, - hostSecrets, + config, ... }: let inherit (lib.strings) concatStringsSep; inherit (lib.lists) forEach; ports = import ../data/ports.nix; - secrets = hostSecrets; + secrets = config.services.secrets.secrets; in { environment.systemPackages = with pkgs; [ mpc_cli diff --git a/hosts/hetzner-vm/containers/music/profiles/musicSync.nix b/hosts/hetzner-arm/containers/music/profiles/musicSync.nix similarity index 100% rename from hosts/hetzner-vm/containers/music/profiles/musicSync.nix rename to hosts/hetzner-arm/containers/music/profiles/musicSync.nix diff --git a/hosts/hetzner-vm/containers/music/profiles/soulseek.nix b/hosts/hetzner-arm/containers/music/profiles/soulseek.nix similarity index 94% rename from hosts/hetzner-vm/containers/music/profiles/soulseek.nix rename to hosts/hetzner-arm/containers/music/profiles/soulseek.nix index 9994e66..4f66336 100644 --- a/hosts/hetzner-vm/containers/music/profiles/soulseek.nix +++ b/hosts/hetzner-arm/containers/music/profiles/soulseek.nix @@ -1,10 +1,10 @@ { lib, - hostSecrets, + config, ... }: let ports = import ../data/ports.nix; - secrets = hostSecrets; + secrets = config.services.secrets.secrets; inherit (lib.modules) mkForce; in { diff --git a/hosts/hetzner-arm/containers/music/secrets.nix b/hosts/hetzner-arm/containers/music/secrets.nix new file mode 100644 index 0000000..1bdf745 --- /dev/null +++ b/hosts/hetzner-arm/containers/music/secrets.nix @@ -0,0 +1,57 @@ +{pkgs, ...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-arm-container-music"; + }; + + autoSecrets = { + enable = true; + }; + + requiredVaultPaths = [ + "api-keys/data/mpd" + "api-keys/data/music-stream" + "passwords/data/soulseek" + "passwords/data/slskd" + ]; + + packages = with pkgs; [ + apacheHttpd + ]; + + secrets = { + vault_password = { + manual = true; + }; + + mpd_control_password = { + user = "mpd"; + group = "mpd"; + fetchScript = '' + simple_get "/api-keys/mpd" .password > "$secretFile" + ''; + }; + music_stream_passwd = { + user = "nginx"; + group = "nginx"; + fetchScript = '' + username=$(simple_get "/api-keys/music-stream" .username) + password=$(simple_get "/api-keys/music-stream" .password) + htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null + ''; + }; + slskd_env = { + fetchScript = '' + soulseek_password=$(simple_get "/passwords/soulseek" .password) + slskd_password=$(simple_get "/passwords/slskd" .password) + echo > "$secretFile" + echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> "$secretFile" + echo "SLSKD_PASSWORD=$slskd_password" >> "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/hetzner-vm/containers/piped-fi/default.nix b/hosts/hetzner-arm/containers/piped-fi/default.nix similarity index 76% rename from hosts/hetzner-vm/containers/piped-fi/default.nix rename to hosts/hetzner-arm/containers/piped-fi/default.nix index 3bda899..5012311 100644 --- a/hosts/hetzner-vm/containers/piped-fi/default.nix +++ b/hosts/hetzner-arm/containers/piped-fi/default.nix @@ -5,10 +5,12 @@ inputs, config, pkgs, + lib, ... }: let + inherit (lib.modules) mkForce; + containerName = "piped-fi"; - containerConfig = config.containers.${containerName}.config; pipedSocketForComponent = ( component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" @@ -28,26 +30,23 @@ in { config = {...}: { nixpkgs.pkgs = pkgs; - imports = with tree; - [ - presets.nixos.containerBase + imports = with tree; [ + presets.nixos.containerBase - profiles.nginx - profiles.firewallAllow.httpCommon + profiles.nginx + profiles.firewallAllow.httpCommon - profiles.pipedCluster + profiles.pipedCluster - ./secrets.nix - ] - ++ (with hosts.hetzner-vm.containers.piped-fi.profiles; [ - restic - ]); + ./secrets.nix + ]; - # For Shared Secrets systemd.tmpfiles.rules = [ "d /var/lib/cockroachdb-certs - root root" ]; + networking.firewall.enable = mkForce false; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; diff --git a/hosts/hetzner-vm/containers/piped-fi/secrets.nix b/hosts/hetzner-arm/containers/piped-fi/secrets.nix similarity index 97% rename from hosts/hetzner-vm/containers/piped-fi/secrets.nix rename to hosts/hetzner-arm/containers/piped-fi/secrets.nix index 25dd676..2f58c76 100644 --- a/hosts/hetzner-vm/containers/piped-fi/secrets.nix +++ b/hosts/hetzner-arm/containers/piped-fi/secrets.nix @@ -4,7 +4,7 @@ vaultLogin = { enable = true; - loginUsername = "hetzner-vm-container-piped-fi"; + loginUsername = "hetzner-arm-container-piped-fi"; }; autoSecrets = { diff --git a/hosts/hetzner-vm/containers/quassel/default.nix b/hosts/hetzner-arm/containers/quassel/default.nix similarity index 64% rename from hosts/hetzner-vm/containers/quassel/default.nix rename to hosts/hetzner-arm/containers/quassel/default.nix index 86e5654..5fec4da 100644 --- a/hosts/hetzner-vm/containers/quassel/default.nix +++ b/hosts/hetzner-arm/containers/quassel/default.nix @@ -2,7 +2,6 @@ self, hostPath, tree, - lib, inputs, config, pkgs, @@ -11,34 +10,21 @@ containerAddresses = import "${hostPath}/data/containerAddresses.nix"; hostIP = containerAddresses.host; containerIP = containerAddresses.containers.quassel; - - containerLib = import "${self}/lib/containerLib.nix" { - inherit lib; - }; - - # Using secrets from Host - secrets = config.services.secrets.secrets; - secretsList = [ - "quassel_restic_env" - "quassel_restic_password" - ]; in { containers.quassel = { autoStart = true; privateNetwork = true; hostAddress = hostIP; localAddress = containerIP; - bindMounts = containerLib.genBindHostsForSecrets secrets secretsList; specialArgs = { inherit inputs; inherit tree; inherit self; inherit hostPath; - hostSecrets = secrets; }; - config = {config, ...}: { + config = {...