Merge master

[disko]Force grub on legacy boot
[fanny] proxypass cloud.malobeo.org
2025-01-19 18:00:27 +01:00 · 2025-01-19 17:59:29 +01:00 · 2025-01-19 14:53:39 +01:00 · 2025-01-19 14:52:33 +01:00 · 2025-01-19 14:52:20 +01:00 · 2025-01-19 14:30:58 +01:00
14 changed files with 522 additions and 225 deletions
--- a/.gitea/workflows/eval-hydra-jobs.yml
+++ b/.gitea/workflows/eval-hydra-jobs.yml
@@ -1,9 +1,8 @@
-name: "Evaluate Hydra Jobs"
+name: "Check flake syntax"
 on:
-  pull_request:
  push:
 jobs:
-  eval-hydra-jobs:
+  flake-check:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
@@ -11,5 +10,5 @@ jobs:
      run: |
        apt update -y
        apt install sudo -y        
-    - uses: cachix/install-nix-action@v27
-    - run: nix eval --no-update-lock-file --accept-flake-config .\#hydraJobs
+    - uses: cachix/install-nix-action@v30
+    - run: nix flake check --no-update-lock-file --accept-flake-config .
--- a/doc/src/Index.md
+++ b/doc/src/Index.md
@@ -1 +1,82 @@
-# Index
+# malobeo infrastructure
+
+this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner.
+
+the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html)
+
+### deploying configuration
+#### local deployment
+``` shell
+nixos-rebuild switch --use-remote-sudo
+```
+
+#### remote deployment
+you need the hostname and ip address of the host:
+``` shell
+ nixos-rebuild switch --flake .#<hostname> --target-host root@<ip_address> --build-host localhost
+```
+
+in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources
+
+
+## development
+
+### requirements
+we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf*
+``` nix
+nix.extraOptions = ''
+  experimental-features = nix-command flakes
+'';
+```
+
+More information about flakes can be found [here](https://nixos.wiki/wiki/Flakes)
+
+### dev shell
+a development shell with the correct environment can be created by running ```nix develop ```
+
+If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration)
+
+### build a configuration
+
+to build a configuration run the following command (replace ```<hostname>``` with the actual hostname):
+
+``` shell
+nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
+```
+
+### building raspberry image
+
+for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM).
+
+to be able to build the image you need to enable qemu emulation on the machine you are building with. therefore it is necessary to add the following to your configuration.nix:
+
+``` nix
+boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+```
+
+then you can build the image with:
+
+``` shell
+nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage
+```
+
+### run a configuration as vm
+
+to run a vm we have to build it first using the following command (replace ```<hostname>``` with the actual hostname):
+
+``` shell
+nix build .#nixosConfigurations.<hostname>.config.system.build.vm
+```
+
+afterwards run the following command to start the vm:
+
+``` shell
+./result/bin/run-<hostname>-vm
+```
+
+### documentation
+
+for documentation we currently just use README.md files.
+
+the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
+the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730135292,
-        "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=",
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
        "type": "github"
      },
      "original": {
@@ -67,11 +67,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733951536,
-        "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
+        "lastModified": 1736373539,
+        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
+        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
        "type": "github"
      },
      "original": {
@@ -109,11 +109,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1734041466,
-        "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
+        "lastModified": 1736905611,
+        "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
+        "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b",
        "type": "github"
      },
      "original": {
@@ -124,11 +124,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1733620091,
-        "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
        "type": "github"
      },
      "original": {
@@ -145,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733965598,
-        "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
+        "lastModified": 1737057290,
+        "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
+        "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
        "type": "github"
      },
      "original": {
@@ -160,11 +160,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1733861262,
-        "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
+        "lastModified": 1736978406,
+        "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
+        "rev": "b678606690027913f3434dea3864e712b862dde5",
        "type": "github"
      },
      "original": {
@@ -192,11 +192,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1733759999,
-        "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
+        "lastModified": 1737062831,
+        "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
+        "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
        "type": "github"
      },
      "original": {
@@ -208,11 +208,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1733808091,
-        "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
+        "lastModified": 1736916166,
+        "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
+        "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a",
        "type": "github"
      },
      "original": {
@@ -245,11 +245,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733965552,
-        "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+        "lastModified": 1737107480,
+        "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+        "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
        "type": "github"
      },
      "original": {
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -73,3 +73,12 @@ creation_rules:
      - *admin_kalipso_dsktp
      age:
      - *admin_atlan
+
+  - path_regex: nextcloud/secrets.yaml$
+    key_groups:
+    - pgp:
+      - *admin_kalipso
+      - *admin_kalipso_dsktp
+      - *machine_durruti
+      age:
+      - *admin_atlan
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -26,6 +26,7 @@ in

