.github/workflows/build.yml

@@ -13,8 +13,7 @@ jobs:
           - nixos-8gb-fsn1-1.x86_64-linux
           - nutty-noon.x86_64-linux
           - thinkrac.x86_64-linux
-          - aarch64-kexec.aarch64-linux
-          - aarch64-kexec-tarball
+          - instance-20221213-1915.aarch64-linux
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository

.github/workflows/pr.yml

@@ -29,15 +29,15 @@ jobs:
           AWS_CREDENTIALS: ${{secrets.AWS_CREDENTIALS}}
       - run: |
 
-          for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do
-            nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job.x86_64-linux" > old-$job.json
+          for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux installer.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux; do
+            nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job" > old-$job.json
           done
 
           echo "Difference between this PR and main:" > review
           echo "" >> review
 
-          for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do
-            nix show-derivation -r ".#hydraJobs.$job.x86_64-linux" > new-$job.json
+          for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux installer.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux; do
+            nix show-derivation -r ".#hydraJobs.$job" > new-$job.json
 
             echo "## Changes for $job:" >> review
             echo '```' >> review

.sops.yaml

@@ -4,6 +4,7 @@ keys:
   - &nutty-noon age1wfftrnyngg7nxcwvt7m590fwx3w7p4kkrjn9uprjq0u3k3ym4s3qqzkmzm
   - &thinkrac age15c2dquc22epmmndpmd8pa3077fdl8nyr5qehr7y0c9uvavrledsq326ak9
   - &nas age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc
+  - &instance-20221213-1915 age1s7xxqxk6t6rw3zvfylgpwp5362v5guqsf8vjcvjjdj7wcnnxncvqc62frn
 creation_rules:
   - path_regex: secrets/nixos-8gb-fsn1-1\.yaml$
     key_groups:
@@ -40,3 +41,9 @@ creation_rules:
           - *thinkrac
         pgp:
           - *lotte
+  - path_regex: secrets/instance-20221213-1915\.yaml$
+    key_groups:
+      - age:
+          - *instance-20221213-1915
+        pgp:
+          - *lotte

config/aarch64-kexec.nix

@@ -1,65 +0,0 @@
-# Adapted from https://github.com/cleverca22/nix-tests/tree/master/kexec
-{
-  pkgs,
-  config,
-  nixpkgs,
-  ...
-}: {
-  imports = [
-    "${nixpkgs}/nixos/modules/installer/netboot/netboot-minimal.nix"
-  ];
-  networking.hostName = "nixos";
-  networking.hostId = "d5b14b97";
-  boot.kernelParams = ["net.ifnames=0"];
-  system.stateVersion = "22.11";
-  system.build = rec {
-    image = pkgs.runCommand "image" {buildInputs = [pkgs.nukeReferences];} ''
-      mkdir $out
-      cp ${config.system.build.kernel}/${config.system.boot.loader.kernelFile} $out/kernel
-      cp ${config.system.build.netbootRamdisk}/initrd $out/initrd
-      echo "init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}" > $out/cmdline
-      nuke-refs $out/kernel
-    '';
-    kexec_script = pkgs.writeTextFile {
-      executable = true;
-      name = "kexec-nixos";
-      text = ''
-        #!${pkgs.stdenv.shell}
-        export PATH=${pkgs.kexectools}/bin:${pkgs.cpio}/bin:$PATH
-        set -x
-        set -e
-        cd $(mktemp -d)
-        pwd
-        mkdir initrd
-        pushd initrd
-        if [ -e /ssh_pubkey ]; then
-          cat /ssh_pubkey >> authorized_keys
-        fi
-        find -type f | cpio -o -H newc | gzip -9 > ../extra.gz
-        popd
-        cat ${image}/initrd extra.gz > final.gz
-        kexec -l ${image}/kernel --initrd=final.gz --append="init=${builtins.unsafeDiscardStringContext config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
-        sync
-        echo "executing kernel, filesystems will be improperly umounted"
-        kexec -e
-      '';
-    };
-  };
-  boot.initrd.postMountCommands = ''
-    mkdir -p /mnt-root/root/.ssh/
-    cp /authorized_keys /mnt-root/root/.ssh/
-  '';
-  system.build.kexec_tarball = pkgs.callPackage "${nixpkgs}/nixos/lib/make-system-tarball.nix" {
-    storeContents = [
-      {
-        object = config.system.build.kexec_script;
-        symlink = "/kexec_nixos";
-      }
-    ];
-    contents = [];
-  };
-  networking.wireguard.interfaces."wg0".ips = [
-    "fd0d:a262:1fa6:e621:6ec2:1e4e:ce7f:d2af/64"
-  ];
-  boot.supportedFilesystems = ["zfs"];
-}