}: { nixpkgs.pkgs = pkgs; imports = with tree; @@ -46,17 +32,14 @@ in { presets.nixos.containerBase profiles.sshd profiles.firewallAllow.ssh + + ./secrets.nix ] - ++ (with hosts.hetzner-vm.containers.quassel.profiles; [ + ++ (with hosts.hetzner-arm.containers.quassel.profiles; [ quassel restic ]); - # For Shared Secrets - systemd.tmpfiles.rules = [ - "d ${config.services.secrets.secretsDir} - root root" - ]; - networking.firewall.allowedTCPPorts = [4242]; home-manager.users.root.home.stateVersion = "23.05"; diff --git a/hosts/hetzner-vm/containers/quassel/profiles/quassel.nix b/hosts/hetzner-arm/containers/quassel/profiles/quassel.nix similarity index 100% rename from hosts/hetzner-vm/containers/quassel/profiles/quassel.nix rename to hosts/hetzner-arm/containers/quassel/profiles/quassel.nix diff --git a/hosts/hetzner-vm/containers/quassel/profiles/restic.nix b/hosts/hetzner-arm/containers/quassel/profiles/restic.nix similarity index 78% rename from hosts/hetzner-vm/containers/quassel/profiles/restic.nix rename to hosts/hetzner-arm/containers/quassel/profiles/restic.nix index 3819175..7cb7b2e 100644 --- a/hosts/hetzner-vm/containers/quassel/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/quassel/profiles/restic.nix @@ -1,9 +1,9 @@ { pkgs, - hostSecrets, + config, ... }: let - secrets = hostSecrets; + secrets = config.services.secrets.secrets; backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' @@ -15,8 +15,8 @@ in { restic (pkgs.writeShellScriptBin "restic-quassel" '' env \ - RESTIC_PASSWORD_FILE=${secrets.quassel_restic_password.path} \ - $(cat ${secrets.quassel_restic_env.path}) \ + RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ + $(cat ${secrets.restic_env.path}) \ ${pkgs.restic}/bin/restic $@ '') ]; @@ -31,8 +31,8 @@ in { # repository is overrided in environmentFile to contain auth # make sure to keep up to date when changing repository repository = "rest:https://storage-restic.owo.monster/Quassel"; - passwordFile = "${secrets.quassel_restic_password.path}"; - environmentFile = "${secrets.quassel_restic_env.path}"; + passwordFile = "${secrets.restic_password.path}"; + environmentFile = "${secrets.restic_env.path}"; pruneOpts = [ "--keep-last 5" diff --git a/hosts/hetzner-arm/containers/quassel/secrets.nix b/hosts/hetzner-arm/containers/quassel/secrets.nix new file mode 100644 index 0000000..eb5c55d --- /dev/null +++ b/hosts/hetzner-arm/containers/quassel/secrets.nix @@ -0,0 +1,38 @@ +{...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-arm-container-quassel"; + }; + + autoSecrets = { + enable = true; + }; + + requiredVaultPaths = [ + "api-keys/data/storage/restic/Quassel" + "private-public-keys/data/restic/Quassel" + ]; + + secrets = { + vault_password = { + manual = true; + }; + + restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile" + ''; + }; + restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Quassel" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/hetzner-arm/containers/social/default.nix b/hosts/hetzner-arm/containers/social/default.nix new file mode 100644 index 0000000..60d472b --- /dev/null +++ b/hosts/hetzner-arm/containers/social/default.nix @@ -0,0 +1,70 @@ +{ + self, + hostPath, + tree, + inputs, + config, + pkgs, + ... +}: let + containerAddresses = import "${hostPath}/data/containerAddresses.nix"; + hostIP = containerAddresses.host; + containerIP = containerAddresses.containers.social; +in { + containers.social = { + autoStart = true; + privateNetwork = true; + hostAddress = hostIP; + localAddress = containerIP; + + specialArgs = { + inherit inputs; + inherit tree; + inherit self; + inherit hostPath; + }; + + config = {...}: { + nixpkgs.pkgs = pkgs; + + imports = with tree; + [ + presets.nixos.containerBase + profiles.sshd + profiles.firewallAllow.ssh + + ./secrets.nix + ] + ++ (with hosts.hetzner-arm.containers.social.profiles; [ + gotosocial + restic + ]); + + networking.firewall = { + enable = true; + allowedTCPPorts = [8080]; + }; + + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; + }; + }; + + services.nginx.virtualHosts."gts-01.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${containerIP}:8080"; + proxyWebsockets = true; + extraConfig = '' + # uncomment if running nginx without recommendedProxySettings + # proxy_set_header Host $host; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + extraConfig = '' + client_max_body_size 128M; + ''; + }; +} diff --git a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix similarity index 93% rename from hosts/hetzner-vm/containers/social/profiles/gotosocial.nix rename to hosts/hetzner-arm/containers/social/profiles/gotosocial.nix index 853fd1a..66ed5a7 100644 --- a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix +++ b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix @@ -1,18 +1,18 @@ { hostPath, - hostSecrets, + config, ... }: let containerAddresses = import "${hostPath}/data/containerAddresses.nix"; hostIP = containerAddresses.host; containerIP = containerAddresses.containers.social; - secrets = hostSecrets; + secrets = config.services.secrets.secrets; in { services.gotosocial = { enable = true; setupPostgresqlDB = true; - environmentFile = secrets.social_env_secrets.path; + environmentFile = secrets.env_secrets.path; settings = { application-name = "chaos-gts"; diff --git a/hosts/hetzner-vm/containers/social/profiles/restic.nix b/hosts/hetzner-arm/containers/social/profiles/restic.nix similarity index 88% rename from hosts/hetzner-vm/containers/social/profiles/restic.nix rename to hosts/hetzner-arm/containers/social/profiles/restic.nix index 19ef053..9890b8e 100644 --- a/hosts/hetzner-vm/containers/social/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/social/profiles/restic.nix @@ -2,13 +2,12 @@ pkgs, config, lib, - hostSecrets, ... }: let inherit (lib.strings) concatStringsSep; inherit (lib.lists) forEach; - secrets = hostSecrets; + secrets = config.services.secrets.secrets; # Because gotosocial-admin isn't a seporate package we need to generate a seperate config # and duplicate the wrapper for use in a systemd unit @@ -48,8 +47,8 @@ in { restic (pkgs.writeShellScriptBin "restic-social" '' env \ - RESTIC_PASSWORD_FILE=${secrets.social_restic_password.path} \ - $(cat ${secrets.social_restic_env.path}) \ + RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ + $(cat ${secrets.restic_env.path}) \ ${pkgs.restic}/bin/restic $@ '') ]; @@ -64,8 +63,8 @@ in { # repository is overrided in environmentFile to contain auth # make sure to keep up to date when changing repository repository = "rest:https://storage-restic.owo.monster/Social"; - passwordFile = "${secrets.social_restic_password.path}"; - environmentFile = "${secrets.social_restic_env.path}"; + passwordFile = "${secrets.restic_password.path}"; + environmentFile = "${secrets.restic_env.path}"; pruneOpts = [ "--keep-last 10" diff --git a/hosts/hetzner-arm/containers/social/secrets.nix b/hosts/hetzner-arm/containers/social/secrets.nix new file mode 100644 index 0000000..2a0c8e7 --- /dev/null +++ b/hosts/hetzner-arm/containers/social/secrets.nix @@ -0,0 +1,47 @@ +{...