  malobeo.disks = {
    enable = true;
+    legacy = true;
    hostId = "a3c3102f";
    root = {
      disk0 = "disk/by-id/ata-HITACHI_HTS725016A9A364_110308PCKB04VNHX9XTJ";
@@ -33,9 +34,7 @@ in
  };

  malobeo.initssh = {
-    enable = true;
-    authorizedKeys = sshKeys.admins;
-    ethernetDrivers = ["r8169"];
+    enable = false;
  };

  hardware.sane.enable = true; #scanner support
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
@@ -3,6 +3,7 @@
 , nixpkgs
 , sops-nix
 , inputs
+, microvm
 , nixos-hardware
 , home-manager
 , ...
@@ -34,15 +35,14 @@ let
            };
          };
        })
-
        sops-nix.nixosModules.sops
+        microvm.nixosModules.microvm
      ];
    }
  ];
  defaultModules = baseModules;

  makeMicroVM = hostName: ipv4Addr: macAddr: modules: [
-    inputs.microvm.nixosModules.microvm
    {
      microvm = {
        hypervisor = "cloud-hypervisor";
@@ -170,10 +170,20 @@ in
    ];
  };

+  nextcloud = nixosSystem {
+    system = "x86_64-linux";
+    specialArgs.inputs = inputs;
+    specialArgs.self = self;
+    modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [
+      ./nextcloud/configuration.nix
+    ];
+  };
+
  testvm = nixosSystem {
    system = "x86_64-linux";
    specialArgs.inputs = inputs;
    specialArgs.self = self;
    modules = defaultModules ++ [ ./testvm ];
  };
+
 }
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -53,7 +53,7 @@ in
  };

  services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ "infradocs" ];
+  services.malobeo.microvm.deployHosts = [ "infradocs" "nextcloud" ];

  networking = {
    firewall = {
@@ -70,6 +70,14 @@ in
        '';
      };
    };
+
+    virtualHosts."cloud.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://10.0.0.13";
+        extraConfig = ''
+        '';
+      };
+    };
  };

  services.tor = {
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -20,6 +20,11 @@ in
      default = true;
      description = "Allows encryption to be disabled for testing";
    };
+    legacy = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Enable legacy boot (bios)";
+    };
    devNodes = lib.mkOption {
      type = lib.types.str;
      default = "/dev/disk/by-id/";
@@ -81,198 +86,220 @@ in
    };
  };

