kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:8b33a1c70473addc8f74c954f9bfea49b2a19f72
Branches Tags
kalipso:master kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
..
compare: kalipso:issue31
Branches Tags
kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

8 Commits
8b33a1c704 ... issue31

Author SHA1 Message Date
kalipso
2f4cb3787b [disko] rm duplicate filesystems entry
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m16s
Details
2025-02-05 14:31:39 +01:00
kalipso
4f9e66ba82 Merge branch 'master' into issue31
Some checks failed
Check flake syntax / flake-check (push) Failing after 2m0s
Details
2025-02-05 14:25:57 +01:00
kalipso
1f9d39b53d [malovpn] add hetzner
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m39s
Details
2025-01-28 14:56:09 +01:00
ahtlon
c51c1e8e92 Merge master
All checks were successful
Check flake syntax / flake-check (push) Successful in 6m6s
Details
2025-01-19 18:00:27 +01:00
ahtlon
a96b8f65c9 [disko]Force grub on legacy boot
Some checks failed
Check flake syntax / flake-check (push) Waiting to run
Details
Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Has been cancelled
Details
Check flake syntax / flake-check (pull_request) Has been cancelled
Details
2025-01-19 17:59:29 +01:00
Ahtlon
29d6bc02e0 Merge branch 'master' into issue31
Some checks failed
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m41s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m46s
Details
Check flake syntax / flake-check (pull_request) Failing after 2m20s
Details
Check flake syntax / flake-check (push) Failing after 2m15s
Details
2025-01-18 22:57:21 +01:00
ahtlon
c0cef1ff1e Apply legacy to bakunin
Some checks failed
Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 5m14s
Details
2025-01-18 21:33:41 +01:00
ahtlon
7099c92236 [disko] add legacy option 
I don't know if the grub device is right
 2025-01-18 21:33:23 +01:00
8 changed files with 214 additions and 310 deletions
Expand all files Collapse all files

7
machines/.sops.yaml
View File

@@ -100,10 +100,3 @@ creation_rules:
- *admin_kalipso_dsktp
age:
- *admin_atlan
- path_regex: modules/malobeo/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan

10
machines/bakunin/configuration.nix
View File

@@ -8,11 +8,12 @@ in
[ # Include the results of the hardware scan.
#./hardware-configuration.nix
../modules/xserver.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
inputs.self.nixosModules.malobeo.disko
inputs.self.nixosModules.malobeo.initssh
inputs.self.nixosModules.malobeo.users
];
malobeo.autoUpdate = {
@@ -25,6 +26,7 @@ in
malobeo.disks = {
enable = true;
legacy = true;
hostId = "a3c3102f";
root = {
disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
@@ -32,13 +34,9 @@ in
};
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"];
enable = false;
};
malobeo.users.malobeo = true;
hardware.sane.enable = true; #scanner support
nix.settings.experimental-features = [ "nix-command" "flakes" ];