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-arm-container-social"; + }; + + autoSecrets = { + enable = true; + }; + + requiredVaultPaths = [ + "private-public-keys/data/restic/Social" + + "api-keys/data/storage/restic/Social" + + "api-keys/data/chaos_mail/gotosocial" + ]; + + secrets = { + vault_password = { + manual = true; + }; + + restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Social" .password > "$secretFile" + ''; + }; + restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile" + ''; + }; + env_secrets = { + fetchScript = '' + smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password) + echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/hetzner-vm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix similarity index 83% rename from hosts/hetzner-vm/containers/storage/data/ports.nix rename to hosts/hetzner-arm/containers/storage/data/ports.nix index e2c7780..11328af 100644 --- a/hosts/hetzner-vm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix @@ -8,7 +8,8 @@ rclone_serve_restic_social = 4212; rclone_serve_restic_quassel = 4213; rclone_serve_restic_piped_finland = 4214; - rclone_serve_restic_mail = 4215; + rclone_serve_restic_piped_uk = 4215; + rclone_serve_restic_mail = 4216; rclone_serve_http_music = 4220; rclone_serve_http_public = 4221; diff --git a/hosts/hetzner-vm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix similarity index 81% rename from hosts/hetzner-vm/containers/storage/default.nix rename to hosts/hetzner-arm/containers/storage/default.nix index c622939..1907591 100644 --- a/hosts/hetzner-vm/containers/storage/default.nix +++ b/hosts/hetzner-arm/containers/storage/default.nix @@ -36,20 +36,14 @@ in { imports = with tree; [ - profiles.base - inputs.home-manager-unstable.nixosModules.home-manager + presets.nixos.containerBase profiles.sshd - - modules.nixos.rclone-serve - modules.nixos.rclone-sync - modules.nixos.secrets + profiles.firewallAllow.ssh ./secrets.nix - - users.root ] - ++ (with hosts.hetzner-vm.containers.storage.profiles; [ + ++ (with hosts.hetzner-arm.containers.storage.profiles; [ rcloneConfigs rcloneServe rcloneSync @@ -58,20 +52,12 @@ in { environment.systemPackages = with pkgs; [rclone]; - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - home.packages = with pkgs; [vault-bin]; - home.stateVersion = "23.05"; - }; - networking.firewall = { enable = true; allowedTCPPorts = attrValues ports; }; - # Manually configure nameserver. Using resolved inside the container seems to fail - # currently - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; }; @@ -110,6 +96,7 @@ in { "/Social/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_social}"; "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}"; "/Piped-Finland/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_finland}"; + "/Piped-UK/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped_uk}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}"; }; extraConfig = '' diff --git a/hosts/hetzner-vm/containers/storage/profiles/rcloneConfigs.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneConfigs.nix similarity index 100% rename from hosts/hetzner-vm/containers/storage/profiles/rcloneConfigs.nix rename to hosts/hetzner-arm/containers/storage/profiles/rcloneConfigs.nix diff --git a/hosts/hetzner-vm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix similarity index 92% rename from hosts/hetzner-vm/containers/storage/profiles/rcloneServe.nix rename to hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix index e9901b1..2ad69c8 100644 --- a/hosts/hetzner-vm/containers/storage/profiles/rcloneServe.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix @@ -126,6 +126,16 @@ in { "--baseurl=/Piped-Finland/" ]; } + { + id = "restic-piped-uk"; + remote = "StorageBox:Backups/Restic/Piped-UK"; + type = "restic"; + extraArgs = [ + "--addr=0.0.0.0:${toString ports.rclone_serve_restic_piped_uk}" + "--htpasswd=${secrets.restic_piped_uk_htpasswd.path}" + "--baseurl=/Piped-UK/" + ]; + } { id = "restic-mail"; remote = "StorageBox:Backups/Restic/Mail"; diff --git a/hosts/hetzner-vm/containers/storage/profiles/rcloneSync.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix similarity index 100% rename from hosts/hetzner-vm/containers/storage/profiles/rcloneSync.nix rename to hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix diff --git a/hosts/hetzner-vm/containers/storage/profiles/users.nix b/hosts/hetzner-arm/containers/storage/profiles/users.nix similarity index 100% rename from hosts/hetzner-vm/containers/storage/profiles/users.nix rename to hosts/hetzner-arm/containers/storage/profiles/users.nix diff --git a/hosts/hetzner-vm/containers/storage/rclone_config.template b/hosts/hetzner-arm/containers/storage/rclone_config.template similarity index 100% rename from hosts/hetzner-vm/containers/storage/rclone_config.template rename to hosts/hetzner-arm/containers/storage/rclone_config.template diff --git a/hosts/hetzner-vm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix similarity index 93% rename from hosts/hetzner-vm/containers/storage/secrets.nix rename to hosts/hetzner-arm/containers/storage/secrets.nix index 26a82fa..75d4b27 100644 --- a/hosts/hetzner-vm/containers/storage/secrets.nix +++ b/hosts/hetzner-arm/containers/storage/secrets.nix @@ -1,17 +1,10 @@ -{ - config, - pkgs, - ... -}: let - cfg = config.services.secrets; -in { +{pkgs, ...}: { services.secrets = { enable = true; vaultLogin = { enable = true; - loginUsername = "hetzner-vm-container-storage"; - loginPasswordFile = cfg.secrets.vault_password.path; + loginUsername = "hetzner-arm-container-storage"; }; autoSecrets = { @@ -36,6 +29,7 @@ in { "api-keys/data/storage/restic/Social" "api-keys/data/storage/restic/Quassel" "api-keys/data/storage/restic/Piped-Finland" + "api-keys/data/storage/restic/Piped-UK" "api-keys/data/storage/restic/Mail" "api-keys/data/storage/webdav/main" @@ -51,14 +45,6 @@ in { rclone ]; - uidMap = { - "storage" = config.users.users."storage".uid; - }; - - gidMap = { - "storage" = config.users.groups."storage".gid; - }; - extraFunctions = '' replace_slash_for_sed() { sed "s#/#\\\/#" @@ -142,6 +128,16 @@ in { ''; }; + restic_piped_uk_htpasswd = { + user = "storage"; + group = "storage"; + fetchScript = '' + username=$(simple_get "/api-keys/storage/restic/Piped-UK" .username) + password=$(simple_get "/api-keys/storage/restic/Piped-UK" .password) + htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null + ''; + }; + restic_mail_htpasswd = { user = "storage"; group = "storage"; diff --git a/hosts/hetzner-vm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix similarity index 85% rename from hosts/hetzner-vm/data/containerAddresses.nix rename to