start work on hetzner-arm for real now

2023-09-20 18:44:24 +01:00 · 2023-09-20 18:44:24 +01:00 · d91817b0d3
parent 6980726541
commit d91817b0d3
20 changed files with 406 additions and 126 deletions
--- a/data/serverIPs.nix
+++ b/data/serverIPs.nix
@ -3,6 +3,10 @@ rec {
    ipv4 = "65.21.182.73";
    ipv6 = "2a01:4f9:c010:8beb::1";
  };
+  "hetzner-arm" = {
+    ipv4 = "65.21.145.62";
+    ipv6 = "2a01:4f9:c012:9dbf::1";
+  };
  "vault" = {
    ipv4 = "65.21.0.145";
    ipv6 = "2a01:4f9:c012:9b6b::1";
--- a/data/wireguard/chaosInternalWireGuard.nix
+++ b/data/wireguard/chaosInternalWireGuard.nix
@ -25,5 +25,11 @@ in rec {
      public = pubkeys."raspberry";
      endpoint = "raspberry.servers.genderfucked.monster:51820";
    };
+    # TODO: make this .1 again after migration like hetzner-vm
+    "hetzner-arm" = {
+      ip = "10.69.42.6";
+      public = pubkeys."hetzner-arm";
+      endpoint = "hetzner-arm.servers.genderfucked.monster:51820";
+    };
  };
 }
--- a/data/wireguard/chaosInternalWireGuardPubKeys.json
+++ b/data/wireguard/chaosInternalWireGuardPubKeys.json
@ -3,5 +3,6 @@
  "vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
  "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=",
  "lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=",
-  "iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko="
+  "iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko=",
+  "hetzner-arm": "2SS9jT6Sba61lB2ayhp+2fz+GN706Jr1Ydr6/RveqUQ="
 }
--- a/hosts/hetzner-arm/hardware.nix
+++ b/hosts/hetzner-arm/hardware.nix
@ -0,0 +1,6 @@
+{...}: {
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+}
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -0,0 +1,46 @@
+{
+  tree,
+  lib,
+  ...
+}: let
+  inherit (lib.lists) forEach;
+in {
+  imports = with tree;
+    [
+      presets.nixos.serverBase
+      presets.nixos.serverHetzner
+      presets.nixos.serverEncryptedDrive
+
+      #profiles.nginx
+      #profiles.firewallAllow.httpCommon
+
+      #profiles.chaosInternalWireGuard
+
+      ./hardware.nix
+      ./secrets.nix
+    ]
+    ++ (forEach [
+      #"social"
+      #"storage"
+      #"music"
+      #"quassel"
+      #"piped-fi"
+      #"mail"
+    ] (name: ./containers + "/${name}"))
+    ++ (with hosts.hetzner-vm.profiles; [
+      #vaultUI
+      #gitlabStaticSites
+    ]);
+
+  # For Containers
+  networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "enp1s0";
+  };
+
+  networking.hostName = "hetzner-arm";
+
+  home-manager.users.root.home.stateVersion = "23.05";
+  system.stateVersion = "23.05";
+}
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@ -0,0 +1,171 @@
+{pkgs, ...}: {
+  services.secrets = {
+    enable = true;
+
+    vaultLogin = {
+      enable = true;
+      loginUsername = "hetzner-arm";
+    };
+
+    autoSecrets = {
+      enable = true;
+      affectedSystemdServices = [
+        "wg-quick-wg0"
+        "container@music"
+        "container@social"
+        "container@quassel"
+        "container@piped-fi"
+      ];
+    };
+
+    packages = with pkgs; [
+      # for music & mail passwd files
+      apacheHttpd
+    ];
+
+    requiredVaultPaths = [
+      "api-keys/data/mpd"
+      "api-keys/data/music-stream"
+
+      "api-keys/data/gitlab/gitlab_pages_serve"
+
+      "api-keys/data/storage/restic/Mail"
+      "api-keys/data/storage/restic/Social"
+      "api-keys/data/storage/restic/Quassel"
+
+      "api-keys/data/chaos_mail/system"
+      "api-keys/data/chaos_mail/gotosocial"
+
+      "passwords/data/soulseek"
+      "passwords/data/slskd"
+      "passwords/data/mail"
+
+      "private-public-keys/data/restic/Mail"
+      "private-public-keys/data/restic/Social"
+      "private-public-keys/data/restic/Quassel"
+
+      "infra/data/private-mail-aliases"
+    ];
+
+    secrets = {
+      vault_password = {
+        manual = true;
+      };
+
+      # Used directly by server
+      # for fetching gitlab static sites
+      gitlab_env = {
+        user = "gitlab_artifacts_sync";
+        group = "gitlab_artifacts_sync";
+        fetchScript = ''
+          token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
+          echo "GITLAB_TOKEN=$token" > "$secretFile"
+        '';
+      };
+
+      # Container: music
+      mpd_control_password = {
+        user = "mpd";
+        group = "mpd";
+        fetchScript = ''
+          simple_get "/api-keys/mpd" .password > "$secretFile"
+        '';
+      };
+      music_stream_passwd = {
+        user = "nginx";
+        group = "nginx";
+        fetchScript = ''
+          username=$(simple_get "/api-keys/music-stream" .username)
+          password=$(simple_get "/api-keys/music-stream" .password)
+          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
+        '';
+      };
+      slskd_env = {
+        fetchScript = ''
+          soulseek_password=$(simple_get "/passwords/soulseek" .password)
+          slskd_password=$(simple_get "/passwords/slskd" .password)
+          echo > "$secretFile"
+          echo "SLSKD_SLSK_PASSWORD=$soulseek_password" >> "$secretFile"
+          echo "SLSKD_PASSWORD=$slskd_password" >> "$secretFile"
+        '';
+      };
+
+      # Container: mail
+      mail_restic_password = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Mail" .password > "$secretFile"
+        '';
+      };
+      mail_restic_env = {
+        fetchScript = ''
+          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Mail" .username)
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Mail" .password)
+          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Mail" > "$secretFile"
+        '';
+      };
+      private_mail_aliases = {
+        fetchScript = ''
+          kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > "$secretFile"
+        '';
+      };
+      chaos_mail_passwd = {
+        user = "dovecot2";
+        group = "dovecot2";
+        fetchScript = ''
+          password=$(simple_get "/passwords/mail" .password)
+          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile"
+        '';
+      };
+      system_mail_passwd = {
+        user = "dovecot2";
+        group = "dovecot2";
+        fetchScript = ''
+          password=$(simple_get "/api-keys/chaos_mail/system" .password)
+          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile"
+        '';
+      };
+      gotosocial_mail_passwd = {
+        user = "dovecot2";
+        group = "dovecot2";
+        fetchScript = ''
+          password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > "$secretFile"
+        '';
+      };
+
+      # Container: social
+      social_restic_password = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
+        '';
+      };
+      social_restic_env = {
+        fetchScript = ''
+          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username)
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password)
+          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
+        '';
+      };
+      social_env_secrets = {
+        fetchScript = ''
+          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
+        '';
+      };
+
+      # Container: quassel
+      quassel_restic_password = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Quassel" .password > "$secretFile"
+        '';
+      };
+      quassel_restic_env = {
+        fetchScript = ''
+          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Quassel" .username)
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Quassel" .password)
+          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Quassel" > "$secretFile"
+        '';
+      };
+    };
+  };
+}
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -96,7 +96,11 @@ in {

