qo.is/infrastructure
3
0
Fork 0
Code Issues 12 Pull requests 1 Projects 1 Activity Actions

Commit files for public release
All checks were successful
CI / build (push) Successful in 13m53s
Details

Browse source
This commit is contained in:
Fabian Hauser 2024-10-02 16:52:04 +03:00
commit fef2377502
174 changed files with 7423 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nixos-configurations/calanda/README.md Normal file
View file

@ -0,0 +1 @@
# calanda

21
nixos-configurations/calanda/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, pkgs, ... }:
{
imports = [
./networking.nix
./filesystems.nix
../../defaults/hardware/apu.nix
../../defaults/base
../../defaults/meta
];
# This value determines the NixOS release from which the default
# settings for stateful data, like fi:le locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

20
nixos-configurations/calanda/filesystems.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/16efc5db-0697-4f39-b64b-fc18ac318625";
fsType = "btrfs";
options = [
"defaults"
"subvol=nixos"
"noatime"
];
};
swapDevices = [ { device = "/dev/disk/by-uuid/b5104a7c-4a4a-4048-a9f8-44ddb0082632"; } ];
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
}

118
nixos-configurations/calanda/networking.nix Normal file
View file

@ -0,0 +1,118 @@
{ config, pkgs, ... }:
let
meta = config.qois.meta;
plessur-dmz-net = meta.network.physical.plessur-dmz;
plessur-lan-net = meta.network.physical.plessur-lan;
getCalandaIp4 = net: net.hosts.calanda.v4.ip;
in
{
imports = [ ../../defaults/backplane-net ];
networking.hostName = meta.hosts.calanda.hostName;
networking.domain = "ilanz.fh2.ch";
networking.enableIPv6 = false; # TODO
networking.useDHCP = false;
networking.interfaces.enp4s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [
80
443
];
networking.interfaces.enp3s0 = {
ipv4.addresses = [
{
inherit (plessur-dmz-net.v4) prefixLength;
address = getCalandaIp4 plessur-dmz-net;
}
];
};
# TODO: Metaize ips
services.qois.router = {
enable = true;
wanInterface = "enp4s0";
wirelessInterfaces = [ "wlp5s0" ];
lanInterfaces = [ "enp2s0" ];
internalRouterIP = getCalandaIp4 plessur-lan-net;
dhcp = {
enable = true;
localDomain = "ilanz.fh2.ch"; # TODO: Legacy hostname
dhcpRange = "10.1.1.2,10.1.1.249";
};
recursiveDns = {
enable = true;
networkIdIp = plessur-lan-net.v4.id;
};
wireless = {
enable = true;
wleInterface24Ghz = "wlp5s0";
ssid = "hauser";
};
};
# DMZ
services.unbound.settings.server = {
interface = [ plessur-dmz-net.hosts.calanda.v4.ip ];
access-control = [
''"${plessur-dmz-net.v4.id}/${toString plessur-dmz-net.v4.prefixLength}" allow''
];
};
networking.firewall.interfaces.enp3s0.allowedUDPPorts = [ 53 ];
networking.nat.internalInterfaces = [ "enp3s0" ];
# DMZ Portforwarding
networking.nat.forwardPorts =
let
fulbergPort = (
proto: port: {
destination = "10.1.2.2:${toString port}";
proto = proto;
sourcePort = port;
loopbackIPs = [ "85.195.200.253" ];
}
);
cyprianspitzPort = (
proto: port: {
destination = "10.1.1.11:${toString port}";
proto = proto;
sourcePort = port;
loopbackIPs = [ "85.195.200.253" ];
}
);
in
[
{
destination = "10.1.2.2:22";
proto = "tcp";
sourcePort = 8022;
}
{
destination = "10.1.2.2:2222";
proto = "tcp";
sourcePort = 8222;
}
{
destination = "10.1.1.11:2222";
proto = "tcp";
sourcePort = 8223;
}
]
++ map (fulbergPort "udp") [
51820
51821
]
++ map (cyprianspitzPort "tcp") [
80
443
]
++ map (cyprianspitzPort "udp") [
51824
1666
41641
3478
3479
];
}

32
nixos-configurations/cyprianspitz/README.md Normal file
View file

@ -0,0 +1,32 @@
# Host: Cyprianspitz
## Operations {#_operations}
Reboot requires passphrase.
``` bash
# Get HDD Password:
sops decrypt --extract '["system"]["hdd"]' private/nixos-configurations/cyprianspitz/secrets.sops.yaml
ssh -p 8223 -J root@calanda.plessur-ext.net.qo.is
```
## Hardware
TODO
- [Mainboard Manual](docs/z790m-itx-wifi.pdf)
### Top Overview
![](docs/top-view.jpg)
### PCIE Side
![](docs/pcie-side.jpg)
### HDD Bay
Note that slot 5 (the leftmost) SATA bay is not connected due to the mainboard only having 4 SATA plugs.

