Upgrade inputs to 24.11

SUMMARY.md

@@ -27,6 +27,7 @@
 
 - [calanda](nixos-configurations/calanda/README.md)
 - [cyprianspitz](nixos-configurations/cyprianspitz/README.md)
+- [fulberg](nixos-configurations/fulberg/README.md)
 - [lindberg](nixos-configurations/lindberg/README.md)
 - [stompert](nixos-configurations/stompert/README.md)
 - [tierberg](nixos-configurations/tierberg/README.md)

defaults/base-minimal/default.nix

@@ -72,7 +72,7 @@
       dates = "weekly";
       options = "--delete-older-than 90d";
     };
-    package = pkgs.nixVersions.stable;
+    package = pkgs.nixFlakes;
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
@@ -105,10 +105,7 @@
   };
 
   programs.autojump.enable = true;
-  programs.vim = {
+  programs.vim.defaultEditor = true;
-    enable = true;
-    defaultEditor = true;
-  };
 
   sops.defaultSopsFile =
     let

defaults/meta/hosts.json

@@ -1,4 +1,8 @@
 {
+  "fulberg": {
+    "hostName": "fulberg",
+    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCG9qqpUOJ2RsohIqhMuw3YZZSrnPqhf5ayh5y0Cq/I"
+  },
   "calanda": {
     "hostName": "calanda",
     "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdoOZcFFRXIqEWqUnwCk/kqP8DZw6/4omDefCT6aNN4"

defaults/meta/network-physical.nix

@@ -36,6 +36,9 @@
         calanda = {
           v4.ip = "10.1.2.1";
         };
+        fulberg = {
+          v4.ip = "10.1.2.2";
+        };
       };
     };
 

defaults/meta/network-virtual.nix

@@ -27,6 +27,15 @@
         domain = "backplane.net.qo.is";
 
         hosts = {
+          fulberg = {
+            v4.ip = "10.250.0.1";
+            endpoint = {
+              fqdn = physical-network.plessur-ext.hosts.calanda.fqdn;
+              port = 51821;
+            };
+            publicKey = "xcQOu+pp4ckNygcsLmJL1NmUzbbC+k3I7y+hJ9Ul4nk=";
+            persistentKeepalive = 25;
+          };
           lindberg = {
             v4.ip = "10.250.0.2";
             #endpoint = { # TODO: Port forwarding

defaults/meta/network.md

@@ -18,7 +18,7 @@ package "plessur.net.qo.is" {
   ]
 
   node calanda 
-  node cyprianspitz
+  node fulberg
   
   cloud plessurnet [
     <i>LAN Plessur
@@ -26,7 +26,7 @@ package "plessur.net.qo.is" {
   
   mediaconvchur - "enp4" calanda
   calanda "br0 (enp2, wlp1, wlp5)" --- plessurnet
-  plessurnet -- cyprianspitz
+  calanda "enp4" -- "eno1" fulberg
 } 
 
 package "riedbach.net.qo.is" {

flake.lock

@@ -1,9 +1,53 @@
 {
   "nodes": {
+    "attic": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1731270564,
+        "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "rev": "47752427561f1c34debb16728a210d378f0ece36",
+        "type": "github"
+      },
+      "original": {
+        "owner": "zhaofengli",
+        "repo": "attic",
+        "type": "github"
+      }
+    },
+    "crane": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722960479,
+        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "deploy-rs": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "utils": "utils"
       },
       "locked": {
@@ -56,13 +100,71 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "attic",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1729742964,
+        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1702272962,
+        "lastModified": 1726042813,
-        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
+        "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
+        "rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
         "type": "github"
       },
       "original": {
@@ -104,6 +206,38 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1724316499,
+        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1702272962,
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "private": {
       "inputs": {
         "nixpkgs-nixos-unstable": [
@@ -125,6 +259,7 @@
     },
     "root": {
       "inputs": {
+        "attic": "attic",
         "deploy-rs": "deploy-rs",
         "disko": "disko",
         "nixpkgs-nixos-stable": "nixpkgs-nixos-stable",

flake.nix

@@ -5,6 +5,7 @@
     extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
   };
   inputs = {
+    attic.url = "github:zhaofengli/attic";
     deploy-rs.url = "github:serokell/deploy-rs";
     disko = {
       url = "github:nix-community/disko";
@@ -16,6 +17,7 @@
       url = "github:Mic92/sops-nix";
       inputs = {
         nixpkgs.follows = "nixpkgs-nixos-unstable";
+        nixpkgs-stable.follows = "nixpkgs-nixos-stable";
       };
     };
     private.url = "git+file:./private";