  # nix --no-sandbox build .#nixosConfigurations.raspberry.config.system.build.sdImage
  raspberry = nixosUnstableSystem {
-    specialArgs = defaultSpecialArgs;
+    specialArgs =
+      defaultSpecialArgs
+      // {
+        hostPath = ./vault;
+      };
    system = "aarch64-linux";
    modules = defaultModules ++ [./raspberry/raspberry.nix];
  };
--- a/hosts/raspberry/containers/piped-uk/default.nix
+++ b/hosts/raspberry/containers/piped-uk/default.nix
@ -0,0 +1,75 @@
+{
+  self,
+  hostPath,
+  tree,
+  inputs,
+  config,
+  pkgs,
+  ...
+}: let
+  containerName = "piped-uk";
+  containerConfig = config.containers.${containerName}.config;
+
+  pipedSocketForComponent = (
+    component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
+  );
+in {
+  containers.piped-uk = {
+    autoStart = true;
+    privateNetwork = false;
+
+    specialArgs = {
+      inherit inputs;
+      inherit tree;
+      inherit self;
+      inherit hostPath;
+    };
+
+    config = {...}: {
+      nixpkgs.pkgs = pkgs;
+
+      imports = with tree; [
+        presets.nixos.containerBase
+
+        profiles.nginx
+        profiles.firewallAllow.httpCommon
+
+        profiles.pipedCluster
+
+        ./secrets.nix
+      ];
+
+      # For Shared Secrets
+      systemd.tmpfiles.rules = [
+        "d /var/lib/cockroachdb-certs - root root"
+      ];
+
+      home-manager.users.root.home.stateVersion = "23.05";
+      system.stateVersion = "23.05";
+    };
+  };
+
+  services.nginx.virtualHosts."piped-uk.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://unix:${pipedSocketForComponent "frontend"}";
+    };
+  };
+
+  services.nginx.virtualHosts."backend.piped-uk.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://unix:${pipedSocketForComponent "backend"}";
+    };
+  };
+
+  services.nginx.virtualHosts."proxy.piped-uk.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
+    };
+  };
+}
--- a/hosts/raspberry/containers/piped-uk/secrets.nix
+++ b/hosts/raspberry/containers/piped-uk/secrets.nix
@ -0,0 +1,73 @@
+{pkgs, ...}: {
+  services.secrets = {
+    enable = true;
+
+    packages = with pkgs; [rclone];
+
+    vaultLogin = {
+      enable = true;
+      loginUsername = "raspberry";
+    };
+
+    autoSecrets = {
+      enable = true;
+      affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"];
+    };
+
+    extraFunctions = ''
+      simple_get_obscure() {
+        rclone obscure "$(simple_get "$@")"
+      }
+    '';
+
+    requiredVaultPaths = [
+      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
+    ];
+
+    secrets = {
+      vault_password = {
+        manual = true;
+      };
+
+      piped_cockroachdb_ca_certificate = {
+        user = "cockroachdb";
+        group = "cockroachdb";
+        permissions = "600";
+        path = "/var/lib/cockroachdb-certs/ca.crt";
+        fetchScript = ''
+          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
+            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
+          fi
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
+            | base64 -d > "$secretFile"
+        '';
+      };
+      piped_cockroachdb_node_certificate = {
+        user = "cockroachdb";
+        group = "cockroachdb";
+        permissions = "600";
+        path = "/var/lib/cockroachdb-certs/node.crt";
+        fetchScript = ''
+          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
+            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
+          fi
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
+            | base64 -d > "$secretFile"
+        '';
+      };
+      piped_cockroachdb_node_key = {
+        user = "cockroachdb";
+        group = "cockroachdb";
+        permissions = "600";
+        path = "/var/lib/cockroachdb-certs/node.key";
+        fetchScript = ''
+          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
+            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
+          fi
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
+            | base64 -d > "$secretFile"
+        '';
+      };
+    };
+  };
+}
--- a/hosts/raspberry/profiles/cockroachDB.nix
+++ b/hosts/raspberry/profiles/cockroachDB.nix
@ -1,23 +0,0 @@
-{self, ...}: let
-  internalWireGuard = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
-in {
-  systemd.tmpfiles.rules = [
-    "d /var/lib/cockroachdb-certs - root root"
-  ];
-
-  services.cockroachdb-bin = {
-    enable = true;
-    certsDir = "/var/lib/cockroachdb-certs";
-    join = "localhost:26257,${internalWireGuard.hosts.hetzner-vm.ip}:26257";
-    #  ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
-    extraArgs = ["--advertise-addr=${internalWireGuard.hosts.raspberry.ip}:26257"];
-    listen = {
-      port = 26257;
-      address = "0.0.0.0";
-    };
-    http = {
-      address = "0.0.0.0";
-      port = 8080;
-    };
-  };
-}
--- a/hosts/raspberry/profiles/externalDrive.nix
+++ b/hosts/raspberry/profiles/externalDrive.nix
@ -3,7 +3,7 @@
  pkgs,
  ...
 }: let
-  externalDriveData = import "${self}/drives/data/raspberryExternalDrive.nix";
+  externalDriveData = import "${self}/data/drives/raspberryExternalDrive.nix";