-  config = lib.mkIf cfg.enable {
-    networking.hostId = cfg.hostId;
-    disko.devices = {
-      disk = lib.mkMerge [
-        {
-          ssd0 = lib.mkIf (cfg.root.disk0 != "") {
-            type = "disk";
-            device = "/dev/${cfg.root.disk0}";
-            content = {
-              type = "gpt";
-              partitions = {
-                ESP = {
-                  size = "1024M";
-                  type = "EF00";
-                  content = {
-                    type = "filesystem";
-                    format = "vfat";
-                    mountpoint = "/boot";
-                    mountOptions = [ "umask=0077" ];
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.enable && !cfg.legacy) {
+      boot = {
+        loader.systemd-boot.enable = true;
+        loader.efi.canTouchEfiVariables = true;
+        supportedFilesystems = [ "vfat" "zfs" ];
+      };
+      fileSystems."/boot".neededForBoot = true;
+    })
+    (lib.mkIf (cfg.enable && cfg.legacy) {
+      boot.loader.grub = {
+        enable = lib.mkForce true;
+        device = "/dev/${cfg.root.disk0}-part1";
+        efiSupport = false;
+        enableCryptodisk = cfg.encryption;
+        zfsSupport = true;
+      };
+    })
+    (lib.mkIf cfg.enable {
+      networking.hostId = cfg.hostId;
+      disko.devices = {
+        disk = lib.mkMerge [
+          {
+            ssd0 = lib.mkIf (cfg.root.disk0 != "") {
+              type = "disk";
+              device = "/dev/${cfg.root.disk0}";
+              content = {
+                type = "gpt";
+                partitions = {
+                  ESP = lib.mkIf (!cfg.legacy) {
+                    size = "1024M";
+                    type = "EF00";
+                    content = {
+                      type = "filesystem";
+                      format = "vfat";
+                      mountpoint = "/boot";
+                      mountOptions = [ "umask=0077" ];
+                    };
                  };
-                };
-                encryptedSwap = {
-                  size = cfg.root.swap;
-                  content =  {
-                    type = "swap";
-                    randomEncryption = true;
+                  boot = lib.mkIf cfg.legacy {
+                    size = "1024M";
+                    type = "EF02";
                  };
-                };
-                zfs = {
-                  size = "100%";
-                  content = {
-                    type = "zfs";
-                    pool = "zroot";
+                  encryptedSwap = {
+                    size = cfg.root.swap;
+                    content =  {
+                      type = "swap";
+                      randomEncryption = true;
+                    };
                  };
-                };
-              };
-            };
-          };
-          ssd1 = lib.mkIf (cfg.root.disk1 != "") {
-            type = "disk";
-            device = "/dev/${cfg.root.disk1}";
-            content = {
-              type = "gpt";
-              partitions = {
-                zfs = {
-                  size = "100%";
-                  content = {
-                    type = "zfs";
-                    pool = "zroot";
-                  };
-                };
-              };
-            };
-          };
-        }
-        (lib.mkIf cfg.storage.enable (
-          lib.mkMerge (
-            map (diskname: {
-              "${diskname}" = {
-                type = "disk";
-                device = "/dev/${diskname}";
-                content = {
-                  type = "gpt";
-                  partitions = {
-                    zfs = {
-                      size = "100%";
-                      content = {
-                        type = "zfs";
-                        pool = "storage";
-                      };
+                  zfs = {
+                    size = "100%";
+                    content = {
+                      type = "zfs";
+                      pool = "zroot";
                    };
                  };
                };
              };
-            }) cfg.storage.disks
-          )
-        ))
-      ];
+            };
+            ssd1 = lib.mkIf (cfg.root.disk1 != "") {
+              type = "disk";
+              device = "/dev/${cfg.root.disk1}";
+              content = {
+                type = "gpt";
+                partitions = {
+                  zfs = {
+                    size = "100%";
+                    content = {
+                      type = "zfs";
+                      pool = "zroot";
+                    };
+                  };
+                };
+              };
+            };
+          }
+          (lib.mkIf cfg.storage.enable (
+            lib.mkMerge (
+              map (diskname: {
+                "${diskname}" = {
+                  type = "disk";
+                  device = "/dev/${diskname}";
+                  content = {
+                    type = "gpt";
+                    partitions = {
+                      zfs = {
+                        size = "100%";
+                        content = {
+                          type = "zfs";
+                          pool = "storage";
+                        };
+                      };
+                    };
+                  };
+                };
+              }) cfg.storage.disks
+            )
+          ))
+        ];