hosts/hetzner-arm/data/containerAddresses.nix index cda8486..3d1cbe2 100644 --- a/hosts/hetzner-vm/data/containerAddresses.nix +++ b/hosts/hetzner-arm/data/containerAddresses.nix @@ -5,6 +5,5 @@ social = "192.168.100.12"; music = "192.168.100.13"; quassel = "192.168.100.14"; - piped = "192.168.100.15"; }; } diff --git a/hosts/hetzner-arm/hardware.nix b/hosts/hetzner-arm/hardware.nix index f33626b..2b0447b 100644 --- a/hosts/hetzner-arm/hardware.nix +++ b/hosts/hetzner-arm/hardware.nix @@ -3,4 +3,4 @@ systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; -} \ No newline at end of file +} diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix index f0b2c9a..1771883 100644 --- a/hosts/hetzner-arm/hetzner-arm.nix +++ b/hosts/hetzner-arm/hetzner-arm.nix @@ -11,25 +11,24 @@ in { presets.nixos.serverHetzner presets.nixos.serverEncryptedDrive - #profiles.nginx - #profiles.firewallAllow.httpCommon + profiles.nginx + profiles.firewallAllow.httpCommon - #profiles.chaosInternalWireGuard + profiles.chaosInternalWireGuard ./hardware.nix ./secrets.nix ] ++ (forEach [ - #"social" - #"storage" - #"music" - #"quassel" - #"piped-fi" - #"mail" + "social" + "storage" + "music" + "quassel" + "piped-fi" + "mail" ] (name: ./containers + "/${name}")) - ++ (with hosts.hetzner-vm.profiles; [ - #vaultUI - #gitlabStaticSites + ++ (with hosts.hetzner-arm.profiles; [ + gitlabStaticSites ]); # For Containers diff --git a/hosts/hetzner-vm/profiles/gitlabStaticSites.nix b/hosts/hetzner-arm/profiles/gitlabStaticSites.nix similarity index 100% rename from hosts/hetzner-vm/profiles/gitlabStaticSites.nix rename to hosts/hetzner-arm/profiles/gitlabStaticSites.nix diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix index bd215a6..be8d125 100644 --- a/hosts/hetzner-arm/secrets.nix +++ b/hosts/hetzner-arm/secrets.nix @@ -1,4 +1,4 @@ -{pkgs, ...}: { +{...}: { services.secrets = { enable = true; @@ -9,12 +9,13 @@ autoSecrets = { enable = true; - #affectedSystemdServices = [ - # "wg-quick-wg0" - #]; + affectedSystemdServices = [ + "wg-quick-wg0" + ]; }; requiredVaultPaths = [ + "private-public-keys/data/ssh/root@hetzner-arm" "private-public-keys/data/ssh/root@hetzner-arm-decrypt" "api-keys/data/gitlab/gitlab_pages_serve" @@ -25,11 +26,28 @@ manual = true; }; + ssh_host_ed25519_key = { + path = "/etc/ssh/ssh_host_ed25519_key"; + permissions = "600"; + fetchScript = '' + [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/" + simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile" + ''; + }; + ssh_host_ed25519_key_pub = { + path = "/etc/ssh/ssh_host_ed25519_key.pub"; + permissions = "600"; + fetchScript = '' + [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/" + simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile" + ''; + }; + # this doesn't need to be a secret and can be generated at install time # but it makes it easier to install. # it's stored in /nix store anyway - ssh_host_ed25519_key = { - path = "/ssh_host_ed25519_key"; + initrd_ssh_host_ed25519_key = { + path = "/initrd_ssh_host_ed25519_key"; permissions = "600"; fetchScript = '' simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private | base64 -d > "$secretFile" diff --git a/hosts/hetzner-vm/containers/social/default.nix b/hosts/hetzner-vm/containers/social/default.nix deleted file mode 100644 index cd7d08c..0000000 --- a/hosts/hetzner-vm/containers/social/default.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ - self, - hostPath, - tree, - inputs, - config, - pkgs, - ... -}: let - containerAddresses = import "${hostPath}/data/containerAddresses.nix"; - hostIP = containerAddresses.host; - containerIP = containerAddresses.containers.social; - - # Using secrets from Host - secrets = config.services.secrets.secrets; -in { - containers.social = { - autoStart = true; - privateNetwork = true; - hostAddress = hostIP; - localAddress = containerIP; - bindMounts = { - "${secrets.social_restic_password.path}" = { - hostPath = "${secrets.social_restic_password.path}"; - }; - "${secrets.social_restic_env.path}" = { - hostPath = "${secrets.social_restic_env.path}"; - }; - "${secrets.social_env_secrets.path}" = { - hostPath = "${secrets.social_env_secrets.path}"; - }; - }; - - specialArgs = { - inherit inputs; - inherit tree; - inherit self; - inherit hostPath; - hostSecrets = secrets; - }; - - config = {config, ...}: { - nixpkgs.pkgs = pkgs; - - imports = with tree; - [ - profiles.base - inputs.home-manager-unstable.nixosModules.home-manager - - profiles.sshd - - modules.nixos.secrets - - users.root - ] - ++ (with hosts.hetzner-vm.containers.social; [ - profiles.gotosocial - profiles.restic - ]); - - environment.systemPackages = with pkgs; [ - rclone - restic - ]; - - # For Shared Secrets - systemd.tmpfiles.rules = [ - "d ${config.services.secrets.secretsDir} - root root" - ]; - - networking.firewall = { - enable = true; - allowedTCPPorts = [22 8080]; - }; - - home-manager.users.root = { - imports = with tree; [home.base home.dev.small]; - home.stateVersion = "23.05"; - }; - - # Manually configure nameserver. Using resolved inside the container seems to fail - # currently - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; - system.stateVersion = "23.05"; - }; - }; - - services.nginx.virtualHosts."gts-01.owo.monster" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${containerIP}:8080"; - proxyWebsockets = true; - extraConfig = '' - # uncomment if running nginx without recommendedProxySettings - # proxy_set_header Host $host; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - extraConfig = '' - client_max_body_size 128M; - ''; - }; -} diff --git a/hosts/hetzner-vm/hardware.nix b/hosts/hetzner-vm/hardware.nix deleted file mode 100644 index 24b42fb..0000000 --- a/hosts/hetzner-vm/hardware.nix +++ /dev/null @@ -1,15 +0,0 @@ -{...}: { - boot.loader = { - grub = { - enable = true; - device = "/dev/sda"; - }; - }; - - boot.initrd.kernelModules = ["nvme"]; - - fileSystems."/" = { - device = "/dev/sda1"; - fsType = "ext4"; - }; -} diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix deleted file mode 100644 index d8c7f35..0000000 --- a/hosts/hetzner-vm/hetzner-vm.