12
nixos-configurations/cyprianspitz/applications/backup.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, config, ... }:
{
qois.backup-server = {
enable = true;
backupStorageRoot =
let
dataDrive = config.disko.devices.lvm_vg.vg_data.lvs.lv_data.content.mountpoint;
in
dataDrive + "/backup";
};
}

10
nixos-configurations/cyprianspitz/applications/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
imports = [
./backup.nix
./vpn.nix
];
qois.loadbalancer.enable = true;
}

4
nixos-configurations/cyprianspitz/applications/vpn.nix Normal file
View file

@ -0,0 +1,4 @@
{ config, pkgs, ... }:
{
qois.vpn-server.enable = true;
}

28
nixos-configurations/cyprianspitz/default.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, pkgs, ... }:
{
imports = [
./applications
./disko-config.nix
./filesystems.nix
./networking.nix
./secrets.nix
./virtualisation.nix
../../defaults/hardware/asrock-z790m.nix
../../defaults/base
../../defaults/meta
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}

132
nixos-configurations/cyprianspitz/disko-config.nix Normal file
View file

@ -0,0 +1,132 @@
{ pkgs, ... }:
{
disko.devices = {
disk = rec {
data-1 = {
type = "disk";
device = "/dev/disk/by-id/ata-ST16000NM000J-2TW103_ZRS110XA";
content = {
type = "gpt";
partitions = {
raid_data = {
size = "100%";
content = {
type = "mdraid";
name = "raid_data";
};
};
};
};
};
#data-2 = { # TODO
# type = "disk";
# device = "/dev/disk/by-id/ata-TODO";
# content = data-1.content;
#};
system-1 = {
type = "disk";
device = "/dev/disk/by-id/nvme-Lexar_SSD_NM790_1TB_NL8052R000144P2202";
content = {
type = "gpt";
partitions = {
boot = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot-primary";
};
};
raid_system = {
start = "5G";
size = "100%";
content = {
type = "mdraid";
name = "raid_system";
};
};
};
};
};
system-2 = {
type = "disk";
device = "/dev/disk/by-id/nvme-Lexar_SSD_NM790_1TB_NL8052R002402P2202";
content = pkgs.lib.recursiveUpdate system-1.content {
partitions.boot.content.mountpoint = "/boot-secondary";
};
};
};
mdadm = {
"raid_system" = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted_system";
passwordFile = "/run/secrets/system/hdd.key";
settings = {
allowDiscards = true;
bypassWorkqueues = true;
};
content = {
type = "lvm_pv";
vg = "vg_system";
};
};
};
"raid_data" = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted_data";
passwordFile = "/run/secrets/system/hdd.key";
settings.allowDiscards = true;
content = {
type = "lvm_pv";
vg = "vg_data";
};
};
};
};
lvm_vg = {
vg_data = {
type = "lvm_vg";
lvs = {
lv_data = {
size = "14TB";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/mnt/data";
mountOptions = [
"defaults"
"noatime"
];
};
};
};
};
vg_system = {
type = "lvm_vg";
lvs = {
hv_cyprianspitz = {
size = "100GiB";
content = {
type = "btrfs";
mountOptions = [
"defaults"
"noatime"
];
subvolumes = {
"/root".mountpoint = "/";
};
};
};
};
};
};
};
}

BIN
nixos-configurations/cyprianspitz/docs/pcie-side.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 118 KiB

BIN
nixos-configurations/cyprianspitz/docs/top-view.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 203 KiB

BIN
nixos-configurations/cyprianspitz/docs/z790m-itx-wifi.pdf Normal file
View file

Binary file not shown.

36
nixos-configurations/cyprianspitz/filesystems.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, pkgs, ... }:
{
# Configurations are set in disko-config.nix!
# mdadm.conf generated by `mdadm --detail --scan`
# TODO
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
MAILADDR root
'';
# TODO: RAID Monitoring
# TODO: Set spin-down time of physical disks
services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
# Use the systemd-boot EFI boot loader.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot-primary";
efiBootloaderId = "NixOS primary";
}
{
devices = [ "nodev" ];
path = "/boot-secondary";
efiBootloaderId = "NixOS secondary";
}
];
};
}

97
nixos-configurations/cyprianspitz/networking.nix Normal file
View file

@ -0,0 +1,97 @@
{ config, pkgs, ... }:
let
meta = config.qois.meta;
in
{
networking.hostName = meta.hosts.cyprianspitz.hostName;
imports = [ ../../defaults/backplane-net ];
networking.useDHCP = false;
networking.interfaces.enp0s31f6.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = true;
# Virtualization
networking.interfaces.vms-nat.useDHCP = false;
networking.interfaces.vms-nat.ipv4.addresses = [
(
let
netConfig = meta.network.virtual.cyprianspitz-vms-nat;
in
{
address = netConfig.hosts.cyprianspitz.v4.ip;
prefixLength = netConfig.v4.prefixLength;
}
)
];
networking.bridges.vms-nat.interfaces = [ ];
networking.nat = {
enable = true;
internalInterfaces = [ "vms-nat" ];
internalIPs = with meta.network.virtual.cyprianspitz-vms-nat.v4; [
"${id}/${builtins.toString prefixLength}"
];
externalInterface = "enp0s31f6";
};
services.dnsmasq =
let
netConfig = meta.network.virtual.cyprianspitz-vms-nat;
in
{
enable = true;
resolveLocalQueries = false;
settings = {
interface = "vms-nat";
bind-interfaces = true;
domain-needed = true;
domain = netConfig.domain;
dhcp-range = [ "10.248.0.2,10.248.0.253" ];
dhcp-option = [
"option:router,${netConfig.hosts.cyprianspitz.v4.ip}"
"option:domain-search,${netConfig.domain}"
];
dhcp-authoritative = true;
};
};
systemd.services.dnsmasq.bindsTo = [ "network-addresses-vms-nat.service" ];
networking.firewall.interfaces.vms-nat = {
allowedUDPPorts = [
53
67
];
allowedTCPPorts = [ 53 ];
};
# Boot
boot.initrd.network.udhcpc.enable = true;
services.qois.luks-ssh = {
enable = true;
interface = "eth0";
sshPort = 2222;
sshHostKey = "/secrets/system/initrd-ssh-key";
# TODO Solve sops dependency porblem: config.sops.secrets."system/initrd-ssh-key".path;
};
# Configure this node to be used as an vpn exit node
qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = config.sops.secrets."tailscale/key".path;
extraUpFlags = [
"--login-server=https://vpn.qo.is"
"--advertise-exit-node"
(
with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
)
"--advertise-tags=tag:srv"
];
};
}