nixos-configurations/calanda/networking.nix

@@ -66,6 +66,14 @@ in
   # DMZ Portforwarding
   networking.nat.forwardPorts =
     let
+      fulbergPort = (
+        proto: port: {
+          destination = "10.1.2.2:${toString port}";
+          proto = proto;
+          sourcePort = port;
+          loopbackIPs = [ "85.195.200.253" ];
+        }
+      );
       cyprianspitzPort = (
         proto: port: {
           destination = "10.1.1.11:${toString port}";
@@ -76,12 +84,26 @@ in
       );
     in
     [
+      {
+        destination = "10.1.2.2:22";
+        proto = "tcp";
+        sourcePort = 8022;
+      }
+      {
+        destination = "10.1.2.2:2222";
+        proto = "tcp";
+        sourcePort = 8222;
+      }
       {
         destination = "10.1.1.11:2222";
         proto = "tcp";
         sourcePort = 8223;
       }
     ]
+    ++ map (fulbergPort "udp") [
+      51820
+      51821
+    ]
     ++ map (cyprianspitzPort "tcp") [
       80
       443

nixos-configurations/default.nix

@@ -3,6 +3,7 @@
   pkgs,
   nixpkgs-nixos-stable,
   disko,
+  attic,
   sops-nix,
   ...
 }@inputs:
@@ -19,6 +20,13 @@ pkgs.lib.genAttrs configs (
     modules = [
       self.nixosModules.default
       ./${config}/default.nix
+      (
+        { ... }:
+        {
+          imports = [ "${attic}/nixos/atticd.nix" ];
+          services.atticd.useFlakeCompatOverlay = false;
+        }
+      )
       disko.nixosModules.disko
       sops-nix.nixosModules.sops
       (

nixos-configurations/fulberg/README.md

@@ -0,0 +1 @@
+# fulberg

nixos-configurations/fulberg/applications/default.nix

@@ -0,0 +1 @@
+{ ... }: { }

nixos-configurations/fulberg/backup.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+{
+
+  qois.backup-server = {
+    enable = true;
+    backupStorageRoot = "/mnt/nas/backup";
+  };
+
+  services.borgbackup.repos =
+    let
+      backupRoot = "/mnt/nas/backup";
+      hostBackupRoot = "${backupRoot}/hosts";
+      dataBackupRoot = "${backupRoot}/data";
+    in
+    {
+      "lindberg-nextcloud" = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpzfp9VqclbPJ42ZrkRpvjMSTeyq0qce03zCRXqIHMw backup@lindberg-nextcloud"
+        ];
+        path = "${hostBackupRoot}/lindberg-nextcloud";
+      };
+      "lindberg-data" = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-data@lindberg"
+        ];
+        path = "${dataBackupRoot}/lindberg";
+      };
+      "lindberg-build-system" = {
+        authorizedKeys = [
+          "ssh-ed25519 AAAATODOTODOTODONTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-system@lindberg-build"
+        ];
+        path = "${dataBackupRoot}/lindberg-build-system";
+      };
+    };
+}

nixos-configurations/fulberg/default.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+
+  imports = [
+    ../../defaults/base
+    ../../defaults/hardware/apu.nix
+    ../../defaults/meta
+    ./applications
+    ./backup.nix
+    ./filesystems.nix
+    ./networking.nix
+    ./secrets.nix
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like fi:le locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+}

nixos-configurations/fulberg/filesystems.nix

@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+{
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/360a6bc9-fc4e-4803-bd53-69320ac32ac5";
+      fsType = "btrfs";
+      options = [
+        "defaults"
+        "subvol=nixos"
+        "noatime"
+      ];
+    };
+    "/mnt/nas" = {
+      device = "10.1.1.39:/qois";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "soft"
+      ];
+    };
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/73f91e99-d856-4504-b6b2-d60f855d6d95"; } ];
+
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+}