-      zpool = {
-        zroot = {
-          type = "zpool";
-          mode = lib.mkIf cfg.root.mirror "mirror";
-          # Workaround: cannot import 'zroot': I/O error in disko tests
-          options.cachefile = "none";
-          rootFsOptions = {
-            mountpoint = "none";
-            xattr = "sa";         # für microvm virtiofs mount
-            acltype = "posixacl"; # für microvm virtiofs mount 
-            compression = "zstd";
-            "com.sun:auto-snapshot" = "false";
+        zpool = {
+          zroot = {
+            type = "zpool";
+            mode = lib.mkIf cfg.root.mirror "mirror";
+            # Workaround: cannot import 'zroot': I/O error in disko tests
+            options.cachefile = "none";
+            rootFsOptions = {
+              mountpoint = "none";
+              xattr = "sa";         # für microvm virtiofs mount
+              acltype = "posixacl"; # für microvm virtiofs mount 
+              compression = "zstd";
+              "com.sun:auto-snapshot" = "false";
+            };
+
+            datasets = {
+              encrypted = {
+                type = "zfs_fs";
+                options = {
+                  mountpoint = "none";
+                  encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                  keyformat = lib.mkIf cfg.encryption "passphrase";
+                  keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+                };
+                # use this to read the key during boot
+                postCreateHook = lib.mkIf cfg.encryption ''
+                  zfs set keylocation="prompt" zroot/encrypted;
+                '';
+              };
+              "encrypted/root" = {
+                type = "zfs_fs";
+                mountpoint = "/";
+                options.mountpoint = "legacy";
+              };
+              "encrypted/var" = {
+                type = "zfs_fs";
+                mountpoint = "/var";
+                options.mountpoint = "legacy";
+              };
+              "encrypted/etc" = {
+                type = "zfs_fs";
+                mountpoint = "/etc";
+                options.mountpoint = "legacy";
+              };
+              "encrypted/home" = {
+                type = "zfs_fs";
+                mountpoint = "/home";
+                options.mountpoint = "legacy";
+              };
+              "encrypted/nix" = {
+                type = "zfs_fs";
+                mountpoint = "/nix";
+                options.mountpoint = "legacy";
+              };
+              reserved = {
+                # for cow delete if pool is full
+                options = {
+                  canmount = "off";
+                  mountpoint = "none";
+                  reservation = "${cfg.root.reservation}";
+                };
+                type = "zfs_fs";
+              };
+            };
          };

-          datasets = {
-            encrypted = {
-              type = "zfs_fs";
-              options = {
-                mountpoint = "none";
-                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
-                keyformat = lib.mkIf cfg.encryption "passphrase";
-                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+          storage = lib.mkIf cfg.storage.enable {
+            type = "zpool";
+            mode = lib.mkIf (cfg.storage.mirror) "mirror";
+            rootFsOptions = { 
+              mountpoint = "none";
+              xattr = "sa";         # für microvm virtiofs mount
+              acltype = "posixacl"; # für microvm virtiofs mount 
+            };
+            datasets = {
+              encrypted = {
+                type = "zfs_fs";
+                options = {
+                  mountpoint = "none";
