chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

start work on hetzner-arm for real now

Browse source
This commit is contained in:
chaos 2023-09-20 18:44:24 +01:00
parent 6980726541
commit d91817b0d3
No known key found for this signature in database
20 changed files with 406 additions and 126 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
data/serverIPs.nix
View file

@ -3,6 +3,10 @@ rec {
ipv4 = "65.21.182.73"; ipv4 = "65.21.182.73";
ipv6 = "2a01:4f9:c010:8beb::1"; ipv6 = "2a01:4f9:c010:8beb::1";
}; };
"hetzner-arm" = {
ipv4 = "65.21.145.62";
ipv6 = "2a01:4f9:c012:9dbf::1";
};
"vault" = { "vault" = {
ipv4 = "65.21.0.145"; ipv4 = "65.21.0.145";
ipv6 = "2a01:4f9:c012:9b6b::1"; ipv6 = "2a01:4f9:c012:9b6b::1";

6
data/wireguard/chaosInternalWireGuard.nix
View file

@ -25,5 +25,11 @@ in rec {
public = pubkeys."raspberry"; public = pubkeys."raspberry";
endpoint = "raspberry.servers.genderfucked.monster:51820"; endpoint = "raspberry.servers.genderfucked.monster:51820";
}; };
# TODO: make this .1 again after migration like hetzner-vm
"hetzner-arm" = {
ip = "10.69.42.6";
public = pubkeys."hetzner-arm";
endpoint = "hetzner-arm.servers.genderfucked.monster:51820";
};
}; };
} }

3
data/wireguard/chaosInternalWireGuardPubKeys.json
View file

@ -3,5 +3,6 @@
"vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=", "vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
"raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=", "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=",
"lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=", "lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=",
"iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko=" "iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko=",
"hetzner-arm": "2SS9jT6Sba61lB2ayhp+2fz+GN706Jr1Ydr6/RveqUQ="
} }

6
hosts/hetzner-arm/hardware.nix Normal file
View file

@ -0,0 +1,6 @@
{...}: {
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
}

46
hosts/hetzner-arm/hetzner-arm.nix Normal file
View file

@ -0,0 +1,46 @@
{
tree,
lib,
...
}: let
inherit (lib.lists) forEach;
in {
imports = with tree;
[
presets.nixos.serverBase
presets.nixos.serverHetzner
presets.nixos.serverEncryptedDrive
#profiles.nginx
#profiles.firewallAllow.httpCommon
#profiles.chaosInternalWireGuard
./hardware.nix
./secrets.nix
]
++ (forEach [
#"social"
#"storage"
#"music"
#"quassel"
#"piped-fi"
#"mail"
] (name: ./containers + "/${name}"))
++ (with hosts.hetzner-vm.profiles; [
#vaultUI
#gitlabStaticSites
]);
# For Containers
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
networking.hostName = "hetzner-arm";
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
}

171
hosts/hetzner-arm/secrets.nix Normal file
View file

@ -0,0 +1,171 @@
{pkgs, ...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm";
};
autoSecrets = {
enable = true;
affectedSystemdServices = [
"wg-quick-wg0"
"container@music"
"container@social"
"container@quassel"
"container@piped-fi"
];
};
packages = with pkgs; [
# for music & mail passwd files
apacheHttpd
];
requiredVaultPaths = [
"api-keys/data/mpd"
"api-keys/data/music-stream"
"api-keys/data/gitlab/gitlab_pages_serve"
"api-keys/data/storage/restic/Mail"
"api-keys/data/storage/restic/Social"
"api-keys/data/storage/restic/Quassel"
"api-keys/data/chaos_mail/system"
"api-keys/data/chaos_mail/gotosocial"
"passwords/data/soulseek"
"passwords/data/slskd"
"passwords/data/mail"
"private-public-keys/data/restic/Mail"
"private-public-keys/data/restic/Social"
"private-public-keys/data/restic/Quassel"
"infra/data/private-mail-aliases"
];
secrets = {
vault_password = {
manual = true;
};
# Used directly by server
# for fetching gitlab static sites
gitlab_env = {
user = "gitlab_artifacts_sync";
group = "gitlab_artifacts_sync";
fetchScript = ''
token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
echo "GITLAB_TOKEN=$token" > "$secretFile"
'';
};
# Container: music
mpd_control_password = {
user = "mpd";
group = "mpd";
fetchScript = ''
simple_get "/api-keys/mpd" .password > "$secretFile"
'';
};
music_stream_passwd = {
user = "nginx";
group = "nginx";
fetchScript = ''
username=$(simple_get "/api-keys/music-stream" .username)
password=$(simple_get "/api-keys/music-stream" .password)
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
'';
};
slskd_env = {
fetchScript = ''
soulseek_password=$(simple_get "/passwords/soulseek" .password)
slskd_password=$(simple_get "/passwords/slskd" .password)
echo > "$secretFile"
echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> "$secretFile"
echo "SLSKD_PASSWORD=$slskd_password" >> "$secretFile"
'';
};
# Container: mail
mail_restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Mail" .password > "$secretFile"
'';
};
mail_restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Mail" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Mail" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Mail" > "$secretFile"
'';
};
private_mail_aliases = {
fetchScript = ''
kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > "$secretFile"
'';
};
chaos_mail_passwd = {
user = "dovecot2";
group = "dovecot2";
fetchScript = ''
password=$(simple_get "/passwords/mail" .password)
htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile"
'';
};
system_mail_passwd = {
user = "dovecot2";
group = "dovecot2";
fetchScript = ''
password=$(simple_get "/api-keys/chaos_mail/system" .password)
htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile"
'';
};
gotosocial_mail_passwd = {
user = "dovecot2";
group = "dovecot2";
fetchScript = ''
password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile"
'';
};
# Container: social
social_restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
'';
};
social_restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
'';
};
social_env_secrets = {
fetchScript = ''
smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
'';
};
# Container: quassel
quassel_restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile"
'';
};
quassel_restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Quassel" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile"
'';
};
};
};
}

