19 Commits

8a998e7068 [nixpkgs] update
2025-02-11 18:00:59 +01:00
f9a8a27f9d [fanny] more ram and cores for vmVariantWithDisko 2025-02-11 18:00:59 +01:00
4fc2eff84a [disko] no encrypted swap when encryption disabled 2025-02-11 18:00:59 +01:00
ahtlon
4ea8af2523 Add microvm data dirs
(untested because virtiofs mounts currently don't work)
2025-02-11 18:00:59 +01:00
ahtlon
015a07c1f2 Fix #67 2025-02-11 18:00:59 +01:00
ahtlon
4e5b402115 [nextcloud] add some attributes 2025-02-11 18:00:59 +01:00
7065b5d589 [nextcloud] update sops key 2025-02-11 18:00:59 +01:00
c2db0813e8 [sops] update secrets 2025-02-11 18:00:59 +01:00
1b70443e15 [fanny] update sops key after reset 2025-02-11 18:00:59 +01:00
a093b47fd8 [malovpn] add hetzner 2025-02-11 18:00:59 +01:00
ahtlon
20dd200540 [fanny] enable storage creation with disko 2025-02-11 18:00:59 +01:00
ahtlon
96a5b68237 [scripts] only need to unlock once 2025-02-11 18:00:59 +01:00
ahtlon
0820dea377 [disko] Bit of a hack but the storage partition now gets mounted after zroot using a file on the disk. 2025-02-11 18:00:59 +01:00
ahtlon
c27566ccda [disko] rm btrfs-laptop.nix 2025-02-11 18:00:58 +01:00
e14898525c [testvm] integrate into hosts.nix 2025-02-11 18:00:58 +01:00
894a95ebad [run-vm] optional forward ports
currently only allows forwarding to port 80, i was too lazy to handle two
arguments in bash
2025-02-11 18:00:58 +01:00
6319e3e757 [testvm] add to nixosConfigurations again 2025-02-11 18:00:58 +01:00
91e681e879 [fanny] nat microvm traffic 2025-02-11 18:00:58 +01:00
3b1ab5e14c [nextcloud] add deck and polls 2025-02-11 18:00:58 +01:00
17 changed files with 173 additions and 177 deletions

1
.gitignore vendored

@@ -6,3 +6,4 @@ result
.direnv/
book/
fanny-efi-vars.fd
nix-store-overlay.img

30
flake.lock generated

@@ -109,11 +109,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1736905611,
"narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=",
"lastModified": 1739104176,
"narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b",
"rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2",
"type": "github"
},
"original": {
@@ -160,11 +160,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1736978406,
"narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=",
"lastModified": 1738816619,
"narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b678606690027913f3434dea3864e712b862dde5",
"rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
"type": "github"
},
"original": {
@@ -192,11 +192,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1737062831,
"narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"lastModified": 1739020877,
"narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
"type": "github"
},
"original": {
@@ -208,11 +208,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1736916166,
"narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=",
"lastModified": 1739206421,
"narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e24b4c09e963677b1beea49d411cd315a024ad3a",
"rev": "44534bc021b85c8d78e465021e21f33b856e2540",
"type": "github"
},
"original": {
@@ -245,11 +245,11 @@
]
},
"locked": {
"lastModified": 1737107480,
"narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github"
},
"original": {


@@ -8,10 +8,12 @@ keys:
- &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
- &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
- &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
- &machine_durruti age1pd2kkscyh7fuvm49umz8lfhse4fpkmp5pa3gvnh4ranwxs4mz9nqdy7sda
- &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
- &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
- &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
- &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce
- &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
#this dummy key is used for testing.
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
creation_rules:
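Review bot: The age recipients for durruti, fanny and nextcloud are replaced (the `&machine_durruti`, `&machine_fanny` and `&machine_nextcloud` lines), but of the files in this change only the fanny and nextcloud secret files are re-encrypted; nothing encrypted to the old durruti key is touched. Any secret matched by a creation rule for `&machine_durruti` still carries the old recipient until `sops updatekeys` is run on it, and a host that only holds the new identity will not be able to decrypt it; if no such file exists yet this is a no-op, but it is worth confirming before the next deploy. Since these anchors are the only place the host-to-key mapping lives, a short comment on each rotated line, e.g. `# rotated 2025-02 after reinstall`, would make the history readable without the commit log.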


@@ -20,6 +20,13 @@ in
inputs.self.nixosModules.malobeo.metrics
];
virtualisation.vmVariantWithDisko = {
virtualisation = {
memorySize = 4096;
cores = 3;
};
};
malobeo.metrics = {
enable = true;
enablePromtail = true;
@@ -51,11 +58,17 @@ in
disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
};
storage = {
enable = true;
disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
mirror = true;
};
};
systemd.tmpfiles.rules = [
"L /var/lib/microvms/data - - - - /data/microvms"
"d /data/microvms 0755 root root" #not needed for real host?
];
malobeo.initssh = {
enable = true;
authorizedKeys = sshKeys.admins;
@@ -72,6 +85,12 @@ in
services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
networking = {
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "microvm" ];
};
firewall = {
allowedTCPPorts = [ 80 ];
};
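Review bot: The two tmpfiles rules use `/data/microvms` (plural) while the disko module in this same change mounts the dedicated dataset at `/data/microvm` (singular), so the `d` rule creates a plain directory on the parent dataset and the symlink never points at the new dataset. Aligning on one path, `"L /var/lib/microvms/data - - - - /data/microvm"`, fixes that; the per-host directories the virtiofs share reads (`/var/lib/microvms/data/<host>` in the microvm library) are also not created by these rules, so the share will fail to start unless something else creates them — the commit message itself says this is untested. The `#not needed for real host?` question should be settled before merging rather than shipped as a comment.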


@@ -5,63 +5,63 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
- recipient: age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh
cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy
WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK
RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL
2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTmFmVEd0cjY1QkJNRXRQ
NytpanU0UzF5aXlhRklJbW5yOExrbVFoREFjClRlVGVhOHZ2OW56Z21NU1FjaVFh
ZnJHZk5mV3ZKQm84M0Z6em14akc4Rk0KLS0tIHRMQTdOZTVvNUNoM29tZ2Nockp6
VUJFMEpxb0Y4WlJhZGZPTk54ZXhIMEkKPwkXj7gRlIZ9aYGNlX+PdZa9BcaHt1G6
DVNxfuYvecprnQWQ+pjVGzm8j78p7HpAcmJ/Aue3FTYo6S/vyEmK6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK
U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX
eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS
cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/
MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzF1WW82MlB3N2tmVjVa
UGlLaThRUFNQOVV0d1ZxK2hJTE1pSGVoV2hVCis0UW41cXRVaC8yWGdCUEVaZjFM
MmViQXJrV3pTNzN4aDNpVCtYNmdXUjQKLS0tIGZsYTRwUDI2YWlMNjBJY2ZNREVu
ZzI3MWRLZ3lseitrQ0YrZ1BuM3BacmsK1gbJH+Qs6sTLrSZSUJtnvUNmbLNnPWVT
WOs8Pxf6ROYmstcF8yEGHxbVesWn0jMbC4aIAZOIyglh+6glxsbnpw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T12:41:07Z"
mac: ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str]
pgp:
- created_at: "2025-01-14T12:32:13Z"
- created_at: "2025-02-05T15:31:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=GKm4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=nYXr
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-14T12:32:13Z"
- created_at: "2025-02-05T15:31:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=9FN4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=vEEz
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted
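Review bot: Only the age recipient for fanny and the PGP `created_at` stamps change; `lastmodified` (still `2025-01-14T12:41:07Z`) and `mac` are untouched, which is what `sops updatekeys` produces — the data key was re-wrapped for the new identity, the disk passphrase inside was not rotated. If the reset named in the commit title means the old fanny age identity could have been recovered from the old installation, the passphrase itself also needs rotating, which means re-keying the pool and a fresh `sops` edit rather than an updatekeys. The same observation applies to the nextcloud secrets file further down (the section whose recipient changes to `age1z0cfz7…`), where `lastmodified` is still `2024-11-26T20:00:50Z`.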


@@ -66,6 +66,10 @@
mac = "D0:E5:CA:F0:D7:E0";
};
};
testvm = {
type = "host";
};
};
};
}


@@ -1,63 +0,0 @@
{ config, self, inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
# https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
disko.devices = {
disk = {
main = {
type = "disk";
# When using disko-install, we will overwrite this value from the commandline
device = "/dev/disk/by-id/some-disk-id";
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
passwordFile = /tmp/secret.key; # Interactive
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "20M";
};
};
};
};
};
};
};
};
};
};
}


@@ -102,7 +102,7 @@ in
mountOptions = [ "umask=0077" ];
};
};
encryptedSwap = {
encryptedSwap = lib.mkIf cfg.encryption {
size = cfg.root.swap;
content = {
type = "swap";
@@ -187,6 +187,7 @@ in
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" zroot/encrypted;
'';
};
"encrypted/root" = {
type = "zfs_fs";
@@ -244,13 +245,16 @@ in
};
# use this to read the key during boot
postCreateHook = lib.mkIf cfg.encryption ''
zfs set keylocation="prompt" storage/encrypted;
zfs set keylocation="file:///root/secret.key" storage/encrypted;
'';
};
"encrypted/data" = {
type = "zfs_fs";
mountpoint = "/data";
options.mountpoint = "legacy";
};
"encrypted/data/microvm" = {
type = "zfs_fs";
mountpoint = "/data/microvm";
};
reserved = {
# for cow delete if pool is full
@@ -267,7 +271,7 @@ in
};
boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
fileSystems."/".neededForBoot = true;
fileSystems."/etc".neededForBoot = true;
fileSystems."/boot".neededForBoot = true;
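Review bot: The new `"encrypted/data/microvm"` dataset sets `mountpoint = "/data/microvm"` without `options.mountpoint = "legacy"`, unlike its parent `"encrypted/data"` two entries above, so the child would be mounted by the ZFS mount service while the parent goes through `fileSystems`, and the order between the two is not guaranteed; I would add `options.mountpoint = "legacy";` to keep the whole tree under NixOS mount ordering (verify against the datasets declared outside this hunk). The switch to `keylocation="file:///root/secret.key"` deserves a sentence next to `# use this to read the key during boot` stating the consequence: the storage pool's key now sits in plaintext on the root dataset, so its confidentiality is exactly that of zroot, and the file must be present on every reinstall or the pool cannot be loaded at boot. Also note that `encryptedSwap = lib.mkIf cfg.encryption` removes the swap partition entirely when encryption is off; if an unencrypted swap is expected for those hosts it needs a counterpart, which is not visible here.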


@@ -70,6 +70,13 @@ rec {
proto = "virtiofs";
socket = "var.socket";
}
{
source = "/var/lib/microvms/data/${hostName}";
mountPoint = "/data";
tag = "data";
proto = "virtiofs";
socket = "microdata.socket";
}
];
interfaces = [
@@ -135,8 +142,8 @@ rec {
}]);
#if networking is disabled forward port 80 to still have access to webservices
forwardPorts = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [
{ from = "host"; host.port = 8080; guest.port = 80; }
forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
{ from = "host"; host.port = options.fwdPort; guest.port = 80; }
]);
};
@@ -212,12 +219,13 @@ rec {
builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
};
buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: (self.nixosConfigurations.${host}.extendModules {
buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
modules = [
(vmMicroVMOverwrites host {
withNetworking = networking;
varPath = "${varPath}";
writableStore = writableStore; })
writableStore = writableStore;
fwdPort = fwdPort; })
(if sopsDummy then (vmSopsOverwrites host) else {})
(if disableDisko then vmDiskoOverwrites else {})
] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
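Review bot: `buildVM` now takes seven positional arguments (`host networking sopsDummy disableDisko varPath writableStore fwdPort`), and the shell caller splices them unquoted into a Nix expression, so a transposed or non-numeric argument surfaces as an evaluation error far from the call site; an attribute-set argument with defaults (`{ host, networking ? false, …, fwdPort ? 0 }`) would make each flag self-describing and let the script grow without renumbering. The new virtiofs share reads `/var/lib/microvms/data/${hostName}` on the host, nothing in this change creates that per-host directory, and the commit message says the mount is untested, so at minimum a `# host must provide /var/lib/microvms/data/<hostName>` comment on the share would record the contract. `buildVM` continues past the end of the hunk.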


@@ -30,9 +30,7 @@ in
loader.efi.canTouchEfiVariables = true;
supportedFilesystems = [ "vfat" "zfs" ];
zfs = {
forceImportAll = true;
requestEncryptionCredentials = true;
};
initrd = {
availableKernelModules = cfg.ethernetDrivers;
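Review bot: After dropping `forceImportAll` and `requestEncryptionCredentials`, `zfs = { };` is left as an empty attribute set inside `boot` and can be deleted outright. If I recall the option defaults correctly, `requestEncryptionCredentials` defaults to true so that removal is a no-op, whereas `forceImportAll` defaults to false, so pools other than the root pool are no longer force-imported — presumably intended now that the storage pool is imported via `boot.zfs.extraPools` in the disko module, but a one-line comment saying so would save the next reader the same lookup.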


@@ -30,6 +30,13 @@
publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
};
"hetzner" = {
role = "client";
address = [ "10.100.0.6/24" ];
allowedIPs = [ "10.100.0.6/32" ];
publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
};
"fanny" = {
role = "client";
address = [ "10.100.0.101/24" ];


@@ -37,6 +37,7 @@ with lib;
hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
#https = true; #disable for testing
datadir = "/data/services/nextcloud/";
database.createLocally = true;
config.dbtype = "pgsql";
configureRedis = true;
@@ -46,7 +47,7 @@ with lib;
};
extraAppsEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
collectives = pkgs.fetchNextcloudApp {
sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
@@ -55,6 +56,12 @@ with lib;
};
settings = {
trusted_domains = ["10.0.0.13"];
"maintenance_window_start" = "1";
"default_phone_region" = "DE";
};
phpOptions = {
"realpath_cache_size" = "0";
"opcache.interned_strings_buffer" = "23";
};
};
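Review bot: `datadir = "/data/services/nextcloud/"` points into the `/data` virtiofs share that the microvm library adds in this same change, and the commit message says those mounts currently do not work; if the share is absent at boot, the setup unit (or Nextcloud itself) will create a plain directory on the guest's root filesystem and silently run with data that vanishes with the VM. Tie the unit to the mount, e.g. `systemd.services.nextcloud-setup.unitConfig.RequiresMountsFor = [ "/data" ];`, so a missing share fails loudly. Moving an existing instance also needs the current data directory copied over first, since Nextcloud does not cope with `datadirectory` changing underneath it — check whether this host already has data. `"maintenance_window_start" = "1"` is a string where Nextcloud's sample config, as I recall it, uses an integer; confirm the generated config.php is accepted before relying on the maintenance window.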


@@ -8,60 +8,60 @@ sops:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp
Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh
SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1
aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW
WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dCt1ZFR0QnRqVFdiL0Zi
VTR6Zy9ZTy9YNDBZaDRTZzJnU2ZKcjJ0MG1vCldpRU5tTzc1YU5KbjlDbXlNRjBU
Sm8yc0oyNWU1WHJoYTRvK3o4aGtTY2MKLS0tIE9wY0R0V3Vkc3Y1T1YwTkFTY0J5
ZCtzbVdtNlh0cXpra2RWbEwzUDM0UjgKY3zZn5PUWuLBQgYxm9BUpLYWw3CdXYA8
4U6OVdRF6foj4/GrKKyhVf8dMbLbkhPvxqZ5wg40o6bwHEw9QNM+5Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
- recipient: age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6
cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt
aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO
WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC
9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDZaYjRTTDc0SFU2U2xQ
cUhESStvKzM5Z0QyZlJldURtRUJZTHhvNEFrCmxReGJ6MU9qdkh6UFVPYmRuQThs
VmVCMTQwc0xkR0gzemlSUVlnN0NCZE0KLS0tIDFtK041ZlF4VFBreHVacitSVEN5
WXg4UkJtU2dTR3ZjeFYzR3lRODhLYzgKrO+NtT0Q3K8FgDwW0WiZJOUHwkEz+wp8
lgBkXy2QJuuJ11f2e9ZJ3hx1xgOm6SMBmgl3zQVfVpq88yZE8uDe2Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-26T20:00:50Z"
mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
pgp:
- created_at: "2025-01-21T21:04:08Z"
- created_at: "2025-02-06T12:36:59Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=oQd6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=xqAk
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2025-01-21T21:04:08Z"
- created_at: "2025-02-06T12:36:59Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY
r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn
59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM
FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat
QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL
qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0
MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6
7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc
oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX
or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3
BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS
WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj
8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k=
=s9pl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=Uvc2
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
unencrypted_suffix: _unencrypted


@@ -24,7 +24,7 @@ in
malobeo.disks = {
enable = true;
encryption = false;
encryption = true;
hostId = "83abc8cb";
devNodes = "/dev/disk/by-path/";
root = {


@@ -37,9 +37,11 @@ trap cleanup EXIT
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/root/"
diskKey=$(sops -d machines/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
echo "$diskKey" > $temp/root/secret.key
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
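Review bot: `echo "$diskKey" > /tmp/secret.key` and the `$temp/root/secret.key` line create the files under the default umask, so the disk passphrase is typically world-readable on the machine running the installer, and the second copy becomes `/root/secret.key` on the target, which the disko module now reads at every boot via `keylocation="file:///root/secret.key"`. Write both with restrictive permissions, e.g. `(umask 077; printf '%s\n' "$diskKey" > /tmp/secret.key; printf '%s\n' "$diskKey" > "$temp/root/secret.key")`, and make sure `cleanup` removes `/tmp/secret.key` — the trap is set above the hunk, so I cannot tell. The `sops -d machines/$hostname/disk.key` call also runs unconditionally, which will fail for a host whose encryption is disabled and has no disk.key, unless a check earlier in the script handles that. `$temp` and `$hostname` are quoted on the `install -d` lines but not on these; worth making consistent.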


@@ -6,6 +6,7 @@ usage() {
echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
echo "--fwd-port forwards the given port to port 80 on vm"
exit 1
}
@@ -22,6 +23,7 @@ DUMMY_SECRETS=false
NO_DISKO=false
RW_STORE=false
VAR_PATH=""
FWD_PORT=0
# check argws
shift
@@ -40,6 +42,15 @@ while [[ "$#" -gt 0 ]]; do
usage
fi
;;
--fwd-port)
if [[ -n "$2" && ! "$2" =~ ^- ]]; then
FWD_PORT="$2"
shift
else
echo "Error: --var requires a non-empty string argument."
usage
fi
;;
*) echo "Unknown argument: $1"; usage ;;
esac
shift
@@ -53,4 +64,4 @@ if [ -n "$VAR_PATH" ]; then
echo "sharing var directory: $VAR_PATH"
fi
nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE).config.microvm.declaredRunner"
nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
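Review bot: The error branch of the new `--fwd-port` case prints `Error: --var requires a non-empty string argument.`, copied from the `--var` case; it should read `Error: --fwd-port requires a port number.`. The check only rejects empty values and values starting with `-`, yet `$FWD_PORT` is spliced unquoted into the Nix expression on the last line, so anything that is not an integer becomes an evaluation error instead of a usage message — tighten it to `if [[ "$2" =~ ^[0-9]+$ ]]; then`. The usage text could also mention that the forward only takes effect when networking is disabled, since the library now requires `!options.withNetworking && options.fwdPort != 0`.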


@@ -23,18 +23,14 @@ echo
if [ $# = 1 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
else
echo
echo "Unlock the root disk on a remote host."