Add basic config for Phoenix

This commit is contained in:
Ciapa 2024-02-04 01:11:26 +01:00
parent 1ee82e6ce1
commit e0d0251793
11 changed files with 291 additions and 0 deletions


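--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -6,6 +6,7 @@ keys:
 # Hosts
 - &host_kinda_sus_lol age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
 - &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
+- &host_phoenix_lewd_wtf age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
 creation_rules:
 # kinda.sus.lol
 - path_regex: hosts/kinda.sus.lol/secrets/.*
@@ -19,3 +20,9 @@ creation_rules:
 - age:
 - *admin_ecchi
 - *host_nyx_lewd_wtf
+# phoenix.lewd.wtf
+- path_regex: hosts/phoenix.lewd.wtf/secrets/.*
+key_groups:
+- age:
+- *admin_ecchi
+- *host_phoenix_lewd_wtf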


@ -50,6 +50,16 @@
]; ];
}; };
"phoenix.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
sops-nix.nixosModules.sops
./default.nix
./hosts/phoenix.lewd.wtf/configuration.nix
];
};
"aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem { "aztul.elmosco.lewd.wtf" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs self; }; specialArgs = { inherit inputs self; };
@ -131,6 +141,19 @@
}; };
}; };
"phoenix.lewd.wtf" = {
sshOpts = [ "-p" "22" "-o" "StrictHostKeyChecking=no" ];
hostname = "lewdathome.duckdns.org";
fastConnection = true;
profiles.system = {
sshUser = "root";
path =
deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."phoenix.lewd.wtf";
user = "root";
};
};
"aztul.elmosco.lewd.wtf" = { "aztul.elmosco.lewd.wtf" = {
sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ]; sshOpts = [ "-p" "22111" "-o" "StrictHostKeyChecking=no" ];
hostname = "aztul.elmosco.lewd.wtf"; hostname = "aztul.elmosco.lewd.wtf";
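Review bot: The new deploy-rs node `"phoenix.lewd.wtf"` disables SSH host-key verification (`"-o" "StrictHostKeyChecking=no"`) while its `hostname` is a dynamic-DNS name, `lewdathome.duckdns.org`, and the deploy runs as `sshUser = "root"`. If that name ever resolves somewhere else, the closure is pushed and activated against whatever host answers, with no error — the existing aztul node carries the same option, but it targets a name under the repo owner's own domain. Pin the host key instead, e.g. `sshOpts = [ "-p" "22" "-o" "UserKnownHostsFile=./known_hosts" ];` with phoenix's public host key committed, or at minimum use `StrictHostKeyChecking=accept-new`. Both hunks in this section sit inside an attribute set that starts and ends outside the hunk, and the page rendering appears to have dropped blank lines, so the hunk line counts don't add up here.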


@ -0,0 +1,31 @@
{ self, config, pkgs, lib, ... }:
let
utils = import ../../util/include.nix { lib = lib; };
imports =
(utils.includeDir ./services) ++
[
./hardware-configuration.nix
./networking.nix
./secrets.nix
];
in {
inherit imports;
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
efiSupport = false;
copyKernels = true;
mirroredBoots = [
{ path = "/boot-1"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0M558343V" ]; }
{ path = "/boot-2"; devices = [ "/dev/disk/by-id/ata-Samsung_SSD_860_QVO_1TB_S4CZNF0N633130M" ]; }
];
};
networking.hostName = "phoenix";
networking.domain = "lewd.wtf";
system.stateVersion = "24.05"; # Did you read the comment?
}
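Review bot: `system.stateVersion = "24.05"; # Did you read the comment?` points at the explanatory comment that the NixOS installer places above this line, but that comment was not carried into this file, so the reference dangles. Replace it with a self-contained note, e.g. `# Release this host was first installed with; governs stateful defaults — do not bump on upgrades.`. The commit date (2024-02-04) precedes the 24.05 release, so confirm that the `nixpkgs` flake input actually tracks a branch that identifies as 24.05; I can't see the input from this hunk. A one-line comment on `utils.includeDir ./services` saying that every file dropped into that directory is imported automatically would also help a reader of the services files.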


@ -0,0 +1,42 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot-1" = {
device = "/dev/disk/by-uuid/6CA4-1FB2";
fsType = "vfat";
};
fileSystems."/boot-2" = {
device = "/dev/disk/by-uuid/6CA5-F5A2";
fsType = "vfat";
};
fileSystems."/mnt/zvault/desktop" = {
device = "zvault/desktop";
fsType = "zfs";
};
fileSystems."/mnt/zbigdata/media" = {
device = "zbigdata/media";
fsType = "zfs";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,22 @@
{ ... }:
{
networking.useDHCP = false;
networking.bridges = {
"br0" = {
interfaces = [
"eno2"
"enp23s0"
];
};
};
networking.interfaces.br0.ipv4.addresses = [
{
address = "192.168.0.42";
prefixLength = 22;
}
];
networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "192.168.0.1" ];
}


@ -0,0 +1,10 @@
{ config, ... }:
{
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Vaultwarden
sops.secrets."services/msmtp/password" = {
mode = "0777";
sopsFile = ./secrets/msmtp.yaml;
};
}
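Review bot: `mode = "0777";` makes the decrypted msmtp password under /run/secrets readable (and writable) by every local user, which undoes the point of encrypting it with sops. Every consumer of that file added in this commit — msmtp's `passwordeval`, the smartd and zed mail notifications, and the systemd mail services — appears to run as root, so `mode = "0400";` should suffice; if a non-root service turns out to need it, grant access with the secret's `owner`/`group` settings rather than widening the mode. The `# Vaultwarden` comment above the secret is stale, since the entry is the msmtp password; change it to `# msmtp (outbound mail) password`.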


@ -0,0 +1,32 @@
services:
msmtp:
password: ENC[AES256_GCM,data:k4pMmcPrv0jQkr2Odd4elg==,iv:/gNqUPgd480v/C8+BOuFUNdjkEXWNjMqzwQ4HxftnC4=,tag:8/HVE/aHCbyHRMlNB2mT8A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYamhaWEhNNVZBUXMvU1dx
cVppQVpNcjFXRzgvTmRXYTk0SFZkbWFWWFNvCndnZnkxd1F0Y3VjVW1FZGhJWGR3
N29zM0ltT2wyUjg0UU9VdU1mY3htMmcKLS0tIDhpclNJT09pUGI2TnpaSEpwZGNk
WWxHUEYxZTkxcktnSXl0YXl6elJ6eTQKit0pzEYgg3hc08swMg1mh17DLbVAXBu9
TaDZYCsH+nYzIVYG8Sp2IZVxENUbr6P5spDJs1dVSvWsRPLj0SXC/Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU0U4Ujk5dUhOL3ZFRFA0
Ny9UMG9ISmNRbDdCQThKNWtlTjVCLy9aNms4CmtxeXNhU2FmQkJzaDdBY1J4UWsv
MFF1dEdURFJXaDdiRkVaeFNVUXFJSm8KLS0tIFl6bnd3aGk4ZDlIMEdaaGRJUHA3
bFh4ZHF0S1Y4N2srS3dTUUxPRDRyZVkKlJJHMJ7nBcZqZXC893YIh3CDeWwew24n
lm2h3RzTQ993wnD6434FJF6MEKbOAfeunKf2K1GrKjfDO58n7I0edg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-04T00:02:21Z"
mac: ENC[AES256_GCM,data:ULRJMKr3fvp9wDKuj1P62POxY43ZgtA60uhd2MLhTbPtYKM2r1bJbiLpwYi8pXKIC7I6Fl/og/fL2fyEx5ZRA7jME8PRQvmWlTytZnsOa8RCDYot5JxhwGwJ3keIZFAAnUxX3Vc0+Ch4u3qr1+EbffEh6m1Vt9fJiujI9aWdrt8=,iv:qjnWcu9wvnQ4H1Q6zu8edHYHjniJqz80Bx4XOkZ3+l8=,tag:eQk73teW1pBVszamlDdaFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,21 @@
{
programs.msmtp = {
enable = true;
setSendmail = true;
defaults = {
aliases = builtins.toFile "aliases" ''
default: ciapa@lewd.wtf
'';
};
accounts.default = {
auth = "plain";
host = "mail.your-server.de";
port = "587";
from = "phoenix@lewd.wtf";
user = "phoenix@lewd.wtf";
passwordeval = "cat /run/secrets/services/msmtp/password";
};
};
}
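Review bot: `auth = "plain";` is configured without any explicit `tls` or `tls_starttls` entry in `defaults`, so whether the password goes to `mail.your-server.de:587` inside an encrypted session depends on msmtp's built-in defaults rather than on anything written here. Make it explicit with `tls = true; tls_starttls = true;` in `defaults`, so msmtp aborts instead of falling back to cleartext if the STARTTLS handshake fails; add `tls_trust_file` if the NixOS module does not already point it at the system CA bundle — I can't confirm that from this hunk. `passwordeval` reads `/run/secrets/services/msmtp/password`, which ties this file to the sops secret's file mode; a short comment here naming that coupling would save the next reader a search.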


@ -0,0 +1,16 @@
{ config, lib, ... }:
{
fileSystems."/export/desktop" = {
device = "/mnt/zvault/desktop";
options = [ "bind" ];
};
services.nfs.server.enable = true;
services.nfs.server.exports = ''
/export 192.168.0.20(rw,fsid=0,no_subtree_check)
/export/desktop 192.168.0.20(rw,nohide,insecure,no_subtree_check)
'';
networking.firewall.allowedTCPPorts = [ 2049 ];
}
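Review bot: The `/export/desktop` export uses `insecure`, which lets any unprivileged process on 192.168.0.20 mount the share from a non-reserved port, and both exports rely on the default AUTH_SYS flavour in which the client asserts its own uid/gid. If the client is a Linux host, drop `insecure`; if it is required (some non-Linux clients mount from high ports), say so in a comment such as `# insecure: the desktop client mounts from ports > 1024`. Exposure is bounded by the single-address export list and the default `root_squash`, but `networking.firewall.allowedTCPPorts = [ 2049 ];` opens NFS on every interface, so consider `networking.firewall.interfaces.br0.allowedTCPPorts` if a non-LAN interface is ever added.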


@ -0,0 +1,6 @@
{
services.smartd.enable = true;
services.smartd.notifications.mail.enable = true;
services.smartd.notifications.mail.sender = "phoenix@lewd.wtf";
services.smartd.notifications.mail.recipient = "ciapa@lewd.wtf";
}


@ -0,0 +1,81 @@
let
sendEmailEvent = { event }: ''
printf "Subject: phoenix ${event} ''$(${pkgs.coreutils}/bin/date --iso-8601=seconds)\n\nzpool status:\n\n''$(${pkgs.zfs}/bin/zpool status)" | ${pkgs.msmtp}/bin/msmtp -a default ${emailTo}
'';
in
{
# ZFS remote unlocking
boot.initrd.availableKernelModules = [ "igb" ];
boot.kernelParams = [
"ip=192.168.0.42::192.168.0.1:255.255.252.0:phoenix-initrd:eno2:off:192.168.0.1"
];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
hostKeys = [
/boot-1/initrd-ssh-key
/boot-2/initrd-ssh-key
];
authorizedKeys = [ config.users.users.root.openssh.authorizedKeys.keys ];
};
postCommands = ''
cat <<EOF > /root/.profile
if pgrep -x "zfs" > /dev/null
then
zfs load-key zroot
zpool import -f zbigdata
zfs load-key zbigdata
zpool import -f zvault
zfs load-key zvault
killall zfs
else
echo "zfs not running -- maybe the pool is taking some time to load for some unforseen reason."
fi
EOF
'';
};
# ZFS options from https://nixos.wiki/wiki/NixOS_on_ZFS
networking.hostId = "42069420";
boot.supportedFilesystems = [ "zfs" ];
# ZFS notifications
services.zfs.zed.enableMail = true;
services.zfs.zed.settings = {
ZED_EMAIL_ADDR = [ "ciapa@lewd.wtf" ];
ZED_EMAIL_OPTS = "-a 'FROM:phoenix@lewd.wtf' -s '@SUBJECT@' @ADDRESS@";
ZED_NOTIFY_VERBOSE = true;
};
# Timed status mails (Boot, Shutdown, Weekly)
systemd.services."boot-mail-alert" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = sendEmailEvent { event = "just booted"; };
};
systemd.services."shutdown-mail-alert" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = "true";
preStop = sendEmailEvent { event = "is shutting down"; };
};
systemd.services."weekly-mail-alert" = {
serviceConfig.Type = "oneshot";
script = sendEmailEvent { event = "is still alive"; };
};
systemd.timers."weekly-mail-alert" = {
wantedBy = [ "timers.target" ];
partOf = [ "weekly-mail-alert.service" ];
timerConfig.OnCalendar = "weekly";
};
}
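Review bot: As rendered here the module starts with `let` and has no function header, so `pkgs` (used inside `sendEmailEvent`) and `config` (used for `authorizedKeys`) are unbound, and `emailTo` in the mail command is never defined anywhere in this commit — evaluation of this file should fail, which would be consistent with the failing test job. Start the file with `{ config, pkgs, ... }:` and bind the recipient in the `let`, e.g. `emailTo = "ciapa@lewd.wtf";`, matching the address the smartd and zed settings in this commit use. `authorizedKeys = [ config.users.users.root.openssh.authorizedKeys.keys ];` wraps a list in a list; it should read `authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;`. The `hostKeys` entries are Nix path literals (`/boot-1/initrd-ssh-key`, `/boot-2/initrd-ssh-key`); if the option coerces them to strings anywhere, the private key is copied into the world-readable Nix store, so pass them as strings (`"/boot-1/initrd-ssh-key"`) and check after a rebuild that no copy of the key appears under /nix/store.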