6
hosts/nixos.nix
View file

@ -96,7 +96,11 @@ in {
# nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
raspberry = nixosUnstableSystem { raspberry = nixosUnstableSystem {
specialArgs = defaultSpecialArgs; specialArgs =
defaultSpecialArgs
// {
hostPath = ./vault;
};
system = "aarch64-linux"; system = "aarch64-linux";
modules = defaultModules ++ [./raspberry/raspberry.nix]; modules = defaultModules ++ [./raspberry/raspberry.nix];
}; };

75
hosts/raspberry/containers/piped-uk/default.nix Normal file
View file

@ -0,0 +1,75 @@
{
self,
hostPath,
tree,
inputs,
config,
pkgs,
...
}: let
containerName = "piped-uk";
containerConfig = config.containers.${containerName}.config;
pipedSocketForComponent = (
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
);
in {
containers.piped-uk = {
autoStart = true;
privateNetwork = false;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree; [
presets.nixos.containerBase
profiles.nginx
profiles.firewallAllow.httpCommon
profiles.pipedCluster
./secrets.nix
];
# For Shared Secrets
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
];
home-manager.users.root.home.stateVersion = "23.05";
system.stateVersion = "23.05";
};
};
services.nginx.virtualHosts."piped-uk.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "frontend"}";
};
};
services.nginx.virtualHosts."backend.piped-uk.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "backend"}";
};
};
services.nginx.virtualHosts."proxy.piped-uk.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
};
};
}

73
hosts/raspberry/containers/piped-uk/secrets.nix Normal file
View file

@ -0,0 +1,73 @@
{pkgs, ...}: {
services.secrets = {
enable = true;
packages = with pkgs; [rclone];
vaultLogin = {
enable = true;
loginUsername = "raspberry";
};
autoSecrets = {
enable = true;
affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"];
};
extraFunctions = ''
simple_get_obscure() {
rclone obscure "$(simple_get "$@")"
}
'';
requiredVaultPaths = [
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
];
secrets = {
vault_password = {
manual = true;
};
piped_cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
| base64 -d > "$secretFile"
'';
};
};
};
}

23
hosts/raspberry/profiles/cockroachDB.nix
View file

@ -1,23 +0,0 @@
{self, ...}: let
internalWireGuard = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
in {
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
];
services.cockroachdb-bin = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = "localhost:26257,${internalWireGuard.hosts.hetzner-vm.ip}:26257";
# ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
extraArgs = ["--advertise-addr=${internalWireGuard.hosts.raspberry.ip}:26257"];
listen = {
port = 26257;
address = "0.0.0.0";
};
http = {
address = "0.0.0.0";
port = 8080;
};
};
}

2
hosts/raspberry/profiles/externalDrive.nix
View file

@ -3,7 +3,7 @@
pkgs, pkgs,
... ...
}: let }: let
externalDriveData = import "${self}/drives/data/raspberryExternalDrive.nix"; externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix";
mountExternalDrive = let mountExternalDrive = let
jq = "${pkgs.jq}/bin/jq"; jq = "${pkgs.jq}/bin/jq";

34
hosts/raspberry/profiles/piped.nix
View file

@ -1,34 +0,0 @@
{pkgs, ...}: {
services.piped = {
enable = true;
# Takes too much time to compile otherwise, idm extra bandwidth
proxyPackage =
(pkgs.piped-proxy.override {
withAVIF = false;
withWebP = false;
})
.overrideAttrs {
pname = "piped-proxy-debug";
doCheck = false;
buildType = "debug";
};
postgresDBName = "piped";
postgresDBUsername = "piped";
postgresDBPassword = "piped";
postgresDBHost = "127.0.0.1";
postgresDBPort = 26257;
databaseDialect = "org.hibernate.dialect.CockroachDialect";
disablePostgresDB = true;
frontendDomain = "piped-uk.owo.monster";
backendDomain = "backend.piped-uk.owo.monster";
proxyDomain = "proxy.piped-uk.owo.monster";
};
systemd.services.piped-backend = {
after = ["cockroachdb.service"];
wants = ["cockroachdb.service"];
};
}

