From 80926102f44fb23f097ab1354edea4de68f9f7f1 Mon Sep 17 00:00:00 2001
From: derped
Date: Fri, 21 Mar 2025 23:18:32 +0100
Subject: [PATCH] machines/Ophanim: migrate to new server

---
 .sops.yaml | 2 +-
 machines/Ophanim/hardware-configuration.nix | 122 ++++++++++++++++----
 machines/Ophanim/options.nix | 57 ++++++---
 machines/Ophanim/secrets.yaml | 35 +++---
 machines/Ophanim/sops.nix | 9 +-
 5 files changed, 161 insertions(+), 64 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index a235dc6..db51d2d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
 - &admins 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
 - &lilim age1vwtr3vxmtde3354vswzqnglyhc23k5xhpfyjqgxf4u4d9z5qr3dsuj4v2d
 - &marid age1uq4x5yqf92z343ycpf4jycv7fqwk2kk8t5gapzp0ayk8hay98fns5mwmt7
- - &ophanim age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+ - &ophanim age1q49xu8zdt77s6h2gcsf4842k4tzzuhc5svr6f7saqy90muf6c9eqfa9s3e
 - &sheol age12uvysactuucun05nk8l3azpaclz9k04ygcurtlqqjg6dsvarvcqs0s9d2y
 creation_rules:
 - path_regex: machines/Lilim/[^/]+.yaml$
diff --git a/machines/Ophanim/hardware-configuration.nix b/machines/Ophanim/hardware-configuration.nix
index 6a6a7e7..5f05b91 100644
--- a/machines/Ophanim/hardware-configuration.nix
+++ b/machines/Ophanim/hardware-configuration.nix 
@@ -1,36 +1,114 @@
 {
- nixpkgs,
- pkgs,
+ lib,
+ modulesPath,
 ...
 }:
+
 {
 imports = [
- "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ (modulesPath + "/profiles/qemu-guest.nix")
 ];
 boot = {
- initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "sd_mod"
- "sr_mod"
- ];
- kernelPackages = pkgs.linuxPackages_latest;
+ loader.systemd-boot = {
+ enable = true;
+ };
+ loader.efi.canTouchEfiVariables = true;
+ supportedFilesystems = [ "btrfs" ];
+ initrd = {
+ availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "sr_mod"
+ "virtio_blk"
+ ];
+ kernelModules = [ ];
+ };
 kernelModules = [ ];
 extraModulePackages = [ ];
- loader.grub = {
- enable = true;
- device = "/dev/sda"; # or "nodev" for efi only
- };
 };
+ fileSystems =
+ let
+ btrfsDev = "13d40c4f-baaa-4a17-9032-b25aad202384";
+ in
+ {
+ "/" = {
+ device = "none";
+ fsType = "tmpfs";
+ neededForBoot = true;
+ options = [
+ "defaults"
+ "size=4G"
+ "mode=755"
+ "noexec"
+ ];
+ };
+
+ "/tmp" = {
+ device = "/dev/disk/by-uuid/${btrfsDev}";
+ fsType = "btrfs";
+ options = [
+ "noexec"
+ "noatime"
+ "compress=zstd"
+ "subvol=tmp"
+ ];
+ neededForBoot = true;
+ };
+
+ "/snapshots" = {
+ device = "/dev/disk/by-uuid/${btrfsDev}";
+ fsType = "btrfs";
+ options = [
+ "noexec"
+ "noatime"
+ "compress=zstd"
+ "subvol=snapshots"
+ ];
+ neededForBoot = false;
+ };
+
+ "/persist" = {
+ device = "/dev/disk/by-uuid/${btrfsDev}";
+ fsType = "btrfs";
+ options = [
+ "noexec"
+ "noatime"
+ "compress=zstd"
+ "subvol=persist"
+ ];
+ neededForBoot = true;
+ };
+
+ "/nix" = {
+ device = "/dev/disk/by-uuid/${btrfsDev}";
+ fsType = "btrfs";
+ options = [
+ "noatime"
+ "compress=zstd"
+ "subvol=nix"
+ ];
+ neededForBoot = true;
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/5491-80AC";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+
+ # Enables DHCP on each ethernet and wireless interface. 
In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+
 time.timeZone = "Europe/Berlin";
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/fa0c2ff3-59f9-4c00-8153-c2c2ef0f0e84";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix
index aa17f5d..e12fc25 100644
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@@ -25,6 +25,11 @@ in
 "baensch"
 ];
 }
+ {
+ name = "august";
+ aliases = [
+ ];
+ }
 ];
 allowUnfree = true;
 conffiles = [
@@ -35,19 +40,39 @@ in
 pkgs = [
 "base"
 "server"
+ "nvim"
+ "nvim::cmp"
+ "nvim::fugitive"
+ "nvim::harpoon"
+ "nvim::kanagawa-nvim"
+ "nvim::lsp"
+ "nvim::lsp::bash"
+ "nvim::lsp::nix-nil"
+ "nvim::lsp::python"
+ "nvim::lualine"
+ "nvim::nvim-highlight"
+ "nvim::telescope"
+ "nvim::tmux-navigate"
+ "nvim::treesitter"
+ "nvim::trim"
+ "nvim::undotree"
 ];
 services = [
 "acme"
+ "btrbk"
+ "btrfs"
+ "fail2ban"
 "forgejo"
- "tandoor"
- # "hydra"
+ "impermanence"
 "mailserver"
 "mariaDB"
- "nextcloud"
 "nginx"
 "openssh"
+ "radicale"
 "tmux"
- "tt-rss"
+ # TODO: re-add sservices
+ # "tandoor"
+ # "tt-rss"
 ];
 vHosts =
 let
@@ -58,11 +83,9 @@ in
 domain = base;
 service = "simple";
 }
- # { domain = "builder.${base}"; service = "hydra"; }
- # { domain = "cache.${base}"; service = "cache"; }
 {
- domain = "storage.${base}";
- service = "nextcloud";
+ domain = "cal.${base}";
+ service = "radicale";
 }
 {
 domain = "mail.${base}"; 
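Review bot: The `/boot` entry near the end of the hunk mounts the ESP with `fmask=0022`/`dmask=0022`, which leaves kernels, initrds and — with `loader.systemd-boot.enable = true` in the same hunk — systemd-boot's random-seed file readable by every local user; `fmask=0077`/`dmask=0077` is the tighter choice and, as far as I recall, is exactly what systemd warns about when the ESP is world accessible. The generated comment above `networking.useDHCP` ends in `networking.interfaces..useDHCP`, which looks like a lost `<interface>` placeholder and is worth restoring so the hint is readable. Separately, `/persist` is mounted `noexec`; if the impermanence module bind-mounts service state out of it, anything that must execute from that state inherits the flag, which is worth confirming on the new host before relying on it.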
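Review bot: The TODO added to the services list reads `# TODO: re-add sservices`, a doubled `s`; `# TODO: re-add services` is meant. Since the two entries it refers to are kept right below it as commented-out strings (and their vhosts are commented out the same way in the `-72,14` hunk), naming them in the TODO itself, `# TODO: re-add tandoor and tt-rss once migrated`, would make the intent self-explanatory without reading both hunks.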
@@ -72,14 +95,14 @@ in
 domain = "git.${base}";
 service = "forgejo";
 }
- {
- domain = "food.${base}";
- service = "tandoor";
- }
- {
- domain = "feed.${base}";
- service = "tt-rss";
- }
+ # {
+ # domain = "food.${base}";
+ # service = "tandoor";
+ # }
+ # {
+ # domain = "feed.${base}";
+ # service = "tt-rss";
+ # }
 ];
 firewall = {
 enable = true;
@@ -88,12 +111,10 @@ in
 22
 80
 443
- 7776
 ];
 allowedTCPPorts = [
 80
 443
- 7776
 ];
 };
 };
diff --git a/machines/Ophanim/secrets.yaml b/machines/Ophanim/secrets.yaml
index 34c3d05..d407d5d 100644
--- a/machines/Ophanim/secrets.yaml
+++ b/machines/Ophanim/secrets.yaml
@@ -3,6 +3,8 @@ users:
 password: ENC[AES256_GCM,data:LODa3S3CpToxDcILSXIAwjZKq+KBh2HwnmxM6NLjuGpHWLGG+olvYxYju4vd1bF4c0OFdKfJFzM99JENt+OLp7tR/NQhvpiu6f1IhcxSrjJTBTXHlRHSGm2JD3a7HB3E7DUH,iv:MrhBrInvFbHq086pc9cyvtXVSLBDDuuWFGm1KLnElk8=,tag:VqxDD1PXgZzeTGogtFgbrQ==,type:str]
 mail: ENC[AES256_GCM,data:b8/EiGUiUmCsxeOSFLE4lETrdi6Dn6wpWdYyNb22kHo/Ws0PXMLu4FJKeP/lZj0kKigdm4I94eEYyC8UmZKcJtilW/JtUpfmGzDkiGTxY7VxVFZYbamsQ1wq1r3BuWZorn+m,iv:+kyH2h+0++NnR/NPyUOPkEj1HSMI7+gciCXuebdlvkc=,tag:J6ltTqx34sJbkUAaiZJR6g==,type:str]
 publicKey: ENC[AES256_GCM,data:n1o+2pBdstnnC7b3Oub8Cen6JYZzR4ouaVlANsqxr2B8apPgY3ZaWoYO7b773MiKlhfPGPDpnL6H+jBGRc+adUjuaLFl2fnWwHCo8bIe/esIMf+bgyMefodg35R6j02bT0BM8dQGRyU/Qw==,iv:zCZdEvdTNvz/pAG6fAlsG5ZTCzOyfpo5OJswFa9n0ws=,tag:efQOpShXKmTJeK3odLt7cw==,type:str]
+ august:
+ mail: ENC[AES256_GCM,data:zEeONrOporN+UsMuPmwatyNGp1Iz4UQKKRAQeQB7GDbu4BK4xyr/Q62XoMMsj+UYj0Eq6yIvtWmmzttmcY3WpWiTb3wMtRmvzzpogD51P1aFwA/RJ5k5tcICFvZUOT+DkTTZ0mVlj7QmMA==,iv:4gND1l7sg1TpS9qLqbiJZhbTwR9z2eo1RnaFL7ne78E=,tag:NWFI+oNtTDT/39s1HD0+Cw==,type:str]
 services:
 forgejo:
 dbPass: ENC[AES256_GCM,data:TStfvP4VP9StXzxPU0GKyxZqXCj/+OLc2nE+FZWKbi95yn9BEFAyFQ==,iv:ZmM1+I1ipE5yHXMX4GYh6GqBr3B3Cycym24obHQG59M=,tag:C9kdJlEZUdGTS/N2NtuWdw==,type:str] 
@@ -19,29 +21,28 @@ sops:
 azure_kv: []
 hc_vault: []
 age:
- - recipient: age1u386j7v4yrxm6psykfk4wyy5ay2ugcfcemve2msfwv0klnf3x34stz34du
+ - recipient: age1q49xu8zdt77s6h2gcsf4842k4tzzuhc5svr6f7saqy90muf6c9eqfa9s3e
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MnhBVzREYkdEMXYrbG5F
- Tkh5dUk1Z3pvbFU2b29ScHRreUg4Y0poTFdjClFOQzg2aGF5dUtLdFV1Rm5Rb0ZX
- cGZDYW9YQWFOa0l6cGFKaFZxVk9PaWcKLS0tIHN2M3puV2V1YzBWd2YvdEdMYTJl
- Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
- 0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbCsvRFhFOC8xdTZ1dEJk
+ QlNiNE9mTnhHSWpEbG1KdVJZUllFSHUwcWlnCkhhMlFFanUyRjBSNXg2ZDdOVytm
+ Z2t6L1hoUktXczc2SkErMHU5ZDVIYWMKLS0tIFZQMGhZV0V6bmxLdWswZGg1cE9I
+ ZUd6NXpIbkRhc0ZIM3BQc3ZRTHZSMFkKlHPJymevA5mrcZ66n4PIcxUtGwiQRUpS
+ ctRke10aLmPCPe3C+Vy90wXxU8CShNXrCrgn0eaXlr5Pc+U2gvJt4w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-21T11:05:34Z"
- mac: ENC[AES256_GCM,data:50Qe5aBO/xT5VFxfyIvB1hB32MlxSsXdIrG2zwDf5lGyk8cYKr8i5LZX7TQfzaREW9CgwPt7K4bxbGqAPG6wOVCgN+GYbVqpWgORfftMRzy0oVFY+zbb+oewmy7lh/Da0z1+6+P+GECoGakduChOcWYfrjxQk7ODEz0RE4aX1Cs=,iv:+DSaPLZTrYHTY0LpUKjBn+NlhO+QKQh2wrVfNNLZoOc=,tag:d1ixNV6w1vJlHJHcjS64ow==,type:str]
+ lastmodified: "2025-03-01T21:06:52Z"
+ mac: ENC[AES256_GCM,data:UZrrHrfX5cH0LUp42BeesAzceHmwx4Hbz/Ihgko/hhXZQwhEMezyzXO0w02EPxjiHWCVi2xJpk1BzXzUJOzSJgG8uu7CURF3ku0jg6u5MPjDznJOK3LxUjJCS3aRKdbim4Xxa041o82tV8EYFmV3VqhQsyuAvVhyUlHzmb4pxKg=,iv:6vq6+hOflbHBRS7Lt+4wlWFdnRwRS+5VikwaVk0vPhU=,tag:UA/MF3UkhgM9VaEc9wGYnA==,type:str]
 pgp:
- - created_at: "2023-09-10T17:32:58Z"
- enc: |
+ - created_at: "2025-02-27T11:57:35Z"
+ enc: |-
 -----BEGIN PGP MESSAGE-----
- hF4DVbZwA9DOvl8SAQdAJ4Qrf8O6xL6S/cFQVN03zFsAimcaj0i4k1XQt1Nu/Q8w
- 08L6kBtYMw6PdEMJ0Tm+wqS/cB+kL5xQRGH6a05hbYoSDJdApO7Ur7r4RWS1r4cL
- 1GgBCQIQT7t2XPbZ7g8EzhIDDffm4JXi0D7oIoeAnpbnad3ao2YUA2hTFTX025FY
- dK1kIPCqA4cET+vqM9W3qq1DSKr+YoMrycWyUntwk9TSpy6pmMw4OII8yKnccoNR - 
LkjqppMzPP/4OQ==
- =+ryG
+ hF4DVbZwA9DOvl8SAQdAQFSn85CwMlRwwf/UmjERCDCuAD/fZJCjZ5VQunVLHmkw
+ OtFuf326h6CAid2gchi4eOGt+ezJ79gWjN9JMjfeLm04PM6RtzMZzjPrBKwuTv0b
+ 0l4BRonGkbjvU+Ne47i6n7gmoyMOG7yCQWI2RnIip/+9A39zTUsZDpzBrF1Qp0rn
+ SS0WC3MxUm2fah8ow/8u9KKRh5m9daFTDSM1otowdoqUnPWtCC8TESjrhfC+wCKu
+ =R9C3
 -----END PGP MESSAGE-----
 fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
 unencrypted_suffix: _unencrypted
- version: 3.9.1
+ version: 3.9.4
diff --git a/machines/Ophanim/sops.nix b/machines/Ophanim/sops.nix
index b6183b9..c0beee2 100644
--- a/machines/Ophanim/sops.nix
+++ b/machines/Ophanim/sops.nix
@@ -1,13 +1,10 @@
-{
- config,
- lib,
- ...
-}:
+_:
+
 {
 sops = {
 defaultSopsFile = ./secrets.yaml;
 age = {
- keyFile = "/var/lib/sops-nix/key.txt";
+ keyFile = "/persist/var/lib/sops-nix/key.txt";
 generateKey = true;
 };
 };
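Review bot: Only the key envelope changes in this hunk — the age recipient, both `enc` blocks, `lastmodified` and `mac` — while every `ENC[...]` value in the `-3,6` hunk is unchanged context, so the file was re-keyed (as `sops updatekeys` does) rather than rotated: the data key is still the one the old host's age key (`age1u386…`, which remains in git history) can unwrap. If the old server is being decommissioned rather than kept under your control, re-encrypt with `sops --rotate -i machines/Ophanim/secrets.yaml` so a fresh data key is used. A new data key does not help against anyone who already decrypted the old revision, so the plaintext values themselves (user passwords, the `mail` entries, forgejo `dbPass`) should be treated as rotated-on-migration rather than carried over. Dropping the old recipient from `.sops.yaml` in the same patch is the right companion step.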
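Review bot: `keyFile` now points below `/persist`, but `generateKey = true` is kept, so if `/persist` is ever not mounted when sops-nix activates it silently mints a fresh key there and every secret in `secrets.yaml` fails to decrypt, while the new key can never match the `&ophanim` recipient committed in `.sops.yaml`. That is only safe because hardware-configuration.nix in this same patch marks `/persist` as `neededForBoot = true`; the coupling is invisible from this file, so a comment on the option would help, e.g. `# key lives on the persistent subvolume; /persist must stay neededForBoot so it is mounted before sops-nix activates`. Consider also whether `generateKey` is still wanted now that the host key is provisioned — with it set to false, a missing key fails loudly at activation instead of being quietly replaced.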