From ff600220feb7b53a11c2d62b086406f0dcacc1d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Tue, 13 Dec 2022 21:20:34 +0100 Subject: [PATCH 1/4] Add basic config for instance-20221213-1915 --- .github/workflows/build.yml | 1 + .github/workflows/pr.yml | 8 +-- .sops.yaml | 7 +++ config/instance-20221213-1915.nix | 86 +++++++++++++++++++++++++++++ config/nixos-8gb-fsn1-1.nix | 7 +++ flake.nix | 4 ++ secrets/instance-20221213-1915.yaml | 46 +++++++++++++++ 7 files changed, 155 insertions(+), 4 deletions(-) create mode 100644 config/instance-20221213-1915.nix create mode 100644 secrets/instance-20221213-1915.yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a7228d00..5f2d8ea5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ jobs: - thinkrac.x86_64-linux - aarch64-kexec.aarch64-linux - aarch64-kexec-tarball + - instance-20221213-1915.aarch64-linux runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 6db492cf..cb93c7c4 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -29,15 +29,15 @@ jobs: AWS_CREDENTIALS: ${{secrets.AWS_CREDENTIALS}} - run: | - for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do - nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job.x86_64-linux" > old-$job.json + for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux installer.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux; do + nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job" > old-$job.json done echo "Difference between this PR and main:" > review echo "" >> review - for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do - nix show-derivation -r ".#hydraJobs.$job.x86_64-linux" > new-$job.json + for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux installer.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux; do + nix show-derivation -r ".#hydraJobs.$job" > new-$job.json echo "## Changes for $job:" >> review echo '```' >> review diff --git a/.sops.yaml b/.sops.yaml index e7eab9b3..b4d33598 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &nutty-noon age1wfftrnyngg7nxcwvt7m590fwx3w7p4kkrjn9uprjq0u3k3ym4s3qqzkmzm - &thinkrac age15c2dquc22epmmndpmd8pa3077fdl8nyr5qehr7y0c9uvavrledsq326ak9 - &nas age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc + - &instance-20221213-1915 age1s7xxqxk6t6rw3zvfylgpwp5362v5guqsf8vjcvjjdj7wcnnxncvqc62frn creation_rules: - path_regex: secrets/nixos-8gb-fsn1-1\.yaml$ key_groups: @@ -40,3 +41,9 @@ creation_rules: - *thinkrac pgp: - *lotte + - path_regex: secrets/instance-20221213-1915\.yaml$ + key_groups: + - age: + - *instance-20221213-1915 + pgp: + - *lotte diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix new file mode 100644 index 00000000..90b4c412 --- /dev/null +++ b/config/instance-20221213-1915.nix 
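Review bot: The job list is now spelled out twice inside the `run:` block, once per for loop, and a third time in build.yml's matrix, so the next host added will be missed in one of the copies; hoist it into a single shell variable at the top of the script, `jobs="nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux installer.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux"` and `for job in $jobs; do` in both loops. The `run:` block continues past the end of the hunk, and the hunk header announces more lines than are visible here, so part of the script may be cut from this view.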
@@ -0,0 +1,86 @@
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+} @ args: {
+ networking.hostName = "instance-20221213-1915";
+ networking.hostId = "746d4523";
+
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./systemd-boot.nix
+ ./server.nix
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "tank/local/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/6557-C4A0";
+ fsType = "vfat";
+ };
+
+ fileSystems."/nix" = {
+ device = "tank/local/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/safe" = {
+ device = "tank/safe";
+ fsType = "zfs";
+ };
+
+ fileSystems."/persist" = {
+ device = "tank/safe/persist";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" = {
+ device = "tank/safe/home";
+ fsType = "zfs";
+ };
+
+ networking.useDHCP = lib.mkDefault true;
+
+ # https://grahamc.com/blog/erase-your-darlings
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ zfs rollback -r tank/local/root@blank
+ '';
+
+ services.openssh = {
+ hostKeys = [
+ {
+ path = "/persist/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/persist/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ bits = 4096;
+ }
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "L /var/lib/acme - - - - /persist/var/lib/acme"
+ ];
+
+ networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64"];
+ home-manager.users.darkkirb = import ./home-manager/darkkirb.nix {
+ desktop = false;
+ inherit args;
+ };
+ nix.settings.cores = 2;
+ nix.settings.max-jobs = 2;
+ nix.daemonCPUSchedPolicy = "idle";
+ nix.daemonIOSchedClass = "idle";
+}
diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix
index 82afb31a..04e89a82 100644
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
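Review bot: The rollback in `boot.initrd.postDeviceCommands` makes every boot depend on a `tank/local/root@blank` snapshot that nothing in this commit creates; if it is missing on a re-provisioned instance the initrd stops before the root mount, so the prerequisite belongs in a comment next to it, e.g. `# requires: zfs snapshot tank/local/root@blank, taken right after the dataset is created`. The file also deserves a header comment naming the host (flake.nix calls it the Oracle server) and the dataset split — `tank/local/*` is reset on every boot, `tank/safe/*` backs /safe, /persist and /home — since the ssh host keys and the acme state only survive reboots because they live under `/persist`. Consider stating there as well whether `system.stateVersion` is set by `./server.nix`, as it is not set here.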
@@ -229,6 +229,13 @@
 "fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b/128"
 ];
 }
+ # instance-20221213-1915
+ {
+ publicKey = "GHsVg8seCVIMYOidH5+/3EnoXRmi98NXtNTVu+nFcnw=";
+ allowedIPs = [
+ "fd0d:a262:1fa6:e621:746d:4523:5c04:1453/128"
+ ];
+ }
 ];
 };
 boot.kernel.sysctl = {
diff --git a/flake.nix b/flake.nix
index 75a0263a..f580d53e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,6 +99,10 @@ rec {
 name = "aarch64-kexec"; # kexec tarball for aarch64
 system = "aarch64-linux";
 }
+ {
+ name = "instance-20221213-1915"; # Oracle server
+ system = "aarch64-linux";
+ }
 ];
 in rec {
 nixosConfigurations = builtins.listToAttrs (map
diff --git a/secrets/instance-20221213-1915.yaml b/secrets/instance-20221213-1915.yaml
new file mode 100644
index 00000000..e808a4e4
--- /dev/null
+++ b/secrets/instance-20221213-1915.yaml
@@ -0,0 +1,46 @@ +network: + wireguard: + privkey: ENC[AES256_GCM,data:ZyqrBI7hbS0KhnnocUpalbi9BRN5osqAEJdoCok6WRIZvX7aUzAL7ZjbV8Q=,iv:PBBZc3t+OmsEdzTNdRfLpmWvQYP7BRh0paskD1SZsIs=,tag:ciesS+P/lf2KqwHrdTfP/g==,type:str] +security: + restic: + password: ENC[AES256_GCM,data:hYQ++ha83xy1y8KRzo/NtKZ/5Yk=,iv:AHav3AQDyRkAPbtHGZ3+4D4dwb7zqVI2q72PPIWlUiw=,tag:H633tTIkMl6PxnjBlshCcA==,type:str] +services: + nix: + cache-key: ENC[AES256_GCM,data:W0mEttOcP4ldN5WTJzPWs6xK9bb4bcFQfRbstCoTJ0AzhjaMgnew1KhA4G+AA5GASpMU3MaikmMenm9+x5Ua/pOItVATMAtnkC84AZzDtB2A8haSoeaTk5kiD1u5DjR1wA==,iv:mR8ST9auU9kG8lMKr2E9JjfIokqK210g+t7i46kybKM=,tag:h9Xcph3s/h1tdy1N1m5Xag==,type:str] +email: + lotte@chir.rs: ENC[AES256_GCM,data:vCgsNVurVhcEBquF50bontjucQ==,iv:ITfgM4f7sMEhSUXYSVIwhTZ08ZTut9rp43ef6apPQhk=,tag:qJuwTl+Qw8be7frqGsb0Dw==,type:str] + mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:ykQYOSu3+KG8mfJBF7fEJwk2i8i972ERJs/oLLdY2mnQcPCV+9+0YtWwz7HDiLLrUlUV7yDdyjgqVKzdONOnsA==,iv:1Eetui7FvsrXIUSo1vccjA1k+/Bp9OAwI3ZoVYuQVDY=,tag:R27LHK9hpzVolt5+DKLHgg==,type:str] +password: + root: ENC[AES256_GCM,data:06rdfv4dBZC+2OUcyNsOpp+7nQLqFVhy3NWekckbG2wem0lbtPn8eAYMRREhQjhX/JC+0aRMqUaK9VK2YDuqp4SHONAw+ahEEDqoOacKngA34cxq++zfnWPXOCSAMN9nIgLe+77AHYq7qw==,iv:W19HnljIvvkwap0xOF1X7lit7Evm2cQgqLK/pAjo5dI=,tag:A6wzK2pUbvFLWgHJ1X9mSQ==,type:str] + darkkirb: ENC[AES256_GCM,data:cmNsv680uqjPZJ40jU6z3JSUc6a76TbMVpF+EhBzz4wWr5rngDBTDoxjLnOYzuSOlonyJO9IXNygjCq0a7bNu4SYho8nCLeFV0Dvq6xDMCh2ZQ+CjHgP/R7dsaRqmjcujthmB0u0beJGqg==,iv:6Sz3b3S/76B3DGYdLfYQuOACx7SSJNy/pkRAbDmkBOM=,tag:bc6+sqj0+Ky5lhhgkMIXJQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1s7xxqxk6t6rw3zvfylgpwp5362v5guqsf8vjcvjjdj7wcnnxncvqc62frn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNDNpc1hrQ2xkZllYZE9Z + ZXdnS096WUpYaDlJc0ltTFJQaTZBQTEvZDBNCmVXNkxvTjVIMHZJeldtV1gxWmtB + cU83SnFzUmR1bU1ZN3hqTDh3eDUxS2cKLS0tIFJ5c1BxTmp4cnh2aDQvbFA5bzFF + 
QThFZnBQRjh1ZVNoNmU3WkdVbVJVKzAKmEeggdchZmc9kajfpRZfRAR2Tzov4jQK + NprycjlrOuozMCTv75+gbNHTRp4pxQq1JE5NejvyDWkzhL+s8Ikfng== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-13T20:16:10Z" + mac: ENC[AES256_GCM,data:aoJ0pKj6lB6CVxWWo/Te3nt7TJtIrgawGwpeWG/c8wNgzJo+b20ArwqgFPUbhqEQHAciMMGMwPGUq1ERZ3olbwOM9uF56QX570mBsmMcz3XcQHFGF/67whXEKEVUtdaKK42RMBplvVb/huWAbGQUTHGssvoBPV2ioptRk9p+szk=,iv:o+G+tftIgl/DbpGjzv/FuDqU/6JtxMLD1/NP5oL/XyY=,tag:dgqorELGV5nJ0KGQctjKgw==,type:str] + pgp: + - created_at: "2022-12-13T20:09:13Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdAjfjUrHnb/9mXfmsCSDK6QpbqfhU1XAALlrToFSZ1mV0w + ZyNpCaIxlrGdNddMn/jfrlJl/J1WIFkk9MQ81VXz0NIey3WRcj7O/AY8JYFKhoTH + 0l4BVFtqFvR1bE7ycGrag7eC6CSflm8n7jJtJqoSe/LJUtH9mP7euGhoqCcVWlph + byK0DM+4t/6iZhLXmfX4gHZes3qv2wBZ+9e4VsO3TXaOQey298Y/TGRBm7u+wJ0+ + =aNtG + -----END PGP MESSAGE----- + fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD + unencrypted_suffix: _unencrypted + version: 3.7.3 -- 2.47.0 From 3e2918355995766f6eb72e759f78b44e61dc2692 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Tue, 13 Dec 2022 21:25:20 +0100 Subject: [PATCH 2/4] Add zone etnry for instance-20221213-1915 --- zones/int.chir.rs.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/zones/int.chir.rs.nix b/zones/int.chir.rs.nix index fab87e22..cfd67b25 100644 --- a/zones/int.chir.rs.nix +++ b/zones/int.chir.rs.nix @@ -15,7 +15,7 @@ in { SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 17; + serial = 18; }; NS = [ "ns1.chir.rs." @@ -252,6 +252,7 @@ in { } ]; }; + instance-20221213-1915.AAAA = [(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"))]; grafana.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))]; minio.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))]; -- 2.47.0 From 614cfb8f8ebb8e918097f8f39297727460eb87e6 Mon Sep 17 00:00:00 2001 
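Review bot: The new host receives `services.nix.cache-key`, both `email` entries and the `password.root` and `password.darkkirb` entries alongside its own wireguard key; whether these are the same values the other hosts carry cannot be checked through the encryption, but if they are, a compromise of this instance exposes the shared cache signing key and mailbox credentials as well. Consider issuing per-host values where the consumer allows it, or recording in a YAML comment which entries are host-specific and which are shared, so the rotation scope after an incident is clear. The hunk covers the whole new file.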
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Wed, 14 Dec 2022 09:55:40 +0100 Subject: [PATCH 3/4] Add acme secret for instance-20221213-1915 --- secrets/instance-20221213-1915.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/secrets/instance-20221213-1915.yaml b/secrets/instance-20221213-1915.yaml index e808a4e4..d4e37190 100644 --- a/secrets/instance-20221213-1915.yaml +++ b/secrets/instance-20221213-1915.yaml @@ -2,6 +2,9 @@ network: wireguard: privkey: ENC[AES256_GCM,data:ZyqrBI7hbS0KhnnocUpalbi9BRN5osqAEJdoCok6WRIZvX7aUzAL7ZjbV8Q=,iv:PBBZc3t+OmsEdzTNdRfLpmWvQYP7BRh0paskD1SZsIs=,tag:ciesS+P/lf2KqwHrdTfP/g==,type:str] security: + acme: + dns: ENC[AES256_GCM,data:EKvYWjzradH5z3ptYPCkqg1oYFMBSUIfoDQsFIUpiGxZLzxgNj3zf4WdJCwhgV5df4hv5tRvsFEaCVDQ5Tk1uJQpVMIkFLuj8pnQOhALOy6edn4sHjSwOS1L5J8mKWTd2dCIzV+0UJ6erufBhwgvrlznTkNRM3YLltXjh+2pBFIa5NVue77QWzs0YfZMKMWezrR+64gY6pWPAJ7m8gtD+oFNSC+xgHu3LgXioMXoEDhqVOEofr518rS1gezME4xhTN9fNAYL4XahUaFD1H3d+GToj80s,iv:AL/YmppFPDr0qgdS9wzxeBcH/6mDkhvKezPhMD0qm3w=,tag:u4rFbHUNlvo/RjKuEn6UQg==,type:str] + cloudflare: ENC[AES256_GCM,data:m35EgRacUOHFcqiwMyBPIPMZOq00eCKKGXko6n5fj7dVKorxI1lYFOG+pu68C7JfsnUr32t5TDMCsXhv7xD5BuCl2r6EZkpdzbZgnRqt7ijJ7fNUyMYjQ5SkwKzFb3R7sZcxpABt1z/b/ABZKs/VwaR3TQpGB/9CUv0p6kXN19lsfKOJo0LfyMdH2gf9RScq/IuVfpTm2jlHDwNC16qIZM9+Jqkw02JR7uOtD7jIvQDGN1FLqk7cXzU=,iv:qUbEGVrgq2vzVu66iA9mDBSgp1mrqyYdzyvXbGZwPrk=,tag:v443bohPg9eQZq6mUKUDSQ==,type:str] restic: password: ENC[AES256_GCM,data:hYQ++ha83xy1y8KRzo/NtKZ/5Yk=,iv:AHav3AQDyRkAPbtHGZ3+4D4dwb7zqVI2q72PPIWlUiw=,tag:H633tTIkMl6PxnjBlshCcA==,type:str] services: 
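Review bot: The new `security.acme.dns` and `security.acme.cloudflare` entries place DNS-provider API credentials on the instance; their scope cannot be checked here, but a token used only for DNS-01 challenges should be restricted to editing DNS records of the zones this host issues certificates for, so a leak from the host cannot rewrite other records. A one-line YAML comment beside each key recording the token's permission scope and issue date (the value itself stays encrypted) would make later rotation straightforward. The sops metadata update for this change is in the following hunk.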
@@ -28,8 +31,8 @@ sops: QThFZnBQRjh1ZVNoNmU3WkdVbVJVKzAKmEeggdchZmc9kajfpRZfRAR2Tzov4jQK NprycjlrOuozMCTv75+gbNHTRp4pxQq1JE5NejvyDWkzhL+s8Ikfng== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-13T20:16:10Z" - mac: ENC[AES256_GCM,data:aoJ0pKj6lB6CVxWWo/Te3nt7TJtIrgawGwpeWG/c8wNgzJo+b20ArwqgFPUbhqEQHAciMMGMwPGUq1ERZ3olbwOM9uF56QX570mBsmMcz3XcQHFGF/67whXEKEVUtdaKK42RMBplvVb/huWAbGQUTHGssvoBPV2ioptRk9p+szk=,iv:o+G+tftIgl/DbpGjzv/FuDqU/6JtxMLD1/NP5oL/XyY=,tag:dgqorELGV5nJ0KGQctjKgw==,type:str] + lastmodified: "2022-12-14T08:55:10Z" + mac: ENC[AES256_GCM,data:W/B21vSPg9kJX13VHn8wCqK/NxdSaMJ0y+noXypFyI1yNlA5BTMIAwgR6ZRkCMdD9U+bz34Ujp8LENw9+AaRJ2pHA2/m4Jg+rdsA0T6K7E3k6qkMKyjH5Ovctx1Onu4PXKsRfS+Z4hz2qlkmCGyxBk1AHMjo8MxSQd9VtFZKP10=,iv:4S7a/kIpOucN/fp2Wo2aIodV1Yk3CX+vBUHUWzZEM84=,tag:m2vWnkzvZ9UdPSTGR/kbVg==,type:str] pgp: - created_at: "2022-12-13T20:09:13Z" enc: | -- 2.47.0 From ded46403ec1766fbd5e126e994a58e827b99524a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Wed, 14 Dec 2022 09:59:05 +0100 Subject: [PATCH 4/4] Remove the kexec tarball --- .github/workflows/build.yml | 2 -- config/aarch64-kexec.nix | 65 ------------------------------------- flake.nix | 5 --- 3 files changed, 72 deletions(-) delete mode 100644 config/aarch64-kexec.nix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5f2d8ea5..180ac4b8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,8 +13,6 @@ jobs: - nixos-8gb-fsn1-1.x86_64-linux - nutty-noon.x86_64-linux - thinkrac.x86_64-linux - - aarch64-kexec.aarch64-linux - - aarch64-kexec-tarball - instance-20221213-1915.aarch64-linux runs-on: ubuntu-latest steps: diff --git a/config/aarch64-kexec.nix b/config/aarch64-kexec.nix deleted file mode 100644 index 3ff072bc..00000000 --- a/config/aarch64-kexec.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -# Adapted from https://github.com/cleverca22/nix-tests/tree/master/kexec -{ - pkgs, - config, - nixpkgs, - ... -}: { - imports = [ - "${nixpkgs}/nixos/modules/installer/netboot/netboot-minimal.nix" - ]; - networking.hostName = "nixos"; - networking.hostId = "d5b14b97"; - boot.kernelParams = ["net.ifnames=0"]; - system.stateVersion = "22.11"; - system.build = rec { - image = pkgs.runCommand "image" {buildInputs = [pkgs.nukeReferences];} '' - mkdir $out - cp ${config.system.build.kernel}/${config.system.boot.loader.kernelFile} $out/kernel - cp ${config.system.build.netbootRamdisk}/initrd $out/initrd - echo "init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}" > $out/cmdline - nuke-refs $out/kernel - ''; - kexec_script = pkgs.writeTextFile { - executable = true; - name = "kexec-nixos"; - text = '' - #!${pkgs.stdenv.shell} - export PATH=${pkgs.kexectools}/bin:${pkgs.cpio}/bin:$PATH - set -x - set -e - cd $(mktemp -d) - pwd - mkdir initrd - pushd initrd - if [ -e /ssh_pubkey ]; then - cat /ssh_pubkey >> authorized_keys - fi - find -type f | cpio -o -H newc | gzip -9 > ../extra.gz - popd - cat ${image}/initrd extra.gz > final.gz - kexec -l ${image}/kernel --initrd=final.gz --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}" - sync - echo "executing kernel, filesystems will be improperly umounted" - kexec -e - ''; - }; - }; - boot.initrd.postMountCommands = '' - mkdir -p /mnt-root/root/.ssh/ - cp /authorized_keys /mnt-root/root/.ssh/ - ''; - system.build.kexec_tarball = pkgs.callPackage "${nixpkgs}/nixos/lib/make-system-tarball.nix" { - storeContents = [ - { - object = config.system.build.kexec_script; - symlink = "/kexec_nixos"; - } - ]; - contents = []; - }; - networking.wireguard.interfaces."wg0".ips = [ - "fd0d:a262:1fa6:e621:6ec2:1e4e:ce7f:d2af/64" - ]; - boot.supportedFilesystems = ["zfs"]; -} 
diff --git a/flake.nix b/flake.nix
index f580d53e..8f5ecd74 100644
--- a/flake.nix
+++ b/flake.nix
@@ -95,10 +95,6 @@ rec {
 name = "nas"; # My nas
 system = "x86_64-linux";
 }
- {
- name = "aarch64-kexec"; # kexec tarball for aarch64
- system = "aarch64-linux";
- }
 {
 name = "instance-20221213-1915"; # Oracle server
 system = "aarch64-linux";
@@ -170,7 +166,6 @@ rec {
 systems))
 // {
 inherit devShell;
- aarch64-kexec-tarball = nixosConfigurations.aarch64-kexec.config.system.build.kexec_tarball;
 # Uncomment the line to build an installer image
 # This is EXTREMELY LARGE and will make builds take forever
 # installer.x86_64-linux = nixosConfigurations.installer.config.system.build.isoImage;
-- 
2.47.0