10
nixos-configurations/cyprianspitz/secrets.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
sops.secrets = {
"system/hdd" = { };
"system/initrd-ssh-key" = { };
"tailscale/key" = {
restartUnits = [ "tailscaled.service" ];
};
};
}

8
nixos-configurations/cyprianspitz/virtualisation.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
virtualisation.libvirtd = {
enable = true;
onShutdown = "shutdown";
};
environment.systemPackages = [ pkgs.virtiofsd ];
}

41
nixos-configurations/default.nix Normal file
View file

@ -0,0 +1,41 @@
{
self,
pkgs,
nixpkgs-nixos-stable,
disko,
attic,
sops-nix,
...
}@inputs:
let
configs = self.lib.foldersWithNix ./.;
in
pkgs.lib.genAttrs configs (
config:
nixpkgs-nixos-stable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
self.nixosModules.default
./${config}/default.nix
(
{ ... }:
{
imports = [ "${attic}/nixos/atticd.nix" ];
services.atticd.useFlakeCompatOverlay = false;
}
)
disko.nixosModules.disko
sops-nix.nixosModules.sops
(
{ ... }:
{
system.extraSystemBuilderCmds = "ln -s ${self} $out/nixos-configuration";
imports = [ ./secrets.nix ];
}
)
];
}
)

1
nixos-configurations/fulberg/README.md Normal file
View file

@ -0,0 +1 @@
# fulberg

1
nixos-configurations/fulberg/applications/default.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: { }

35
nixos-configurations/fulberg/backup.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, pkgs, ... }:
{
qois.backup-server = {
enable = true;
backupStorageRoot = "/mnt/nas/backup";
};
services.borgbackup.repos =
let
backupRoot = "/mnt/nas/backup";
hostBackupRoot = "${backupRoot}/hosts";
dataBackupRoot = "${backupRoot}/data";
in
{
"lindberg-nextcloud" = {
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpzfp9VqclbPJ42ZrkRpvjMSTeyq0qce03zCRXqIHMw backup@lindberg-nextcloud"
];
path = "${hostBackupRoot}/lindberg-nextcloud";
};
"lindberg-data" = {
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-data@lindberg"
];
path = "${dataBackupRoot}/lindberg";
};
"lindberg-build-system" = {
authorizedKeys = [
"ssh-ed25519 AAAATODOTODOTODONTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-system@lindberg-build"
];
path = "${dataBackupRoot}/lindberg-build-system";
};
};
}

22
nixos-configurations/fulberg/default.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, pkgs, ... }:
{
imports = [
../../defaults/base
../../defaults/hardware/apu.nix
../../defaults/meta
./applications
./backup.nix
./filesystems.nix
./networking.nix
./secrets.nix
];
# This value determines the NixOS release from which the default
# settings for stateful data, like fi:le locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

31
nixos-configurations/fulberg/filesystems.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, pkgs, ... }:
{
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/360a6bc9-fc4e-4803-bd53-69320ac32ac5";
fsType = "btrfs";
options = [
"defaults"
"subvol=nixos"
"noatime"
];
};
"/mnt/nas" = {
device = "10.1.1.39:/qois";
fsType = "nfs";
options = [
"defaults"
"noatime"
"soft"
];
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/73f91e99-d856-4504-b6b2-d60f855d6d95"; } ];
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
}

48
nixos-configurations/fulberg/networking.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, pkgs, ... }:
let
meta = config.qois.meta;
plessur-dmz-net = meta.network.physical.plessur-dmz;
getCalandaIp4 = net: net.hosts.calanda.v4.ip;
in
{
networking.hostName = meta.hosts.fulberg.hostName;
imports = [ ../../defaults/backplane-net ];
# WWAN is currently not available due to a broken SIM-card.
#services.qois.wwan = {
# enable = true;
# apn = "gprs.swisscom.ch";
# networkInterface = "wwp0s19u1u3i12";
#};
networking.interfaces.enp1s0 = {
useDHCP = false;
ipv4.addresses = [
{
inherit (plessur-dmz-net.v4) prefixLength;
address = plessur-dmz-net.hosts.fulberg.v4.ip;
}
];
};
networking.defaultGateway = plessur-dmz-net.v4.gateway;
networking.nameservers = plessur-dmz-net.v4.nameservers;
# Configure this node to be used as an vpn exit node
qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = config.sops.secrets."tailscale/key".path;
extraUpFlags = [
"--login-server=https://vpn.qo.is"
"--advertise-exit-node"
(
with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
)
"--advertise-tags=tag:srv"
];
};
}

8
nixos-configurations/fulberg/secrets.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
sops.secrets = {
"tailscale/key" = {
restartUnits = [ "tailscale.service" ];
};
};
}

39
nixos-configurations/lindberg-build/applications/README.md Normal file
View file

@ -0,0 +1,39 @@
# Nix Caches
## Nixpkgs Cache
To put less load on the upstream nixpkgs CDN and speed up builds, we run a (public) nixpkgs cache on [nixpkgs-cache.qo.is](https://nixpkgs-cache.qo.is). To use it, configure nix like follows in your `nix.conf`:
```nix
substituters = https://nixpkgs-cache.qo.is?priority=39
```
Note that the [cache.nixos.org](https://cache.nixos.org) public key must also be trusted:
```nix
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
```
See the [nix documentation](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-substituters) for details about substitutors.
## Attic
We use [attic](https://docs.attic.rs/) as a self hosted nix build cache.
See [upstream documentation](https://docs.attic.rs/reference/attic-cli.html) for details on how to use it.
### Server Administration
Add users:
```bash
# For example, to generate a token for Alice with read-write access to any cache starting with `dev-` and read-only access to `prod`, expiring in 2 years:
atticadm make-token --sub "alice" --validity "2y" --pull "dev-*" --push "dev-*" --pull "prod"
```
### Client Usage
`attic login qois https://attic.qo.is <TOKEN_HERE>`
`attic use qois:cachename`