config/instance-20221213-1915.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+} @ args: {
+  networking.hostName = "instance-20221213-1915";
+  networking.hostId = "746d4523";
+
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./systemd-boot.nix
+    ./server.nix
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "tank/local/root";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/6557-C4A0";
+    fsType = "vfat";
+  };
+
+  fileSystems."/nix" = {
+    device = "tank/local/nix";
+    fsType = "zfs";
+  };
+
+  fileSystems."/safe" = {
+    device = "tank/safe";
+    fsType = "zfs";
+  };
+
+  fileSystems."/persist" = {
+    device = "tank/safe/persist";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "tank/safe/home";
+    fsType = "zfs";
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+
+  # https://grahamc.com/blog/erase-your-darlings
+  boot.initrd.postDeviceCommands = lib.mkAfter ''
+    zfs rollback -r tank/local/root@blank
+  '';
+
+  services.openssh = {
+    hostKeys = [
+      {
+        path = "/persist/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+      {
+        path = "/persist/ssh/ssh_host_rsa_key";
+        type = "rsa";
+        bits = 4096;
+      }
+    ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "L /var/lib/acme - - - - /persist/var/lib/acme"
+  ];
+
+  networking.wireguard.interfaces."wg0".ips = ["fd0d:a262:1fa6:e621:746d:4523:5c04:1453/64"];
+  home-manager.users.darkkirb = import ./home-manager/darkkirb.nix {
+    desktop = false;
+    inherit args;
+  };
+  nix.settings.cores = 2;
+  nix.settings.max-jobs = 2;
+  nix.daemonCPUSchedPolicy = "idle";
+  nix.daemonIOSchedClass = "idle";
+}

config/nixos-8gb-fsn1-1.nix

@@ -229,6 +229,13 @@
           "fd0d:a262:1fa6:e621:bc9b:6a33:86e4:873b/128"
         ];
       }
+      # instance-20221213-1915
+      {
+        publicKey = "GHsVg8seCVIMYOidH5+/3EnoXRmi98NXtNTVu+nFcnw=";
+        allowedIPs = [
+          "fd0d:a262:1fa6:e621:746d:4523:5c04:1453/128"
+        ];
+      }
     ];
   };
   boot.kernel.sysctl = {

flake.nix

@@ -96,7 +96,7 @@ rec {
         system = "x86_64-linux";
       }
       {
-        name = "aarch64-kexec"; # kexec tarball for aarch64
+        name = "instance-20221213-1915"; # Oracle server
         system = "aarch64-linux";
       }
     ];
@@ -166,7 +166,6 @@ rec {
         systems))
       // {
         inherit devShell;
-        aarch64-kexec-tarball = nixosConfigurations.aarch64-kexec.config.system.build.kexec_tarball;
         # Uncomment the line to build an installer image
         # This is EXTREMELY LARGE and will make builds take forever
         # installer.x86_64-linux = nixosConfigurations.installer.config.system.build.isoImage;