+                  encryption = lib.mkIf cfg.encryption "aes-256-gcm";
+                  keyformat = lib.mkIf cfg.encryption "passphrase";
+                  keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+                };
+                # use this to read the key during boot
+                postCreateHook = lib.mkIf cfg.encryption ''
+                  zfs set keylocation="prompt" storage/encrypted;
+                '';
              };
-              # use this to read the key during boot
-              postCreateHook = lib.mkIf cfg.encryption ''
-                zfs set keylocation="prompt" zroot/encrypted;
-              '';
-            };
-            "encrypted/root" = {
-              type = "zfs_fs";
-              mountpoint = "/";
-              options.mountpoint = "legacy";
-            };
-            "encrypted/var" = {
-              type = "zfs_fs";
-              mountpoint = "/var";
-              options.mountpoint = "legacy";
-            };
-            "encrypted/etc" = {
-              type = "zfs_fs";
-              mountpoint = "/etc";
-              options.mountpoint = "legacy";
-            };
-            "encrypted/home" = {
-              type = "zfs_fs";
-              mountpoint = "/home";
-              options.mountpoint = "legacy";
-            };
-            "encrypted/nix" = {
-              type = "zfs_fs";
-              mountpoint = "/nix";
-              options.mountpoint = "legacy";
-            };
-            reserved = {
-              # for cow delete if pool is full
-              options = {
-                canmount = "off";
-                mountpoint = "none";
-                reservation = "${cfg.root.reservation}";
+              "encrypted/data" = {
+                type = "zfs_fs";
+                mountpoint = "/data";
+                options.mountpoint = "legacy";
              };
-              type = "zfs_fs";
-            };
-          };
-        };
-
-        storage = lib.mkIf cfg.storage.enable {
-          type = "zpool";
-          mode = lib.mkIf (cfg.storage.mirror) "mirror";
-          rootFsOptions = { 
-            mountpoint = "none";
-            xattr = "sa";         # für microvm virtiofs mount
-            acltype = "posixacl"; # für microvm virtiofs mount 
-          };
-          datasets = {
-            encrypted = {
-              type = "zfs_fs";
-              options = {
-                mountpoint = "none";
-                encryption = lib.mkIf cfg.encryption "aes-256-gcm";
-                keyformat = lib.mkIf cfg.encryption "passphrase";
-                keylocation = lib.mkIf cfg.encryption "file:///tmp/secret.key";
+              reserved = {
+                # for cow delete if pool is full
+                options = {
+                  canmount = "off";
+                  mountpoint = "none";
+                  reservation = "${cfg.storage.reservation}";
+                };
+                type = "zfs_fs";
              };
-              # use this to read the key during boot
-              postCreateHook = lib.mkIf cfg.encryption ''
-                zfs set keylocation="prompt" storage/encrypted;
-              '';
-            };
-            "encrypted/data" = {
-              type = "zfs_fs";
-              mountpoint = "/data";
-              options.mountpoint = "legacy";
-            };
-            reserved = {
-              # for cow delete if pool is full
-              options = {
-                canmount = "off";
-                mountpoint = "none";
-                reservation = "${cfg.storage.reservation}";
-              };
-              type = "zfs_fs";
            };
          };
        };
      };
-    };