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ - tree, - lib, - ... -}: let - inherit (lib.lists) forEach; -in { - imports = with tree; - [ - presets.nixos.serverBase - presets.nixos.serverHetzner - - profiles.nginx - profiles.firewallAllow.httpCommon - - profiles.cross.arm64 - profiles.chaosInternalWireGuard - - ./hardware.nix - ./secrets.nix - ] - ++ (forEach [ - "social" - "storage" - "music" - "quassel" - "piped-fi" - "mail" - ] (name: ./containers + "/${name}")) - ++ (with hosts.hetzner-vm.profiles; [ - vaultUI - gitlabStaticSites - ]); - - # For Containers - networking.nat = { - enable = true; - internalInterfaces = ["ve-+"]; - externalInterface = "enp1s0"; - }; - - networking.hostName = "hetzner-vm"; - - home-manager.users.root.home.stateVersion = "23.05"; - system.stateVersion = "23.05"; -} diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix deleted file mode 100644 index 7f14ecb..0000000 --- a/hosts/hetzner-vm/secrets.nix +++ /dev/null @@ -1,171 +0,0 @@ -{pkgs, ...}: { - services.secrets = { - enable = true; - - vaultLogin = { - enable = true; - loginUsername = "hetzner-vm"; - }; - - autoSecrets = { - enable = true; - affectedSystemdServices = [ - "wg-quick-wg0" - "container@music" - "container@social" - "container@quassel" - "container@piped-fi" - ]; - }; - - packages = with pkgs; [ - # for music & mail passwd files - apacheHttpd - ]; - - requiredVaultPaths = [ - "api-keys/data/mpd" - "api-keys/data/music-stream" - - "api-keys/data/gitlab/gitlab_pages_serve" - - "api-keys/data/storage/restic/Mail" - "api-keys/data/storage/restic/Social" - "api-keys/data/storage/restic/Quassel" - - "api-keys/data/chaos_mail/system" - "api-keys/data/chaos_mail/gotosocial" - - "passwords/data/soulseek" - "passwords/data/slskd" - "passwords/data/mail" - - "private-public-keys/data/restic/Mail" - "private-public-keys/data/restic/Social" - "private-public-keys/data/restic/Quassel" - - "infra/data/private-mail-aliases" - ]; - - secrets = { - vault_password = { - manual = true; - }; - - # Used directly by server - # for fetching gitlab static sites - gitlab_env = { - user = "gitlab_artifacts_sync"; - group = "gitlab_artifacts_sync"; - fetchScript = '' - token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token) - echo "GITLAB_TOKEN=$token" > "$secretFile" - ''; - }; - - # Container: music - mpd_control_password = { - user = "mpd"; - group = "mpd"; - fetchScript = '' - simple_get "/api-keys/mpd" .password > "$secretFile" - ''; - }; - music_stream_passwd = { - user = "nginx"; - group = "nginx"; - fetchScript = '' - username=$(simple_get "/api-keys/music-stream" .username) - password=$(simple_get "/api-keys/music-stream" .password) - htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null - ''; - }; - slskd_env = { - fetchScript = '' - soulseek_password=$(simple_get "/passwords/soulseek" .password) - slskd_password=$(simple_get "/passwords/slskd" .password) - echo > "$secretFile" - echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> "$secretFile" - echo "SLSKD_PASSWORD=$slskd_password" >> "$secretFile" - ''; - }; - - # Container: mail - mail_restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/Mail" .password > "$secretFile" - ''; - }; - mail_restic_env = { - fetchScript = '' - RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Mail" .username) - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Mail" .password) - echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Mail" > "$secretFile" - ''; - }; - private_mail_aliases = { - fetchScript = '' - kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > "$secretFile" - ''; - }; - chaos_mail_passwd = { - user = "dovecot2"; - group = "dovecot2"; - fetchScript = '' - password=$(simple_get "/passwords/mail" .password) - htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" - ''; - }; - system_mail_passwd = { - user = "dovecot2"; - group = "dovecot2"; - fetchScript = '' - password=$(simple_get "/api-keys/chaos_mail/system" .password) - htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" - ''; - }; - gotosocial_mail_passwd = { - user = "dovecot2"; - group = "dovecot2"; - fetchScript = '' - password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password) - htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" - ''; - }; - - # Container: social - social_restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/Social" .password > "$secretFile" - ''; - }; - social_restic_env = { - fetchScript = '' - RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username) - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password) - echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile" - ''; - }; - social_env_secrets = { - fetchScript = '' - smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password) - echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile" - ''; - }; - - # Container: quassel - quassel_restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile" - ''; - }; - quassel_restic_env = { - fetchScript = '' - RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Quassel" .username) - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .password) - echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix index 3cdfdf4..8319806 100644 --- a/hosts/lappy-t495/lappy-t495.nix +++ b/hosts/lappy-t495/lappy-t495.nix @@ -9,7 +9,7 @@ presets.nixos.encryptedUSB profiles.cross.arm64 - #profiles.remote-builders + profiles.remoteBuilders profiles.chaosInternalWireGuard ./secrets.nix diff --git a/hosts/lappy-t495/secrets.nix b/hosts/lappy-t495/secrets.nix index a5d3ec6..aa72589 100644 --- a/hosts/lappy-t495/secrets.nix +++ b/hosts/lappy-t495/secrets.nix @@ -7,7 +7,7 @@ }; music_stream_password = { - user = 1000; + user = "chaos"; group = "users"; fetchScript = '' simple_get "/api-keys/music-stream" .password > "$secretFile" @@ -17,8 +17,6 @@ # Required for home.apps.manualBackupApps gitlab_archiver_token = { user = "chaos"; - group = "users"; - fetchScript = '' simple_get "/api-keys/gitlab/gitlab_archiver" .token > "$secretFile" ''; @@ -27,8 +25,6 @@ # Required for home.apps.manualBackupApps restic_music_env = { user = "chaos"; - group = "users"; - fetchScript = '' api_username=$(simple_get "/api-keys/storage/restic/Music" .username) api_password=$(simple_get "/api-keys/storage/restic/Music" .password) diff --git a/hosts/nixos.nix b/hosts/nixos.nix index 8949f6c..3a915c8 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -81,16 +81,6 @@ in { modules = defaultModules ++ [./hetzner-arm/hetzner-arm.nix]; }; - hetzner-vm = nixosUnstableSystem { - specialArgs = - defaultSpecialArgs - // { - hostPath = ./hetzner-vm; - }; - system = "x86_64-linux"; - modules = defaultModules ++ [./hetzner-vm/hetzner-vm.nix]; - }; - vault = nixosUnstableSystem { specialArgs = defaultSpecialArgs diff --git a/hosts/raspberry/containers/piped-uk/default.nix b/hosts/raspberry/containers/piped-uk/default.nix index 05acc3b..838fb5e 100644 --- a/hosts/raspberry/containers/piped-uk/default.nix +++ b/hosts/raspberry/containers/piped-uk/default.nix @@ -5,10 +5,12 @@ inputs, config, pkgs, + lib, ... }: let + inherit (lib.modules) mkForce; + containerName = "piped-uk"; - containerConfig = config.containers.