4
hosts/raspberry/raspberry.nix
View file

@ -8,13 +8,13 @@
profiles.chaosInternalWireGuard profiles.chaosInternalWireGuard
./containers/piped-uk/default.nix
./secrets.nix ./secrets.nix
./boot.nix ./boot.nix
] ]
++ (with hosts.raspberry.profiles; [ ++ (with hosts.raspberry.profiles; [
externalDrive externalDrive
cockroachDB
piped
autoStorageBackups autoStorageBackups
rclone rclone
]); ]);

56
hosts/raspberry/secrets.nix
View file

@ -1,9 +1,7 @@
{pkgs, ...}: { {...}: {
services.secrets = { services.secrets = {
enable = true; enable = true;
packages = with pkgs; [rclone];
vaultLogin = { vaultLogin = {
enable = true; enable = true;
loginUsername = "raspberry"; loginUsername = "raspberry";
@ -11,19 +9,13 @@
autoSecrets = { autoSecrets = {
enable = true; enable = true;
affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"]; affectedSystemdServices = ["wg-quick-wg0"];
}; };
extraFunctions = '' # some are also added from wireguard internal config
simple_get_obscure() {
rclone obscure "$(simple_get "$@")"
}
'';
requiredVaultPaths = [ requiredVaultPaths = [
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
"passwords/data/wifi/parentals-home"
"api-keys/data/hetzner/storagebox" # also used dynamically "api-keys/data/hetzner/storagebox" # also used dynamically
]; ];
@ -31,46 +23,6 @@
vault_password = { vault_password = {
manual = true; manual = true;
}; };
piped_cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
| base64 -d > "$secretFile"
'';
};
}; };
}; };
} }

7
hosts/vault/hardware.nix
View file

@ -3,11 +3,4 @@
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
#loader.grub = {
# enable = true;
# efiSupport = false;
# enableCryptodisk = true;
# device = "/dev/sda";
#};
} }

4
hosts/vault/secrets.nix
View file

@ -27,7 +27,9 @@
manual = true; manual = true;
}; };
r # this doesn't need to be a secret and can be generated at install time
# but it makes it easier to install.
# it's stored in /nix store anyway
ssh_host_ed25519_key = { ssh_host_ed25519_key = {
path = "/ssh_host_ed25519_key"; path = "/ssh_host_ed25519_key";
permissions = "600"; permissions = "600";

6
outputs.nix
View file

@ -123,11 +123,15 @@ in
secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}"; secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";
# All machines/containers with secrets.nix # All machines/containers with secrets.nix
machines = { machines = rec {
"hetzner-vm" = { "hetzner-vm" = {
containers = ["storage" "piped-fi"]; containers = ["storage" "piped-fi"];
sshAddress = "hetzner-vm.servers.genderfucked.monster"; sshAddress = "hetzner-vm.servers.genderfucked.monster";
}; };
"hetzner-arm" = {
containers = ["storage" "piped-fi"];
sshAddress = "hetzner-vm.servers.genderfucked.monster";
};
"vault" = { "vault" = {
sshAddress = "vault.servers.genderfucked.monster"; sshAddress = "vault.servers.genderfucked.monster";
}; };

2
profiles/pipedCluster/cockroachDB.nix
View file

@ -7,7 +7,7 @@
inherit (lib.lists) filter; inherit (lib.lists) filter;
inherit (builtins) attrNames; inherit (builtins) attrNames;
clusterConfig = import "${self}/data/pipedClusterConfig.nix"; clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports; inherit (clusterConfig) hosts ports;
currentHostName = config.networking.hostName; currentHostName = config.networking.hostName;

2
profiles/pipedCluster/haproxy.nix
View file

@ -1,7 +1,7 @@
{self, ...}: let {self, ...}: let
inherit (builtins) concatStringsSep attrNames; inherit (builtins) concatStringsSep attrNames;
clusterConfig = import "${self}/data/pipedClusterConfig.nix"; clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports; inherit (clusterConfig) hosts ports;
in { in {
systemd.services.haproxy.wantedBy = ["piped-backend.service"]; systemd.services.haproxy.wantedBy = ["piped-backend.service"];

2
profiles/pipedCluster/piped.nix
View file

@ -3,7 +3,7 @@
config, config,
... ...
}: let }: let
clusterConfig = import "${self}/data/pipedClusterConfig.nix"; clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
inherit (clusterConfig) hosts ports; inherit (clusterConfig) hosts ports;
currentHostName = config.networking.hostName; currentHostName = config.networking.hostName;