3 Commits

Author SHA1 Message Date
ahtlon
edddfc5e3f [nextcloud module] add wrapper example
Some checks failed
Check flake syntax / flake-check (push) Failing after 2m45s
2025-01-29 11:20:12 +01:00
ahtlon
e94410ca54 Fix #67
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m21s
2025-01-28 12:19:53 +01:00
ahtlon
f7943d981b [nextcloud] add some attributes 2025-01-25 01:21:05 +01:00
20 changed files with 159 additions and 284 deletions

1
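--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,3 @@ result
 .direnv/
 book/
 fanny-efi-vars.fd
-nix-store-overlay.img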


@@ -8,12 +8,10 @@ keys:
- &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
- &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2 - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
- &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- &machine_durruti age1pd2kkscyh7fuvm49umz8lfhse4fpkmp5pa3gvnh4ranwxs4mz9nqdy7sda - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
- &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
- &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
#this dummy key is used for testing. #this dummy key is used for testing.
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
creation_rules: creation_rules:
@@ -73,6 +71,13 @@ creation_rules:
- *admin_kalipso_dsktp - *admin_kalipso_dsktp
age: age:
- *admin_atlan - *admin_atlan
- path_regex: fanny/disk.key
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: bakunin/disk.key - path_regex: bakunin/disk.key
key_groups: key_groups:
- pgp: - pgp:
@@ -95,10 +100,3 @@ creation_rules:
- *admin_kalipso_dsktp - *admin_kalipso_dsktp
age: age:
- *admin_atlan - *admin_atlan
- path_regex: .*/secrets/.*
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan
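Review bot: The new recipients for `machine_durruti`, `machine_fanny` and `machine_nextcloud` in the `keys:` hunk only take effect for files that are re-encrypted, and the secrets sections visible on this page carry the new fanny and nextcloud recipients only. Every file matched by a rule that references one of these anchors needs `sops updatekeys`, otherwise the host cannot decrypt it with its new key. Values encrypted to the old recipients stay readable from git history with the old keys, so if an old machine key is considered exposed the secret values themselves should be changed too. The `machine_infradocs` and `machine_overwatch` anchors are dropped while both hosts remain in `deployHosts`; a creation rule outside the visible hunks that still uses `*machine_infradocs` or `*machine_overwatch` would no longer resolve.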


@@ -20,13 +20,6 @@ in
inputs.self.nixosModules.malobeo.metrics inputs.self.nixosModules.malobeo.metrics
]; ];
virtualisation.vmVariantWithDisko = {
virtualisation = {
memorySize = 4096;
cores = 3;
};
};
malobeo.metrics = { malobeo.metrics = {
enable = true; enable = true;
enablePromtail = true; enablePromtail = true;
@@ -58,17 +51,11 @@ in
disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381"; disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
}; };
storage = { storage = {
enable = true;
disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"]; disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
mirror = true; mirror = true;
}; };
}; };
systemd.tmpfiles.rules = [
"L /var/lib/microvms/data - - - - /data/microvms"
"d /data/microvms 0755 root root" #not needed for real host?
];
malobeo.initssh = { malobeo.initssh = {
enable = true; enable = true;
authorizedKeys = sshKeys.admins; authorizedKeys = sshKeys.admins;
@@ -82,7 +69,8 @@ in
}; };
services.malobeo.microvm.enableHostBridge = true; services.malobeo.microvm.enableHostBridge = true;
services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ]; services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "durruti" ];
services.malobeo.microvm.client.nextcloud.enable = true;
networking = { networking = {
nat = { nat = {
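Review bot: Dropping `enable = true;` from the `storage` block while `disks` and `mirror` stay leaves it to the option's default whether the mirrored pool is set up at all. If that default is `false`, the two disks are declared but unused, and the `/data/services/nextcloud/` directory that the new `client.nextcloud` wrapper shares into the VM would sit on whatever filesystem happens to hold `/data`. If the removal is intended, a comment on the block saying that the pool is deliberately disabled would help; otherwise keep `enable = true;`. The surrounding attribute set starts and ends outside the hunk.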

31
machines/fanny/disk.key Normal file

@@ -0,0 +1,31 @@
{
"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-01-05T19:35:48Z",
"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
"pgp": [
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-01-05T19:32:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}


@@ -5,63 +5,63 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1 cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw== 2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T12:41:07Z" lastmodified: "2025-01-14T12:41:07Z"
mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
pgp: pgp:
- created_at: "2025-02-11T18:32:49Z" - created_at: "2025-01-14T12:32:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8
ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3 5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO
RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb 8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN
ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA
CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O
yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3 /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24
Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ 9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict
HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k
JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6 UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p
7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N
NJMDln08MWwr J+o9dahBHvIF
=hhKC =GKm4
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-02-11T18:32:49Z" - created_at: "2025-01-14T12:32:13Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7 hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs
Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF
2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR
I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q
/nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM
hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap
eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT
nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2 cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul
Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2
Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB
uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS 5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS
WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1 WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw
/JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8= CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE=
=Sdch =9FN4
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
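Review bot: The PGP `created_at` on the new side (`2025-01-14T12:32:13Z`) is earlier than the one it replaces (`2025-02-11T18:32:49Z`), so as rendered here this looks like a return to an earlier encryption of the file rather than a fresh re-key. If the branch is simply behind its base, merging it would put an older `age` recipient back in place of the current one; rebasing first and then running `sops updatekeys` against the current `.sops.yaml` avoids that. The nextcloud secrets section further down shows the same pattern (`2025-02-06T12:36:59Z` replaced by `2025-01-21T21:04:08Z`).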


@@ -102,7 +102,7 @@ in
mountOptions = [ "umask=0077" ]; mountOptions = [ "umask=0077" ];
}; };
}; };
encryptedSwap = lib.mkIf cfg.encryption { encryptedSwap = {
size = cfg.root.swap; size = cfg.root.swap;
content = { content = {
type = "swap"; type = "swap";
@@ -252,10 +252,6 @@ in
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/data"; mountpoint = "/data";
}; };
"encrypted/data/microvms" = {
type = "zfs_fs";
mountpoint = "/data/microvms";
};
reserved = { reserved = {
# for cow delete if pool is full # for cow delete if pool is full
options = { options = {
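Review bot: With `lib.mkIf cfg.encryption` removed, the `encryptedSwap` partition is declared for every host that imports this module, including hosts with `cfg.encryption = false`. If the unencrypted layout has its own swap partition or relies on this entry being absent, those hosts get a different partition table on the next install; the rest of the partition body and the non-encrypted branch are outside the hunk, so this needs checking there. Unless the guard was wrong, keep `encryptedSwap = lib.mkIf cfg.encryption {`, or add a comment saying why the swap partition is now unconditional.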


@@ -70,13 +70,6 @@ rec {
proto = "virtiofs"; proto = "virtiofs";
socket = "var.socket"; socket = "var.socket";
} }
{
source = "/var/lib/microvms/data/${hostName}";
mountPoint = "/data";
tag = "data";
proto = "virtiofs";
socket = "microdata.socket";
}
]; ];
interfaces = [ interfaces = [


@@ -0,0 +1,28 @@
{config, lib, pkgs, ...}:
let
cfg = config.services.malobeo.microvm.client;
in
{
options.services.malobeo.microvm.client = {
nextcloud = {
enable = lib.mkEnableOption "enable the nextcloud microvm wrapper";
datadir = lib.mkOption {
type = lib.types.string;
default = "/data/services/nextcloud/";
description = "set a custom datadir";
};
};
};
config = lib.mkMerge [
(lib.mkIf cfg.nextcloud.enable { #add check for run-vm?
services.malobeo.microvm.deployHosts = ["nextcloud"];
microvm.vms.nextcloud.config.microvm.shares = lib.mkAfter [{
source = cfg.datadir;
mountPoint = "/datadir";
tag = "nc-datadir";
proto = "virtiofs";
}];
})
];
}
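Review bot: `source = cfg.datadir;` reads an attribute that is not declared: `cfg` is `config.services.malobeo.microvm.client` and the option is defined under `nextcloud`, so evaluation should fail as soon as `nextcloud.enable` is set; it should be `source = cfg.nextcloud.datadir;`. `lib.types.string` is deprecated in nixpkgs, and `type = lib.types.str;` is the replacement. The share also has no `socket` attribute, unlike the virtiofs share in the host builder section of this page (`socket = "var.socket";`). Nothing here creates the host directory or sets its owner and mode, so who can read the Nextcloud data on the host depends on how `/data/services/nextcloud/` came to exist; a `systemd.tmpfiles.rules` entry with an explicit mode and owner would settle that.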


@@ -30,13 +30,6 @@
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y="; publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
}; };
"hetzner" = {
role = "client";
address = [ "10.100.0.6/24" ];
allowedIPs = [ "10.100.0.6/32" ];
publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
};
"fanny" = { "fanny" = {
role = "client"; role = "client";
address = [ "10.100.0.101/24" ]; address = [ "10.100.0.101/24" ];


@@ -37,7 +37,7 @@ with lib;
hostName = "cloud.malobeo.org"; hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
#https = true; #disable for testing #https = true; #disable for testing
datadir = "/data/services/nextcloud/"; datadir = "/datadir";
database.createLocally = true; database.createLocally = true;
config.dbtype = "pgsql"; config.dbtype = "pgsql";
configureRedis = true; configureRedis = true;
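Review bot: `datadir = "/datadir";` is only backed by the virtiofs share when the host enables `services.malobeo.microvm.client.nextcloud`. On any other start-up path (the wrapper itself carries the note `#add check for run-vm?`) Nextcloud would presumably create its data directory on the guest's own root filesystem, and user files would not end up on the host storage. A comment next to the setting, for example `# virtiofs share "nc-datadir", provided by microvm_client.nix on the host`, would record the dependency. The service block continues outside the hunk.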


@@ -8,60 +8,60 @@ sops:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dCt1ZFR0QnRqVFdiL0Zi YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp
VTR6Zy9ZTy9YNDBZaDRTZzJnU2ZKcjJ0MG1vCldpRU5tTzc1YU5KbjlDbXlNRjBU Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh
Sm8yc0oyNWU1WHJoYTRvK3o4aGtTY2MKLS0tIE9wY0R0V3Vkc3Y1T1YwTkFTY0J5 SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1
ZCtzbVdtNlh0cXpra2RWbEwzUDM0UjgKY3zZn5PUWuLBQgYxm9BUpLYWw3CdXYA8 aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW
4U6OVdRF6foj4/GrKKyhVf8dMbLbkhPvxqZ5wg40o6bwHEw9QNM+5Q== WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k - recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDZaYjRTTDc0SFU2U2xQ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6
cUhESStvKzM5Z0QyZlJldURtRUJZTHhvNEFrCmxReGJ6MU9qdkh6UFVPYmRuQThs cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt
VmVCMTQwc0xkR0gzemlSUVlnN0NCZE0KLS0tIDFtK041ZlF4VFBreHVacitSVEN5 aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO
WXg4UkJtU2dTR3ZjeFYzR3lRODhLYzgKrO+NtT0Q3K8FgDwW0WiZJOUHwkEz+wp8 WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC
lgBkXy2QJuuJ11f2e9ZJ3hx1xgOm6SMBmgl3zQVfVpq88yZE8uDe2Q== 9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-26T20:00:50Z" lastmodified: "2024-11-26T20:00:50Z"
mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
pgp: pgp:
- created_at: "2025-02-06T12:36:59Z" - created_at: "2025-01-21T21:04:08Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv8DLbU8OaQmYtAjTPlqeg1nv+/z3gA16MTZjz8rRBqK695 hQGMA5HdvEwzh/H7AQv/ejIylIgs3yeVcZriQTA8d/xyXTdFw6On422lTCDk3d0W
JaEbWoCJ2Nv5Mnzj7owQSk/+f+Q/d00osr4KOhQWTNoq1442MyWgIXKGPDmHgXv8 GOdV44vAzUzNX5tziQtLjectLUrKh9Qb9WaP4VnTCGI0XJ/dEtYRCkYMx8MjjbLl
CxFT3hIKMEFFvFtkSdo+HlBSTQJZtHgDSGabd2xd4e45tLnHsPvWQ4ngGn+piUaw 8GqFi3Hw958Uykp9wt0iiP6BQ42Fo77EPxVcn21eHKZY0zg/vaeRXXeXSzkjzANs
qz5+YIpmFNlnL9ubsB8NivryXlIL6wBXL83FyfAPnY+qG0/7frVWwP1Cejg1CGYl NN/KFS06uFRJhmp+0z6hDRrHnpb0wd5JGjHOp96jK9LmpwfZZZlVpAHp04hOhlPV
bOYxgb1uPYIIqvvU9bZ4r46DfojFFGur9pwG/wKGOgIQ867vsXtRnNm6+SJIHeyt cMmdjg9IRSubvbraTbDrgwB0h3JKdqovFDnAP/KvT+rw5xnVUVMq/3tUNq4MbfZb
eNqil3tee++V4VVUrDTf+gWufx9YFS/afRgMKuf1pUvQGTBMbUJNhIp+PjpOSBCk CvQrXsjQJQbEhY+eAJZVRO07kX0+zMvIin4ss7Xt++qlo4/OvFvuGbnUhJE+hrBb
Kk6uyMWrBhiCpAVU9GKFW1AbDBCgUig2sLIUGOrfb+RkzDLX4pEoa9DVVDC2pRVy nkyGhbDrjpsfa3djCEZ0UxMAWtPeIQ7T8QMkGY+UKeJKxfOGSchARnfCtGD/rtsj
F2fjEEbPAZepsPFNbgDyaixv+FeA5oWWiBnA7qO/v8t142UOtqBcexUZjBYYgRmt wuhqGya7g7WP78WzwASzlPwB5jpdQ29/zLWXR60lNCYu0UYSVYmlspZnKEB0FkLO
c0S+lTk//xEip9wYvY6W0lgBOLqEUEiLg1tw0xvt9H4R9aGNLkCyvUediwuAbfw4 TNUrwXXMrM0XwMVaG/sF0lgBEPE6CTuE85evCHFyu6zhEAa7YimKAPIowcwYLSJ2
bGha9PTckYpnKN589xxsDMqbQ0Vn/rxeSzC7RT+qtjUg1gDbDJQTZdYr0+//e0YV 46KfttJAYnRnb68Kk9N5xcFyvhKyTx/6eMdxkgr2LMoSTBDUgZfG3rDQC+ZbFE3m
xRvlnfPW9voB bUOvx3Ho80EC
=xqAk =oQd6
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-02-06T12:36:59Z" - created_at: "2025-01-21T21:04:08Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAqGyBZLrJ1UpiJKIbQSTQpKA7bRD7olMczjh0Bx1fTN0U hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY
bctdfIGVvdp5pM1C6xbvubNqAMEisQ1tMVozDkXCnLARTwcaq6lyE9vl3gJ1iF1Z r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn
N8SbxVTYV1SXg3qokyBsZIggQ6gJqAr62Pyoansp4HfwwFwYohwR2zTfHJ8pFkkW 59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM
R2FfEI2Gw5nN4GaauIxUGFDPuvvZapCWZ/ejt4s/ezT9cYrwYfu9XIlqsivsi3yp FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat
I03ohKS/pKhxlE7RV2ufRboG+m6TUCnyj5U5AzQa09hkSHd94s9A6M8I6M6zWebv QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL
pdX73sCjWZQdIZoeM5oXcyY/s/h4/w37loOUE/thh1+hIjybAG0CH31nJkjcdcLg qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0
l/fqTLa89JVt37bU9c/hVsx2Bc1cTO7nqhG3kyahkMSLFrsb73yTNn4kOqSKZ7+z MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6
189oR0EjNySgRt+M20vjKzhPbjxxQTKlpTE0vho6fEHYRmzPQ3IQbVUbPEbZR64I 7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc
S+Nk7m95ZV8djaUOwqqU9pwDTvuYIBwhGOY1kefDg1sCCTM8C9RI9sG02HeQpme3 oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX
bgkO+m4khXeiiIrTAODiyM+GCwx6UcwooUSpu8LZJmhiZtfgMsFdGF3P7ngtoOEQ or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3
4cxP231EI/zoMqRyXYrvAovxXndwghG0LGcCAZZL6mNN2xzE6z1gesVWRjXM8inS BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS
WAFB7DgLTlY43D4QbhkyZfo6XltYe1g1tcJJraG/HICa7hq5BZn48t/BcacCvsrJ WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj
lIkEgOT8gn1SlQbDL+T+3pRNOixGKPNU6Ategoy+Eq0Im3AhE0XO8Ns= 8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k=
=Uvc2 =s9pl
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted


@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:xmMPJyp3y9XI2QsWJniRM+Nds4Y5zoqb5QSJqZo=,iv:KRLS4JYN2OVmbbLe8DCD0xW8VVnbmYN/MfZNp7eOS2M=,tag:FV1Qm8Wr5fbpJ+ovAK+uaw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ1EwOGcxazlIcy9mdmkr\nMzJCcWkxQXFEQ25sUU1HUFJqSEE1b2M2QmxVCm1hWWExbWtJdmxjMk1VUE43ZkNR\nNmRpdGNPNURwdjJkaXhxcjNxRFFiSWcKLS0tIHB5Y2NWM0pCbGdtTGRUV1hyVlVs\nZTRsUnZoUnN6cHNPTWF2SzhxUUJ0aVEKzchgMPjpDAX7NUTSxUYxoKLoOh7+X9GV\nxrarnXswpSV/bfR4w4x+DmoocG7TbdH+UvCTsg3LtdjWmfpjK/c8Kw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-22T11:49:56Z",
"mac": "ENC[AES256_GCM,data:WKZIdINWSCn9ZOtsnLQ9dXCOdG49Ltf7/G91zEuj88+nvQC4+WTLCCXBGdhVBamV1PWHYnFvZbiXKJ/VFdN3EDZeW9r6cXuF2PEveOn6Bj1bYi0WrzFRfxxvt56AM9j/0D5E1hE9rp2yAWg5V4E3nIGT+rVsOczMk1+Yx4Q8NCc=,iv:DKD+E5yeFJrARfP5Qw6I1Cn9lvvHUHHok+3l8dyzVcE=,tag:lCBrrqfFxvtldBfbha99vQ==,type:str]",
"pgp": [
{
"created_at": "2025-02-22T11:49:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/Xn1mh8ojou0/ntHLA+iNzYf6vsJVoWB6Cfh/WL9s/Vxn\nJWhvIzo+blJnoMJMsRPx4wiIuAjT2KkJko5v8Wr9pzzOAqOCghk+8YYnpC49PpCA\nhT8Yuu1v53Ycomwj1IdZj6GWeIkuLw2N4ZVqh1vZnvTT1tWltxmp9lhb/cWP+ze1\ngzIO7wqd9hisX9DVl4IVV/q8QVIfhWR2dMX+xgRcEssAjQu/nFGv88i6NJQsbIwm\nKOlUI3QJ49DEVFxH6Z36ZhUpdszHKi3IPg2IqtpfDicU807rQ3VihM9abkhp7cY6\ndvxW2rMijahy2IXuvGyTuwh9ow4bHXWBQgEkaFo8eKCx/KnR5shpR3/0CdegU45H\nGF/RhIq5wC4lMXy5/O3pgb5QPItcOB4ke+s48sGdxWWyXkp3MLXS1NblEZ6K9xTm\n/1GUcpCeoePWMeNmPgdeEcQL8jBxBol2wP5cXl4Ov86wegd0O56lVi6L2jqhgYiZ\n+SMhqmsMqZFVJWExkyX00lgBzFNsLWpT+KGuesodu9mtbYJ/s7Pz7+d+apgtzLI1\nGyjD9TDyZQUmM4El7SbZ/KNniRhR2Rnthg1r/cAcMYSyOnRbM/n5t5ynUc8vzr4y\nIPGXwW3pEoOh\n=48Pd\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-02-22T11:49:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//S41vk86ETjZa/AI9N5rS/RnPk3SuvGCiFxVkPl+ScY+j\nMOIqQFr55JpZm2Tb2nYA07yzW0b9q7jnVDt1dGp1MEC9QZZj1dEoZNGU+UjLhD3F\nDW9/NLeoJ2+D2rSxQmIwWdMqw3XehZDXvcicmKprtSK1MThV1cy5BITTStoX+qSQ\n4pFg7AVJij7+mtEK6pdV3S9BT1R27X9fanm4v785MEB+KERhe+5rQ7QR33Ohrotk\nqp6FqQJRAkc2ea+SFLRp8q4oIKK8lIoVv2mos/RUyBMf1HYPERohvqBjOF7oUjHt\ntOGGb+TLpVicPEsrAiNG5krfLCcI8vZeqkZQvu3YZx1zopYrW1mQuW1/kedFqtpc\nN6piYNz7KaYX0zpCJv1YQN8z1YOc+9LxTIemDUNt3zEYwrehi/DeXMt+Np+U0PKq\nSmfxRiMnbTT14la8mUa4Uov6KNUhzLgDVm8z/6XuM4qqEPw1ApG2UT+n5swZeqhN\nXBIAdSfybLW6vGhIOJduiI7LbQOADcEqlwiMDM4WMtG5acM/MLFQVQzP0DnQeIYj\nlNeGxT0m92ZfhwPupJG8PlC4dAANU3anBVGtMGn66aAEoVq/5RdOI9Iw8z8FIvnq\nN4Sef+5eqJuNeFdvxWG4IP6mrU1BmeWTXgI59aifSPUc0vrviYD6eRYCuI1NySLS\nWAHY6GESDXqeH6mlUryle6HSnJD43faFNkdlUaEBt0tH4ij2OvM5s8XTnr03hPnT\nYOHSVh6PVF2wwgV+JJuy7Nfj1+ylZCl2G61GO4QXtLexeWpPSzbo3Hw=\n=A2Pv\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}


@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:HyKweXScDgvctgx168oBvB22fQcq6mCAs/Bsy0f1+UClAf313UynPJpBig41XVZdRFHOKkAMh/GmyIP04DtrXC/eAO9As+kaLkli/mBWiXSUA9l8pU8Wb3rC5YUu6/9ZraKWaC1ONAty2+d/v2EpWJhKMJWeeihiYfT8FMqRy2tjx0wmIz/Y6HgrR2pvHxyS2nGyrGhraaMnpm1WLsJ5b5yTbgkKVAoMwKNltnSIVA9AYvWmoNB8qIEPI5ppPvrSFSLOxYBG8zl/bBVtJ5ekM2bg733nCISRWhmelQLFVrUrN+3jsfpmE/nTe+xXClUmPC+7ePsCQuU2RKVWw5g99RewPdiszHdq/73Eo+7+ETLgRmo2vtLB/zFSiC8hmtJWh7WvVc4DXhGPDrqYPsh9GR87ZlSORgvadd5Mj/JuMzvmacWoFV9ERLnWjTTlIg+vSEBa0zB2vZHgAzBL+6R7WW3VgsBylRHQqsaJP5RIc4ktT6Qrt3REnArg/V/zJJGYBw+nQrqr5rrbbAmSA/57,iv:BdRM22/SMiHrq4SWVZTIpYPy/eHS1Kc/XxYj49Jf3H4=,tag:QdIwNFO7PnChvhWJAYNONw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYVnRlb2x4SGdPbWltWVUy\nZEl5OC83UldXMjEwOUdTNTFWMytYejFVRkI0CldKN0F0MUp6U2hnRUJQaGZKbzJR\nZFByOHRwbWgxTlJndGh3NWZIR2FKbmsKLS0tIFNjNDVHWjZNYlRCY0tQRlVtTlQ2\nMTlUVFd4dEo4dythYVV1WEQ5dWlEQTgKYqoEes44TbflFTFBzNwEVP9DDHtkmhfn\ndCFBPhBTwuoFKai3kOOX/E9gEOwqY24HAqKdeyiO2VXrL8JKEazggg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-22T11:49:08Z",
"mac": "ENC[AES256_GCM,data:V7B26cct1W4ihesyVxpAI8AvMXSy7dd0hWFdYqWtzKkCN73au2V3h1DilOiNn3gclFhL9Crw38iNUtnGeHscGLGrNbwkyCMDj1KXKl6wnSYdFkw9XD+PnRwYq7hMTTLIH19nqBg+K9tjaDEkK7y8WygUHfknxJj5D4bURgl/jow=,iv:/f3GXl6o2oxRJjIJEpYN5T5x9q4acxFqqakzBRG4hlg=,tag:G6F9hXdO9BoXZ2eXaEG43Q==,type:str]",
"pgp": [
{
"created_at": "2025-02-22T11:49:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQwAk5+mzJ/KJX4bxyb5w8dUiLXilBMJQiBxQZWsC8Q+G5v6\n9LGMMWPrQeLuTHkNe9FpddIUixjuFox1TJxaph3t+DfamR3yPdUYDuRckc9iF+jZ\n4oa8txJ9oWoEYx5QlxCCricSxomC9LV4DcBKQ2gyXnAeX2Wwe5/3uw+S/KyHZM+y\n9flO7qIVQk8MkVzZOc2KVCyvUL1UnAwgXzR1OmznpGBiZpaipCmXBs/elncxViry\nrmgA/+Aob37ChXQk5mVQLyrV+E1M+u1PwigML7PbbE3WpBVgpbb+MH639nBC/rTV\n+B70BaayFdzvUln4OFonfvsvPQEynmE1rfJRUavvAQDORHHmmbOKdWWVaYHDlp4Z\nAgYI10mnnFBpm2Qd/EjBa2a1CWboaGCaz/KldTzjp+TxW0GVf6WQ5SKlqZj3MdGM\nVS+91ph2LaRCTB5WObTX4KKDiwwoRAB+0A4ewu5ttsmeuhTy3o/r1Liu/UBdaL6i\nA9t59cMopIL6YXRD1YwF0lgBHtGC/KGsnZjC4dscoU2eTfmJ4rFx9vmc8I/JaO+h\nNDoFnd0sk2FQhnMvAN16U8HurfAzbHiqf3utEcMOg0bPw43Q/8g8JgUAaxqkJIQn\nn4fqE2GFjBqJ\n=Eivh\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-02-22T11:49:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9Hy7wKpuAeKotD/HBoM+aptxnKiExf7mphpdZZ1sr8fHE\nDDdVehwhFxsxLkcIwh+dj35KswHw6aMzyQGj4bYsxSmsFKscATknsklR1UATWfSw\np3hVjNFCZ+yd+uzSJnfTkldTcaJiN9MxPmaOMd4e7Ui5k7dcYo0/FD5AZQZMjKDO\nQYUsUASWLHWAoiS7nnFrbaFvXKAPS4wOsB2T263QsoZyEvpQIgWP6lb9kS7V4ftZ\nxetGJFIk2hanYfdGXZy3TiHaJO+fESpVYmp6YykDqeZqZkWB59aeWVL/7Cz7H/wj\n4RU9RWBMbXGjPz+5WMo7X7kLrJgLAWywch6bM2fktkadG9n2tAa/FISysR25qtmQ\nzJtwCY8j26ZZJdc/FEA6dYwIYeGZ0BwV91dPaEotAtgSVpSihdXI/DzE9T9OjWuQ\n1c2sCjVJ7Kw19uCHLaZg+Tvob0RQJu5mnKPnLqinpxDn6Vf/nxIU80gFsPPr4f2T\n627iBaQOaMxdxHLV8r16WrNzBRj28sPZDBlGQ0HouToO2dn3uN+onQGszRAAIadJ\nZMo8SoWCdx+xiDK0S5oxnoxfk2QMAW75qyFiR373axb6HgMMSpJSG8TE+vg9++oa\nE7dddc7nq6ZnuhRNDn9V6cam8hfkFvKwRCeul1Yg5qZn5qI9H0/glR+KisKZVK/S\nWAF/XJucPmK9gsScxB4FgfKmpZD0cJkKmwndB5Idc6waRrjHxFnLFTFxbUnUD2KC\n198dZo7Y4ftOIWKHCY1R4RWhsmIUX5XzxwEnYSzy0pta/uyaqwa6sWs=\n=wi7r\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}


@@ -1,31 +0,0 @@
{
"data": "ENC[AES256_GCM,data:2RNOB8VVg+TGykuRU0h9fElGUhrje8gDkMdQyYQaF1U9P68oMJCEJYJno4qB0jEb5IPeTHrJamDjoQKv97OsGBkhPiamlImuBHjAUIxQq9a8xmFAhT60dZqCqIPqSuBs2OeVJE+wbHlo4pjGqe/PymMtz5M85SgOxvYSOktYRUZLmHIkZ9APy6PVit7AeUzRkf5H9Y58Xhg8gh4wCK0djorszPSY3Pf+G5PeV4EdNjIZ2FoL8MjWnYyEl8e/C11w1qdRA39J6l9LDTn8kNp3zHzYEWfY1G1sShc9M6kT83qmU4HMExERs4MlXEXkPd8EztAAgMKZIZWiwJ2Eu+9854V7KDb6T48sILCesjJwB94DWuXmdf/2CV1uGVat9baGOIE0ImGHTZYtGutxP1pBl1qZcU89LLRSPlmnRNWnTLcc3nnw0dgSsk132/7Qckrq5mUpD7F/fs1bYfG2LZGCqnXq6olnzh5jILe5iffvZprEH/Fm6jcDXBQN8WR4ADReSvHN7r0Vpvm1aZ01NtkJ,iv:6IIpVx4Dtrn+uahiH3kZHy6bmBj9ti1UiswKwAe2qZE=,tag:hGJkYXIarS+QEwJiHVmP/w==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMXJSeTFQdElLc2FKVFlG\nTjdlOGZHaUZkNjMzZDJTcXh1ZjF2bVpzRlU4CjdiS3NYeDZyNit1OCswSjFWbWJU\nT1BTNWFsRnpQWjZGbzJFV05tV1lNS2sKLS0tIEdrb3JOMUFRMkdIdFUwK0dHSXRQ\nbmtCVEJjRllnMHZFNkJ2UndBcXlaQkUK9bHFPsVaZovR4rGuQ6GfqAvZxNKqVhC5\nHybQWv1PCoaNOvQbtBgCxMlV8HOJfwe2EgysJErvriXeyVad5+zY2g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-22T11:49:08Z",
"mac": "ENC[AES256_GCM,data:IFctz/f9I9vcWN82u3qta+o/oILTHpCScSezHwt0ifsENnUQLz+uAmpMs+ok1ZR5+20XpEq4C7f1s4n2h8dijxsPuE/IOQM7rvwjoVPsM/0XUglDK3Vc5u1oooGpLJg1PchwWGOAlKQHun3mh4j/bz5UMpD8AWC++NLPE1Hr0Jc=,iv:y0aD+4iLSKedGAjZP1SygyzzIE0/SHWcOUS/aghzrII=,tag:01dQZoLlz0w5dE3DePwjbA==,type:str]",
"pgp": [
{
"created_at": "2025-02-22T11:49:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv6A4kG9S33l07+BwNeUsDZVrzRTP2Gz5F679VKTBrr96t/\nTJaa+FlCWDU3DczaC18Y6yIyU22+97xqQ4WYnno0h7bF2uhjbyXjp3JV5na7BgGe\nn3V6p0yJcBM5XfrJRuKghEB3kHddQIcVR8JurWrynCKy1C4njR6pJDA3pqp9PReP\n0ubTiJqAwJfx5hGSAjSDWitQ2vpubowCXssqyh9S2P07H5u8HHbLRyJGgvl/LgTR\nEe2EUh7KrTMT6cCXBHAPSK2bZgwP667bhEOJzuCpknG4/Q7EtVQzjKaXGrDR0vMi\nIwA7knQ0UMeRCa/jSSPYUbscMJIb5+wh0rnPfWGGgtVshdd6YtuETBnqZsjUETXd\nsXdem+UoMEN6Co1ABzHEeSGT7y6D8OghoodofLBvgf5TduiX5Pqceo7SkfXPN/3G\n4fqg+e+VTT63Jwp7rk+ekRJYPkHNoB5w0VIrvsyBPlDUhEVywKWJTfzu8905hkVP\ntsQEoJxkpT27PFACoxZ80lgB/9kyQKvsRG9kl68osivg2gIB/13+4TjMdS+x3ycL\no5QnE0D/adRJHpDRwuPfzGyRwFWT8bHFEpw8qErLEWaXh27QMStOgr2By2PsOFTP\nAtJo/wheNGMb\n=qa04\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2025-02-22T11:49:08Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ/9F41AW+ruudLanRh8Rn8rHJRfGpdhv1oFkFRIK+Z/2oGr\nMGMm+2EPhCHCMp2tFJRm0HwZruGJda31iFNbaFSqHmTlqWfEMoEj4ztcOhe1vFG/\nhqtp39DawyHb/1AXPHvsuwbucEf/DH9gflXgbnBrZQ0K+7FiOSnXNi34YByKipbI\nbGg+8PV1iYXw0vuLgERy5aP20zyvr+sg53jnr8RR98A2E7VWg2YNfxEOKxxQczxe\nlgblSVqLLmEKAJcE3JWY6c5HR5Xlt4Y02JrAYD11qD21hmtS8plEZ70kiz4elgMU\nkWxM1HSm9Tyq2I5c9v8uk8VOCfEYE+glASJKtyHtyzDJRJcKwvaE8SqStlfoGot6\nKiJ4flqGapTOkJtOvR7FczO7T3j19Ga62dUvoHrei9Q0FYcyG70/lvTWEJy4/jYg\nOk5QJyseRhrDhcLKg9nUbuSfYhXtJc9C/S8B1n/bwjO1O3vslkewFAnhBIqweh1D\nnHjrSHsssrpkeyefmjVh7NiQZtn122hnPnIz5B62is27MD+m8qWWoWghc5lzsw5S\nCGBRY8l+vvGca1TZFJX1JO/L6vhdN4qd/H4IWRmj1oSR8qtQ6SKbt1UmQtB2BtPg\ncqlRCn4x2ORpRgwAIZtD6GFUFUjUduz6LpaxG2tpnmZcQfPAF7YYjjpR07oPIg3S\nWAGomgQyyubfDCH/tM0RwuTlMX4hkMtlKyMDuOHuZVxWZqoh/utGazasBogGm6zK\nIz0nKh+z0w0nv9kGzalq9L+ek0A07ylIlakSaR/vxh2ZaKHojBEEPh8=\n=1EB6\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.2"
}
}


@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY60NKfdjFiXNvl1r4mBcXKADHA80laxio+qN6izevN atlan@nixos


@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiKzGgQVfvfSqhdWNqkhTWd8gfJCVoyYoe9zh1LATsC atlan@nixos


@@ -39,7 +39,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
pkgs.age pkgs.age
pkgs.python310Packages.grip pkgs.python310Packages.grip
pkgs.mdbook pkgs.mdbook
pkgs.ssh-to-age
microvmpkg.microvm microvmpkg.microvm
]; ];
@@ -50,7 +49,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
legacyPackages = { legacyPackages = {
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh); scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh);
scripts.run-vm = self.packages.${system}.run-vm; scripts.run-vm = self.packages.${system}.run-vm;
}; };
@@ -110,7 +108,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
nixosModules.malobeo = { nixosModules.malobeo = {
host.imports = [ ./machines/durruti/host_config.nix ]; host.imports = [ ./machines/durruti/host_config.nix ];
microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ]; microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ./machines/modules/malobeo/microvm_client.nix];
vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ]; vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
initssh.imports = [ ./machines/modules/malobeo/initssh.nix ]; initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
metrics.imports = [ ./machines/modules/malobeo/metrics.nix ]; metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];


@@ -1,50 +0,0 @@
set -o errexit
#set -o pipefail
if [ ! -e flake.nix ]
then
echo "flake.nix not found. Searching down."
while [ ! -e flake.nix ]
do
if [ $PWD = "/" ]
then
echo "Found root. Aborting."
exit 1
else
cd ..
fi
done
fi
pwpath="machines"
hostkey="ssh_host_ed25519_key"
initrdkey="initrd_ed25519_key"
read -p "Enter new host name: " host
if [ "$host" = "" ]; then exit 0
fi
mkdir -p $pwpath/$host/secrets
cd $pwpath/$host/secrets
# Generate SSH keys
ssh-keygen -f $hostkey -t ed25519 -N ""
ssh-keygen -f $initrdkey -t ed25519 -N ""
#encrypt the private keys
sops -e -i ./$hostkey
sops -e -i ./$initrdkey
#generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
sops -e -i ./disk.key
# Info
echo
echo "Hier ist der age public key für sops etc:"
echo "$(ssh-to-age -i ./"$hostkey".pub)"
echo
echo "Hier ist eine reproduzierbare mac-addresse:"
echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
exit 0


@@ -25,9 +25,6 @@ fi
hostname=$1 hostname=$1
ipaddress=$2 ipaddress=$2
pwpath="machines/$hostname/secrets"
hostkey="ssh_host_ed25519_key"
initrdkey="initrd_ed25519_key"
# Create a temporary directory # Create a temporary directory
temp=$(mktemp -d) temp=$(mktemp -d)
@@ -42,13 +39,12 @@ trap cleanup EXIT
install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/root/" install -d -m755 "$temp/root/"
diskKey=$(sops -d $pwpath/disk.key) diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key echo "$diskKey" > /tmp/secret.key
echo "$diskKey" > $temp/root/secret.key echo "$diskKey" > $temp/root/secret.key
sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname" ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
# # Set the correct permissions so sshd will accept the key # # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname" chmod 600 "$temp/etc/ssh/$hostname"
@@ -64,4 +60,4 @@ if [ $# = 3 ]
else else
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \ nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
fi fi
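Review bot: The decrypted disk key is still written to the fixed path `/tmp/secret.key` (second hunk, `echo "$diskKey" > /tmp/secret.key`), created with the caller's umask in a world-writable directory, and nothing visible here removes it; the body of `cleanup` is outside the hunk. Since the same key already lands in `$temp/root/secret.key` under the `mktemp -d` directory, I would drop the `/tmp` copy and pass `--disk-encryption-keys /tmp/secret.key "$temp/root/secret.key"` in both nixos-anywhere calls (the three-argument branch is outside this view). Separately, generating the host and initrd keys with `ssh-keygen` at install time means their public halves are no longer known from the repository beforehand, so the first connection to the initrd, which later receives the disk key, presumably rests on trust-on-first-use. A comment saying how the fingerprints should be recorded after install would help.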


@@ -19,15 +19,15 @@ if [ ! -e flake.nix ]
done done
fi fi
diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)
echo echo
if [ $# = 1 ] if [ $# = 1 ]
then then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ] elif [ $# = 2 ]
then then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
IP=$2 IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
@@ -37,4 +37,4 @@ else
echo "Usage: $0 <hostname> [ip]" echo "Usage: $0 <hostname> [ip]"
echo "If an IP is not provided, the hostname will be used as the IP address." echo "If an IP is not provided, the hostname will be used as the IP address."
exit 1 exit 1
fi fi
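Review bot: Neither added `diskkey=$(sops -d machines/$HOSTNAME/disk.key)` line checks that decryption succeeded, so unless errexit is set above the hunk a failed `sops -d` pipes an empty passphrase to `systemd-tty-ask-password-agent` on the remote side. The path is also unquoted and the assignment is now duplicated in both branches. I would write each as `diskkey=$(sops -d "machines/$HOSTNAME/disk.key") || exit 1`, or move it into a small function called from both branches. `HOSTNAME` is also a variable bash sets itself; where the script assigns it is outside the hunk, so a lowercase name as in the install script would avoid surprises.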