nixos-configurations/fulberg/networking.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+let
+  meta = config.qois.meta;
+  plessur-dmz-net = meta.network.physical.plessur-dmz;
+  getCalandaIp4 = net: net.hosts.calanda.v4.ip;
+in
+{
+  networking.hostName = meta.hosts.fulberg.hostName;
+
+  imports = [ ../../defaults/backplane-net ];
+
+  # WWAN is currently not available due to a broken SIM-card.
+  #services.qois.wwan = {
+  #  enable = true;
+  #  apn = "gprs.swisscom.ch";
+  #  networkInterface = "wwp0s19u1u3i12";
+  #};
+
+  networking.interfaces.enp1s0 = {
+    useDHCP = false;
+    ipv4.addresses = [
+      {
+        inherit (plessur-dmz-net.v4) prefixLength;
+        address = plessur-dmz-net.hosts.fulberg.v4.ip;
+      }
+    ];
+  };
+
+  networking.defaultGateway = plessur-dmz-net.v4.gateway;
+  networking.nameservers = plessur-dmz-net.v4.nameservers;
+
+  # Configure this node to be used as an vpn exit node
+  qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "server";
+    authKeyFile = config.sops.secrets."tailscale/key".path;
+    extraUpFlags = [
+      "--login-server=https://vpn.qo.is"
+      "--advertise-exit-node"
+      (
+        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
+      )
+      "--advertise-tags=tag:srv"
+    ];
+  };
+}

nixos-configurations/fulberg/secrets.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  sops.secrets = {
+    "tailscale/key" = {
+      restartUnits = [ "tailscale.service" ];
+    };
+  };
+}

nixos-configurations/lindberg-build/applications/attic.nix

@@ -14,7 +14,7 @@ in
     # generate secret with
     # nix run system#openssl rand 64 | base64 -w0
     # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
-    environmentFile = config.sops.secrets."attic/server_token".path;
+    credentialsFile = config.sops.secrets."attic/server_token".path;
 
     settings = {
       listen = "127.0.0.1:${builtins.toString atticPort}";
@@ -44,8 +44,6 @@ in
         max-size = 256 * 1024; # 256 KiB
       };
 
-      garbage-collection.default-retention-period = "6 months";
-
       database.url = "postgresql:///atticd?host=/run/postgresql";
     };
   };
@@ -53,7 +51,6 @@ in
   imports = [ ../../../defaults/webserver ];
 
   qois.postgresql.enable = true;
-
   # Note: Attic cache availability is "best effort", so no artifacts are backed up.
 
   services.postgresql = {

nixos-configurations/lindberg-build/backup.nix

@@ -3,6 +3,7 @@
 let
   vnet = config.qois.meta.network.virtual.backplane.hosts;
   systemTargets = [
+    "fulberg"
     "tierberg"
   ];
   systemJobs = builtins.listToAttrs (

nixos-configurations/lindberg-nextcloud/secrets.nix

@@ -2,7 +2,7 @@
 let
   backupConfiguration = {
     restartUnits = [
-      "borgbackup-job-system-cyprianspitz.service"
+      "borgbackup-job-system-fulberg.service"
       "borgbackup-job-system-tierberg.service"
     ];
   };

nixos-configurations/lindberg/secrets.nix

@@ -2,7 +2,7 @@
 let
   backupConfiguration = {
     restartUnits = [
-      "borgbackup-job-data-cyprianspitz.service"
+      "borgbackup-job-data-fulberg.service"
       "borgbackup-job-data-tierberg.service"
     ];
   };

nixos-configurations/stompert/default.nix

@@ -59,5 +59,5 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "22.11"; # Did you read the comment?
 }

nixos-modules/postgresql/default.nix

@@ -12,10 +12,6 @@ with lib;
 {
   options.qois.postgresql = {
     enable = mkEnableOption ''Enable postgresql services with defaults'';
-    package = mkPackageOption pkgs "postgresql" {
-      example = "postgresql_15";
-      default = null;
-    };
   };
 
   config = mkIf cfg.enable {

updates.md

@@ -28,7 +28,7 @@ deploy-qois .#lindberg-nextcloud .#lindberg-build
 deploy-qois .#lindberg
 
 # Deploy slow physical hosts (maybe do individually)
-deploy-qois --confirm-timeout 600 --activation-timeout 600 --targets .#tierberg .#stompert .#stompert
+deploy-qois --confirm-timeout 600 --activation-timeout 600 --targets .#fulberg .#tierberg .#stompert .#stompert
 
 ```