77
nixos-configurations/lindberg-build/applications/attic.nix Normal file
View file

@ -0,0 +1,77 @@
{ config, pkgs, ... }:
let
atticPort = 8080;
atticHostname = "attic.qo.is";
in
{
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
# generate secret with
# nix run system#openssl rand 64 | base64 -w0
# ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
credentialsFile = config.sops.secrets."attic/server_token".path;
settings = {
listen = "127.0.0.1:${builtins.toString atticPort}";
allowed-hosts = [ "attic.qo.is" ];
api-endpoint = "https://attic.qo.is/";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
database.url = "postgresql:///atticd?host=/run/postgresql";
};
};
imports = [ ../../../defaults/webserver ];
qois.postgresql.enable = true;
# Note: Attic cache availability is "best effort", so no artifacts are backed up.
services.postgresql = {
ensureDatabases = [ "atticd" ];
ensureUsers = [
{
name = "atticd";
ensureDBOwnership = true;
}
];
};
services.nginx = {
enable = true;
clientMaxBodySize = "1g";
virtualHosts.${atticHostname} = {
kTLS = true;
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}";
};
};
}

11
nixos-configurations/lindberg-build/applications/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
imports = [
./gitlab-runner.nix
./attic.nix
./nixpkgs-cache.nix
];
qois.git-ci-runner.enable = true;
}

27
nixos-configurations/lindberg-build/applications/gitlab-runner.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
services.gitlab-runner = {
enable = true;
gracefulTimeout = "20min";
clear-docker-cache = {
enable = true;
dates = "monthly";
};
services = {
default = {
runUntagged = true;
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = config.sops.secrets."gitlab-runner/default-registration".path;
dockerImage = "debian:stable";
limit = 42; # The magic value
maximumTimeout = 7200; # 2h oughta be enough for everyone
};
};
};
}

8
nixos-configurations/lindberg-build/applications/nixpkgs-cache.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
qois.nixpkgs-cache = {
enable = true;
hostname = "nixpkgs-cache.qo.is";
dnsResolvers = [ config.qois.meta.network.virtual.lindberg-vms-nat.hosts.lindberg.v4.ip ];
};
}

43
nixos-configurations/lindberg-build/backup.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, pkgs, ... }:
let
vnet = config.qois.meta.network.virtual.backplane.hosts;
systemTargets = [
"fulberg"
"tierberg"
];
systemJobs = builtins.listToAttrs (
map (backupHost: {
name = "system-${backupHost}";
value = {
repo = "borg@${vnet.${backupHost}.v4.ip}:.";
environment.BORG_RSH = "ssh -i /secrets/backup/system/ssh-key";
paths = [
"/etc"
"/home"
"/var"
"/secrets"
];
exclude = [
"/var/tmp"
"/var/cache"
"/var/lib/atticd"
"/var/cache/nginx/nixpkgs-cache"
];
doInit = false;
encryption = {
mode = "repokey";
passCommand = "cat /secrets/backup/system/password";
};
startAt = "07:06";
persistentTimer = true;
};
}) systemTargets
);
in
{
services.borgbackup.jobs = systemJobs;
}

26
nixos-configurations/lindberg-build/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, pkgs, ... }:
{
imports = [
../../defaults/base-vm
../../defaults/meta
../../defaults/backplane-net
./applications
./backup.nix
./disko-config.nix
./networking.nix
./secrets.nix
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

64
nixos-configurations/lindberg-build/disko-config.nix Normal file
View file

@ -0,0 +1,64 @@
{ ... }:
{
disko.devices.disk = {
system = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
boot = {
# for grub MBR
size = "1M";
type = "EF02";
};
system = {
size = "100%";
content = {
type = "btrfs";
subvolumes = {
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/root" = {
mountpoint = "/";
mountOptions = [ "noatime" ];
};
};
};
};
};
};
};
nixpkgs_cache = {
type = "disk";
device = "/dev/vdb";
content = {
type = "gpt";
partitions.nixpkgs_cache = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/var/cache/nginx/nixpkgs-cache";
};
};
};
};
swap = {
type = "disk";
device = "/dev/vdc";
content = {
type = "gpt";
partitions.swap = {
size = "100%";
content.type = "swap";
};
};
};
};
}

13
nixos-configurations/lindberg-build/networking.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, ... }:
{
networking.hostName = config.qois.meta.hosts.lindberg-build.hostName;
networking.useDHCP = false;
networking.interfaces.enp11s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [
80
443
];
}

11
nixos-configurations/lindberg-build/secrets.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
sops.secrets = {
"attic/server_token" = {
restartUnits = [ "atticd.service" ];
};
"gitlab-runner/default-registration" = {
restartUnits = [ "gitlab-runner.service" ];
};
};
}

21
nixos-configurations/lindberg-nextcloud/applications/cloud.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, pkgs, ... }:
let
host = "cloud.qo.is";
in
{
imports = [ ../../../defaults/nextcloud ];
qois.postgresql.enable = true;
services.nextcloud = {
hostName = host;
package = pkgs.nextcloud29;
settings.default_phone_region = "CH";
};
services.nginx.virtualHosts."${host}" = {
forceSSL = true;
enableACME = true;
kTLS = true;
};
}