secrets/instance-20221213-1915.yaml

@@ -0,0 +1,49 @@
+network:
+    wireguard:
+        privkey: ENC[AES256_GCM,data:ZyqrBI7hbS0KhnnocUpalbi9BRN5osqAEJdoCok6WRIZvX7aUzAL7ZjbV8Q=,iv:PBBZc3t+OmsEdzTNdRfLpmWvQYP7BRh0paskD1SZsIs=,tag:ciesS+P/lf2KqwHrdTfP/g==,type:str]
+security:
+    acme:
+        dns: ENC[AES256_GCM,data:EKvYWjzradH5z3ptYPCkqg1oYFMBSUIfoDQsFIUpiGxZLzxgNj3zf4WdJCwhgV5df4hv5tRvsFEaCVDQ5Tk1uJQpVMIkFLuj8pnQOhALOy6edn4sHjSwOS1L5J8mKWTd2dCIzV+0UJ6erufBhwgvrlznTkNRM3YLltXjh+2pBFIa5NVue77QWzs0YfZMKMWezrR+64gY6pWPAJ7m8gtD+oFNSC+xgHu3LgXioMXoEDhqVOEofr518rS1gezME4xhTN9fNAYL4XahUaFD1H3d+GToj80s,iv:AL/YmppFPDr0qgdS9wzxeBcH/6mDkhvKezPhMD0qm3w=,tag:u4rFbHUNlvo/RjKuEn6UQg==,type:str]
+        cloudflare: ENC[AES256_GCM,data:m35EgRacUOHFcqiwMyBPIPMZOq00eCKKGXko6n5fj7dVKorxI1lYFOG+pu68C7JfsnUr32t5TDMCsXhv7xD5BuCl2r6EZkpdzbZgnRqt7ijJ7fNUyMYjQ5SkwKzFb3R7sZcxpABt1z/b/ABZKs/VwaR3TQpGB/9CUv0p6kXN19lsfKOJo0LfyMdH2gf9RScq/IuVfpTm2jlHDwNC16qIZM9+Jqkw02JR7uOtD7jIvQDGN1FLqk7cXzU=,iv:qUbEGVrgq2vzVu66iA9mDBSgp1mrqyYdzyvXbGZwPrk=,tag:v443bohPg9eQZq6mUKUDSQ==,type:str]
+    restic:
+        password: ENC[AES256_GCM,data:hYQ++ha83xy1y8KRzo/NtKZ/5Yk=,iv:AHav3AQDyRkAPbtHGZ3+4D4dwb7zqVI2q72PPIWlUiw=,tag:H633tTIkMl6PxnjBlshCcA==,type:str]
+services:
+    nix:
+        cache-key: ENC[AES256_GCM,data:W0mEttOcP4ldN5WTJzPWs6xK9bb4bcFQfRbstCoTJ0AzhjaMgnew1KhA4G+AA5GASpMU3MaikmMenm9+x5Ua/pOItVATMAtnkC84AZzDtB2A8haSoeaTk5kiD1u5DjR1wA==,iv:mR8ST9auU9kG8lMKr2E9JjfIokqK210g+t7i46kybKM=,tag:h9Xcph3s/h1tdy1N1m5Xag==,type:str]
+email:
+    lotte@chir.rs: ENC[AES256_GCM,data:vCgsNVurVhcEBquF50bontjucQ==,iv:ITfgM4f7sMEhSUXYSVIwhTZ08ZTut9rp43ef6apPQhk=,tag:qJuwTl+Qw8be7frqGsb0Dw==,type:str]
+    mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:ykQYOSu3+KG8mfJBF7fEJwk2i8i972ERJs/oLLdY2mnQcPCV+9+0YtWwz7HDiLLrUlUV7yDdyjgqVKzdONOnsA==,iv:1Eetui7FvsrXIUSo1vccjA1k+/Bp9OAwI3ZoVYuQVDY=,tag:R27LHK9hpzVolt5+DKLHgg==,type:str]
+password:
+    root: ENC[AES256_GCM,data:06rdfv4dBZC+2OUcyNsOpp+7nQLqFVhy3NWekckbG2wem0lbtPn8eAYMRREhQjhX/JC+0aRMqUaK9VK2YDuqp4SHONAw+ahEEDqoOacKngA34cxq++zfnWPXOCSAMN9nIgLe+77AHYq7qw==,iv:W19HnljIvvkwap0xOF1X7lit7Evm2cQgqLK/pAjo5dI=,tag:A6wzK2pUbvFLWgHJ1X9mSQ==,type:str]