-    boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
+      boot.zfs.devNodes = lib.mkDefault cfg.devNodes;

-    fileSystems."/".neededForBoot = true;
-    fileSystems."/etc".neededForBoot = true;
-    fileSystems."/boot".neededForBoot = true;
-    fileSystems."/var".neededForBoot = true;
-    fileSystems."/home".neededForBoot = true;
-    fileSystems."/nix".neededForBoot = true;
-  };
+      fileSystems."/".neededForBoot = true;
+      fileSystems."/etc".neededForBoot = true;
+      fileSystems."/var".neededForBoot = true;
+      fileSystems."/home".neededForBoot = true;
+      fileSystems."/nix".neededForBoot = true;
+    })
+  ];
 }
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -26,13 +26,9 @@ in
  
  config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
    boot = {
-      loader.systemd-boot.enable = true;
-      loader.efi.canTouchEfiVariables = true;
-      supportedFilesystems = [ "vfat" "zfs" ];
      zfs = {
        forceImportAll = true;
        requestEncryptionCredentials = true;
-        
      };
      initrd = {
        availableKernelModules = cfg.ethernetDrivers;
--- a/machines/nextcloud/configuration.nix
+++ b/machines/nextcloud/configuration.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs,  ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    nextcloudAdminPass = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  networking = {
+    hostName = mkDefault "nextcloud";
+    useDHCP = false;
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+    ../modules/minimal_tools.nix
+    ../modules/autoupdate.nix
+  ];
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud30;
+    hostName = "cloud.malobeo.org";
+    config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
+    #https = true; #disable for testing
+    database.createLocally = true;
+    config.dbtype = "pgsql";
+    configureRedis = true;
+    caching = {
+      redis = true;
+      apcu = true;
+    };
+    extraAppsEnable = true;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
+      collectives = pkgs.fetchNextcloudApp {
+        sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
+        url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
+        license = "agpl3Plus";
+      };
+    };
+    settings = {
+      trusted_domains = ["10.0.0.13"];
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
@@ -0,0 +1,79 @@
+nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVGxsNmZ3Z0RIYmMyL0Mr
+            UUpaMEZLTCtQaGFrL1YwOVBicEtNRTVaVGhRCmhDSUgxYXpRcldaMngvOWJDdnNo
+            b2ZFbUdmcE9EV2E3SkMvZ1RpKzZmeU0KLS0tIE5hNmVFTXpBZFZ3bHYwQlJQaUtw
+            UFJmTVFaOTJXN09QLzY4emh5Z3hqRjAKXk1PSwR2x0H2cMN06fyigiusz8v2IRIg
+            S4ZTq/JX39U4QQHgWA1dFPfC636LNBo+QKdl/2mjwnXW7duqDJ+5kA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-26T20:00:50Z"
+    mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
+    pgp:
+        - created_at: "2024-11-26T19:59:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv+KkX46UGQzLvhrk/VUCnnMdLEcNbYfk4h+sZJzs1riOGA
+            LAKYNeaeN6iLLeZX+T2/s5OT4WkIEKGg8/gziurdx01BR70M96Faubp6EVtdK44+
+            6F5BLLrDhlEKDNOx48qPwJdFjbYW4wZLWmv5nzwPmmRCKO7MoI9UHKq69msCor1i
+            ralbjlVHyKSuRfvflKAlxFoEqeB6H+ryc54g3stk1j2eFiMNuF/oKDJZT+XI5LHZ
+            Ai80DAWoUBYgpP4aWiNC075GPutdPlZ3mrGf5+7QnNm7GmNUdJN5VAWmI2NUGr1J
+            BLopnPFo4juWNsZkLMj2aAuKvGTkhz2PuFKfLj6Erpu82RAjadpFWx239n+i4Ryq
+            wSquYshpuiecLEejntTBKLEacwp+aPx8IHKnOOKBTdJj+YYaISiznQAlkF7WS+lg
+            MTZR85BvCxiPogujL7uhYSx1wM5FVkuAIPf1JOJCRvQt30eRRrR0VMrmqQ1Kl5OT
+            VMzZRIGIoC5vrKGeIIjJ0lgBWQ3bYFh/LGrwKetku6TRAH29mp/XwQqBC97RsUYb