5
nixos-configurations/lindberg-nextcloud/applications/default.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
imports = [ ./cloud.nix ];
}

8
nixos-configurations/lindberg-nextcloud/backup.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
qois.backup-client.excludePaths = [
"/var/lib/nextcloud/data" # Data is backed up on lindberg
];
}

50
nixos-configurations/lindberg-nextcloud/default.nix Normal file
View file

@ -0,0 +1,50 @@
{ config, pkgs, ... }:
{
imports = [
../../defaults/backplane-net
../../defaults/base-vm
../../defaults/meta
../../defaults/webserver
./applications
./backup.nix
./secrets.nix
];
boot.loader.grub.device = "/dev/vda";
fileSystems."/" = {
device = "/dev/disk/by-uuid/5b6823ec-921f-400a-a7c0-3fe34d56ae12";
fsType = "btrfs";
options = [ "subvol=root" ];
};
systemd.mounts = [
{
what = "data/nextcloud";
where = "/var/lib/nextcloud";
type = "virtiofs";
wantedBy = [ "multi-user.target" ];
enable = true;
}
];
networking.hostName = config.qois.meta.hosts.lindberg-nextcloud.hostName;
networking.useDHCP = false;
networking.interfaces.enp2s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [
80
443
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}

17
nixos-configurations/lindberg-nextcloud/secrets.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
let
backupConfiguration = {
restartUnits = [
"borgbackup-job-system-fulberg.service"
"borgbackup-job-system-tierberg.service"
];
};
in
{
sops.secrets = {
"backup/system/password" = backupConfiguration;
"backup/system/ssh-key" = backupConfiguration;
"nextcloud/admin" = { };
};
}

3
nixos-configurations/lindberg-webapps/applications/README.md Normal file
View file

@ -0,0 +1,3 @@
# Web Apps
## fabianhauser.ch

9
nixos-configurations/lindberg-webapps/applications/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, pkgs, ... }:
{
imports = [ ];
qois.vault.enable = true;
qois.git.enable = true;
qois.static-page.enable = true;
}

25
nixos-configurations/lindberg-webapps/default.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, pkgs, ... }:
{
imports = [
../../defaults/base-vm
../../defaults/meta
../../defaults/backplane-net
./applications
./disko-config.nix
./networking.nix
./secrets.nix
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

38
nixos-configurations/lindberg-webapps/disko-config.nix Normal file
View file

@ -0,0 +1,38 @@
{ ... }:
{
disko.devices.disk = {
system = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
boot = {
# for grub MBR
size = "1M";
type = "EF02";
};
system = {
size = "100%";
content = {
type = "btrfs";
subvolumes = {
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/root" = {
mountpoint = "/";
mountOptions = [ "noatime" ];
};
};
};
};
};
};
};
};
}

13
nixos-configurations/lindberg-webapps/networking.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, pkgs, ... }:
{
networking.hostName = config.qois.meta.hosts.lindberg-webapps.hostName;
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = true;
networking.firewall.allowedTCPPorts = [
80
443
];
}

4
nixos-configurations/lindberg-webapps/secrets.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }:
{
sops.secrets = { };
}

61
nixos-configurations/lindberg/README.md Normal file
View file

@ -0,0 +1,61 @@
# Host: Lindberg
## Operations {#_operations}
Reboot requires passphrase (see pass `host/lindberg/hdd_luks`)
``` bash
ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is
```
## Hardware
- [Mainboard Manual](docs/X570Pro4-mainboard-manual.pdf)
### Front / Back
#### Front Overview
![](docs/front_full.jpg)
#### Front PCIE
![](docs/front_pcie_overview.jpg)
![](docs/front_pcie_ssd.jpg)
#### Front Cables
![](docs/front_cables.jpg)
#### Back
![](docs/back_overview.jpg)
### HDDs
![](docs/back_hdds.jpg)
#### HDD (0)
![](docs/hdd_0.jpg)
#### HDD (1)
![](docs/hdd_1.jpg)
#### HDD (3)
![](docs/hdd_3.jpg)
#### zvtaa02h
![](docs/hdd_zvtaa02h.jpg)
#### zvtaeypl
![](docs/hdd_zvtaeypl.jpg)
### SSD left
![](docs/ssd_1_left.jpg)

5
nixos-configurations/lindberg/applications/default.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
imports = [ ./loadbalancer.nix ];
}

10
nixos-configurations/lindberg/applications/loadbalancer.nix Normal file
View file

@ -0,0 +1,10 @@
{
config,
pkgs,
lib,
...
}:
{
qois.loadbalancer.enable = true;
}

24
nixos-configurations/lindberg/backup.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, pkgs, ... }:
{
qois.backup-client.includePaths = [ "/mnt/data" ];
services.borgbackup.jobs = {
data-local = {
repo = "/mnt/backup/disks/data";
doInit = true;
paths = [ "/mnt/data/" ];
prune.keep = {
within = "14d";
weekly = 4;
monthly = 6;
yearly = -1;
};
encryption = {
mode = "authenticated";
passphrase = "";
};
startAt = "07:15";
};
};
}

29
nixos-configurations/lindberg/default.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, pkgs, ... }:
{
imports = [
./applications
./backup.nix
./disko-config.nix
./filesystems.nix
./networking.nix
./secrets.nix
./virtualisation.nix
../../defaults/hardware/asrock.nix
../../defaults/base
../../defaults/meta
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
}