${containerName}.config; pipedSocketForComponent = ( component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" @@ -39,11 +41,12 @@ in { ./secrets.nix ]; - # For Shared Secrets systemd.tmpfiles.rules = [ "d /var/lib/cockroachdb-certs - root root" ]; + networking.firewall.enable = mkForce false; + home-manager.users.root.home.stateVersion = "23.05"; system.stateVersion = "23.05"; }; diff --git a/hosts/raspberry/containers/piped-uk/secrets.nix b/hosts/raspberry/containers/piped-uk/secrets.nix index 13b450c..10dd61b 100644 --- a/hosts/raspberry/containers/piped-uk/secrets.nix +++ b/hosts/raspberry/containers/piped-uk/secrets.nix @@ -1,25 +1,17 @@ -{pkgs, ...}: { +{...}: { services.secrets = { enable = true; - packages = with pkgs; [rclone]; - vaultLogin = { enable = true; - loginUsername = "raspberry"; + loginUsername = "raspberry-container-piped-uk"; }; autoSecrets = { enable = true; - affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"]; + affectedSystemdServices = ["cockroachdb"]; }; - extraFunctions = '' - simple_get_obscure() { - rclone obscure "$(simple_get "$@")" - } - ''; - requiredVaultPaths = [ "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry" ]; @@ -29,7 +21,7 @@ manual = true; }; - piped_cockroachdb_ca_certificate = { + cockroachdb_ca_certificate = { user = "cockroachdb"; group = "cockroachdb"; permissions = "600"; @@ -42,7 +34,7 @@ | base64 -d > "$secretFile" ''; }; - piped_cockroachdb_node_certificate = { + cockroachdb_node_certificate = { user = "cockroachdb"; group = "cockroachdb"; permissions = "600"; @@ -55,7 +47,7 @@ | base64 -d > "$secretFile" ''; }; - piped_cockroachdb_node_key = { + cockroachdb_node_key = { user = "cockroachdb"; group = "cockroachdb"; permissions = "600"; diff --git a/hosts/hetzner-vm/profiles/vaultUI.nix b/hosts/vault/profiles/vaultUI.nix similarity index 100% rename from hosts/hetzner-vm/profiles/vaultUI.nix rename to hosts/vault/profiles/vaultUI.nix diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 5958009..3b4f43b 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix @@ -15,6 +15,7 @@ }; requiredVaultPaths = [ + "/private-public-keys/data/ssh/root@vault" "/private-public-keys/data/ssh/root@vault-decrypt" "private-public-keys/data/restic/Vault" @@ -27,11 +28,28 @@ manual = true; }; + ssh_host_ed25519_key = { + path = "/etc/ssh/ssh_host_ed25519_key"; + permissions = "600"; + fetchScript = '' + [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/" + simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile" + ''; + }; + ssh_host_ed25519_key_pub = { + path = "/etc/ssh/ssh_host_ed25519_key.pub"; + permissions = "600"; + fetchScript = '' + [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/" + simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile" + ''; + }; + # this doesn't need to be a secret and can be generated at install time # but it makes it easier to install. # it's stored in /nix store anyway - ssh_host_ed25519_key = { - path = "/ssh_host_ed25519_key"; + initrd_ssh_host_ed25519_key = { + path = "/initrd_ssh_host_ed25519_key"; permissions = "600"; fetchScript = '' simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile" diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix index 2c4c412..84b4b95 100644 --- a/hosts/vault/vault.nix +++ b/hosts/vault/vault.nix @@ -14,6 +14,7 @@ ] ++ (with hosts.vault.profiles; [ vault + vaultUI restic ]); diff --git a/modules/nixos/secrets.nix b/modules/nixos/secrets.nix index 92db7b7..832346b 100644 --- a/modules/nixos/secrets.nix +++ b/modules/nixos/secrets.nix @@ -8,7 +8,7 @@ inherit (lib.options) mkOption mkEnableOption; inherit (lib.lists) filter; inherit (lib) types; - inherit (builtins) isString listToAttrs; + inherit (builtins) isString listToAttrs attrNames; cfg = config.services.secrets; @@ -115,25 +115,79 @@ in { extraFunctions = mkOption { type = types.lines; default = ""; - description = "extra bash functions to add to top of script"; + description = "extra bash functions to add to top of script for init"; + }; + + extraCheckFunctions = mkOption { + type = types.lines; + default = ""; + description = "extra bash functions to add to top of script for check"; }; uidMap = mkOption { type = types.attrsOf types.int; - default = {}; - description = "optional mapping of users to user IDs; required for SYSROOT when user isn't available on host"; + default = listToAttrs (map ( + secretName: let + secretUserName = cfg.secrets.${secretName}.user; + in { + name = "${secretUserName}"; + value = config.users.users.${secretUserName}.uid; + } + ) (filter + (secretName: let + secret = cfg.secrets.${secretName}; + in + isString secret.user + && ( + if config.users.users ? "${secret.user}" + then true + else builtins.trace "warning: secrets module could not find a uid mapping for user ${secret.user}" false + )) + (attrNames cfg.secrets))); + description = '' + optional mapping of users to user IDs + required for SYSROOT when user isn't available on host + defaults to getting values from users.users..uid for all secrets with user set as string + ''; }; gidMap = mkOption { type = types.attrsOf types.int; - default = {}; - description = "optional mapping of groups to group IDs; required for SYSROOT when group isn't available on host"; + default = listToAttrs (map ( + secretName: let + secretGroupName = cfg.secrets.${secretName}.group; + in { + name = "${secretGroupName}"; + value = config.users.groups.${secretGroupName}.gid; + } + ) (filter + (secretName: let + secret = cfg.secrets.