diff --git a/data/serverIPs.nix b/data/serverIPs.nix
index 880f156..767fe26 100644
--- a/data/serverIPs.nix
+++ b/data/serverIPs.nix
@@ -3,6 +3,10 @@ rec {
 ipv4 = "65.21.182.73";
 ipv6 = "2a01:4f9:c010:8beb::1";
 };
+ "hetzner-arm" = {
+ ipv4 = "65.21.145.62";
+ ipv6 = "2a01:4f9:c012:9dbf::1";
+ };
 "vault" = {
 ipv4 = "65.21.0.145";
 ipv6 = "2a01:4f9:c012:9b6b::1";
diff --git a/data/wireguard/chaosInternalWireGuard.nix b/data/wireguard/chaosInternalWireGuard.nix
index 77a04ff..41e7fa9 100644
--- a/data/wireguard/chaosInternalWireGuard.nix
+++ b/data/wireguard/chaosInternalWireGuard.nix
@@ -25,5 +25,11 @@ in rec {
 public = pubkeys."raspberry";
 endpoint = "raspberry.servers.genderfucked.monster:51820";
 };
+ # TODO: make this .1 again after migration like hetzner-vm
+ "hetzner-arm" = {
+ ip = "10.69.42.6";
+ public = pubkeys."hetzner-arm";
+ endpoint = "hetzner-arm.servers.genderfucked.monster:51820";
+ };
 };
 }
diff --git a/data/wireguard/chaosInternalWireGuardPubKeys.json b/data/wireguard/chaosInternalWireGuardPubKeys.json
index 1341cca..29a892c 100644
--- a/data/wireguard/chaosInternalWireGuardPubKeys.json
+++ b/data/wireguard/chaosInternalWireGuardPubKeys.json
@@ -3,5 +3,6 @@
 "vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
 "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=",
 "lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=",
- "iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko="
+ "iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko=",
+ "hetzner-arm": "2SS9jT6Sba61lB2ayhp+2fz+GN706Jr1Ydr6/RveqUQ="
 }
diff --git a/hosts/hetzner-arm/hardware.nix b/hosts/hetzner-arm/hardware.nix
new file mode 100644
index 0000000..f33626b
--- /dev/null
+++ b/hosts/hetzner-arm/hardware.nix
@@ -0,0 +1,6 @@
+{...}: {
+ boot.loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+}
\ No newline at end of file
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix new file mode 100644 index 0000000..f0b2c9a --- /dev/null +++ b/hosts/hetzner-arm/hetzner-arm.nix @@ -0,0 +1,46 @@ +{ + tree, + lib, + ... +}: let + inherit (lib.lists) forEach; +in { + imports = with tree; + [ + presets.nixos.serverBase + presets.nixos.serverHetzner + presets.nixos.serverEncryptedDrive + + #profiles.nginx + #profiles.firewallAllow.httpCommon + + #profiles.chaosInternalWireGuard + + ./hardware.nix + ./secrets.nix + ] + ++ (forEach [ + #"social" + #"storage" + #"music" + #"quassel" + #"piped-fi" + #"mail" + ] (name: ./containers + "/${name}")) + ++ (with hosts.hetzner-vm.profiles; [ + #vaultUI + #gitlabStaticSites + ]); + + # For Containers + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "enp1s0"; + }; + + networking.hostName = "hetzner-arm"; + + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; +} diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix new file mode 100644 index 0000000..59412a7 --- /dev/null +++ b/hosts/hetzner-arm/secrets.nix 
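Review bot: Every workload import in this file is commented out — `profiles.chaosInternalWireGuard`, the whole `forEach [ ... ]` container list and the `hosts.hetzner-vm.profiles` list are empty — yet the NAT block under `# For Containers` and `./secrets.nix` stay active, so the host is configured for containers that do not exist. A short header comment stating the migration state would save the next reader from guessing, e.g. `# Migration target for hetzner-vm: containers and the internal WireGuard are still disabled here; enable them together with the matching entries in ./secrets.nix and data/wireguard/chaosInternalWireGuard.nix`. `externalInterface = "enp1s0"` is presumably the Hetzner ARM NIC name; if it was copied from hetzner-vm rather than checked on the instance, it is worth confirming, since a wrong name silently breaks container egress once containers are enabled. The same "consumers disabled, credentials enabled" mismatch applies to the secrets.nix hunk that follows.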
@@ -0,0 +1,171 @@ +{pkgs, ...}: { + services.secrets = { + enable = true; + + vaultLogin = { + enable = true; + loginUsername = "hetzner-arm"; + }; + + autoSecrets = { + enable = true; + affectedSystemdServices = [ + "wg-quick-wg0" + "container@music" + "container@social" + "container@quassel" + "container@piped-fi" + ]; + }; + + packages = with pkgs; [ + # for music & mail passwd files + apacheHttpd + ]; + + requiredVaultPaths = [ + "api-keys/data/mpd" + "api-keys/data/music-stream" + + "api-keys/data/gitlab/gitlab_pages_serve" + + "api-keys/data/storage/restic/Mail" + "api-keys/data/storage/restic/Social" + "api-keys/data/storage/restic/Quassel" + + "api-keys/data/chaos_mail/system" + "api-keys/data/chaos_mail/gotosocial" + + "passwords/data/soulseek" + "passwords/data/slskd" + "passwords/data/mail" + + "private-public-keys/data/restic/Mail" + "private-public-keys/data/restic/Social" + "private-public-keys/data/restic/Quassel" + + "infra/data/private-mail-aliases" + ]; + + secrets = { + vault_password = { + manual = true; + }; + + # Used directly by server + # for fetching gitlab static sites + gitlab_env = { + user = "gitlab_artifacts_sync"; + group = "gitlab_artifacts_sync"; + fetchScript = '' + token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token) + echo "GITLAB_TOKEN=$token" > "$secretFile" + ''; + }; + + # Container: music + mpd_control_password = { + user = "mpd"; + group = "mpd"; + fetchScript = '' + simple_get "/api-keys/mpd" .password > "$secretFile" + ''; + }; + music_stream_passwd = { + user = "nginx"; + group = "nginx"; + fetchScript = '' + username=$(simple_get "/api-keys/music-stream" .username) + password=$(simple_get "/api-keys/music-stream" .password) + htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null + ''; + }; + slskd_env = { + fetchScript = '' + soulseek_password=$(simple_get "/passwords/soulseek" .password) + slskd_password=$(simple_get "/passwords/slskd" .password) + echo > "$secretFile" + echo 
"SLSKD_SLSK_PASSWORD=$soulseek_password" >> "$secretFile" + echo "SLSKD_PASSWORD=$slskd_password" >> "$secretFile" + ''; + }; + + # Container: mail + mail_restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Mail" .password > "$secretFile" + ''; + }; + mail_restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Mail" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Mail" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Mail" > "$secretFile" + ''; + }; + private_mail_aliases = { + fetchScript = '' + kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > "$secretFile" + ''; + }; + chaos_mail_passwd = { + user = "dovecot2"; + group = "dovecot2"; + fetchScript = '' + password=$(simple_get "/passwords/mail" .password) + htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" + ''; + }; + system_mail_passwd = { + user = "dovecot2"; + group = "dovecot2"; + fetchScript = '' + password=$(simple_get "/api-keys/chaos_mail/system" .password) + htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" + ''; + }; + gotosocial_mail_passwd = { + user = "dovecot2"; + group = "dovecot2"; + fetchScript = '' + password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password) + htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile" + ''; + }; + + # Container: social + social_restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Social" .password > "$secretFile" + ''; + }; + social_restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile" + ''; + }; + social_env_secrets = { + 
fetchScript = '' + smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password) + echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile" + ''; + }; + + # Container: quassel + quassel_restic_password = { + fetchScript = '' + simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile" + ''; + }; + quassel_restic_env = { + fetchScript = '' + RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Quassel" .username) + RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .password) + echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/nixos.nix b/hosts/nixos.nix index 040740e..e8e19b5 100644 --- a/hosts/nixos.nix +++ b/hosts/nixos.nix @@ -96,7 +96,11 @@ in { # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage raspberry = nixosUnstableSystem { - specialArgs = defaultSpecialArgs; + specialArgs = + defaultSpecialArgs + // { + hostPath = ./vault; + }; system = "aarch64-linux"; modules = defaultModules ++ [./raspberry/raspberry.nix]; }; diff --git a/hosts/raspberry/containers/piped-uk/default.nix b/hosts/raspberry/containers/piped-uk/default.nix new file mode 100644 index 0000000..05acc3b --- /dev/null +++ b/hosts/raspberry/containers/piped-uk/default.nix 
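Review bot: `requiredVaultPaths` and `secrets` give the `hetzner-arm` Vault login (and the policy generated from it) access to the mail, gotosocial, quassel, music, soulseek and restic credentials, while in hosts/hetzner-arm/hetzner-arm.nix of this commit every consumer of those secrets is commented out, so a not-yet-migrated host fetches and materialises the full credential set for nothing. Trimming `requiredVaultPaths`/`secrets` to what is actually enabled, and uncommenting each group together with its container, keeps the policy least-privilege during the migration; `affectedSystemdServices` likewise names `wg-quick-wg0` and `container@music`/`container@social`/`container@quassel`/`container@piped-fi`, none of which exist on this host yet. Separately, the `htpasswd -bc` and `htpasswd -nbB "" "$password"` calls pass the secret on the command line, where it is visible in the process list for the duration of the call; `htpasswd -i` reads the password from stdin instead. The file appears to be a copy of hetzner-vm's secrets.nix, so the same applies there.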
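Review bot: `hostPath = ./vault;` is set on the `raspberry` system, which looks like a copy-paste slip — the `modules` line right below it is `./raspberry/raspberry.nix`, and the new piped-uk container added in this commit forwards `hostPath` through `specialArgs`, so anything resolving paths relative to it would look in the vault host's directory. Proposed: `hostPath = ./raspberry;`. The enclosing attribute set (`in {`) starts outside the hunk, so I cannot see what the other systems set.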
@@ -0,0 +1,75 @@ +{ + self, + hostPath, + tree, + inputs, + config, + pkgs, + ... +}: let + containerName = "piped-uk"; + containerConfig = config.containers.${containerName}.config; + + pipedSocketForComponent = ( + component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" + ); +in { + containers.piped-uk = { + autoStart = true; + privateNetwork = false; + + specialArgs = { + inherit inputs; + inherit tree; + inherit self; + inherit hostPath; + }; + + config = {...}: { + nixpkgs.pkgs = pkgs; + + imports = with tree; [ + presets.nixos.containerBase + + profiles.nginx + profiles.firewallAllow.httpCommon + + profiles.pipedCluster + + ./secrets.nix + ]; + + # For Shared Secrets + systemd.tmpfiles.rules = [ + "d /var/lib/cockroachdb-certs - root root" + ]; + + home-manager.users.root.home.stateVersion = "23.05"; + system.stateVersion = "23.05"; + }; + }; + + services.nginx.virtualHosts."piped-uk.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:${pipedSocketForComponent "frontend"}"; + }; + }; + + services.nginx.virtualHosts."backend.piped-uk.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:${pipedSocketForComponent "backend"}"; + }; + }; + + services.nginx.virtualHosts."proxy.piped-uk.owo.monster" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://unix:${pipedSocketForComponent "proxy"}"; + }; + }; +} diff --git a/hosts/raspberry/containers/piped-uk/secrets.nix b/hosts/raspberry/containers/piped-uk/secrets.nix new file mode 100644 index 0000000..13b450c --- /dev/null +++ b/hosts/raspberry/containers/piped-uk/secrets.nix 
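Review bot: `privateNetwork = false;` gives the container the host's network namespace, so `profiles.firewallAllow.httpCommon` inside the container and any listener it starts are opened on the raspberry host itself; the unix-socket proxying via `pipedSocketForComponent` does not need a shared namespace, so a one-line comment on why it is shared (presumably for the cluster peers over the internal WireGuard) would help, e.g. `# shared network namespace: cockroachdb/haproxy must be reachable by the other cluster nodes`. The tmpfiles rule `d /var/lib/cockroachdb-certs - root root` leaves the directory at the default mode; since the container's secrets.nix in this commit writes `node.key` there as `cockroachdb` with `600`, `d /var/lib/cockroachdb-certs 0750 root cockroachdb` would also keep the directory from being listable by other users. Whether the container's `hostPath` is correct depends on the nixos.nix hunk above, which passes `./vault` for the raspberry system.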
@@ -0,0 +1,73 @@ +{pkgs, ...}: { + services.secrets = { + enable = true; + + packages = with pkgs; [rclone]; + + vaultLogin = { + enable = true; + loginUsername = "raspberry"; + }; + + autoSecrets = { + enable = true; + affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"]; + }; + + extraFunctions = '' + simple_get_obscure() { + rclone obscure "$(simple_get "$@")" + } + ''; + + requiredVaultPaths = [ + "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry" + ]; + + secrets = { + vault_password = { + manual = true; + }; + + piped_cockroachdb_ca_certificate = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/ca.crt"; + fetchScript = '' + if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then + mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" + fi + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \ + | base64 -d > "$secretFile" + ''; + }; + piped_cockroachdb_node_certificate = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/node.crt"; + fetchScript = '' + if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then + mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" + fi + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \ + | base64 -d > "$secretFile" + ''; + }; + piped_cockroachdb_node_key = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/node.key"; + fetchScript = '' + if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then + mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" + fi + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \ + | base64 -d > "$secretFile" + ''; + }; + }; + }; +} diff --git a/hosts/raspberry/profiles/cockroachDB.nix b/hosts/raspberry/profiles/cockroachDB.nix deleted file mode 100644 index 175ef20..0000000 
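Review bot: `extraFunctions` defining `simple_get_obscure` and `packages = with pkgs; [rclone];` were moved here from hosts/raspberry/secrets.nix, but nothing in this file calls `simple_get_obscure`, while hosts/raspberry/raspberry.nix in this commit still imports `hosts.raspberry.profiles.rclone`; if that profile relies on the helper it is now missing on the host, and if not, the helper and the rclone package are dead weight in the container — either way one of the two files should drop it. `affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"]` also names `wg-quick-wg0`, which appears to be a host unit (the WireGuard profile is imported by raspberry.nix, not by this container). The three `if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then mkdir -p ...; fi` guards are redundant because `mkdir -p` is already a no-op on an existing directory; `mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"` alone reads clearer in each fetchScript.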
--- a/hosts/raspberry/profiles/cockroachDB.nix +++ /dev/null @@ -1,23 +0,0 @@ -{self, ...}: let - internalWireGuard = import "${self}/data/wireguard/chaosInternalWireGuard.nix"; -in { - systemd.tmpfiles.rules = [ - "d /var/lib/cockroachdb-certs - root root" - ]; - - services.cockroachdb-bin = { - enable = true; - certsDir = "/var/lib/cockroachdb-certs"; - join = "localhost:26257,${internalWireGuard.hosts.hetzner-vm.ip}:26257"; - # ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry - extraArgs = ["--advertise-addr=${internalWireGuard.hosts.raspberry.ip}:26257"]; - listen = { - port = 26257; - address = "0.0.0.0"; - }; - http = { - address = "0.0.0.0"; - port = 8080; - }; - }; -} diff --git a/hosts/raspberry/profiles/externalDrive.nix b/hosts/raspberry/profiles/externalDrive.nix index bb1fb42..e861371 100644 --- a/hosts/raspberry/profiles/externalDrive.nix +++ b/hosts/raspberry/profiles/externalDrive.nix @@ -3,7 +3,7 @@ pkgs, ... }: let - externalDriveData = import "${self}/drives/data/raspberryExternalDrive.nix"; + externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix"; mountExternalDrive = let jq = "${pkgs.jq}/bin/jq"; diff --git a/hosts/raspberry/profiles/piped.nix b/hosts/raspberry/profiles/piped.nix deleted file mode 100644 index 260bbb5..0000000 --- a/hosts/raspberry/profiles/piped.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{pkgs, ...}: { - services.piped = { - enable = true; - - # Takes too much time to compile otherwise, idm extra bandwidth - proxyPackage = - (pkgs.piped-proxy.override { - withAVIF = false; - withWebP = false; - }) - .overrideAttrs { - pname = "piped-proxy-debug"; - doCheck = false; - buildType = "debug"; - }; - - postgresDBName = "piped"; - postgresDBUsername = "piped"; - postgresDBPassword = "piped"; - postgresDBHost = "127.0.0.1"; - postgresDBPort = 26257; - databaseDialect = "org.hibernate.dialect.CockroachDialect"; - disablePostgresDB = true; - - frontendDomain = "piped-uk.owo.monster"; - backendDomain = "backend.piped-uk.owo.monster"; - proxyDomain = "proxy.piped-uk.owo.monster"; - }; - - systemd.services.piped-backend = { - after = ["cockroachdb.service"]; - wants = ["cockroachdb.service"]; - }; -} diff --git a/hosts/raspberry/raspberry.nix b/hosts/raspberry/raspberry.nix index b64364d..a7c4e6c 100644 --- a/hosts/raspberry/raspberry.nix +++ b/hosts/raspberry/raspberry.nix @@ -8,13 +8,13 @@ profiles.chaosInternalWireGuard + ./containers/piped-uk/default.nix + ./secrets.nix ./boot.nix ] ++ (with hosts.raspberry.profiles; [ externalDrive - cockroachDB - piped autoStorageBackups rclone ]); diff --git a/hosts/raspberry/secrets.nix b/hosts/raspberry/secrets.nix index cc13fb0..1ea5d3c 100644 --- a/hosts/raspberry/secrets.nix +++ b/hosts/raspberry/secrets.nix @@ -1,9 +1,7 @@ -{pkgs, ...}: { +{...}: { services.secrets = { enable = true; - packages = with pkgs; [rclone]; - vaultLogin = { enable = true; loginUsername = "raspberry"; 
@@ -11,19 +9,13 @@ autoSecrets = { enable = true; - affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"]; + affectedSystemdServices = ["wg-quick-wg0"]; }; - extraFunctions = '' - simple_get_obscure() { - rclone obscure "$(simple_get "$@")" - } - ''; - + # some are also added from wireguard internal config requiredVaultPaths = [ - "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry" "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically - "passwords/data/wifi/parentals-home" + "api-keys/data/hetzner/storagebox" # also used dynamically ]; @@ -31,46 +23,6 @@ vault_password = { manual = true; }; - - piped_cockroachdb_ca_certificate = { - user = "cockroachdb"; - group = "cockroachdb"; - permissions = "600"; - path = "/var/lib/cockroachdb-certs/ca.crt"; - fetchScript = '' - if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then - mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" - fi - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \ - | base64 -d > "$secretFile" - ''; - }; - piped_cockroachdb_node_certificate = { - user = "cockroachdb"; - group = "cockroachdb"; - permissions = "600"; - path = "/var/lib/cockroachdb-certs/node.crt"; - fetchScript = '' - if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then - mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" - fi - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \ - | base64 -d > "$secretFile" - ''; - }; - piped_cockroachdb_node_key = { - user = "cockroachdb"; - group = "cockroachdb"; - permissions = "600"; - path = "/var/lib/cockroachdb-certs/node.key"; - fetchScript = '' - if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then - mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" - fi - simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \ - | base64 -d > "$secretFile" - ''; - }; }; }; } diff --git a/hosts/vault/hardware.nix b/hosts/vault/hardware.nix index a19553d..2b0447b 100644 
--- a/hosts/vault/hardware.nix +++ b/hosts/vault/hardware.nix @@ -3,11 +3,4 @@ systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; - - #loader.grub = { - # enable = true; - # efiSupport = false; - # enableCryptodisk = true; - # device = "/dev/sda"; - #}; } diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 2c3d531..5958009 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix @@ -27,7 +27,9 @@ manual = true; }; -r + # this doesn't need to be a secret and can be generated at install time + # but it makes it easier to install. + # it's stored in /nix store anyway ssh_host_ed25519_key = { path = "/ssh_host_ed25519_key"; permissions = "600"; diff --git a/outputs.nix b/outputs.nix index 002fae2..82bb496 100644 --- a/outputs.nix +++ b/outputs.nix @@ -123,11 +123,15 @@ in secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}"; # All machines/containers with secrets.nix - machines = { + machines = rec { "hetzner-vm" = { containers = ["storage" "piped-fi"]; sshAddress = "hetzner-vm.servers.genderfucked.monster"; }; + "hetzner-arm" = { + containers = ["storage" "piped-fi"]; + sshAddress = "hetzner-vm.servers.genderfucked.monster"; + }; "vault" = { sshAddress = "vault.servers.genderfucked.monster"; }; diff --git a/profiles/pipedCluster/cockroachDB.nix b/profiles/pipedCluster/cockroachDB.nix index 38a4d06..29bab4b 100644 --- a/profiles/pipedCluster/cockroachDB.nix +++ b/profiles/pipedCluster/cockroachDB.nix @@ -7,7 +7,7 @@ inherit (lib.lists) filter; inherit (builtins) attrNames; - clusterConfig = import "${self}/data/pipedClusterConfig.nix"; + clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; inherit (clusterConfig) hosts ports; currentHostName = config.networking.hostName; diff --git a/profiles/pipedCluster/haproxy.nix b/profiles/pipedCluster/haproxy.nix index 8e613a5..4ec55d6 100644 --- a/profiles/pipedCluster/haproxy.nix +++ b/profiles/pipedCluster/haproxy.nix 
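Review bot: The new comment on `ssh_host_ed25519_key` says the key "is stored in /nix store anyway"; if that is accurate, the `permissions = "600"` below it is not the effective access control, because the Nix store is world-readable on the host, and a reader of this file should not be left to infer that. Either confirm what places the key in the store and reword the comment to state the consequence, e.g. `# NOTE: the key material also ends up in the world-readable Nix store, so the 600 here does not protect it`, or keep the key out of the store as the comment's first sentence already suggests is possible. The `secrets` set this entry sits in starts outside the hunk.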
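Review bot: The new `"hetzner-arm"` entry in `machines` is a verbatim copy of the `"hetzner-vm"` record: its `sshAddress` is `hetzner-vm.servers.genderfucked.monster`, so anything keyed on this entry (the per-machine `genVaultPolicy` a few lines up, or a deploy) targets the wrong host, and `containers = ["storage" "piped-fi"]` does not match hosts/hetzner-arm/hetzner-arm.nix in this commit, where every container import is commented out. Proposed: `sshAddress = "hetzner-arm.servers.genderfucked.monster";` (the name the WireGuard endpoint added in this commit already uses) and `containers = [];` until the containers are migrated. `machines = rec {` introduces `rec` but no self-reference is visible in the hunk; if nothing below it uses one, the plain `{` can stay.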
@@ -1,7 +1,7 @@ {self, ...}: let inherit (builtins) concatStringsSep attrNames; - clusterConfig = import "${self}/data/pipedClusterConfig.nix"; + clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; inherit (clusterConfig) hosts ports; in { systemd.services.haproxy.wantedBy = ["piped-backend.service"]; diff --git a/profiles/pipedCluster/piped.nix b/profiles/pipedCluster/piped.nix index 0177584..aded9e8 100644 --- a/profiles/pipedCluster/piped.nix +++ b/profiles/pipedCluster/piped.nix @@ -3,7 +3,7 @@ config, ... }: let - clusterConfig = import "${self}/data/pipedClusterConfig.nix"; + clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix"; inherit (clusterConfig) hosts ports; currentHostName = config.networking.hostName;