192
nixos-configurations/lindberg/disko-config.nix Normal file
View file

@ -0,0 +1,192 @@
{ pkgs, ... }:
{
disko.devices = {
disk = rec {
data-1 = {
type = "disk";
device = "/dev/disk/by-id/ata-ST18000NM003D-3DL103_ZVTAA02H";
content = {
type = "gpt";
partitions = {
raid_data = {
size = "100%";
content = {
type = "mdraid";
name = "raid_data";
};
};
};
};
};
data-2 = {
type = "disk";
device = "/dev/disk/by-id/ata-ST18000NM003D-3DL103_ZVTAEYPL";
content = data-1.content;
};
backup = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68N32N0_WD-WCC7K5ZUA0VR";
content = {
type = "gpt";
partitions = {
backup = {
size = "100%";
content = {
type = "luks";
name = "crypted_backup";
settings.allowDiscards = true;
askPassword = true;
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/mnt/backup";
mountOptions = [
"defaults"
"noatime"
];
};
};
};
};
};
};
system-1 = {
type = "disk";
device = "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NE0NC01017";
content = {
type = "gpt";
partitions = {
boot = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot-primary";
};
};
raid_system = {
start = "5G";
size = "100%";
content = {
type = "mdraid";
name = "raid_system";
};
};
};
};
};
system-2 = {
type = "disk";
device = "/dev/disk/by-id/nvme-Lexar_SSD_NM790_2TB_NLK644R000627P2202";
content = pkgs.lib.recursiveUpdate system-1.content {
partitions.boot.content.mountpoint = "/boot-secondary";
};
};
cache = {
type = "disk";
device = "/dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S12PNEAD274438F";
content = {
type = "gpt";
partitions = {
crypted_cache = {
size = "100%";
content = {
type = "luks";
name = "crypted_cache";
settings.allowDiscards = true;
askPassword = true;
content = {
type = "lvm_pv";
vg = "vg_cache";
};
};
};
};
};
};
};
mdadm = {
"raid_system" = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted_system";
settings = {
allowDiscards = true;
bypassWorkqueues = true;
};
askPassword = true;
content = {
type = "lvm_pv";
vg = "vg_system";
};
};
};
"raid_data" = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "crypted_data";
settings.allowDiscards = true;
askPassword = true;
content = {
type = "lvm_pv";
vg = "vg_data";
};
};
};
};
lvm_vg = {
vg_data = {
type = "lvm_vg";
lvs = {
lv_data = {
size = "12TB";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/mnt/data";
mountOptions = [
"defaults"
"noatime"
];
};
};
};
};
vg_system = {
type = "lvm_vg";
lvs = {
hv_lindberg = {
size = "100GiB";
content = {
type = "btrfs";
mountOptions = [
"defaults"
"noatime"
];
subvolumes = {
"/root".mountpoint = "/";
};
};
};
};
};
vg_cache = {
type = "lvm_vg";
lvs = {
lv_swap_lindberg = {
size = "10GiB";
content = {
type = "swap";
};
};
};
};
};
};
}

BIN
nixos-configurations/lindberg/docs/X570Pro4-mainboard-manual.pdf Normal file
View file

Binary file not shown.

BIN
nixos-configurations/lindberg/docs/back_hdds.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 1.5 MiB

BIN
nixos-configurations/lindberg/docs/back_overview.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 292 KiB

BIN
nixos-configurations/lindberg/docs/front_cables.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 403 KiB

BIN
nixos-configurations/lindberg/docs/front_full.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.1 MiB

BIN
nixos-configurations/lindberg/docs/front_pcie_overview.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 401 KiB

BIN
nixos-configurations/lindberg/docs/front_pcie_ssd.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 828 KiB

BIN
nixos-configurations/lindberg/docs/hdd_0.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 306 KiB

BIN
nixos-configurations/lindberg/docs/hdd_1.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 255 KiB

BIN
nixos-configurations/lindberg/docs/hdd_3.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 299 KiB

BIN
nixos-configurations/lindberg/docs/hdd_zvtaa02h.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 343 KiB

BIN
nixos-configurations/lindberg/docs/hdd_zvtaeypl.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 359 KiB

BIN
nixos-configurations/lindberg/docs/ssd_1_left.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 312 KiB

38
nixos-configurations/lindberg/filesystems.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, pkgs, ... }:
{
# Configurations are set in disko-config.nix!
# mdadm.conf generated by `mdadm --detail --scan`
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
MAILADDR root
ARRAY /dev/md/raid_system metadata=1.2 name=any:raid_system UUID=1becc692:aeb83b67:1c65da45:b8bd4b93
ARRAY /dev/md/raid_data metadata=1.2 name=any:raid_data UUID=576eabb1:0722bc27:84d9314f:d0145000
INACTIVE-ARRAY /dev/md125 metadata=1.2 name=nixos:md_data UUID=b9c36b6d:a2e0fa86:f6dbfe57:857cd0d2
'';
# TODO: RAID Monitoring
# TODO: Set spin-down time of physical disks
services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
# Use the systemd-boot EFI boot loader.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
efiSupport = true;
mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot-primary";
efiBootloaderId = "NixOS primary";
}
#{
# devices = [ "nodev" ];
# path = "/boot-secondary";
# efiBootloaderId = "NixOS secondary";
#}
];
};
}