${secretName}; + in + isString secret.group + && ( + if config.users.groups ? "${secret.group}" + then true + else builtins.trace "warning: secrets module could not find a gid mapping for group ${secret.group}" false + )) + (attrNames cfg.secrets))); + description = '' + optional mapping of groups to group IDs + required for SYSROOT when group isn't available on host + defaults to getting values from users.groups..gid for all secrets with group set as string + ''; }; packages = mkOption { type = types.listOf types.package; default = []; - description = "packages for script"; + description = "packages for init script"; + }; + + checkPackages = mkOption { + type = types.listOf types.package; + default = []; + description = "packages for checkscript"; }; secrets = mkOption { @@ -241,7 +295,7 @@ in { // { auto-secrets.partOf = map (unitConfig: unitConfig.name + ".service") - (lib.filter + (filter (unitConfig: unitConfig.withPartOf) affectedSystemdServices); }; diff --git a/modules/nixos/secretsLib/lib.nix b/modules/nixos/secretsLib/lib.nix index a3e6980..b1027e7 100644 --- a/modules/nixos/secretsLib/lib.nix +++ b/modules/nixos/secretsLib/lib.nix @@ -195,6 +195,11 @@ stat --format "%a" "$1" 2>/dev/null } + emojiTick="✅" + emojiCross="❌" + + ${cfg.extraCheckFunctions} + GLOBAL_FAIL=false '' + (concatStringsSep "\n" (mapAttrsToList (_name: secret: let @@ -226,40 +231,40 @@ secretFile="$SYSROOT${secretPath}" if [[ -f "$SYSROOT${secretPath}" ]]; then - echo "✅ File Exists" + echo "$emojiTick File Exists" else - echo "❌ File Does Not Exist" + echo "$emojiCross File Does Not Exist" LOCAL_FAIL=true fi if getUserID "$SYSROOT${secretPath}" >/dev/null && ${userCheck}; then - echo "✅ File Is Owned By Correct User" + echo "$emojiTick File Is Owned By Correct User" else - echo "❌ File Is Not Owned By Correct User (${toString secretUser})" + echo "$emojiCross File Is Not Owned By Correct User (${toString secretUser})" LOCAL_FAIL=true fi if getGroupID "$SYSROOT${secretPath}" >/dev/null && ${groupCheck}; then - echo "✅ File Is Owned By Correct Group" + echo "$emojiTick File Is Owned By Correct Group" else - echo "❌ File Is Not Owned By Correct Group (${toString secretGroup})" + echo "$emojiCross File Is Not Owned By Correct Group (${toString secretGroup})" LOCAL_FAIL=true fi if getPermissions "$SYSROOT${secretPath}" >/dev/null && [[ "$(getPermissions "$SYSROOT${secretPath}")" -eq "${secretPermissions}" ]]; then - echo "✅ File Has Correct Permissions" + echo "$emojiTick File Has Correct Permissions" else - echo "❌ File Does Not Have Correct Permissions (${secretPermissions})" + echo "$emojiCross File Does Not Have Correct Permissions (${secretPermissions})" LOCAL_FAIL=true fi ${optionalString (secret.checkScript != null) secret.checkScript} if [[ "$LOCAL_FAIL" == "true" ]]; then - echo "❌ File Did Not Pass The Vibe Check" + echo "$emojiCross File Did Not Pass The Vibe Check" GLOBAL_FAIL=true else - echo "✅ File Passed The Vibe Check" + echo "$emojiTick File Passed The Vibe Check" fi echo @@ -267,10 +272,10 @@ cfg.secrets)) + '' if [[ "$GLOBAL_FAIL" == "true" ]]; then - echo "❌ One Or More Secrets Did Not Pass The Vibe Check" + echo "$emojiCross One Or More Secrets Did Not Pass The Vibe Check" exit 1 else - echo "✅ All Secrets Passed The Vibe Check" + echo "$emojiTick All Secrets Passed The Vibe Check" fi ''; }; @@ -319,7 +324,7 @@ in rec { scripts = genScripts cfg; in (writeShellApplication { name = scriptName; - runtimeInputs = defaultPackages ++ cfg.packages; + runtimeInputs = defaultPackages ++ cfg.checkPackages; text = scripts.checkScript; }) ); diff --git a/outputs.nix b/outputs.nix index 82bb496..d08e89e 100644 --- a/outputs.nix +++ b/outputs.nix @@ -18,6 +18,22 @@ in overlays = [ (import ./overlay) inputs.piped-flake.overlays.default + (_prev: final: { + piped-backend-deps = + final.piped-backend-deps.overrideAttrs + { + # Won't build due to this; added a native-arm64 to all builders on arm64 + # https://github.com/NixOS/nixpkgs/issues/255780 + requiredSystemFeatures = ["native-arm64"]; + }; + piped-backend = + final.piped-backend.overrideAttrs + { + # Won't build due to this; added a native-arm64 to all builders on arm64 + # https://github.com/NixOS/nixpkgs/issues/255780 + requiredSystemFeatures = ["native-arm64"]; + }; + }) ]; }; in @@ -124,18 +140,15 @@ in # All machines/containers with secrets.nix machines = rec { - "hetzner-vm" = { - containers = ["storage" "piped-fi"]; - sshAddress = "hetzner-vm.servers.genderfucked.monster"; - }; "hetzner-arm" = { - containers = ["storage" "piped-fi"]; - sshAddress = "hetzner-vm.servers.genderfucked.monster"; + containers = ["storage" "music" "quassel" "social" "mail" "piped-fi"]; + sshAddress = "hetzner-arm.servers.genderfucked.monster"; }; "vault" = { sshAddress = "vault.servers.genderfucked.monster"; }; "raspberry" = { + containers = ["piped-uk"]; sshAddress = "raspberry.servers.genderfucked.monster"; }; "lappy-t495" = {}; diff --git a/presets/nixos/serverEncryptedDrive.nix b/presets/nixos/serverEncryptedDrive.nix index 17287be..682490a 100644 --- a/presets/nixos/serverEncryptedDrive.nix +++ b/presets/nixos/serverEncryptedDrive.nix @@ -7,7 +7,7 @@ ... }: let inherit (lib.modules) mkForce; - inherit (lib.lists) optional; + inherit (lib.lists) optionals; system = pkgs.system; @@ -33,10 +33,10 @@ in { "dm_mod" "cryptd" ] - ++ (lib.optionals (system == "x86_64_linux") ["aesni_intel"]); + ++ (optionals (system == "x86_64_linux") ["aesni_intel"]); secrets = { - "/ssh_host_ed25519_key" = "/ssh_host_ed25519_key"; + "/ssh_host_ed25519_key" = mkForce "/initrd_ssh_host_ed25519_key"; }; luks = { diff --git a/profiles/base/nix.nix b/profiles/base/nix.nix index c46699c..cd756e5 100644 --- a/profiles/base/nix.nix +++ b/profiles/base/nix.nix @@ -1,10 +1,12 @@ { inputs, config, + pkgs, lib, ... }: let inherit (lib.strings) optionalString versionAtLeast; + inherit (lib.optional); in { nix = { nixPath = ["nixpkgs=${inputs.nixpkgs}"]; @@ -13,6 +15,7 @@ in { (versionAtLeast config.nix.package.version "2.4") '' experimental-features = nix-command flakes ''; + settings.system-features = lib.optional (pkgs.system == "aarch64-linux") "native-arm64"; settings.trusted-users = ["root" "@wheel"]; }; nixpkgs = { @@ -30,6 +33,23 @@ in { inputs.gitlab_artifacts_sync.overlays.default inputs.gitlab_archiver.overlays.default inputs.piped-flake.overlays.default + + (_prev: final: { + piped-backend-deps = + final.piped-backend-deps.overrideAttrs + { + # Won't build due to this; added a native-arm64 to all builders on arm64 + # https://github.com/NixOS/nixpkgs/issues/255780 + requiredSystemFeatures = ["native-arm64"]; + }; + piped-backend = + final.piped-backend.overrideAttrs + { + # Won't build due to this; added a native-arm64 to all builders on arm64 + # https://github.com/NixOS/nixpkgs/issues/255780 + requiredSystemFeatures = ["native-arm64"]; + }; + }) ]; }; environment.etc."nixpkgs-commit".text = inputs.nixpkgs-unstable.rev; diff --git a/profiles/pipedCluster/cockroachDB.nix b/profiles/pipedCluster/cockroachDB.nix index 29bab4b..0c518bb 100644 --- a/profiles/pipedCluster/cockroachDB.nix +++ b/profiles/pipedCluster/cockroachDB.nix @@ -12,14 +12,11 @@ currentHostName = config.networking.hostName; - joinString = lib.concatStringsSep "," ([ - "localhost:${toString ports.cockroachDB}" - ] - ++ ( - map - (hostName: hosts.