  mountExternalDrive = let
    jq = "${pkgs.jq}/bin/jq";
--- a/hosts/raspberry/profiles/piped.nix
+++ b/hosts/raspberry/profiles/piped.nix
@ -1,34 +0,0 @@
-{pkgs, ...}: {
-  services.piped = {
-    enable = true;
-
-    # Takes too much time to compile otherwise, idm extra bandwidth
-    proxyPackage =
-      (pkgs.piped-proxy.override {
-        withAVIF = false;
-        withWebP = false;
-      })
-      .overrideAttrs {
-        pname = "piped-proxy-debug";
-        doCheck = false;
-        buildType = "debug";
-      };
-
-    postgresDBName = "piped";
-    postgresDBUsername = "piped";
-    postgresDBPassword = "piped";
-    postgresDBHost = "127.0.0.1";
-    postgresDBPort = 26257;
-    databaseDialect = "org.hibernate.dialect.CockroachDialect";
-    disablePostgresDB = true;
-
-    frontendDomain = "piped-uk.owo.monster";
-    backendDomain = "backend.piped-uk.owo.monster";
-    proxyDomain = "proxy.piped-uk.owo.monster";
-  };
-
-  systemd.services.piped-backend = {
-    after = ["cockroachdb.service"];
-    wants = ["cockroachdb.service"];
-  };
-}
--- a/hosts/raspberry/raspberry.nix
+++ b/hosts/raspberry/raspberry.nix
@ -8,13 +8,13 @@

      profiles.chaosInternalWireGuard

+      ./containers/piped-uk/default.nix
+
      ./secrets.nix
      ./boot.nix
    ]
    ++ (with hosts.raspberry.profiles; [
      externalDrive
-      cockroachDB
-      piped
      autoStorageBackups
      rclone
    ]);
--- a/hosts/raspberry/secrets.nix
+++ b/hosts/raspberry/secrets.nix
@ -1,9 +1,7 @@
-{pkgs, ...}: {
+{...}: {
  services.secrets = {
    enable = true;