93
nixos-configurations/lindberg/networking.nix Normal file
View file

@ -0,0 +1,93 @@
{ config, pkgs, ... }:
let
meta = config.qois.meta;
in
{
networking.hostName = meta.hosts.lindberg.hostName;
imports = [ ../../defaults/backplane-net ];
networking.useDHCP = false;
networking.interfaces.enp5s0.useDHCP = true;
# Virtualization
networking.interfaces.vms-nat.useDHCP = false;
networking.interfaces.vms-nat.ipv4.addresses = [
(
let
netConfig = meta.network.virtual.lindberg-vms-nat;
in
{
address = netConfig.hosts.lindberg.v4.ip;
prefixLength = netConfig.v4.prefixLength;
}
)
];
networking.bridges.vms-nat.interfaces = [ ];
networking.nat = {
enable = true;
internalInterfaces = [ "vms-nat" ];
internalIPs = with meta.network.virtual.lindberg-vms-nat.v4; [
"${id}/${builtins.toString prefixLength}"
];
externalInterface = "enp5s0";
};
services.dnsmasq =
let
netConfig = meta.network.virtual.lindberg-vms-nat;
in
{
enable = true;
resolveLocalQueries = false;
settings = {
interface = "vms-nat";
bind-interfaces = true;
domain-needed = true;
domain = netConfig.domain;
dhcp-range = [ "10.247.0.2,10.247.0.253" ];
dhcp-option = [
"option:router,${netConfig.hosts.lindberg.v4.ip}"
"option:domain-search,${netConfig.domain}"
];
dhcp-authoritative = true;
};
};
systemd.services.dnsmasq.bindsTo = [ "network-addresses-vms-nat.service" ];
networking.firewall.interfaces.vms-nat = {
allowedUDPPorts = [
53
67
];
allowedTCPPorts = [ 53 ];
};
# Boot
boot.initrd.network.udhcpc.enable = true;
services.qois.luks-ssh = {
enable = true;
interface = "eth0";
sshPort = 2222;
};
# Use this node as vpn exit node
qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = config.sops.secrets."tailscale/key".path;
extraUpFlags = [
"--login-server=https://vpn.qo.is"
"--advertise-exit-node"
(
with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
)
"--advertise-tags=tag:srv"
];
};
}

19
nixos-configurations/lindberg/secrets.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
let
backupConfiguration = {
restartUnits = [
"borgbackup-job-data-fulberg.service"
"borgbackup-job-data-tierberg.service"
];
};
in
{
sops.secrets = {
"tailscale/key" = {
restartUnits = [ "tailscale.service" ];
};
"backup/data/password" = backupConfiguration;
"backup/data/ssh-key" = backupConfiguration;
};
}

8
nixos-configurations/lindberg/virtualisation.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
virtualisation.libvirtd = {
enable = true;
onShutdown = "shutdown";
};
environment.systemPackages = [ pkgs.virtiofsd ];
}

11
nixos-configurations/secrets.nix Normal file
View file

@ -0,0 +1,11 @@
{ inputs, ... }:
{
sops.secrets =
let
allHostsSecretsFile = "${inputs.private}/nixos-configurations/secrets.sops.yaml";
in
{
"msmtp/password".sopsFile = allHostsSecretsFile;
"wgautomesh/gossip-secret".sopsFile = allHostsSecretsFile;
};
}

70
nixos-configurations/setup.md Normal file
View file

@ -0,0 +1,70 @@
# Setup of new hosts
## Prepare Remote Machine
1. Boot nixos installer image
2. Set a root password: `sudo passwd root`
3. Get host ip to connect to ssh with `ip a`
## Verify configuration
1. Verify the network device name in the configuration (e.g. `enp2s0`)
## Installation
```bash
nix develop
# Set according to what we want
REMOTE_IP=<ip>
REMOTE_HOSTNAME=<hostname>
# Verify SSH works, accept newly generated host keys and create directory for system secrets
ssh root@$REMOTE_IP mkdir -p /run/secrets/system/
# Configure Secrets management
HOSTS_FILE="defaults/meta/hosts.json"
REMOTE_SSHKEY="`ssh-keyscan -q -t ed25519 $REMOTE_IP | cut --delimiter ' ' --fields 2-`"
git show ":$HOSTS_FILE" | jq ".${REMOTE_HOSTNAME}.sshKey=\"${REMOTE_SSHKEY}\"" > $HOSTS_FILE
sops-rekey
# Check that:
# - you updated the age key
# - default interface name is correctly configured
# - you are 100% on the right REMOTE_IP (host will be wiped by disko)
# - if you use LUKS secrets, you created a secret "system.hdd" with the disk password:
# `sops set private/nixos-configurations/$REMOTE_HOSTNAME/secrets.sops.yaml '["system"]["test"]' "\"`pwgen -1 --ambiguous 20 1`\""
# - if you use initrd ssh server (for remote luks unlock), create a "system.initrd-ssh-private" ssh key ();
# ```bash
# export SSH_KEYFILE=/tmp/${REMOTE_HOSTNAME}-initrd-ssh-key
# mkfifo -m 600 $SSH_KEYFILE
# ssh-keygen -q -t ed25519 -C "boot@${REMOTE_HOSTNAME}" -N "" -f $SSH_KEYFILE <<< "y\ny\n" &
# sops set private/nixos-configurations/$REMOTE_HOSTNAME/secrets.sops.yaml '["system"]["initrd-ssh-key"]' "\"`cat $SSH_KEYFILE`\""
# rm $SSH_KEYFILE
# ```
# Install OS. ⚠️ This clears all local hdds with disko!
nixos-anywhere --copy-host-keys --flake ".#$REMOTE_HOSTNAME" root@$REMOTE_IP
# To use a jumphost, use `--ssh-option "ProxyJump=user@jumphost"`
# TODO:
## qois-setup-host $REMOTE_HOSTNAME $REMOTE_IP --[no]-luks [--generate-system-secrets] [--proxy user@jumphost]
## read: Did you update the AGE keys to the setup tools setup keys? [Enter]
## read: Did you check the interfaces names to be correct? [Enter]
## read: Are you 100% sure the command promt is corect? [Enter]
# With LUKS key:
sops exec-file --no-fifo --filename secret.key private/nixos-configurations/$REMOTE_HOSTNAME/secrets.sops.yaml "
nixos-anywhere --copy-host-keys --flake .#$REMOTE_HOSTNAME root@$REMOTE_IP \
--disk-encryption-keys /run/secrets/system/hdd.key <(yq --raw-output '.system.hdd' {}) \
--disk-encryption-keys /run/secrets/system/initrd-ssh-key <(yq --raw-output '.system.\"initrd-ssh-key\"' {})
"
```
## Post-Setup
* Add backplane-vpn pubkey to `network-virtual.nix` configuration with
```bash
wg pubkey < /secrets/wireguard/private/backplane
```