${hostName}.joinString) - (filter (hostName: hostName != currentHostName) (attrNames hosts)) - )); + joinString = lib.concatStringsSep "," ( + map + (hostName: hosts.${hostName}.joinString) + (filter (hostName: hostName != currentHostName) (attrNames hosts)) + ); in { systemd.services.haproxy.wantedBy = ["piped-backend.service"]; diff --git a/hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix b/profiles/pipedCluster/restic.nix similarity index 62% rename from hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix rename to profiles/pipedCluster/restic.nix index b656711..60e409c 100644 --- a/hosts/hetzner-vm/containers/piped-fi/profiles/restic.nix +++ b/profiles/pipedCluster/restic.nix @@ -1,13 +1,19 @@ { + self, pkgs, config, ... }: let secrets = config.services.secrets.secrets; + + clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; + + currentHostConfig = clusterConfig.hosts.${config.networking.hostName}; + inherit (currentHostConfig) resticName resticBucket; in { environment.systemPackages = with pkgs; [ restic - (pkgs.writeShellScriptBin "restic-piped-finland" '' + (pkgs.writeShellScriptBin "restic-${resticName}" '' env \ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ $(cat ${secrets.restic_env.path}) \ @@ -15,14 +21,14 @@ in { '') ]; - services.restic.backups.piped-finland = { + services.restic.backups.${resticName} = { user = "root"; paths = [ "/var/lib/cockroachdb" "/var/lib/cockroachdb-certs" ]; - repository = "rest:https://storage-restic.owo.monster/Piped-Finland"; + repository = "rest:https://storage-restic.owo.monster/${resticBucket}"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; diff --git a/profiles/remoteBuilders.nix b/profiles/remoteBuilders.nix index 1d20299..f98a553 100644 --- a/profiles/remoteBuilders.nix +++ b/profiles/remoteBuilders.nix @@ -3,7 +3,7 @@ config, ... }: let - inherit (lib.modules) mkIf; + inherit (lib.modules) mkIf mkMerge; currentHostname = config.networking.hostName; @@ -26,22 +26,28 @@ }; in { nix.buildMachines = [ - (mkIf (currentHostname != "hetzner-vm") (builderDefaults - // { - hostName = "hetzner-vm.servers.genderfucked.monster"; - systems = ["x86_64-linux" "aarch64-linux"]; - publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU1JdDJBQnF3SGhNano5cjZhdHY0WHVYNTh4RVdlU3RrbVhVd3ZNVkd2NHcgcm9vdEBuaXhvcwo="; - maxJobs = 3; - speedFactor = 2; - })) - (mkIf (currentHostname != "vault") (builderDefaults - // { + (mkIf (currentHostname != "hetzner-arm") (mkMerge [ + builderDefaults + { + hostName = "hetzner-arm.servers.genderfucked.monster"; + systems = ["aarch64-linux"]; + supportedFeatures = ["native-arm64"]; + publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUk5cGM0REU1UlV4UUp2T1pwenFOQWVac0JlRW1kcmp4OFlnV3orVXBMckcgcm9vdEBoZXR6bmVyLWFybQo="; + maxJobs = 4; + speedFactor = 3; + } + ])) + (mkIf (currentHostname != "vault") (mkMerge [ + builderDefaults + { hostName = "vault.servers.genderfucked.monster"; - systems = ["x86_64-linux"]; - publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU16L1dyaG81MTFGdzhXN3FsU0NUY1V4cWh4TGlBQkJXbFNNNFRNNzJ5RWQgcm9vdEBuaXhvcwo="; - maxJobs = 2; + systems = ["aarch64-linux"]; + supportedFeatures = ["native-arm64"]; + publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSURGTlFjUTdkbUlRS1lqMUVVTFBlcTI4d2hzMTg2YVZ0WitWU05rd3I2aEkgcm9vdEB2YXVsdAo="; + maxJobs = 1; speedFactor = 1; - })) + } + ])) ]; nix.distributedBuilds = true; nix.extraOptions = "builders-use-substitutes = true"; diff --git a/result-man b/result-man new file mode 120000 index 0000000..304314d --- /dev/null +++ b/result-man @@ -0,0 +1 @@ +/nix/store/026j6nzg6hyllkkvzjnqnarxwrc32nsa-bash-5.2-p15-man \ No newline at end of file diff --git a/scripts/deploy/hetzner-arm.sh b/scripts/deploy/hetzner-arm.sh new file mode 100755 index 0000000..20234c7 --- /dev/null +++ b/scripts/deploy/hetzner-arm.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +cd $SCRIPT_DIR +cd $(git rev-parse --show-toplevel) + +DEFAULT_HOST="root@hetzner-arm.servers.genderfucked.monster" +TARGET_HOST=${HOST:-${DEFAULT_HOST}} +nixos-rebuild switch --flake .#hetzner-arm --target-host "$TARGET_HOST" --use-substitutes -s "$@" \ No newline at end of file diff --git a/scripts/deploy/hetzner-vm.sh b/scripts/deploy/hetzner-vm.sh deleted file mode 100755 index 1474509..0000000 --- a/scripts/deploy/hetzner-vm.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -cd $SCRIPT_DIR -cd $(git rev-parse --show-toplevel) - -nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s "$@" \ No newline at end of file diff --git a/scripts/deploy/raspberry.sh b/scripts/deploy/raspberry.sh index 8fe0d45..c0e1608 100755 --- a/scripts/deploy/raspberry.sh +++ b/scripts/deploy/raspberry.sh @@ -4,5 +4,6 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) cd $SCRIPT_DIR cd $(git rev-parse --show-toplevel) -[ -n "$NO_BUILD_PIPED_BACKEND" ] && ./scripts/buildPipedBackendAArch64.nix -nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@" +DEFAULT_HOST="root@raspberry.servers.genderfucked.monster" +TARGET_HOST=${HOST:-${DEFAULT_HOST}} +nixos-rebuild switch --flake .#raspberry --target-host "$TARGET_HOST" --use-substitutes -s "$@" diff --git a/scripts/deploy/vault.sh b/scripts/deploy/vault.sh index b4739d5..3a42abe 100755 --- a/scripts/deploy/vault.sh +++ b/scripts/deploy/vault.sh @@ -4,4 +4,6 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) cd $SCRIPT_DIR cd $(git rev-parse --show-toplevel) -nixos-rebuild switch --flake .#vault --target-host vault -s "$@" \ No newline at end of file +DEFAULT_HOST="root@vault.servers.genderfucked.monster" +TARGET_HOST=${HOST:-${DEFAULT_HOST}} +nixos-rebuild switch --flake .#vault --target-host "$TARGET_HOST" --use-substitutes -s "$@" \ No newline at end of file diff --git a/scripts/deployAll.sh b/scripts/deployAll.sh index c807729..a90ebc7 100755 --- a/scripts/deployAll.sh +++ b/scripts/deployAll.sh @@ -9,6 +9,6 @@ cd $(git rev-parse --show-toplevel) HOSTNAME=$(hostname) [ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh "$@" -[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh "$@" +[ "${HOSTNAME}" != "hetzner-arm" ] && ./scripts/deploy/hetzner-arm.sh "$@" [ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh "$@" [ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh "$@" \ No newline at end of file