+            EOxft5sUWaYrXK+z2yzCxOQBWKJISPgcyhdoKfYGnRkHXHi2Uay84oQP4co72eVF
+            cAhEJOxMw36e
+            =bSaN
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2024-11-26T19:59:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUARAAmG88ZDt43zj6dCJkYYVj7MGIhIviJzilTvX4+EfNobtA
+            tll60GYfRotKnwbuqzSVaaIcV+6cDQ5I1hG5WNFJSXm7DpJ0W1Ir1x2hpxektXFa
+            fQ+9HiCOfEqUu5PEynCAD1jN6CQLdl87hLQx9TqbZnHuUYPSH1o9Y6kbA/Vp3bpy
+            evJc8qa66WHYH1kjdEw+qneD5HzZQOLOtXZ7xkxjGbyMcYex9JfyGHohO5dpLg6B
+            3XrLlIWWERVz04MlnzlaMKfzhoMCU9ByqJSQ3VBm9kblQqu54fOZD2sN8j9ACEfL
+            YNC7Jm2rasVSqv09G1kso9/VNDw3kNCLvjnpE5rJRP7Ckfj+4FxQN/zPVUwQ1e1k
+            upoQ8MHyf1bJr8vspm/prm9zp+PRRTUwY1Yyts/ffj+CF5ec9M3jr/RSeEAdswsL
+            6dLKBL1LuLAjKXOuVnQ7E6gN940Y994sDFkbqEmzzCUHGcfxSF3IDn/qpkQlqerU
+            B/D43Yef+rtsUDyTA5RUpxKleGORcS4sV0BhQrNXeFclaMTyMr+AbOei4Y77qlD1
+            x/fHB3IT4Intvp9k4m6jJ86RtLpVhEoA4cHEdCCiXHzUpA6aVtNHVAOqT/aBykrf
+            uSm1wu/nl6yKbIwTJueli1OfQYKEYcUdjOrEOwXb+UDQKSohWZrMg0sj7/S6Pl/S
+            WAG1BZ20HXD2ZrVqESV87Pl04nKMqswrio+BINfAT9X3ya7L3DF69MR18bDt+ZIB
+            0F3+9WUREGI5in4S3hXNxrgfLNFl1YLklfWLYcx0HXJN3z6F2eJOUvM=
+            =aT3U
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+        - created_at: "2024-11-26T19:59:36Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1kR3vWkIYVnARAAqFyuCtvu6AidWg/9+btEcjWv0sBZaIRpYfX3p2QECwCu
+            UYAtssvSHgHdBEQzU27MA/5CGmEreB3NhWrjGquv88RojLO1JuhNHGYPZKeIcBKr
+            I2oS79RKuYs+d2Qu0KUYDaVoY9M5YJsfkju2FOXqMNYlbqX+lDuWnisigj3n2N4e
+            OEBnVIpfPBQE6c1Z9DaQJE7MyBbKfg5YeWjlwwh+fCf1dV/nGp+QdD88F3dzWMoK
+            xNGt69TwZ8JUVmElAIJqLJTpyDI5xHQUw2A6ddPSTk/u363eHhOnZZUNAAm3FdO5
+            0x+4QhcBaH59S8WDZhw4MVmZN7v4+3l3mf7Rx/TXSz4oJg+U7RMgvc291/gowNVm
+            /cVhBlMYz4Ogx/OYR/t+nzq35r+eBungTB+dRXw7qTTfkCtNgp34JMCkGAq5WWnY
+            57H2HtssGiMF0qN4SfWxw7317oUmqHI2XvG0yWt42G++jNgIGbDOtuc/7wATEbhK
+            SBX2aLqDIB1OUwLHQeawyKkB0qGmRSVPkPg8JLwRp43ICETH1WPkY5m/a2slVlDj
+            qgdw00clTI5Fgu/5G5QBD4Ds9f9ZwjrMD4v+NYfGxa0ajisXl1X6CL1+YvQ6Uicf
+            QmIRJYxyVd0VoXScZnsk0T/XTKjJB/fRLRalA2PmlZ1v+gisCUz2dhM+OHtSjGTS
+            WAG5znRbP8UMVt02O0PgbzHYtIUAtQLCuBnzfEKJn721rqCXf7DXU3jrR73Ys6ce
+            VJzkVBMnBszF71GN56t0PaUYIDOnaGvgjMtHHtOCLQHSK7asnm/Bc+E=
+            =Znii
+            -----END PGP MESSAGE-----
+          fp: 4095412245b6efc14cf92ca25911def5a4218567
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/outputs.nix
+++ b/outputs.nix
@@ -20,6 +20,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
    let
      sops = sops-nix.packages."${pkgs.system}";
      microvmpkg = microvm.packages."${pkgs.system}";
+      installed = builtins.attrNames self.legacyPackages."${pkgs.system}".scripts;
    in
    pkgs.mkShell {
      sopsPGPKeyDirs = [
@@ -37,11 +38,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
        pkgs.mdbook
        microvmpkg.microvm
      ];
+      packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
+      shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
+    };
+    legacyPackages = {
+      scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
+      scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
    };
-
    packages = {
-      remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
-      boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
      docs = pkgs.stdenv.mkDerivation {
        name = "malobeo-docs";
        phases = [ "buildPhase" ];
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -1,5 +1,4 @@
 set -o errexit
-set -o nounset
 set -o pipefail