7
nixos-configurations/stompert/README.md Normal file
View file

@ -0,0 +1,7 @@
# Operations {#_operations}
Reboot requires passphrase (see pass `host/stompert/hdd_luks`)
``` bash
ssh -p 2222 root@stompert.eem-ext.net.qo.is
```

63
nixos-configurations/stompert/default.nix Normal file
View file

@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
../../defaults/backplane-net
../../defaults/hardware/apu.nix
../../defaults/base
../../defaults/meta
];
boot.initrd.luks.devices."systems".device = "/dev/disk/by-uuid/5718bd19-cb7a-4728-9ec4-6b2be48215fc";
fileSystems."/" = {
device = "/dev/mapper/vg_systems-hv_stompert";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/bbe12368-1f81-4924-a12c-2edec886f7c8";
fsType = "ext4";
};
swapDevices = [ { device = "/dev/disk/by-uuid/851e1d05-569f-41ca-8ed9-d7ffba489ffe"; } ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
services.qois.luks-ssh = {
enable = true;
interface = "eth1";
sshPort = 2222;
};
networking.hostName = "stompert"; # Define your hostname.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = true;
networking.interfaces.enp3s0.useDHCP = true;
networking.tempAddresses = "disabled";
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "22.11"; # Did you read the comment?
}

9
nixos-configurations/tierberg/README.md Normal file
View file

@ -0,0 +1,9 @@
Access via `tierberg.coredump-ext.net.qo.is` `:51022` (SSH) and `:51023` (SSH-LUKS)
## Operations
Reboot requires passphrase (see pass `host/tierberg/hdd_luks)
```bash
ssh -p 51023 root@tierberg.coredump-ext.net.qo.is
```

35
nixos-configurations/tierberg/backup.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, pkgs, ... }:
{
qois.backup-server = {
enable = true;
backupStorageRoot = "/mnt/nas-backup-qois";
};
services.borgbackup.repos =
let
backupRoot = "/mnt/nas-backup-qois";
hostBackupRoot = "${backupRoot}/hosts";
dataBackupRoot = "${backupRoot}/data";
in
{
"lindberg-nextcloud" = {
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpzfp9VqclbPJ42ZrkRpvjMSTeyq0qce03zCRXqIHMw backup@lindberg-nextcloud"
];
path = "${hostBackupRoot}/lindberg-nextcloud";
};
"lindberg-data" = {
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-data@lindberg"
];
path = "${dataBackupRoot}/lindberg-data";
};
"lindberg-build-system" = {
authorizedKeys = [
"ssh-ed25519 AAAATODOTODOTODOTODOAAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-system@lindberg-build"
];
path = "${dataBackupRoot}/lindberg-build-system";
};
};
}

24
nixos-configurations/tierberg/default.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, pkgs, ... }:
{
imports = [
./networking.nix
./filesystems.nix
./backup.nix
../../defaults/hardware/apu1.nix
# wle600: Not used currently
../../defaults/base
../../defaults/meta
];
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "23.05"; # Did you read the comment?
}

52
nixos-configurations/tierberg/filesystems.nix Normal file
View file

@ -0,0 +1,52 @@
{ config, pkgs, ... }:
{
boot.initrd.luks.devices = {
"system".device = "/dev/disk/by-uuid/ac7f7ef2-280d-4b9f-8150-a6f11ecec1df";
"swap".device = "/dev/disk/by-uuid/6ce21585-6813-46d0-9a98-ebcfa507bdb0";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c775e380-b15f-499b-94f2-8caa27e6e0ff";
fsType = "btrfs";
options = [
"defaults"
"subvol=nixos"
"noatime"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/0b22a6bc-0721-49d6-9e66-1f8d9258f47b";
fsType = "ext4";
};
"/mnt/nas-backup-qois" = {
device = "192.168.254.1:/raid0/data/_NAS_NFS_Exports_/backup-qois";
fsType = "nfs";
options = [
"defaults"
"noatime"
"soft"
"vers=3"
];
};
"/mnt/nas-backup-coredump" = {
device = "192.168.254.1:/raid0/data/_NAS_NFS_Exports_/backup-qois";
fsType = "nfs";
options = [
"defaults"
"noatime"
"soft"
"vers=3"
];
};
};
swapDevices = [ { device = "/dev/disk/by-uuid/e91f9aba-1e59-4d41-a772-f11d4314dc19"; } ];
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
}

29
nixos-configurations/tierberg/networking.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, pkgs, ... }:
let
meta = config.qois.meta;
lattenbach-nas-net = meta.network.physical.lattenbach-nas;
in
{
networking.hostName = meta.hosts.tierberg.hostName;
imports = [ ../../defaults/backplane-net ];
networking.enableIPv6 = false; # TODO
networking.useDHCP = false;
networking.interfaces.enp1s0.useDHCP = true;
networking.interfaces.enp2s0.ipv4.addresses = [
{
inherit (lattenbach-nas-net.v4) prefixLength;
address = lattenbach-nas-net.hosts.tierberg.v4.ip;
}
];
networking.interfaces.enp3s0.useDHCP = true;
services.qois.luks-ssh = {
enable = true;
interface = "eth0";
sshPort = 2222;
};
}