-    packages = with pkgs; [rclone];
-
    vaultLogin = {
      enable = true;
      loginUsername = "raspberry";
@ -11,19 +9,13 @@

    autoSecrets = {
      enable = true;
-      affectedSystemdServices = ["wg-quick-wg0" "cockroachdb"];
+      affectedSystemdServices = ["wg-quick-wg0"];
    };

-    extraFunctions = ''
-      simple_get_obscure() {
-        rclone obscure "$(simple_get "$@")"
-      }
-    '';
-
+    # some are also added from wireguard internal config
    requiredVaultPaths = [
-      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
      "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
-      "passwords/data/wifi/parentals-home"
+
      "api-keys/data/hetzner/storagebox" # also used dynamically
    ];

@ -31,46 +23,6 @@
      vault_password = {
        manual = true;
      };
-
-      piped_cockroachdb_ca_certificate = {
-        user = "cockroachdb";
-        group = "cockroachdb";
-        permissions = "600";
-        path = "/var/lib/cockroachdb-certs/ca.crt";
-        fetchScript = ''
-          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
-            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
-          fi
-          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
-            | base64 -d > "$secretFile"
-        '';
-      };
-      piped_cockroachdb_node_certificate = {
-        user = "cockroachdb";
-        group = "cockroachdb";
-        permissions = "600";
-        path = "/var/lib/cockroachdb-certs/node.crt";
-        fetchScript = ''
-          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
-            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
-          fi
-          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
-            | base64 -d > "$secretFile"
-        '';
-      };
-      piped_cockroachdb_node_key = {
-        user = "cockroachdb";
-        group = "cockroachdb";
-        permissions = "600";
-        path = "/var/lib/cockroachdb-certs/node.key";
-        fetchScript = ''
-          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
-            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
-          fi
-          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
-            | base64 -d > "$secretFile"
-        '';
-      };
    };
  };
 }
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@ -3,11 +3,4 @@
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
-
-  #loader.grub = {
-  #  enable = true;
-  #  efiSupport = false;
-  #  enableCryptodisk = true;
-  #  device = "/dev/sda";
-  #};
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -27,7 +27,9 @@
        manual = true;
      };

-r
+      # this doesn't need to be a secret and can be generated at install time
+      # but it makes it easier to install.
+      # it's stored in /nix store anyway
      ssh_host_ed25519_key = {
        path = "/ssh_host_ed25519_key";
        permissions = "600";
--- a/outputs.nix
+++ b/outputs.nix
@ -123,11 +123,15 @@ in
            secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";

          # All machines/containers with secrets.nix
-          machines = {
+          machines = rec {
            "hetzner-vm" = {
              containers = ["storage" "piped-fi"];
              sshAddress = "hetzner-vm.servers.genderfucked.monster";
            };
+            "hetzner-arm" = {
+              containers = ["storage" "piped-fi"];
+              sshAddress = "hetzner-vm.servers.genderfucked.monster";
+            };
            "vault" = {
              sshAddress = "vault.servers.genderfucked.monster";
            };
--- a/profiles/pipedCluster/cockroachDB.nix
+++ b/profiles/pipedCluster/cockroachDB.nix
@ -7,7 +7,7 @@
  inherit (lib.lists) filter;
  inherit (builtins) attrNames;

-  clusterConfig = import "${self}/data/pipedClusterConfig.nix";
+  clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
  inherit (clusterConfig) hosts ports;

  currentHostName = config.networking.hostName;
--- a/profiles/pipedCluster/haproxy.nix
+++ b/profiles/pipedCluster/haproxy.nix
@ -1,7 +1,7 @@
 {self, ...}: let
  inherit (builtins) concatStringsSep attrNames;

-  clusterConfig = import "${self}/data/pipedClusterConfig.nix";
+  clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
  inherit (clusterConfig) hosts ports;
 in {
  systemd.services.haproxy.wantedBy = ["piped-backend.service"];
--- a/profiles/pipedCluster/piped.nix
+++ b/profiles/pipedCluster/piped.nix
@ -3,7 +3,7 @@
  config,
  ...
 }: let
-  clusterConfig = import "${self}/data/pipedClusterConfig.nix";
+  clusterConfig = import "${self}/data/piped/pipedClusterConfig.nix";
  inherit (clusterConfig) hosts ports;

  currentHostName = config.networking.hostName;