 if [ $# -lt 2 ]; then
@@ -9,6 +8,21 @@ if [ $# -lt 2 ]; then
  exit 1
 fi

+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi
+
 hostname=$1
 ipaddress=$2

--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -4,19 +4,33 @@ set -o pipefail
 sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
 HOSTNAME=$1

-echo
-diskkey=$(sops -d machines/$HOSTNAME/disk.key)
+if [ ! -e flake.nix ]
+    then
+    echo "flake.nix not found. Searching down."
+    while [ ! -e flake.nix ]
+        do
+        if [ $PWD = "/" ]
+            then
+            echo "Found root. Aborting."
+            exit 1
+            else
+            cd ..
+        fi
+    done
+fi

+echo
 if [ $# = 1 ]
    then
+    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage

    echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root

 elif [ $# = 2 ]
    then
+    diskkey=$(sops -d machines/$HOSTNAME/disk.key)
    IP=$2
-    
    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage

    echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
Author	SHA1	Message	Date
ahtlon	c51c1e8e92	Merge master All checks were successful Check flake syntax / flake-check (push) Successful in 6m6s Details	2025-01-19 18:00:27 +01:00
ahtlon	a96b8f65c9	[disko]Force grub on legacy boot Some checks failed Check flake syntax / flake-check (push) Waiting to run Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Has been cancelled Details Check flake syntax / flake-check (pull_request) Has been cancelled Details	2025-01-19 17:59:29 +01:00
kalipso	68b3da7df8	[fanny] proxypass cloud.malobeo.org All checks were successful Check flake syntax / flake-check (push) Successful in 6m3s Details	2025-01-19 14:53:39 +01:00
kalipso	affcc71eb1	[fanny] deploy nextcloud Some checks failed Check flake syntax / flake-check (push) Has been cancelled Details	2025-01-19 14:52:33 +01:00
kalipso	4462856fa0	[nextcloud] rm obsolete nameserver	2025-01-19 14:52:20 +01:00
kalipso	5352c1fa4d	[docs] make readme the index still most of it is quite out of date...	2025-01-19 14:30:58 +01:00
ahtlon	fabf48a5c0	[nextcloud] nextcloud works now All checks were successful Check flake syntax / flake-check (push) Successful in 8m17s Details	2025-01-19 14:22:08 +01:00
ahtlon	617c177892	[nextcloud] flake update because for some reason the sha changed	2025-01-19 14:22:08 +01:00
ahtlon	9b4cd02e53	[nextcloud] enable postgress, redis, change domain	2025-01-19 14:22:08 +01:00
ahtlon	fab1b18263	[nextcloud] rm discourse	2025-01-19 14:22:08 +01:00
kalipso	cbd041f563	[nextcloud] fix hostname	2025-01-19 14:22:08 +01:00
ahtlon	ef25c686b4	add nextcloud collectives	2025-01-19 14:22:08 +01:00
ahtlon	66392ca2c2	login geht	2025-01-19 14:22:08 +01:00
ahtlon	9afa8987e7	nextcloud minimal	2025-01-19 14:22:08 +01:00
ahtlon	0239733e62	sops....	2025-01-19 14:22:08 +01:00
ahtlon	d9cf3588bf	Start over but right this time	2025-01-19 14:22:08 +01:00
ahtlon	2500b8ab9a	basic discourse example	2025-01-19 14:22:08 +01:00
ahtlon	52824e39ee	with nix flake check the hydraJobs output is evaluated in the same way as Hydra's hydra-eval-jobs All checks were successful Check flake syntax / flake-check (push) Successful in 13m21s Details	2025-01-18 23:41:53 +01:00
ahtlon	8793120436	Only run on push	2025-01-18 23:40:11 +01:00
Ahtlon	29d6bc02e0	Merge branch 'master' into issue31 Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 3m41s Details Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 3m46s Details Check flake syntax / flake-check (pull_request) Failing after 2m20s Details Check flake syntax / flake-check (push) Failing after 2m15s Details	2025-01-18 22:57:21 +01:00
ahtlon	950ada1e10	[actions] Add flake check All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m33s Details Check flake syntax / flake-check (push) Successful in 7m30s Details	2025-01-18 22:24:21 +01:00
ahtlon	1e269966ff	Merge branch 'fix-flake-check' All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 5m54s Details nix flake check and show now work again	2025-01-18 22:02:19 +01:00
ahtlon	3861daaf76	[modules] move microvm module import from makeMicroVM to baseModules	2025-01-18 22:01:06 +01:00
ahtlon	3a332e77d1	[scripts] move packages to legacyPackages	2025-01-18 21:45:48 +01:00
ahtlon	c0cef1ff1e	Apply legacy to bakunin Some checks failed Evaluate Hydra Jobs / eval-hydra-jobs (push) Has been cancelled Details Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 5m14s Details	2025-01-18 21:33:41 +01:00
ahtlon	7099c92236	[disko] add legacy option I don't know if the grub device is right	2025-01-18 21:33:23 +01:00
ahtlon	79c311b45d	Merge branch 'issue51' All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 6m3s Details Fixes #51	2025-01-18 20:41:06 +01:00
ahtlon	850070f987	[scripts] check for flake.nix All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m15s Details	2025-01-18 20:39:16 +01:00
ahtlon	d242562544	[packages] make scripts available in shell without nix run All checks were successful Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 4m7s Details	2025-01-18 20:04:22 +01:00