379
machines/modules/disko/default.nix
View File

@@ -20,6 +20,11 @@ in
default = true;
description = "Allows encryption to be disabled for testing";
};
legacy = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable legacy boot (bios)";
};
devNodes = lib.mkOption {
type = lib.types.str;
default = "/dev/disk/by-id/";
@@ -81,198 +86,220 @@ in
};
};
config = lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
config = lib.mkMerge [
(lib.mkIf (cfg.enable && !cfg.legacy) {
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
};
fileSystems."/boot".neededForBoot = true;
})
(lib.mkIf (cfg.enable && cfg.legacy) {
boot.loader.grub = {
enable = lib.mkForce true;
device = "/dev/${cfg.root.disk0}-part1";
efiSupport = false;
enableCryptodisk = cfg.encryption;
zfsSupport = true;
};
})
(lib.mkIf cfg.enable {
networking.hostId = cfg.hostId;
disko.devices = {
disk = lib.mkMerge [
{
ssd0 = lib.mkIf (cfg.root.disk0 != "") {
type = "disk";
device = "/dev/${cfg.root.disk0}";
content = {
type = "gpt";
partitions = {
ESP = lib.mkIf (!cfg.legacy) {
size = "1024M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
};
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
boot = lib.mkIf cfg.legacy {
size = "1024M";
type = "EF02";
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
encryptedSwap = {
size = cfg.root.swap;
content = {
type = "swap";
randomEncryption = true;
};
};
};
};
};
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
}) cfg.storage.disks
)
))
];
};
ssd1 = lib.mkIf (cfg.root.disk1 != "") {
type = "disk";
device = "/dev/${cfg.root.disk1}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
}
(lib.mkIf cfg.storage.enable (
lib.mkMerge (
map (diskname: {
"${diskname}" = {
type = "disk";
device = "/dev/${diskname}";
content = {
type = "gpt";
partitions = {
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "storage";
};
};
};
};
};
}) cfg.storage.disks
)
))
];
zpool = {
zroot = {
type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd";
"com.sun:auto-snapshot" = "false";
zpool = {
zroot = {
type = "zpool";
mode = lib.mkIf cfg.root.mirror "mirror";
# Workaround: cannot import 'zroot': I/O error in disko tests
options.cachefile = "none";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
compression = "zstd";
"com.sun:auto-snapshot" = "false";
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
};
type = "zfs_fs";
};
};
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="file:///root/secret.key" storage/encrypted;
'';
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
};
"encrypted/var" = {
type = "zfs_fs";
mountpoint = "/var";
options.mountpoint = "legacy";
};
"encrypted/etc" = {
type = "zfs_fs";
mountpoint = "/etc";
options.mountpoint = "legacy";
};
"encrypted/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.mountpoint = "legacy";
};
"encrypted/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.root.reservation}";
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
};
type = "zfs_fs";
};
};
};
storage = lib.mkIf cfg.storage.enable {
type = "zpool";
mode = lib.mkIf (cfg.storage.mirror) "mirror";
rootFsOptions = {
mountpoint = "none";
xattr = "sa"; # für microvm virtiofs mount
acltype = "posixacl"; # für microvm virtiofs mount
};
datasets = {
encrypted = {
type = "zfs_fs";
options = {
mountpoint = "none";
encryption = lib.mkIf cfg.encryption "aes-256-gcm";
keyformat = lib.mkIf cfg.encryption "passphrase";
keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
};
type = "zfs_fs";
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="file:///root/secret.key" storage/encrypted;
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
};
reserved = {
# for cow delete if pool is full
options = {
canmount = "off";
mountpoint = "none";
reservation = "${cfg.storage.reservation}";
};
type = "zfs_fs";
};
};
};
};
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true;
fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/var".neededForBoot = true;
fileSystems."/home".neededForBoot = true;
fileSystems."/nix".neededForBoot = true;
})
];
}

3
machines/modules/malobeo/initssh.nix
View File

@@ -26,9 +26,6 @@ in
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = {
requestEncryptionCredentials = true;
};

7
machines/modules/malobeo/peers.nix
View File

@@ -30,6 +30,13 @@
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
};
"hetzner" = {
role = "client";
address = [ "10.100.0.6/24" ];
allowedIPs = [ "10.100.0.6/32" ];
publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
};
"fanny" = {
role = "client";
address = [ "10.100.0.101/24" ];