+    darkkirb: ENC[AES256_GCM,data:cmNsv680uqjPZJ40jU6z3JSUc6a76TbMVpF+EhBzz4wWr5rngDBTDoxjLnOYzuSOlonyJO9IXNygjCq0a7bNu4SYho8nCLeFV0Dvq6xDMCh2ZQ+CjHgP/R7dsaRqmjcujthmB0u0beJGqg==,iv:6Sz3b3S/76B3DGYdLfYQuOACx7SSJNy/pkRAbDmkBOM=,tag:bc6+sqj0+Ky5lhhgkMIXJQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1s7xxqxk6t6rw3zvfylgpwp5362v5guqsf8vjcvjjdj7wcnnxncvqc62frn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjNDNpc1hrQ2xkZllYZE9Z
+            ZXdnS096WUpYaDlJc0ltTFJQaTZBQTEvZDBNCmVXNkxvTjVIMHZJeldtV1gxWmtB
+            cU83SnFzUmR1bU1ZN3hqTDh3eDUxS2cKLS0tIFJ5c1BxTmp4cnh2aDQvbFA5bzFF
+            QThFZnBQRjh1ZVNoNmU3WkdVbVJVKzAKmEeggdchZmc9kajfpRZfRAR2Tzov4jQK
+            NprycjlrOuozMCTv75+gbNHTRp4pxQq1JE5NejvyDWkzhL+s8Ikfng==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-14T08:55:10Z"
+    mac: ENC[AES256_GCM,data:W/B21vSPg9kJX13VHn8wCqK/NxdSaMJ0y+noXypFyI1yNlA5BTMIAwgR6ZRkCMdD9U+bz34Ujp8LENw9+AaRJ2pHA2/m4Jg+rdsA0T6K7E3k6qkMKyjH5Ovctx1Onu4PXKsRfS+Z4hz2qlkmCGyxBk1AHMjo8MxSQd9VtFZKP10=,iv:4S7a/kIpOucN/fp2Wo2aIodV1Yk3CX+vBUHUWzZEM84=,tag:m2vWnkzvZ9UdPSTGR/kbVg==,type:str]
+    pgp:
+        - created_at: "2022-12-13T20:09:13Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DAAAAAAAAAAASAQdAjfjUrHnb/9mXfmsCSDK6QpbqfhU1XAALlrToFSZ1mV0w
+            ZyNpCaIxlrGdNddMn/jfrlJl/J1WIFkk9MQ81VXz0NIey3WRcj7O/AY8JYFKhoTH
+            0l4BVFtqFvR1bE7ycGrag7eC6CSflm8n7jJtJqoSe/LJUtH9mP7euGhoqCcVWlph
+            byK0DM+4t/6iZhLXmfX4gHZes3qv2wBZ+9e4VsO3TXaOQey298Y/TGRBm7u+wJ0+
+            =aNtG
+            -----END PGP MESSAGE-----
+          fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

zones/int.chir.rs.nix

@@ -15,7 +15,7 @@ in {
   SOA = {
     nameServer = "ns1.chir.rs.";
     adminEmail = "lotte@chir.rs";
-    serial = 17;
+    serial = 18;
   };
   NS = [
     "ns1.chir.rs."
@@ -252,6 +252,7 @@ in {
         }
       ];
     };
+    instance-20221213-1915.AAAA = [(ttl zoneTTL (aaaa "fd0d:a262:1fa6:e621:746d:4523:5c04:1453"))];
 
     grafana.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))];
     minio.CNAME = [(ttl zoneTTL (cname "nixos-8gb-fsn1-1"))];