59
machines/modules/malobeo/secrets.yaml
View File

@@ -1,59 +0,0 @@
malobeoUserPassword: ENC[AES256_GCM,data:/w9Q89njBL5eL8RU6IhOxegJqtvBmx/R2+b7+asop98PN4SZn3r53lagM/3UiNnbde/Mh1/3T3OtddNFTh+v64NNzMdKE65T/A==,iv:8o97dDxA6GHkFN0uAfbdG0DnatoiP3ytEGLTHOOZe0w=,tag:Jl2EPOooYdnSfyfOr9Pn2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b2lTY1hhTUwxalZ6bHJJ
aUpUelB6K0hweW8rWXJzaTVKWC94Q0E4c2hRCnBaM3hwTkxwWGZjUCtycTR0aFJr
QXZPVkNjK2dIOWpHYUhxd2x6cW9MMTgKLS0tIEh4N2d5TEZuK2RRMklxRGNlOTFP
ZCtqbzVZYnB4WTh1RUt4V0FPYzRualUKh3lyO+Ow2698jZ05PZjeKK5CnuUnIAJ2
IdBRJNhalleoJPdQnsq/Yj3aewXtIYDdXKnhN4QdEfbQnrIrm1B7FQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-28T11:04:06Z"
mac: ENC[AES256_GCM,data:ZfWuWafknBtaLPjpujLfFjh4oRIk6Bq521NnI1woEamV1MZ53AbmGqZRroW4mAz2uI1KA3RSX7CLvFjJRzQiCBA/OblD89xGNEsQdRvsMCfkEGN85TgV5RVZ+Iqi/VoSXQUc4WcUZenBtgua8p84Ujikr/XT08dEB8hNVAOsSaw=,iv:fVX8LyxT3QkogpF/zRUY0LWzemp6ugrlK2eTag8jtWk=,tag:9kIXxg2hI1+D4XXx/ZPILw==,type:str]
pgp:
- created_at: "2025-01-28T11:02:47Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv+JmOlIv1eupyfTV+T0jpZ0Ux49fjTP8xo/6aBNrukFFej
1JNX7Y57c5jUPUIWYX/obbhrT0yOj5w7yiA2lOO4ZUoHswDs70F7kuEXfdlEiL+Y
R2Zl5aAL+1Q0ydmjEG/P11H/ts0csHJTFwf6bR463Kv8yn8wjrpZKWcBTWoKzxbQ
LfEiDZ5F4FAjRJFgJRioWdUWCnMTaWWM6hQRathbVIi0DgddjzDma7I1l8qdsEEX
rh5y+SQSfajIPn1MxstY3Y8kkYb/LUOXIGGDxJV5UOuem8z2O0wiHsuRGtNAmQVJ
O0XjRALgoXbLFZYvej5xkDBvkr13JsJsa7P9IrVChF72ktFhWjPd5ALM63L3Rj//
voFD3JXmwOZsgsy+0wgfWwYb89xKcrLSrNkZKXFfLM1fUGx3huOw3YYqH35IccHe
KVPB0w5NkFRjq0Ubs9M/FpdspZPZmUgz6Y3hNUdSPsmd8+KWdDqFX0Nijv4dW/5k
1lMNcr6K/bHY9mWpqhsF0lgBfV1uX9Gw+rPVxpfbAmrqScw4XOnsYRhr39Ew2jyr
FY+EDPYj84AlfKCRr21lDOYsEYlxvRRL94LuzaJ5ZPsvc4fSRlLfA6CaTnyMO/Uh
0UaAUmo9gj8D
=oYMG
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-28T11:02:47Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ/+O8kqGBbX22K56L7/TRjZIFsvPKNO89QADDuL8R9cYYug
iKvtCp1rjSkRZZOxEqdLltqlub7Qvm/FmOTTV/Ha97FyLu908ci9FhZhYSIu95PO
VVBKRqEvcjtYj7HV/WbHUPc0KNq3EJ2XmJPAbNel0vbLv5Y5RMCiPK7ZtP5owIX+
Vq5wxu92MUyQOcryqzVnP5Ly7hWjlQEVg88zHtOvzMBf2OtVh10f5xF6nNpxfmXO
ni0UvlzzatLmGX1t9CDchVvRkgvlALZAgwDnFqc3L3HbKlATgaH8Ilr5rEmjt3v1
wWSQWewoEH3BtMgNTvXcVZu4mji9wYTNR2MfrL7eIqkhQzxCgL+vIh9wpNXYN+jO
ghnQKUoGFpM0AnT8OXGODDfOqQd2nkUuySUP+n+N8LnEN021ve5500t4uAjZnASe
kVrNXK+9XUEIDNaWnO9ykRRvB4y41yqf5Pu5FfMtHg5s53ypqox3rSqQMPhwFtVz
HLSQ5iyv2v66RoXUX9Esk+QcTQuDRQpZFzM7v4tyU+IeT7rOe7dC0YEOYRetKApQ
bru47ZS4nPFfaCdOnMr5tmTMwv/dzMDQHeRkxqEKPTyYx56nHjrMRE13PjYUvSbT
aQVoAspsYXhxQ6eDVzGbBlbA1KXS7fbl9Ji0aVWXVS2otdL0hPRd6Nh0Cy0RuLnS
WAF5hbffH9AgRLC8HlAFAsYvf42JSjwpLdeFnGYka8dWZX0ItxLFEOJ1IAyilFy6
mkBFyUYLRwlbExJNEH+WFlbMSDWzZ6eXmuPzUBvhwOC/8AxKvhk8je4=
=x1tN
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
version: 3.9.2

58
machines/modules/malobeo/users.nix
View File

@@ -1,58 +0,0 @@
{config, lib, pkgs, inputs, ...}:
let
cfg = config.malobeo.users;
sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
in
{
options.malobeo.users = {
malobeo = lib.mkEnableOption "enable malobeo user";
admin = lib.mkEnableOption "enable admin user";
};
config = lib.mkMerge [
(lib.mkIf cfg.malobeo {
sops.secrets.malobeoUserPassword = {
sopsFile = ./secrets.yaml;
neededForUsers = true;
};
users.users.malobeo = {
isNormalUser = true;
description = "malobeo user, password and ssh access, no root";
extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
openssh.authorizedKeys.keys = sshKeys.admins;
hashedPasswordFile = config.sops.secrets.malobeoUserPassword.path;
};
environment.systemPackages = with pkgs; [];
})
(lib.mkIf cfg.admin {
users.users.admin = {
isNormalUser = true;
description = "admin user, passwordless sudo access, only ssh";
hashedPassword = null;
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [];
security.sudo.extraRules = [
{
users = [ "admin" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
})
{
users.mutableUsers = false;
environment.systemPackages = with pkgs; [
nix-output-monitor
vim
htop
wget
git
pciutils
];
}
];
}

1
outputs.nix
View File

@@ -113,7 +113,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
disko.imports = [ ./machines/modules/disko ];
users.imports = [ ./machines/modules/malobeo/users.nix ];
};
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (