From 0a5359138af1fdd0ca99cc2628eb9b0b2ebd1886 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Wed, 22 Jan 2025 03:28:04 +0100
Subject: [PATCH 01/33] [nix] init host_builder.nix
---
 machines/modules/host_builer.nix | 71 ++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 machines/modules/host_builer.nix
diff --git a/machines/modules/host_builer.nix b/machines/modules/host_builer.nix
new file mode 100644
index 0000000..46f961a
--- /dev/null
+++ b/machines/modules/host_builer.nix
@@ -0,0 +1,71 @@
+{ ... }:
+
+{
+ malobeo = {
+ hosts = {
+ louise = {
+ type = "host";
+ };
+
+ bakunin = {
+ type = "host";
+ };
+
+ fanny = {
+ type = "host";
+ };
+
+ lucia = {
+ type = "rpi";
+ };
+
+ durruti = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.5";
+ mac = "52:DA:0D:F9:EF:F9";
+ };
+ };
+
+ vpn = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.10";
+ mac = "D0:E5:CA:F0:D7:E6";
+ };
+ };
+
+ infradocs = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.11";
+ mac = "D0:E5:CA:F0:D7:E7";
+ };
+ };
+
+ uptimekuma = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.12";
+ mac = "D0:E5:CA:F0:D7:E8";
+ };
+ };
+
+ nextcloud = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.13";
+ mac = "D0:E5:CA:F0:D7:E9";
+ };
+ };
+
+ overwatch = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.14";
+ mac = "D0:E5:CA:F0:D7:E0";
+ };
+ };
+ };
+ };
+}
--
2.51.2
From 47eda8101984c9e92a64de6e41d114a07af51d2c Mon Sep 17 00:00:00 2001
From: kalipso
Date: Wed, 22 Jan 2025 04:22:43 +0100
Subject: [PATCH 02/33] [nix] generate hosts
---
 machines/configuration.nix | 211 ++++++++++++++++++++-----------
 1 file changed, 112 insertions(+), 99 deletions(-)
diff --git a/machines/configuration.nix b/machines/configuration.nix
index 0e7fd4b..887023e 100644
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
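Review bot: The `type` field is a bare string that later commits branch on by equality (`settings.type == "rpi"`, `!= "microvm"` in patches 02 and 03), yet nothing in this file says which values are valid, so a misspelling such as `"microVM"` would silently be built as a plain host. Add a short comment above `hosts`, e.g. `# type: "host" (x86_64-linux), "rpi" (built as aarch64-linux) or "microvm" (requires network.address and network.mac)`, and note that `address` is a bare IPv4 address whose prefix length is supplied by the consumer. The same comment belongs in machines/hosts.nix, which patch 03 creates with identical content.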
@@ -95,104 +95,117 @@ let ] ++ defaultModules ++ modules; inputsMod = inputs // { malobeo = self; }; + + hosts = import ./modules/host_builer.nix {}; in -{ - louise = nixosSystem { - system = "x86_64-linux"; + builtins.mapAttrs (host: settings: nixosSystem { + system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; specialArgs.inputs = inputs; - modules = defaultModules ++ [ - ./louise/configuration.nix - ]; - }; - - bakunin = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - modules = defaultModules ++ [ - ./bakunin/configuration.nix - inputs.disko.nixosModules.disko - ]; - }; - - lucia = nixosSystem { - system = "aarch64-linux"; - specialArgs.inputs = inputs; - modules = defaultModules ++ [ - ./lucia/configuration.nix - ./lucia/hardware_configuration.nix - ]; - }; - - fanny = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputsMod; - modules = defaultModules ++ [ - self.nixosModules.malobeo.vpn - ./fanny/configuration.nix - ]; - }; - - durruti = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [ - ./durruti/configuration.nix - ]; - }; - - vpn = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [ - self.nixosModules.malobeo.vpn - ./vpn/configuration.nix - ]; - }; - - infradocs = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [ - self.nixosModules.malobeo.vpn - ./infradocs/configuration.nix - ]; - }; - - uptimekuma = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [ - ./uptimekuma/configuration.nix - ]; - }; - - nextcloud = nixosSystem { - 
system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [ - ./nextcloud/configuration.nix - ]; - }; - - overwatch = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = makeMicroVM "overwatch" "10.0.0.14" "D0:E5:CA:F0:D7:E0" [ - ./overwatch/configuration.nix - ]; - }; - - testvm = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = defaultModules ++ [ ./testvm ]; - }; - -} + modules = (if (settings.type != "microvm") then + defaultModules ++ [ ./${host}/configuration.nix ] + else + makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [ + ./${host}/configuration.nix + ]); + }) hosts.malobeo.hosts // + { + testvm = nixosSystem { + system = "x86_64-linux"; + specialArgs.inputs = inputs; + specialArgs.self = self; + modules = defaultModules ++ [ ./testvm ]; + }; + } +#{ +# louise = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# modules = defaultModules ++ [ +# ./louise/configuration.nix +# ]; +# }; +# +# bakunin = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# modules = defaultModules ++ [ +# ./bakunin/configuration.nix +# inputs.disko.nixosModules.disko +# ]; +# }; +# +# lucia = nixosSystem { +# system = "aarch64-linux"; +# specialArgs.inputs = inputs; +# modules = defaultModules ++ [ +# ./lucia/configuration.nix +# ./lucia/hardware_configuration.nix +# ]; +# }; +# +# fanny = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputsMod; +# modules = defaultModules ++ [ +# self.nixosModules.malobeo.vpn +# ./fanny/configuration.nix +# ]; +# }; +# +# durruti = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# specialArgs.self = self; +# modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [ +# ./durruti/configuration.nix +# ]; 
+# }; +# +# vpn = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# specialArgs.self = self; +# modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [ +# self.nixosModules.malobeo.vpn +# ./vpn/configuration.nix +# ]; +# }; +# +# infradocs = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# specialArgs.self = self; +# modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [ +# self.nixosModules.malobeo.vpn +# ./infradocs/configuration.nix +# ]; +# }; +# +# uptimekuma = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# specialArgs.self = self; +# modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [ +# ./uptimekuma/configuration.nix +# ]; +# }; +# +# nextcloud = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# specialArgs.self = self; +# modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [ +# ./nextcloud/configuration.nix +# ]; +# }; +# +# overwatch = nixosSystem { +# system = "x86_64-linux"; +# specialArgs.inputs = inputs; +# specialArgs.self = self; +# modules = makeMicroVM "overwatch" "10.0.0.14" "D0:E5:CA:F0:D7:E0" [ +# ./overwatch/configuration.nix +# ]; +# }; +# +#} -- 2.51.2 From 9794c8189451085c389870a7f104aa4c34700404 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 11:52:47 +0100 Subject: [PATCH 03/33] [nix] mv host declarations to hosts.nix, add util to host_builer.nix --- machines/hosts.nix | 71 +++++++++++++ machines/modules/host_builer.nix | 165 +++++++++++++++++++------------ 2 files changed, 173 insertions(+), 63 deletions(-) create mode 100644 machines/hosts.nix diff --git a/machines/hosts.nix b/machines/hosts.nix new file mode 100644 index 0000000..46f961a --- /dev/null +++ b/machines/hosts.nix 
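Review bot: The generated `modules` list drops the per-host extras the removed entries carried; bakunin's `inputs.disko.nixosModules.disko` is no longer passed anywhere on this page (patch 07 restores the vpn and hardware modules for fanny, vpn, infradocs and lucia but does not touch bakunin), so unless bakunin/configuration.nix imports disko itself that host now evaluates without its disk layout. Independently, `settings.type` is only compared against `"rpi"` and `"microvm"`, so an unknown value falls into the plain-host branch; guard the generator with `(host: settings: assert builtins.elem settings.type [ "host" "rpi" "microvm" ]; nixosSystem { …` so a typo fails evaluation instead of producing a differently-shaped system. The microvm branch also fails with an unhelpful attribute-missing error when `settings.network` is absent, which the same assertion can cover with `settings.type != "microvm" || settings ? network`.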
@@ -0,0 +1,71 @@
+{ ... }:
+
+{
+ malobeo = {
+ hosts = {
+ louise = {
+ type = "host";
+ };
+
+ bakunin = {
+ type = "host";
+ };
+
+ fanny = {
+ type = "host";
+ };
+
+ lucia = {
+ type = "rpi";
+ };
+
+ durruti = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.5";
+ mac = "52:DA:0D:F9:EF:F9";
+ };
+ };
+
+ vpn = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.10";
+ mac = "D0:E5:CA:F0:D7:E6";
+ };
+ };
+
+ infradocs = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.11";
+ mac = "D0:E5:CA:F0:D7:E7";
+ };
+ };
+
+ uptimekuma = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.12";
+ mac = "D0:E5:CA:F0:D7:E8";
+ };
+ };
+
+ nextcloud = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.13";
+ mac = "D0:E5:CA:F0:D7:E9";
+ };
+ };
+
+ overwatch = {
+ type = "microvm";
+ network = {
+ address = "10.0.0.14";
+ mac = "D0:E5:CA:F0:D7:E0";
+ };
+ };
+ };
+ };
+}
diff --git a/machines/modules/host_builer.nix b/machines/modules/host_builer.nix
index 46f961a..e65e198 100644
--- a/machines/modules/host_builer.nix
+++ b/machines/modules/host_builer.nix
@@ -1,71 +1,110 @@ -{ ... }: +{ self +, nixpkgs-unstable +, nixpkgs +, sops-nix +, inputs +, nixos-hardware +, home-manager +, ... +}: -{ - malobeo = { - hosts = { - louise = { - type = "host"; +rec { + nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; + nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem; + + baseModules = [ + # make flake inputs accessiable in NixOS + { _module.args.inputs = inputs; } + { + imports = [ + ({ pkgs, ... }: { + nix = { + extraOptions = '' + experimental-features = nix-command flakes + ''; + + settings = { + substituters = [ + "https://cache.dynamicdiscord.de" + "https://cache.nixos.org/" + ]; + trusted-public-keys = [ + "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4=" + ]; + trusted-users = [ "root" "@wheel" ]; + }; + }; + }) + + sops-nix.nixosModules.sops + ]; + } + ]; + defaultModules = baseModules; + + makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ + inputs.microvm.nixosModules.microvm + { + microvm = { + hypervisor = "cloud-hypervisor"; + mem = 2560; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "store"; + proto = "virtiofs"; + socket = "store.socket"; + } + { + source = "/var/lib/microvms/${hostName}/etc"; + mountPoint = "/etc"; + tag = "etc"; + proto = "virtiofs"; + socket = "etc.socket"; + } + { + source = "/var/lib/microvms/${hostName}/var"; + mountPoint = "/var"; + tag = "var"; + proto = "virtiofs"; + socket = "var.socket"; + } + ]; + + interfaces = [ + { + type = "tap"; + id = "vm-${hostName}"; + mac = "${macAddr}"; + } + ]; }; - bakunin = { - type = "host"; - }; - - fanny = { - type = "host"; - }; - - lucia = { - type = "rpi"; - }; - - durruti = { - type = "microvm"; - network = { - address = "10.0.0.5"; - mac = "52:DA:0D:F9:EF:F9"; + systemd.network.enable = true; + + systemd.network.networks."20-lan" = { + matchConfig.Type = "ether"; + networkConfig = { + Address = [ "${ipv4Addr}/24" ]; + Gateway = 
"10.0.0.1"; + DNS = ["1.1.1.1"]; + DHCP = "no"; }; }; + } + ] ++ defaultModules ++ modules; - vpn = { - type = "microvm"; - network = { - address = "10.0.0.10"; - mac = "D0:E5:CA:F0:D7:E6"; - }; - }; + inputsMod = inputs // { malobeo = self; }; - infradocs = { - type = "microvm"; - network = { - address = "10.0.0.11"; - mac = "D0:E5:CA:F0:D7:E7"; - }; - }; - - uptimekuma = { - type = "microvm"; - network = { - address = "10.0.0.12"; - mac = "D0:E5:CA:F0:D7:E8"; - }; - }; - - nextcloud = { - type = "microvm"; - network = { - address = "10.0.0.13"; - mac = "D0:E5:CA:F0:D7:E9"; - }; - }; - - overwatch = { - type = "microvm"; - network = { - address = "10.0.0.14"; - mac = "D0:E5:CA:F0:D7:E0"; - }; - }; - }; - }; + buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem { + system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; + specialArgs.inputs = inputsMod; + modules = (if (settings.type != "microvm") then + defaultModules ++ [ ../${host}/configuration.nix ] + else + makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [ + ./${host}/configuration.nix + ]); + }) hosts); } -- 2.51.2 From 72c614d3300d32c69e653d31752e3a5b4286bf1b Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 11:53:41 +0100 Subject: [PATCH 04/33] [nix] create nixosConfigurations using malobeo.hosts --- outputs.nix | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/outputs.nix b/outputs.nix index 9cfbf03..8a9a301 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -229,11 +229,17 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }; }; - })) // { - nixosConfigurations = import ./machines/configuration.nix (inputs // { - inherit inputs; - self = self; - }); + })) // ( + let + utils = import ./machines/modules/host_builer.nix ( inputs // { inherit inputs; self = self; }); + hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; }); + in + { + nixosConfigurations = utils.buildHost hosts.malobeo.hosts; + #nixosConfigurations = import ./machines/configuration.nix (inputs // { + # inherit inputs; + # self = self; + #}); nixosModules.malobeo = { host.imports = [ ./machines/durruti/host_config.nix ]; @@ -255,4 +261,4 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations ); -} +}) -- 2.51.2 From 883549f15c9f675f0641ad0f4fe6e8dc51f82b1b Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 11:55:24 +0100 Subject: [PATCH 05/33] [nix] mv host_builer.nix host_builder.nix --- machines/configuration.nix | 2 +- machines/modules/{host_builer.nix => host_builder.nix} | 0 outputs.nix | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename machines/modules/{host_builer.nix => host_builder.nix} (100%) diff --git a/machines/configuration.nix b/machines/configuration.nix index 887023e..e046d59 100644 --- a/machines/configuration.nix +++ b/machines/configuration.nix @@ -96,7 +96,7 @@ let inputsMod = inputs // { malobeo = self; }; - hosts = import ./modules/host_builer.nix {}; + hosts = import ./modules/host_builder.nix {}; in builtins.mapAttrs (host: settings: nixosSystem { system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; diff --git a/machines/modules/host_builer.nix b/machines/modules/host_builder.nix similarity index 100% rename from machines/modules/host_builer.nix rename to machines/modules/host_builder.nix 
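Review bot: The new `let utils = import ./machines/modules/host_builer.nix …` reuses the name of the flake-utils input that the surrounding expression calls `utils.lib.eachSystem` on (visible in the hunk header), so inside this `let` any `utils.lib` reference would resolve to the host-builder set instead; renaming it, e.g. `hostBuilder = import ./machines/modules/host_builer.nix …;`, avoids the shadowing. Patches 06 and 09 introduce the same `utils` binding in the per-system `let` next to `pkgs`, where a flake-utils reference is more likely, so the rename applies there too. The argument set `( inputs // { inherit inputs; self = self; })` is built twice on adjacent lines; bind it once (`args = inputs // { inherit inputs self; };`) and pass `args` to both imports.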
diff --git a/outputs.nix b/outputs.nix index 8a9a301..d75afbd 100644 --- a/outputs.nix +++ b/outputs.nix @@ -231,7 +231,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems })) // ( let - utils = import ./machines/modules/host_builer.nix ( inputs // { inherit inputs; self = self; }); + utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; }); hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; }); in { -- 2.51.2 From e61f29055d6a2d3b9a8ba4be12fb9f9ab28845e4 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 12:21:33 +0100 Subject: [PATCH 06/33] [nix] mv vm overwrites to host_builder --- outputs.nix | 83 ++--------------------------------------------------- 1 file changed, 2 insertions(+), 81 deletions(-) diff --git a/outputs.nix b/outputs.nix index d75afbd..3c2433f 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -15,86 +15,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}"; pkgs = nixpkgs.legacyPackages."${system}"; - vmMicroVMOverwrites = hostname: options: { - microvm = { - mem = pkgs.lib.mkForce 4096; - hypervisor = pkgs.lib.mkForce "qemu"; - socket = pkgs.lib.mkForce null; - shares = pkgs.lib.mkForce ([ - { - tag = "ro-store"; - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ] ++ pkgs.lib.optionals (options.varPath != "") [ - { - source = "${options.varPath}"; - securityModel = "mapped"; - mountPoint = "/var"; - tag = "var"; - } - ]); - interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ - type = "user"; - id = "eth0"; - mac = "02:23:de:ad:be:ef"; - }]); - }; - - fileSystems = { - "/".fsType = pkgs.lib.mkForce "tmpfs"; - - # prometheus uses a memory mapped file which doesnt seem supported by 9p shares - # therefore we mount a tmpfs inside the datadir - "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { - fsType = pkgs.lib.mkForce "tmpfs"; - }); - }; - - boot.isContainer = pkgs.lib.mkForce false; - services.timesyncd.enable = false; - users.users.root.password = ""; - services.getty.helpLine = '' - Log in as "root" with an empty password. - Use "reboot" to shut qemu down. 
- ''; - }; - - vmDiskoOverwrites = { - boot.initrd = { - secrets = pkgs.lib.mkForce {}; - network.ssh.enable = pkgs.lib.mkForce false; - }; - - malobeo.disks.enable = pkgs.lib.mkForce false; - networking.hostId = "a3c3101f"; - }; - - vmSopsOverwrites = host: { - sops.defaultSopsFile = pkgs.lib.mkForce ./machines/${host}/dummy.yaml; - - environment.etc = { - devHostKey = { - source = ./machines/secrets/devkey_ed25519; - mode = "0600"; - }; - }; - - services.openssh.hostKeys = [{ - path = "/etc/devHostKey"; - type = "ed25519"; - }]; - }; - - buildVM = host: networking: sopsDummy: disableDisko: varPath: (self.nixosConfigurations.${host}.extendModules { - modules = [ - (vmMicroVMOverwrites host { withNetworking = networking; varPath = "${varPath}"; }) - (if sopsDummy then (vmSopsOverwrites host) else {}) - (if disableDisko then vmDiskoOverwrites else {}) - ] ++ pkgs.lib.optionals (! self.nixosConfigurations.${host}.config ? microvm) [ - microvm.nixosModules.microvm - ]; - }).config.microvm.declaredRunner; + utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; }); in { devShells.default = @@ -130,7 +51,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems scripts.run-vm = self.packages.${system}.run-vm; }; - vmBuilder = buildVM; + vmBuilder = utils.buildVM; packages = { docs = pkgs.stdenv.mkDerivation { -- 2.51.2 From f7130d14832070e99957570e6e3b1b228f245260 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 12:29:11 +0100 Subject: [PATCH 07/33] [nix] fix imports --- machines/fanny/configuration.nix | 1 + machines/infradocs/configuration.nix | 2 +- machines/lucia/configuration.nix | 1 + machines/vpn/configuration.nix | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 6c19159..6d215a3 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix 
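Review bot: This commit removes `buildVM` and its overwrite helpers from outputs.nix and points `vmBuilder` at `utils.buildVM`, but the diffstat shows only outputs.nix changing, and host_builder.nix as of patch 05 defines no `buildVM`, so the `vmBuilder` output cannot evaluate until patch 09 lands. The helper move should be part of this commit (or the two squashed) so every revision in the series stays buildable and bisectable; the commit message says the overwrites were moved, so the omission looks like a forgotten `git add` of machines/modules/host_builder.nix.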
@@ -13,6 +13,7 @@ in ../modules/sshd.nix ../modules/minimal_tools.nix ../modules/autoupdate.nix + inputs.self.nixosModules.malobeo.vpn inputs.self.nixosModules.malobeo.initssh inputs.self.nixosModules.malobeo.disko inputs.self.nixosModules.malobeo.microvm diff --git a/machines/infradocs/configuration.nix b/machines/infradocs/configuration.nix index fece076..d1cc2fa 100644 --- a/machines/infradocs/configuration.nix +++ b/machines/infradocs/configuration.nix @@ -9,7 +9,7 @@ with lib; }; imports = [ - self.nixosModules.malobeo.metrics + inputs.malobeo.nixosModules.malobeo.metrics ../durruti/documentation.nix ../modules/malobeo_user.nix ../modules/sshd.nix diff --git a/machines/lucia/configuration.nix b/machines/lucia/configuration.nix index 7184763..3688f84 100644 --- a/machines/lucia/configuration.nix +++ b/machines/lucia/configuration.nix @@ -6,6 +6,7 @@ in { imports = [ # Include the results of the hardware scan. + ./hardware_configuration.nix ../modules/malobeo_user.nix ]; diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix index 82914b4..6caeed1 100644 --- a/machines/vpn/configuration.nix +++ b/machines/vpn/configuration.nix @@ -17,6 +17,7 @@ with lib; }; imports = [ + inputs.self.nixosModules.malobeo.vpn ../modules/malobeo_user.nix ../modules/sshd.nix ../modules/minimal_tools.nix -- 2.51.2 From caa0a800a8f7665388bbb61c6ef069ec4174e234 Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 12:30:17 +0100 Subject: [PATCH 08/33] [vmBuilder] add writable store flag --- outputs.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/outputs.nix b/outputs.nix index 3c2433f..86be7f6 100644 --- a/outputs.nix +++ b/outputs.nix 
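Review bot: The same flake is referenced by two different paths in this commit: fanny and vpn import `inputs.self.nixosModules.malobeo.vpn`, while infradocs switches to `inputs.malobeo.nixosModules.malobeo.metrics`. The context lines in fanny show `inputs.self` already in use, so both forms evidently resolve, but `inputs.malobeo` is the one host_builder defines explicitly (`inputsMod = inputs // { malobeo = self; }`); using it in all four files removes the dependency on `self` being present in the raw flake inputs and keeps module imports greppable.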
@@ -78,6 +78,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems echo "--networking setup interfaces. requires root and hostbridge enabled on the host" echo "--dummy-secrets run vm with dummy sops secrets" echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny" + echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny" echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate" exit 1 } @@ -93,6 +94,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems NETWORK=false DUMMY_SECRETS=false NO_DISKO=false + RW_STORE=false VAR_PATH="" # check argws @@ -102,6 +104,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems --networking) NETWORK=true ;; --dummy-secrets) DUMMY_SECRETS=true ;; --no-disko) NO_DISKO=true ;; + --writable-store) RW_STORE=true ;; --var) if [[ -n "$2" && ! "$2" =~ ^- ]]; then VAR_PATH="$2" @@ -119,11 +122,12 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems echo "enable networking: $NETWORK" echo "deploy dummy secrets: $DUMMY_SECRETS" echo "disable disko and initrd secrets: $NO_DISKO" + echo "use writable store: $RW_STORE" if [ -n "$VAR_PATH" ]; then echo "sharing var directory: $VAR_PATH" fi - ${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\")" + ${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE).config.microvm.declaredRunner" ''; }; -- 2.51.2 From 13db9eb4c975d3fe58597a57a585022a068e61aa Mon Sep 17 00:00:00 2001 
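Review bot: `$HOSTNAME` and `$VAR_PATH` are spliced verbatim into the Nix expression passed to `nix run --impure --expr`, so a value containing a double quote or `${` changes the expression rather than being treated as data, and with `$RW_STORE` the expression now carries six interpolated arguments. Validate the host name before the `nix run` line, e.g. `[[ "$HOSTNAME" =~ ^[A-Za-z0-9_-]+$ ]] || usage`, and reject `$VAR_PATH` values containing `"` the same way. The `usage()` banner (`Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]`, visible in patch 11's copy of the script) still omits `--writable-store` and `--var`, so the new flag is only discoverable from the longer description lines. `HOSTNAME` is also a variable bash pre-populates with the machine's own name; a distinct name such as `TARGET_HOST` avoids confusion when the argument is missing.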
From: kalipso Date: Wed, 22 Jan 2025 17:17:16 +0100 Subject: [PATCH 09/33] [nix] mv buildVM to host_builder --- machines/modules/host_builder.nix | 142 ++++++++++++++++++++++++++++-- outputs.nix | 5 +- 2 files changed, 140 insertions(+), 7 deletions(-) diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index e65e198..98e7bb4 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix @@ -3,11 +3,12 @@ , nixpkgs , sops-nix , inputs -, nixos-hardware -, home-manager +, hosts , ... }: - +let + pkgs = nixpkgs.legacyPackages."x86_64-linux"; +in rec { nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem; @@ -43,7 +44,6 @@ rec { defaultModules = baseModules; makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ - inputs.microvm.nixosModules.microvm { microvm = { hypervisor = "cloud-hypervisor"; 
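Review bot: `pkgs = nixpkgs.legacyPackages."x86_64-linux"` is used in this file only for `pkgs.lib.mkForce`/`mkIf`/`optionals` (see the overwrite helpers added later in the same commit), so pinning a system here is unnecessary and evaluates the x86_64 package set even when `buildHost` is producing an `aarch64-linux` system for `rpi` hosts; `lib = nixpkgs.lib;` gives the same functions without the system dependency. The second hunk drops `inputs.microvm.nixosModules.microvm` from `makeMicroVM` and re-adds it at the call site in `buildHost`, presumably because nested guests declared via `microvm.vms` already receive it from the host module; a one-line comment on `makeMicroVM` stating that the caller must import the microvm module would save the next reader from re-adding it.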
@@ -97,14 +97,146 @@ rec { inputsMod = inputs // { malobeo = self; }; + + vmMicroVMOverwrites = hostname: options: { + microvm = rec { + mem = pkgs.lib.mkForce 4096; + hypervisor = pkgs.lib.mkForce "qemu"; + socket = pkgs.lib.mkForce null; + + + #needed for hosts that deploy imperative microvms (for example fanny) + writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store"; + volumes = pkgs.lib.mkIf options.writableStore [ { + image = "nix-store-overlay.img"; + mountPoint = writableStoreOverlay; + size = 2048; + } ]; + + shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [ + { + tag = "ro-store"; + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + } + ] ++ pkgs.lib.optionals (options.varPath != "") [ + { + source = "${options.varPath}"; + securityModel = "mapped"; + mountPoint = "/var"; + tag = "var"; + } + ]); + + interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{ + type = "user"; + id = "eth0"; + mac = "02:23:de:ad:be:ef"; + }]); + + #if networking is disabled forward port 80 to still have access to webservices + forwardPorts = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [ + { from = "host"; host.port = 8080; guest.port = 80; } + ]); + + }; + + fileSystems = { + "/".fsType = pkgs.lib.mkForce "tmpfs"; + + # prometheus uses a memory mapped file which doesnt seem supported by 9p shares + # therefore we mount a tmpfs inside the datadir + "/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce { + fsType = pkgs.lib.mkForce "tmpfs"; + }); + }; + + boot.isContainer = pkgs.lib.mkForce false; + services.timesyncd.enable = false; + users.users.root.password = ""; + services.getty.helpLine = '' + Log in as "root" with an empty password. + Use "reboot" to shut qemu down. 
+ ''; + }; + + vmDiskoOverwrites = { + boot.initrd = { + secrets = pkgs.lib.mkForce {}; + network.ssh.enable = pkgs.lib.mkForce false; + }; + + malobeo.disks.enable = pkgs.lib.mkForce false; + networking.hostId = "a3c3101f"; + }; + + vmSopsOverwrites = host: { + sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml; + + environment.etc = { + devHostKey = { + source = ../secrets/devkey_ed25519; + mode = "0600"; + }; + }; + + services.openssh.hostKeys = [{ + path = "/etc/devHostKey"; + type = "ed25519"; + }]; + }; + + vmNestedMicroVMOverwrites = host: sopsDummy: { + + services.malobeo.microvm.deployHosts = pkgs.lib.mkForce []; + microvm.vms = + let + # Map the values to each hostname to then generate an Attrset using listToAttrs + mapperFunc = name: { inherit name; value = { + specialArgs.inputs = inputsMod; + specialArgs.self = self; + config = { + imports = (makeMicroVM "${name}" + "${hosts.malobeo.hosts.${name}.network.address}" + "${hosts.malobeo.hosts.${name}.network.mac}" [ + ../${name}/configuration.nix + (vmMicroVMOverwrites name { + withNetworking = true; + varPath = ""; + writableStore = false; }) + (if sopsDummy then (vmSopsOverwrites name) else {}) + ]); + }; + }; }; + in + builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts); + }; + + buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: (self.nixosConfigurations.${host}.extendModules { + modules = [ + (vmMicroVMOverwrites host { + withNetworking = networking; + varPath = "${varPath}"; + writableStore = writableStore; }) + (if sopsDummy then (vmSopsOverwrites host) else {}) + (if disableDisko then vmDiskoOverwrites else {}) + ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [ + inputs.microvm.nixosModules.microvm + ] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? 
services.malobeo.microvm.deployHosts) [ + (vmNestedMicroVMOverwrites host sopsDummy) + ]; + }); + buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem { system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux"; specialArgs.inputs = inputsMod; + specialArgs.self = self; modules = (if (settings.type != "microvm") then defaultModules ++ [ ../${host}/configuration.nix ] else makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [ - ./${host}/configuration.nix + inputs.microvm.nixosModules.microvm + ../${host}/configuration.nix ]); }) hosts); } diff --git a/outputs.nix b/outputs.nix index 86be7f6..248d332 100644 --- a/outputs.nix +++ b/outputs.nix @@ -15,7 +15,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}"; pkgs = nixpkgs.legacyPackages."${system}"; - utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; }); + hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; }); + utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; }); in { devShells.default = @@ -156,8 +157,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems })) // ( let - utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; }); hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; }); + utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; hosts = hosts; }); in { nixosConfigurations = utils.buildHost hosts.malobeo.hosts; -- 2.51.2 From d91760f7816358122d17e65d48c521165a9190c0 Mon Sep 17 00:00:00 2001 
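Review bot: `vmMicroVMOverwrites` sets `users.users.root.password = ""` and `vmSopsOverwrites` installs the repository-committed `../secrets/devkey_ed25519` as the guest's SSH host key regardless of `options.withNetworking`, but with networking enabled the guest keeps `makeMicroVM`'s tap interface with the MAC and `10.0.0.x` address from hosts.nix, so a dev VM on the host bridge presents an SSH host identity whose private key anyone with the repository holds, alongside an empty root password (console today, SSH if any module ever sets `PermitEmptyPasswords`); at minimum gate the password on the user-mode-network case, `users.users.root.password = pkgs.lib.mkIf (!options.withNetworking) "";`, and make the dummy host key opt-in the same way. `vmNestedMicroVMOverwrites` forces `withNetworking = true` for every nested guest while still applying `vmSopsOverwrites` when `sopsDummy` is set, so the same combination is reproduced inside fanny-style hosts. The `mem = mkForce 4096` from `vmMicroVMOverwrites` is also applied to each nested guest, which presumably cannot fit inside an outer guest that itself gets 4096 MB, so that value wants a comment or a separate parameter. `buildVM` now takes six positional booleans and strings (`host networking sopsDummy disableDisko varPath writableStore`) that the shell caller must keep in exact order; an attrset parameter such as `buildVM = { host, networking ? false, sopsDummy ? false, … }:` would make call sites self-describing. The `utils` binding added to outputs.nix in the trailing hunks again shadows the flake-utils input used by `utils.lib.eachSystem`.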
From: kalipso Date: Wed, 22 Jan 2025 17:18:46 +0100 Subject: [PATCH 10/33] [nix] rm machines/configuration.nix --- machines/configuration.nix | 211 ------------------------------------- outputs.nix | 4 - 2 files changed, 215 deletions(-) delete mode 100644 machines/configuration.nix diff --git a/machines/configuration.nix b/machines/configuration.nix deleted file mode 100644 index e046d59..0000000 --- a/machines/configuration.nix +++ /dev/null 
@@ -1,211 +0,0 @@ -{ self -, nixpkgs-unstable -, nixpkgs -, sops-nix -, inputs -, nixos-hardware -, home-manager -, ... -}: -let - nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; - nixosSystemUnstable = nixpkgs-unstable.lib.makeOverridable nixpkgs-unstable.lib.nixosSystem; - - baseModules = [ - # make flake inputs accessiable in NixOS - { _module.args.inputs = inputs; } - { - imports = [ - ({ pkgs, ... }: { - nix = { - extraOptions = '' - experimental-features = nix-command flakes - ''; - - settings = { - substituters = [ - "https://cache.dynamicdiscord.de" - "https://cache.nixos.org/" - ]; - trusted-public-keys = [ - "cache.dynamicdiscord.de:DKueZicqi2NhJJXz9MYgUbiyobMs10fTyHCgAUibRP4=" - ]; - trusted-users = [ "root" "@wheel" ]; - }; - }; - }) - - sops-nix.nixosModules.sops - ]; - } - ]; - defaultModules = baseModules; - - makeMicroVM = hostName: ipv4Addr: macAddr: modules: [ - inputs.microvm.nixosModules.microvm - { - microvm = { - hypervisor = "cloud-hypervisor"; - mem = 2560; - shares = [ - { - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - tag = "store"; - proto = "virtiofs"; - socket = "store.socket"; - } - { - source = "/var/lib/microvms/${hostName}/etc"; - mountPoint = "/etc"; - tag = "etc"; - proto = "virtiofs"; - socket = "etc.socket"; - } - { - source = "/var/lib/microvms/${hostName}/var"; - mountPoint = "/var"; - tag = "var"; - proto = "virtiofs"; - socket = "var.socket"; - } - ]; - - interfaces = [ - { - type = "tap"; - id = "vm-${hostName}"; - mac = "${macAddr}"; - } - ]; - }; - - systemd.network.enable = true; - - systemd.network.networks."20-lan" = { - matchConfig.Type = "ether"; - networkConfig = { - Address = [ "${ipv4Addr}/24" ]; - Gateway = "10.0.0.1"; - DNS = ["1.1.1.1"]; - DHCP = "no"; - }; - }; - } - ] ++ defaultModules ++ modules; - - inputsMod = inputs // { malobeo = self; }; - - hosts = import ./modules/host_builder.nix {}; -in - builtins.mapAttrs (host: settings: nixosSystem { - system = if (settings.type == 
"rpi") then "aarch64-linux" else "x86_64-linux"; - specialArgs.inputs = inputs; - modules = (if (settings.type != "microvm") then - defaultModules ++ [ ./${host}/configuration.nix ] - else - makeMicroVM "${host}" "${settings.network.address}" "${settings.network.mac}" [ - ./${host}/configuration.nix - ]); - }) hosts.malobeo.hosts // - { - testvm = nixosSystem { - system = "x86_64-linux"; - specialArgs.inputs = inputs; - specialArgs.self = self; - modules = defaultModules ++ [ ./testvm ]; - }; - } -#{ -# louise = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# modules = defaultModules ++ [ -# ./louise/configuration.nix -# ]; -# }; -# -# bakunin = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# modules = defaultModules ++ [ -# ./bakunin/configuration.nix -# inputs.disko.nixosModules.disko -# ]; -# }; -# -# lucia = nixosSystem { -# system = "aarch64-linux"; -# specialArgs.inputs = inputs; -# modules = defaultModules ++ [ -# ./lucia/configuration.nix -# ./lucia/hardware_configuration.nix -# ]; -# }; -# -# fanny = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputsMod; -# modules = defaultModules ++ [ -# self.nixosModules.malobeo.vpn -# ./fanny/configuration.nix -# ]; -# }; -# -# durruti = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# specialArgs.self = self; -# modules = makeMicroVM "durruti" "10.0.0.5" "52:DA:0D:F9:EF:F9" [ -# ./durruti/configuration.nix -# ]; -# }; -# -# vpn = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# specialArgs.self = self; -# modules = makeMicroVM "vpn" "10.0.0.10" "D0:E5:CA:F0:D7:E6" [ -# self.nixosModules.malobeo.vpn -# ./vpn/configuration.nix -# ]; -# }; -# -# infradocs = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# specialArgs.self = self; -# modules = makeMicroVM "infradocs" "10.0.0.11" "D0:E5:CA:F0:D7:E7" [ -# self.nixosModules.malobeo.vpn -# 
./infradocs/configuration.nix -# ]; -# }; -# -# uptimekuma = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# specialArgs.self = self; -# modules = makeMicroVM "uptimekuma" "10.0.0.12" "D0:E5:CA:F0:D7:E8" [ -# ./uptimekuma/configuration.nix -# ]; -# }; -# -# nextcloud = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# specialArgs.self = self; -# modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [ -# ./nextcloud/configuration.nix -# ]; -# }; -# -# overwatch = nixosSystem { -# system = "x86_64-linux"; -# specialArgs.inputs = inputs; -# specialArgs.self = self; -# modules = makeMicroVM "overwatch" "10.0.0.14" "D0:E5:CA:F0:D7:E0" [ -# ./overwatch/configuration.nix -# ]; -# }; -# -#} diff --git a/outputs.nix b/outputs.nix index 248d332..a846a48 100644 --- a/outputs.nix +++ b/outputs.nix @@ -162,10 +162,6 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems in { nixosConfigurations = utils.buildHost hosts.malobeo.hosts; - #nixosConfigurations = import ./machines/configuration.nix (inputs // { - # inherit inputs; - # self = self; - #}); nixosModules.malobeo = { host.imports = [ ./machines/durruti/host_config.nix ]; -- 2.51.2 From eb7db0dc95ee22711f2f90c338316e38aa4af4fa Mon Sep 17 00:00:00 2001 From: kalipso Date: Wed, 22 Jan 2025 17:33:27 +0100 Subject: [PATCH 11/33] [run-vm] mv to /scripts --- outputs.nix | 59 +---------------------------------------------- scripts/run-vm.sh | 56 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 58 deletions(-) create mode 100644 scripts/run-vm.sh diff --git a/outputs.nix b/outputs.nix index a846a48..c8dac17 100644 --- a/outputs.nix +++ b/outputs.nix 
@@ -72,64 +72,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 '';
 };
- run-vm = pkgs.writeShellScriptBin "run-vm" ''
- usage() {
- echo "Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]"
- echo "ATTENTION: This script must be run from the flakes root directory"
- echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
- echo "--dummy-secrets run vm with dummy sops secrets"
- echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
- echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
- echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
- exit 1
- }
-
- # check at least one arg was given
- if [ "$#" -lt 1 ]; then
- usage
- fi
-
- HOSTNAME=$1
-
- # Optionale Argumente
- NETWORK=false
- DUMMY_SECRETS=false
- NO_DISKO=false
- RW_STORE=false
- VAR_PATH=""
-
- # check argws
- shift
- while [[ "$#" -gt 0 ]]; do
- case $1 in
- --networking) NETWORK=true ;;
- --dummy-secrets) DUMMY_SECRETS=true ;;
- --no-disko) NO_DISKO=true ;;
- --writable-store) RW_STORE=true ;;
- --var)
- if [[ -n "$2" && ! "$2" =~ ^- ]]; then
- VAR_PATH="$2"
- shift
- else
- echo "Error: --var requires a non-empty string argument."
- usage
- fi
- ;;
- *) echo "Unknown argument: $1"; usage ;;
- esac
- shift
- done
- echo "starting host $HOSTNAME"
- echo "enable networking: $NETWORK"
- echo "deploy dummy secrets: $DUMMY_SECRETS"
- echo "disable disko and initrd secrets: $NO_DISKO"
- echo "use writable store: $RW_STORE"
- if [ -n "$VAR_PATH" ]; then
- echo "sharing var directory: $VAR_PATH"
- fi
-
- ${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE).config.microvm.declaredRunner"
- '';
+ run-vm = pkgs.writeShellScriptBin "run-vm" (builtins.readFile ./scripts/run-vm.sh);
 };
 apps = {
diff --git a/scripts/run-vm.sh b/scripts/run-vm.sh
new file mode 100644
index 0000000..c9eee2a
--- /dev/null
+++ b/scripts/run-vm.sh
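Review bot: The moved script now invokes a bare `nix` while the removed inline version called `${pkgs.nix}/bin/nix`, so the `run-vm` wrapper built by `writeShellScriptBin` no longer carries its own nix binary and depends on whichever `nix` is first on the caller's PATH, which makes an `--impure` evaluation harder to reproduce. Either restore the pin in the wrapper, e.g. `run-vm = pkgs.writeShellScriptBin "run-vm" (''export PATH=${pkgs.nix}/bin:$PATH'' + "\n" + builtins.readFile ./scripts/run-vm.sh);`, or document in the script that it expects `nix` on PATH. The enclosing attrset begins outside the hunk.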
@@ -0,0 +1,56 @@
+usage() {
+ echo "Usage: run-vm [--networking] [--dummy-secrets] [--no-disko]"
+ echo "ATTENTION: This script must be run from the flakes root directory"
+ echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
+ echo "--dummy-secrets run vm with dummy sops secrets"
+ echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
+ echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
+ echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+ exit 1
+}
+
+# check at least one arg was given
+if [ "$#" -lt 1 ]; then
+ usage
+fi
+
+HOSTNAME=$1
+
+# Optionale Argumente
+NETWORK=false
+DUMMY_SECRETS=false
+NO_DISKO=false
+RW_STORE=false
+VAR_PATH=""
+
+# check argws
+shift
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ --networking) NETWORK=true ;;
+ --dummy-secrets) DUMMY_SECRETS=true ;;
+ --no-disko) NO_DISKO=true ;;
+ --writable-store) RW_STORE=true ;;
+ --var)
+ if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+ VAR_PATH="$2"
+ shift
+ else
+ echo "Error: --var requires a non-empty string argument."
+ usage
+ fi
+ ;;
+ *) echo "Unknown argument: $1"; usage ;;
+ esac
+ shift
+done
+echo "starting host $HOSTNAME"
+echo "enable networking: $NETWORK"
+echo "deploy dummy secrets: $DUMMY_SECRETS"
+echo "disable disko and initrd secrets: $NO_DISKO"
+echo "use writable store: $RW_STORE"
+if [ -n "$VAR_PATH" ]; then
+ echo "sharing var directory: $VAR_PATH"
+fi
+
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE).config.microvm.declaredRunner"
-- 2.51.2
From 3b1ab5e14c6663fa4f71d909a9f0f95e18ff3cb6 Mon Sep 17 00:00:00 2001
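Review bot: `$HOSTNAME`, `$VAR_PATH` and `$(pwd)` are spliced verbatim into the `--expr` Nix source on the last line, so a value containing `"` or `${` is parsed as Nix rather than passed as data, and the only check on `--var` is that the value does not start with `-`. Validate the inputs before building the expression, e.g. `[[ "$HOSTNAME" =~ ^[A-Za-z0-9_-]+$ ]] || usage` and `[[ "$VAR_PATH" =~ ^[A-Za-z0-9_./-]*$ ]] || usage`, or resolve the path with `realpath` first and reject anything outside that character set. Naming the positional argument `HOSTNAME` also shadows bash's own variable of that name; a name such as `VM_HOST` avoids confusion when reading the echo lines.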
From: kalipso
Date: Thu, 23 Jan 2025 17:31:38 +0100
Subject: [PATCH 12/33] [nextcloud] add deck and polls

---
 machines/nextcloud/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix
index 88939dc..eea2e2d 100644
--- a/machines/nextcloud/configuration.nix
+++ b/machines/nextcloud/configuration.nix
@@ -46,7 +46,7 @@ with lib;
 };
 extraAppsEnable = true;
 extraApps = {
- inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
+ inherit (config.services.nextcloud.package.packages.apps) contacts calendar deck polls;
 collectives = pkgs.fetchNextcloudApp {
 sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
 url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
-- 2.51.2
From 91e681e879dbb1c0773079bab382f4f2b0ec143c Mon Sep 17 00:00:00 2001
From: kalipso
Date: Thu, 23 Jan 2025 19:03:46 +0100
Subject: [PATCH 13/33] [fanny] nat microvm traffic

---
 machines/fanny/configuration.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 6d215a3..1d16e76 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -72,6 +72,12 @@ in
 services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
 networking = {
+ nat = {
+ enable = true;
+ externalInterface = "enp1s0";
+ internalInterfaces = [ "microvm" ];
+ };
+
 firewall = {
 allowedTCPPorts = [ 80 ];
 };
-- 2.51.2
From 6319e3e7575f85e27851a6a84056dabea4f975a5 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Thu, 23 Jan 2025 21:11:31 +0100
Subject: [PATCH 14/33] [testvm] add to nixosConfigurations again

---
 outputs.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/outputs.nix b/outputs.nix
index c8dac17..3d95f1b 100644
--- a/outputs.nix
+++ b/outputs.nix
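Review bot: `networking.nat.enable = true` in the fanny hunk also switches on IPv4 forwarding for the whole host, which neither the option names nor a comment make visible here; a short note would help the next reader, e.g. `# masquerade microvm traffic out via enp1s0; note that enabling NAT turns on IPv4 forwarding host-wide`. `externalInterface = "enp1s0"` is a hard-coded NIC name that silently breaks NAT if the interface is ever renamed, so it is worth tying it to wherever the host's uplink is otherwise declared (presumably outside this hunk). The `networking` attrset continues past the hunk.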
@@ -104,7 +104,14 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 utils = import ./machines/modules/host_builder.nix (
 inputs // { inherit inputs; self = self; hosts = hosts; });
 in {
- nixosConfigurations = utils.buildHost hosts.malobeo.hosts;
+ nixosConfigurations = utils.buildHost hosts.malobeo.hosts // {
+ testvm = utils.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs.inputs = inputs;
+ specialArgs.self = self;
+ modules = utils.defaultModules ++ [ ./testvm ];
+ };
+ };
 nixosModules.malobeo = {
 host.imports = [ ./machines/durruti/host_config.nix ];
-- 2.51.2
From 894a95ebade4f132d261af2ea747f390e45eecb9 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Thu, 23 Jan 2025 21:12:53 +0100
Subject: [PATCH 15/33] [run-vm] optional forward ports currently only allows forwarding to port 80, i was to lazy to handle two arguments in bash
---
 machines/modules/host_builder.nix | 9 +++++----
 scripts/run-vm.sh | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix
index 98e7bb4..772ce49 100644
--- a/machines/modules/host_builder.nix
+++ b/machines/modules/host_builder.nix
@@ -135,8 +135,8 @@ rec {
 }]);
 #if networking is disabled forward port 80 to still have access to webservices
- forwardPorts = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [
- { from = "host"; host.port = 8080; guest.port = 80; }
+ forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
+ { from = "host"; host.port = options.fwdPort; guest.port = 80; }
 ]);
 };
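Review bot: The comment `#if networking is disabled forward port 80 to still have access to webservices` above the host_builder.nix change is now stale: nothing is forwarded unless `fwdPort` is non-zero, and the former default of host port 8080 is gone. Suggest `# when networking is disabled and a non-zero fwdPort was requested, map host:fwdPort to guest:80`. If the `options` attrset is merged with a defaults set outside this hunk, `fwdPort = 0;` belongs there so callers that omit it do not fail on a missing attribute; the enclosing function continues outside the hunk.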
@@ -212,12 +212,13 @@ rec {
 builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
 };
- buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: (self.nixosConfigurations.${host}.extendModules {
+ buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
 modules = [
 (vmMicroVMOverwrites host {
 withNetworking = networking;
 varPath = "${varPath}";
- writableStore = writableStore; })
+ writableStore = writableStore;
+ fwdPort = fwdPort; })
 (if sopsDummy then (vmSopsOverwrites host) else {})
 (if disableDisko then vmDiskoOverwrites else {})
 ] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
diff --git a/scripts/run-vm.sh b/scripts/run-vm.sh
index c9eee2a..3968cdd 100644
--- a/scripts/run-vm.sh
+++ b/scripts/run-vm.sh
@@ -6,6 +6,7 @@ usage() {
 echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
 echo "--writable-store enables writable store. necessary for host with nested imperative microvms like fanny"
 echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
+ echo "--fwd-port forwards the given port to port 80 on vm"
 exit 1
 }
@@ -22,6 +23,7 @@ DUMMY_SECRETS=false
 NO_DISKO=false
 RW_STORE=false
 VAR_PATH=""
+FWD_PORT=0
 # check argws
 shift
@@ -40,6 +42,15 @@ while [[ "$#" -gt 0 ]]; do
 usage
 fi
 ;;
+ --fwd-port)
+ if [[ -n "$2" && ! "$2" =~ ^- ]]; then
+ FWD_PORT="$2"
+ shift
+ else
+ echo "Error: --var requires a non-empty string argument."
+ usage
+ fi
+ ;;
 *) echo "Unknown argument: $1"; usage ;;
 esac
 shift
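Review bot: `buildVM` now takes seven positional curried arguments, and the new `fwdPort` arrives from run-vm.sh as an unvalidated shell variable, so a bad value surfaces as a Nix evaluation error far from its origin. Consider an attrset parameter, `buildVM = { host, networking, sopsDummy, disableDisko, varPath, writableStore, fwdPort ? 0 }: …`, so the call site names its arguments and the default lives in one place; the function body continues outside the hunk.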
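Review bot: The error message in the new `--fwd-port` branch of run-vm.sh was copied from `--var` and reads `Error: --var requires a non-empty string argument.`, which will mislead the user; it should be `echo "Error: --fwd-port requires a numeric port argument."`. The value is also accepted as any string not starting with `-` even though it is interpolated unquoted into the Nix expression in the `@@ -53,4 +64,4 @@` hunk that follows, so tighten the test to `if [[ "$2" =~ ^[0-9]+$ ]]; then`.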
@@ -53,4 +64,4 @@ if [ -n "$VAR_PATH" ]; then
 echo "sharing var directory: $VAR_PATH"
 fi
-nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE).config.microvm.declaredRunner"
+nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\" $RW_STORE $FWD_PORT).config.microvm.declaredRunner"
-- 2.51.2
From e14898525c87391ae594ddcfa349211f9056cf8b Mon Sep 17 00:00:00 2001
From: kalipso
Date: Thu, 23 Jan 2025 21:20:37 +0100
Subject: [PATCH 16/33] [testvm] integrate into hosts.nix

---
 machines/hosts.nix | 4 ++++
 machines/testvm/{default.nix => configuration.nix} | 0
 outputs.nix | 9 +--------
 3 files changed, 5 insertions(+), 8 deletions(-)
 rename machines/testvm/{default.nix => configuration.nix} (100%)

diff --git a/machines/hosts.nix b/machines/hosts.nix
index 46f961a..f780fc3 100644
--- a/machines/hosts.nix
+++ b/machines/hosts.nix
@@ -66,6 +66,10 @@
 mac = "D0:E5:CA:F0:D7:E0";
 };
 };
+
+ testvm = {
+ type = "host";
+ };
 };
 };
 }
diff --git a/machines/testvm/default.nix b/machines/testvm/configuration.nix
similarity index 100%
rename from machines/testvm/default.nix
rename to machines/testvm/configuration.nix
diff --git a/outputs.nix b/outputs.nix
index 3d95f1b..c8dac17 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -104,14 +104,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 utils = import ./machines/modules/host_builder.nix (
 inputs // { inherit inputs; self = self; hosts = hosts; });
 in {
- nixosConfigurations = utils.buildHost hosts.malobeo.hosts // {
- testvm = utils.nixosSystem {
- system = "x86_64-linux";
- specialArgs.inputs = inputs;
- specialArgs.self = self;
- modules = utils.defaultModules ++ [ ./testvm ];
- };
- };
+ nixosConfigurations = utils.buildHost hosts.malobeo.hosts;
 nixosModules.malobeo = {
 host.imports = [ ./machines/durruti/host_config.nix ];
-- 2.51.2
From c27566ccda05c6fc8089d56e42a14fda3853d671 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 15:08:24 +0100
Subject: [PATCH 17/33] [disko] rm btrfs-laptop.nix

---
 machines/modules/disko/btrfs-laptop.nix | 63 -------------------------
 1 file changed, 63 deletions(-)
 delete mode 100644 machines/modules/disko/btrfs-laptop.nix

diff --git a/machines/modules/disko/btrfs-laptop.nix b/machines/modules/disko/btrfs-laptop.nix
deleted file mode 100644
index eef6931..0000000
--- a/machines/modules/disko/btrfs-laptop.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ config, self, inputs, ... }:
-
-{
- imports = [
- inputs.disko.nixosModules.disko
- ];
-
- # https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix
- disko.devices = {
- disk = {
- main = {
- type = "disk";
- # When using disko-install, we will overwrite this value from the commandline
- device = "/dev/disk/by-id/some-disk-id";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- size = "512M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
- };
- };
- luks = {
- size = "100%";
- content = {
- type = "luks";
- name = "crypted";
- passwordFile = /tmp/secret.key; # Interactive
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "/root" = {
- mountpoint = "/";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/home" = {
- mountpoint = "/home";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/nix" = {
- mountpoint = "/nix";
- mountOptions = [ "compress=zstd" "noatime" ];
- };
- "/swap" = {
- mountpoint = "/.swapvol";
- swap.swapfile.size = "20M";
- };
- };
- };
- };
- };
- };
- };
- };
- };
- };
-}
-- 2.51.2
From 0820dea377556280196d8f596f99856372dc063d Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 18:30:31 +0100
Subject: [PATCH 18/33] [disko] Bit of a hack but the storage partition now gets mounted after zroot using a file on the disk.

---
 machines/modules/disko/default.nix | 6 +++---
 machines/modules/malobeo/initssh.nix | 2 --
 machines/testvm/configuration.nix | 2 +-
 scripts/remote-install-encrypt.sh | 2 ++
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix
index 2794fff..6174bf3 100644
--- a/machines/modules/disko/default.nix
+++ b/machines/modules/disko/default.nix
@@ -187,6 +187,7 @@ in
 postCreateHook = lib.mkIf cfg.encryption ''
 zfs set keylocation="prompt" zroot/encrypted;
 '';
+ };
 "encrypted/root" = {
 type = "zfs_fs";
@@ -244,13 +245,12 @@ in
 };
 # use this to read the key during boot
 postCreateHook = lib.mkIf cfg.encryption ''
- zfs set keylocation="prompt" storage/encrypted;
+ zfs set keylocation="file:///root/secret.key" storage/encrypted;
 '';
 };
 "encrypted/data" = {
 type = "zfs_fs";
 mountpoint = "/data";
- options.mountpoint = "legacy";
 };
 reserved = { # for cow delete if pool is full
@@ -267,7 +267,7 @@ in
 };
 boot.zfs.devNodes = lib.mkDefault cfg.devNodes;
-
+ boot.zfs.extraPools = lib.mkIf cfg.storage.enable [ "storage" ];
 fileSystems."/".neededForBoot = true;
 fileSystems."/etc".neededForBoot = true;
 fileSystems."/boot".neededForBoot = true;
diff --git a/machines/modules/malobeo/initssh.nix b/machines/modules/malobeo/initssh.nix
index 8286084..6a68622 100644
--- a/machines/modules/malobeo/initssh.nix
+++ b/machines/modules/malobeo/initssh.nix
@@ -30,9 +30,7 @@ in
 loader.efi.canTouchEfiVariables = true;
 supportedFilesystems = [ "vfat" "zfs" ];
 zfs = {
- forceImportAll = true;
 requestEncryptionCredentials = true;
- };
 initrd = {
 availableKernelModules = cfg.ethernetDrivers;
diff --git a/machines/testvm/configuration.nix b/machines/testvm/configuration.nix
index b338fbc..003a017 100644
--- a/machines/testvm/configuration.nix
+++ b/machines/testvm/configuration.nix
@@ -24,7 +24,7 @@ in
 malobeo.disks = {
 enable = true;
- encryption = false;
+ encryption = true;
 hostId = "83abc8cb";
 devNodes = "/dev/disk/by-path/";
 root = {
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 07331a8..277f519 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
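Review bot: `zfs set keylocation="file:///root/secret.key" storage/encrypted` turns the storage pool's key into a plaintext file that is loaded without a prompt, so its confidentiality now rests on `zroot/encrypted` (still `prompt` in the first hunk) being unlocked before the file is readable and on the file's ownership and mode, and nothing in the hunk states that dependency. Extend the existing comment, e.g. `# key file lives on the encrypted root dataset: storage can only be unlocked after zroot, and /root/secret.key must stay root-only (0600)`. The `boot.zfs.extraPools = [ "storage" ]` line in the third hunk imports the pool through the extra-pools service; whether that runs after the root dataset and its key file are available is presumably what the commit message's "hack" relies on, so that ordering deserves a comment too, since a failure there leaves `/data` unmounted. The enclosing module continues outside these hunks.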
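Review bot: Removing the `};` after `requestEncryptionCredentials = true;` in initssh.nix appears to leave `initrd = { … }` nested inside `zfs = { … }`, i.e. a `boot.zfs.initrd` attribute that is not a NixOS option; unless a matching brace is balanced somewhere outside the hunk, the module will fail to parse or to evaluate. If the intent was only to drop `forceImportAll`, the hunk should remove `forceImportAll = true;` alone and keep the `};`. The enclosing attrset (presumably `boot = { … }`) continues outside the hunk.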
@@ -37,9 +37,11 @@ trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh/"
+install -d -m755 "$temp/root/"
 diskKey=$(sops -d machines/$hostname/disk.key)
 echo "$diskKey" > /tmp/secret.key
+echo "$diskKey" > $temp/root/secret.key
 ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
 ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
-- 2.51.2
From 96a5b68237de1a686655f7a59abff465697cf95b Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 18:42:31 +0100
Subject: [PATCH 19/33] [scripts] only need to unlock once

---
 scripts/unlock-boot.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh
index 2c5cea3..347f260 100644
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -23,18 +23,14 @@ echo
 if [ $# = 1 ]
 then
 diskkey=$(sops -d machines/$HOSTNAME/disk.key)
- echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #storage
- echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
 elif [ $# = 2 ]
 then
 diskkey=$(sops -d machines/$HOSTNAME/disk.key)
 IP=$2
- echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #storage
- echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
-
+
 else
 echo
 echo "Unlock the root disk on a remote host."
-- 2.51.2
From 20dd20054055e9a9cddc6325da03974274b2b849 Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Fri, 24 Jan 2025 23:19:52 +0100
Subject: [PATCH 20/33] [fanny] enable storage creation with disko

---
 machines/fanny/configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 1d16e76..748396e 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
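Review bot: `$temp/root/` is created with mode 755 and `secret.key` is written with the default umask, so the ZFS key that unlocks the storage pool can end up world-readable on the installed system if whatever copies `$temp` onto the target (outside this hunk) preserves these modes. Create the directory as `install -d -m700 "$temp/root/"` and write the file with restrictive permissions, e.g. `(umask 077; echo "$diskKey" > "$temp/root/secret.key")`; quoting `$temp` also keeps the path intact. The same plaintext key is still written to `/tmp/secret.key` on the line above, which the `trap cleanup EXIT` in the hunk header presumably removes — worth confirming that cleanup covers both copies.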
@@ -51,6 +51,7 @@ in
 disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
 };
 storage = {
+ enable = true;
 disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
 mirror = true;
 };
-- 2.51.2
From a093b47fd86f4e3abd1290fcc066da87ff5242dc Mon Sep 17 00:00:00 2001
From: kalipso
Date: Tue, 28 Jan 2025 14:56:09 +0100
Subject: [PATCH 21/33] [malovpn] add hetzner

---
 machines/modules/malobeo/peers.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix
index 787cabf..febf4c5 100644
--- a/machines/modules/malobeo/peers.nix
+++ b/machines/modules/malobeo/peers.nix
@@ -30,6 +30,13 @@
 publicKey = "TrJ4UAF//zXdaLwZudI78L+rTC36zEDodTDOWNS4Y1Y=";
 };
+ "hetzner" = {
+ role = "client";
+ address = [ "10.100.0.6/24" ];
+ allowedIPs = [ "10.100.0.6/32" ];
+ publicKey = "csRzgwtnzmSLeLkSwTwEOrdKq55UOxZacR5D3GopCTQ=";
+ };
+
 "fanny" = {
 role = "client";
 address = [ "10.100.0.101/24" ];
-- 2.51.2
From 1b70443e154142e80bd4630550d9212357d81177 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Wed, 5 Feb 2025 16:32:18 +0100
Subject: [PATCH 22/33] [fanny] update sops key after reset

---
 machines/.sops.yaml | 2 +-
 machines/fanny/secrets.yaml | 78 ++++++++++++++++++-------------------
 2 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 560284a..4ef6149 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -10,7 +10,7 @@ keys:
 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
 - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
- - &machine_fanny age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf
+ - &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce
 - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
 #this dummy key is used for testing.
 - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml
index 195e7bc..dd23b25 100644
--- a/machines/fanny/secrets.yaml
+++ b/machines/fanny/secrets.yaml
@@ -5,63 +5,63 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age14dpm6vaycd6u34dkndcktpamqgdyj4aqccjnl5533dsza05hxuds0tjfnf + - recipient: age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTmdrV1IyM2hldloxM3Zh - cGVIZmtCZ0FLTEQxcFBLaVh0VXUwNWVGR1hBCnJ6SHpzckh5VVduM0Z2dkh2WHdy - WGxRV0JFZTdqcWgzUFlSZkowZElJd2MKLS0tIGxYL0orSVdmZzJBSEIvRUNDUVlK - RWFLOWp4TVJBM3llS0lmQlBUQ2ZQNkUKEz/dXR0tkVeyC9Oxai5gZEAhRImdL1FL - 2LdVRiCt3MqR9wtfw1/pR7166Bx8nLIN42uWh2YU5j0/0rXNq+I6Qg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTmFmVEd0cjY1QkJNRXRQ + NytpanU0UzF5aXlhRklJbW5yOExrbVFoREFjClRlVGVhOHZ2OW56Z21NU1FjaVFh + ZnJHZk5mV3ZKQm84M0Z6em14akc4Rk0KLS0tIHRMQTdOZTVvNUNoM29tZ2Nockp6 + VUJFMEpxb0Y4WlJhZGZPTk54ZXhIMEkKPwkXj7gRlIZ9aYGNlX+PdZa9BcaHt1G6 + DVNxfuYvecprnQWQ+pjVGzm8j78p7HpAcmJ/Aue3FTYo6S/vyEmK6A== -----END AGE ENCRYPTED FILE----- - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQW5OU2FiNStkazFRRHBK - U2kzNkpWRDVQTDBkTFFNWnREcjh6NlhmRnhZCkxMYlZhcUlGUnN3QWFzbVkyYlpX - eWZaOUxsUCtZYmx0U29ZckFaMjNLTFEKLS0tIExxV0REL3MwUTZpMkgxYlZMc0JS - cTNEYTBGT3VRaDI1eUhucnd5d2JhTWMKNZlkUjxX2QTFoiCWPzz62jz4kK8d5rW/ - MJ1w69Qve7lsUAg74YlFF7i/yYSZZkHoRMs92lRmq3lHlbK6aaUMTw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzF1WW82MlB3N2tmVjVa + UGlLaThRUFNQOVV0d1ZxK2hJTE1pSGVoV2hVCis0UW41cXRVaC8yWGdCUEVaZjFM + MmViQXJrV3pTNzN4aDNpVCtYNmdXUjQKLS0tIGZsYTRwUDI2YWlMNjBJY2ZNREVu + ZzI3MWRLZ3lseitrQ0YrZ1BuM3BacmsK1gbJH+Qs6sTLrSZSUJtnvUNmbLNnPWVT + WOs8Pxf6ROYmstcF8yEGHxbVesWn0jMbC4aIAZOIyglh+6glxsbnpw== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T12:41:07Z" mac: 
ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] pgp: - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-05T15:31:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/YM4JBfaFngZt0SmMP3fBCodQXWnWMjy5VYoTOKKaOfG8 - 5GRTf+o1stsru3EKImh5PTqniRO6UH+/DOKBY8zHsy9lXojGka3uPJRKv7JUD5YO - 8NjlHwwg+jcQN/qtrWc+1D69zR1aO/6yxfgujL3r/fJ4reqtSNfkVYVy2lEcw2ZN - zhlN+fBxZCyHyUTKLcXrG7Fg8BRudjwBnIsBTLAVFkWg0bnlq38vicGpF5CHsRjA - cTPq2D9ev888WKHcjFcXYqxeKkXkqBuOOMlCHQyJCv8HHfA/GY+pBQfiVmvSt77O - /MA8hVYl8G4tRFsbUdZzqtPbAsLy30w1e9dpsD2M6tD55V2RNUCrznB2lo0uXZ24 - 9MUnad+NQdntbe5B2OBUF/MNKZ9/tC+B9pBm7Tx3rxSELytGuQF11x4EyLwn+Ict - iBBV5P3RiulxLW6MbDs+7JPILfcMfg6e8q+GY1dnIPZrs8Qf5W60FxbOYYiMvJ9k - UtnZAixVdlpkAsQz/t630lgBX9DLYjEVgaxC+zqtRjfHkoyvGIac6cgHDX/fBs7p - Woud0RbwffhOhaIF47Z2W4UPfn5Mtcu63fQpjCM9urk9asaRPeNDTeEYVjqSZD6N - J+o9dahBHvIF - =GKm4 + hQGMA5HdvEwzh/H7AQv9FdyMi1hVqhXAHEIjv5hiCw+l+OU+WomhmQTNue3pfgLi + eP15nIqjOg4H+akley0alE5ZL7AU/x5catwmd+JqG3p+j4v3z4GGgpgob6srxhRR + jcSZZZpOi5kMdvayX90Mm1zbzTSdxgHcI7tOtnr00kuUfkvTNyYP8ofvb19OZ3sS + ednM9E6h+qfCI+R2iv0WcyF0UXS8vExCl5djL4kV/gzc8iQz5qm1f67xem7kiN8M + dJZMmAkGSbSzCx/czqZ7pIB5LCmnGmLeYNBoMXdnj970dJrJ6/1DZqQNq4mkE8PG + odn7U4dq37pfpp8LJR9XZuCuQ2TbW8WqczQ3l2u4hqQNhHNRGDB/FGJrkn31BirN + Mwbb7UJQYQR5OzGwHTigpXDJnrf9j1CyAxbx3TrSHBrh63eVgUs1+mD9SUj6vVN7 + aBb8Y1M/cPiDyo2dpsa5lG6hzDQzlpBuJI4a8kN9JVTbcwYuWECx2kTGnZDBW+xf + KPNPrNzZmhIyZXMjPuK/0lgBuskgYg3sLqGgwUMisKCV56yRJr0zCoje3XWY6X2y + J7F0+/R3ESt98Za/qs4PG+U5oOXsUVlDZK0D+zVvnunJLOP/fT2yu4YoCZxy9Y6I + HbJzEdNC98ow + =nYXr -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-14T12:32:13Z" + - created_at: "2025-02-05T15:31:49Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUARAAmD4PfLpRVUXTo5yyS9LSs5vmEvnCmNc0ad4Oiv7YAxhs - W7SCKHq2zOfGIeZZHP0wjRnJELwMCVLy4dVo/slDHCiy8T4MZXaYR04ZaJJ+OHrF - e5xxAA6FjipufvxgRZvLhDj+g+RaX2TuxdL9gFSVS81rvEpSRDnydt2O/6G4SGBR - GO5b176eMerrqOqRLL5Ou4b6oitagvRwZzOXQ+YonKZz3STlyXRMgWxeFTDK9T/q - yYOwPVAOU1jhYzUjHNAYCp3CH4ERScrO7AwomAWH+Fe48WRbg2ebdqRnuv/Vl4PM - wc5DQcCIIIIENMGIYOzUo1KrfQlevzXF/mbgAgo/uVuRl3Y3lCRAcZBQOtUCF5Ap - FhsO87EMXlZWj3bv08f21t3hQztfuaHIqFpCbSIGgmiE9cAY0cOtCYpJfCYdV7iT - cOElJgYRbAsAbFC9wTQWEvwIxrgnCIrkCg1bzP5KNLG1K+ae5J7qN77qeTQw2/ul - QDDUUNnzjes562t+/xFLQa/bust1Y8pAYn1s1LEBol1hLX4Igonlkw303UPjZOI2 - MyH5hOh0hNUReuOpHpre/pYquE8Dd27XKAHfJsSd3ZLJG5+1Msw23lIsptgovNrB - 5VRvPj8WPojiDHqN27kt/IuayN3TeoJFjmAjkoFjlyKTcs+b6cDkxUw3LcP+6NjS - WAHQI0pWTa5zD8UPow4DHxteP4jW/6ddBfJ1Vz1scqKMXYvxFkRqZvn3uAJOtcuw - CgQ4CXE43n4G7g5gvWl6ZFW8tdXR7Sw+USnHR/9oS9fV0rHcxxDFEfE= - =9FN4 + hQIMA98TrrsQEbXUAQ//b/vbXzTW+NgmpAfTEkrha0OeU3w4UEwejZVYJeFcTHrS + nOh1W/a4pMNJ0n/xabGkwJs1o1CPEcV8ctta6OgwiXLFmfuVDYiT4YZw2zUML8kd + umCgGFcCq5xjxIVbY7GXz/Grv+cJa6JfdQirNRoaDFvhgZxinAcuOhlb01pmf4o2 + frGrbCvkbDU/OLjMkfakUT87tZh6wfhlT14FABpZNrDHl7mpEvNH/prUMzj87ZME + g1OkwdjC7sBXngPQjstgMeZmLfsXVhDlhPIPi2kh6LUCdDFkadOZG9+dMf5HpTPW + v69CKJyzK8WcH5RoksYgYuACIMRO1VXfIpm6sJqHn2gXc/6CsiST7ofvGtBUhaW+ + B342tjWJiRhcU96KCP91NAo4aiNeQ/UjW6EAbJ9BaPWwAod6f3nxBEVvg8pMlLOR + pdW6p/Bz4HmvNW+xXLyxUER+ynkOouCMVrb7/eSvzV1Lf2Yz6K8hVe2ehgyVz++v + sXl6KqMGu5FNJS9j07hXYgWzwk6M+IBBC/YcjQdZQys4IadS1QbtuQOuP3KJ3wwk + qa4wyHRxb7/3svBP+2vi7HvjizwiEdk7r4CRnrdUm0C7Qozy8UdFMFWMdPMIdL2L + tI2n71HASMmc7ekU4J45/d9MHqLUahO0wuTd7L4IvAsepZqY+uWuYBVoZW/vHc7S + WAGwfJ7/D8i3lbRP91TslhrCMdzrdzgAb/TLWAyKwSwPPzzf1dCLNp6yF4QRICwJ + d/yxpSHBVgShCN3qIsiryx4FtUCPRwzgY96delesewJOIzxwjByIvTY= + =vEEz -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted -- 2.51.2 From c2db0813e876763c76164552495bb2e2dfb409bf Mon Sep 17 00:00:00 2001 
From: kalipso
Date: Thu, 6 Feb 2025 13:37:46 +0100
Subject: [PATCH 23/33] [sops] update secrets

---
 machines/.sops.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 4ef6149..5fc798f 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -8,10 +8,12 @@ keys:
 - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
 - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- - &machine_durruti age1xu6kxpf8p0r8d6sgyl0m20p5hmw35nserl7rejuzm66eql0ur4mq03u0vp
+ - &machine_durruti age1pd2kkscyh7fuvm49umz8lfhse4fpkmp5pa3gvnh4ranwxs4mz9nqdy7sda
+ - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
+ - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
 - &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce
- - &machine_nextcloud age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr
+ - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
 #this dummy key is used for testing.
 - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
 creation_rules:
-- 2.51.2
From 7065b5d589ac93a2884300eecf51f0ea3d7c1530 Mon Sep 17 00:00:00 2001
From: kalipso
Date: Thu, 6 Feb 2025 13:37:54 +0100
Subject: [PATCH 24/33] [nextcloud] update sops key

---
 machines/nextcloud/secrets.yaml | 78 ++++++++++++++++++-----------------
 1 file changed, 39 insertions(+), 39 deletions(-)

diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml
index 0327a08..860d17b 100644
--- a/machines/nextcloud/secrets.yaml
+++ b/machines/nextcloud/secrets.yaml
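Review bot: Replacing the `machine_durruti` and `machine_nextcloud` recipients and adding `machine_infradocs` and `machine_overwatch` in `.sops.yaml` does not by itself re-encrypt the affected `secrets.yaml` files; each one needs `sops updatekeys`, and the following patch visibly does this for nextcloud only, so until the others are re-keyed the new durruti host cannot decrypt its secrets while the retired key still can. A line in the commit message naming which hosts were re-keyed and why (`infradocs` and `overwatch` appear to be new here) would make the rotation auditable, and since the old age recipients are dropped it is worth confirming that their private keys no longer exist on any host.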
@@ -8,60 +8,60 @@ sops: - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqSk9GWktrZ3FsRHpOcTJp - Y3VWMytTRlhxVXJma1puT1lMRTN2NHBNV2xrCi8xYTFWeVN6RWl0Um9mZXpoKzFh - SjVFcGJRNlhkVUZQYXpEb0EwYzUvUjQKLS0tIGEvdGdMRGxvcndxMllZTWZqKzg1 - aWlJOTdYV1JMM0dIWEFDSHRuQWdlcVUKsdwGZ3SkJEf4ALDhHUlSQJNKrFyWd7fW - WTGk66NJ2yD8ko/6OyB9J9U0WPbFLgr972H+klBq/IDmOx0hClbYNA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dCt1ZFR0QnRqVFdiL0Zi + VTR6Zy9ZTy9YNDBZaDRTZzJnU2ZKcjJ0MG1vCldpRU5tTzc1YU5KbjlDbXlNRjBU + Sm8yc0oyNWU1WHJoYTRvK3o4aGtTY2MKLS0tIE9wY0R0V3Vkc3Y1T1YwTkFTY0J5 + ZCtzbVdtNlh0cXpra2RWbEwzUDM0UjgKY3zZn5PUWuLBQgYxm9BUpLYWw3CdXYA8 + 4U6OVdRF6foj4/GrKKyhVf8dMbLbkhPvxqZ5wg40o6bwHEw9QNM+5Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1w07s4y2uh0xd322ralyyh79545lvxzqncd0s65q9cx4ttlqv5u9s7y78gr + - recipient: age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNzdib3Ztd0g0MlVqYVF6 - cUtjZzEyY2FJYVRoT1p5RlJwYVQwUXVOUkNVCkp4V3hMYlJsaVN4RjlwQXNWS1Jt - aitzWVdOcUdrNHorenZGZU1iWFZzVjgKLS0tIGNGcTU5OUJLM3VzQk1uODFwS1hO - WG16Y25tMDkreGFnSFRKN1AybyttYWcKcLHJScp2Ozh0jIdi7Hb/tSjaCGorqXaC - 9DIrQPHbPP1RIc6Ak8Kn30/BHEWV3VaiBCT3vfS9pNJQNjB4T+901g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDZaYjRTTDc0SFU2U2xQ + cUhESStvKzM5Z0QyZlJldURtRUJZTHhvNEFrCmxReGJ6MU9qdkh6UFVPYmRuQThs + VmVCMTQwc0xkR0gzemlSUVlnN0NCZE0KLS0tIDFtK041ZlF4VFBreHVacitSVEN5 + WXg4UkJtU2dTR3ZjeFYzR3lRODhLYzgKrO+NtT0Q3K8FgDwW0WiZJOUHwkEz+wp8 + lgBkXy2QJuuJ11f2e9ZJ3hx1xgOm6SMBmgl3zQVfVpq88yZE8uDe2Q== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-26T20:00:50Z" mac: 
ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] pgp: - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-06T12:36:59Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv/ejIylIgs3yeVcZriQTA8d/xyXTdFw6On422lTCDk3d0W - GOdV44vAzUzNX5tziQtLjectLUrKh9Qb9WaP4VnTCGI0XJ/dEtYRCkYMx8MjjbLl - 8GqFi3Hw958Uykp9wt0iiP6BQ42Fo77EPxVcn21eHKZY0zg/vaeRXXeXSzkjzANs - NN/KFS06uFRJhmp+0z6hDRrHnpb0wd5JGjHOp96jK9LmpwfZZZlVpAHp04hOhlPV - cMmdjg9IRSubvbraTbDrgwB0h3JKdqovFDnAP/KvT+rw5xnVUVMq/3tUNq4MbfZb - CvQrXsjQJQbEhY+eAJZVRO07kX0+zMvIin4ss7Xt++qlo4/OvFvuGbnUhJE+hrBb - nkyGhbDrjpsfa3djCEZ0UxMAWtPeIQ7T8QMkGY+UKeJKxfOGSchARnfCtGD/rtsj - wuhqGya7g7WP78WzwASzlPwB5jpdQ29/zLWXR60lNCYu0UYSVYmlspZnKEB0FkLO - TNUrwXXMrM0XwMVaG/sF0lgBEPE6CTuE85evCHFyu6zhEAa7YimKAPIowcwYLSJ2 - 46KfttJAYnRnb68Kk9N5xcFyvhKyTx/6eMdxkgr2LMoSTBDUgZfG3rDQC+ZbFE3m - bUOvx3Ho80EC - =oQd6 + hQGMA5HdvEwzh/H7AQv8DLbU8OaQmYtAjTPlqeg1nv+/z3gA16MTZjz8rRBqK695 + JaEbWoCJ2Nv5Mnzj7owQSk/+f+Q/d00osr4KOhQWTNoq1442MyWgIXKGPDmHgXv8 + CxFT3hIKMEFFvFtkSdo+HlBSTQJZtHgDSGabd2xd4e45tLnHsPvWQ4ngGn+piUaw + qz5+YIpmFNlnL9ubsB8NivryXlIL6wBXL83FyfAPnY+qG0/7frVWwP1Cejg1CGYl + bOYxgb1uPYIIqvvU9bZ4r46DfojFFGur9pwG/wKGOgIQ867vsXtRnNm6+SJIHeyt + eNqil3tee++V4VVUrDTf+gWufx9YFS/afRgMKuf1pUvQGTBMbUJNhIp+PjpOSBCk + Kk6uyMWrBhiCpAVU9GKFW1AbDBCgUig2sLIUGOrfb+RkzDLX4pEoa9DVVDC2pRVy + F2fjEEbPAZepsPFNbgDyaixv+FeA5oWWiBnA7qO/v8t142UOtqBcexUZjBYYgRmt + c0S+lTk//xEip9wYvY6W0lgBOLqEUEiLg1tw0xvt9H4R9aGNLkCyvUediwuAbfw4 + bGha9PTckYpnKN589xxsDMqbQ0Vn/rxeSzC7RT+qtjUg1gDbDJQTZdYr0+//e0YV + xRvlnfPW9voB + =xqAk -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-01-21T21:04:08Z" + - created_at: "2025-02-06T12:36:59Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUAQ//eu7YkPL7dU4AYWCZI7THsiJ51SOMahOXp/qC5yL18aZY - r4SpyNhFezGIJfMuhwBSZZBI/MNW6M+zMwIJ2wkioxUDnDvfVi10/cV6p85U75Jn - 59e1afN+eekG2DCI6sWPmLy8jmYh4CQRdEurtfzquDOARZ4IHZjotP5AWI8OPHlM - FdK2jGXFVevQY0m619CNm78D2NEdlGe1QtLVSazWQ8MsDLfMnHTYFUy3EoSihzat - QkcR//8whzlLT/NcqKlnBDNBU7FvPov+ZdUmIw1mx2wp5f2sGp4m737Yhoey2aFL - qLXHDc91nVRcw95FBDNYlSH8a2AzT4sm4vFR5EkC6vrfz+v1pdg1Fc3dc++hPgE0 - MYWn6f4v8lDhPhw2kpmAP4Oz4uPdmPgdfXKiIzr7qf3O5lIC6ZIIwoqhj2f0odj6 - 7anDUN5C3B5ruFU3UNJEBLrZelbmg4zf2hAtzfoi0L9paIZX5SCLP3PDbvdRbADc - oyC3Gw/DeddQ9ZeP+wYiwJ/614zRBmZRzQr9RFowf0gJBSS7TaWPCONfUJ/3eekX - or8JpLTD5PMQNoS0L4S41Cj+yOg/AlmHF/9yvj1GVTKT9rBj3Snki9NOmY2ZUQo3 - BDdnsftA3w4q4iu06ojQkrjn/FJjmNzb83XR2WxrHFUAaY//nISyY/9uTsEhwFbS - WAFlKfmyVc7nLBI12i0yWLLy/tcVF3c8gtGfNmyoe/RIr+6EQmzUi0v+X49Tnzpj - 8JAnE+4Jzm2ijqF4Ats5KoXqFiLUenJZQHJ3IFoI36n+hM4P/ICeZ4k= - =s9pl + hQIMA98TrrsQEbXUARAAqGyBZLrJ1UpiJKIbQSTQpKA7bRD7olMczjh0Bx1fTN0U + bctdfIGVvdp5pM1C6xbvubNqAMEisQ1tMVozDkXCnLARTwcaq6lyE9vl3gJ1iF1Z + N8SbxVTYV1SXg3qokyBsZIggQ6gJqAr62Pyoansp4HfwwFwYohwR2zTfHJ8pFkkW + R2FfEI2Gw5nN4GaauIxUGFDPuvvZapCWZ/ejt4s/ezT9cYrwYfu9XIlqsivsi3yp + I03ohKS/pKhxlE7RV2ufRboG+m6TUCnyj5U5AzQa09hkSHd94s9A6M8I6M6zWebv + pdX73sCjWZQdIZoeM5oXcyY/s/h4/w37loOUE/thh1+hIjybAG0CH31nJkjcdcLg + l/fqTLa89JVt37bU9c/hVsx2Bc1cTO7nqhG3kyahkMSLFrsb73yTNn4kOqSKZ7+z + 189oR0EjNySgRt+M20vjKzhPbjxxQTKlpTE0vho6fEHYRmzPQ3IQbVUbPEbZR64I + S+Nk7m95ZV8djaUOwqqU9pwDTvuYIBwhGOY1kefDg1sCCTM8C9RI9sG02HeQpme3 + bgkO+m4khXeiiIrTAODiyM+GCwx6UcwooUSpu8LZJmhiZtfgMsFdGF3P7ngtoOEQ + 4cxP231EI/zoMqRyXYrvAovxXndwghG0LGcCAZZL6mNN2xzE6z1gesVWRjXM8inS + WAFB7DgLTlY43D4QbhkyZfo6XltYe1g1tcJJraG/HICa7hq5BZn48t/BcacCvsrJ + lIkEgOT8gn1SlQbDL+T+3pRNOixGKPNU6Ategoy+Eq0Im3AhE0XO8Ns= + =Uvc2 -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted -- 2.51.2 From 4e5b402115a5e7e0935a86c20fdbfe2e0e3fe291 Mon Sep 17 00:00:00 2001 
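Review bot: The re-key left the file's data key in place: `lastmodified` and the `mac:` value are byte-identical before and after, and only the age recipient and the per-key `enc` stanzas changed, which is what `sops updatekeys` produces. That is adequate if the old nextcloud key `age1w07…` was simply replaced on a rebuilt VM, but if it was ever exposed, whoever holds it can still unwrap this same data key from the previous revision in git history and read every value in the file; that case needs `sops rotate` (a fresh data key) followed by changing the secrets themselves. The same pattern appears in the fanny re-key of patch 32 and the nextcloud re-key of patch 33, where `mac:` is again unchanged. Stating in the commit message which of the two cases applies would save the next reader from having to check.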
From: ahtlon Date: Sat, 25 Jan 2025 01:21:05 +0100 Subject: [PATCH 25/33] [nextcloud] add some attributes --- machines/nextcloud/configuration.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index eea2e2d..e577bdd 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -55,6 +55,12 @@ with lib; }; settings = { trusted_domains = ["10.0.0.13"]; + "maintenance_window_start" = "1"; + "default_phone_region" = "DE"; + }; + phpOptions = { + "realpath_cache_size" = "0"; + "opcache.interned_strings_buffer" = "23"; }; }; -- 2.51.2 From 015a07c1f2ea18529b375f9d953ee177a42e17d5 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Tue, 28 Jan 2025 12:19:53 +0100 Subject: [PATCH 26/33] Fix #67 --- machines/nextcloud/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix index e577bdd..a2cacdf 100644 --- a/machines/nextcloud/configuration.nix +++ b/machines/nextcloud/configuration.nix @@ -37,6 +37,7 @@ with lib; hostName = "cloud.malobeo.org"; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; #https = true; #disable for testing + datadir = "/data/services/nextcloud/"; database.createLocally = true; config.dbtype = "pgsql"; configureRedis = true; -- 2.51.2 From 4ea8af2523d042268a4992bfe0190375960dff29 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Thu, 6 Feb 2025 15:40:25 +0100 Subject: [PATCH 27/33] Add microvm data dirs (untested because virtiofs mounts currently dont work) --- .gitignore | 1 + machines/fanny/configuration.nix | 5 +++++ machines/modules/disko/default.nix | 4 ++++ machines/modules/host_builder.nix | 7 +++++++ 4 files changed, 17 insertions(+) diff --git a/.gitignore b/.gitignore index a2fa571..8bea5d2 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ result .direnv/ book/ fanny-efi-vars.fd +nix-store-overlay.img 
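Review bot: `"maintenance_window_start" = "1"` stores the hour as a string, whereas Nextcloud documents the option as an integer hour (0–23) and, as far as I can tell, the NixOS module passes `settings` values through to config.php unchanged; `maintenance_window_start = 1;` matches the documented type, and the key needs no quotes (only `"opcache.interned_strings_buffer"` does, because of the dot). `"realpath_cache_size" = "0"` disables PHP's realpath cache entirely; if that is deliberate for this layout, a comment such as `# realpath cache off: <reason>` would stop it reading as a typo for a size. The enclosing `services.nextcloud` block starts and ends outside the hunk.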
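Review bot: `datadir = "/data/services/nextcloud/";` places the data directory under `/data`, which patch 27 turns into a virtiofs mount for the microvms, but nothing orders the Nextcloud units after that mount; if the mount is late or absent (the patch 27 subject says those mounts do not work yet), setup will create the directory on the VM's root filesystem and a later mount would hide it. Adding `systemd.services.nextcloud-setup.unitConfig.RequiresMountsFor = [ "/data/services/nextcloud" ];` (and the same for `phpfpm-nextcloud`) ties the services to the mount. The enclosing `services.nextcloud` block starts and ends outside the hunk.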
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 748396e..f6af913 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -57,6 +57,11 @@ in }; }; + systemd.tmpfiles.rules = [ + "L /var/lib/microvms/data - - - - /data/microvms" + "d /data/microvms 0755 root root" #not needed for real host? + ]; + malobeo.initssh = { enable = true; authorizedKeys = sshKeys.admins; diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index 6174bf3..9ffd02c 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -252,6 +252,10 @@ in type = "zfs_fs"; mountpoint = "/data"; }; + "encrypted/data/microvm" = { + type = "zfs_fs"; + mountpoint = "/data/microvm"; + }; reserved = { # for cow delete if pool is full options = { diff --git a/machines/modules/host_builder.nix b/machines/modules/host_builder.nix index 772ce49..c75f6f0 100644 --- a/machines/modules/host_builder.nix +++ b/machines/modules/host_builder.nix @@ -70,6 +70,13 @@ rec { proto = "virtiofs"; socket = "var.socket"; } + { + source = "/var/lib/microvms/data/${hostName}"; + mountPoint = "/data"; + tag = "data"; + proto = "virtiofs"; + socket = "microdata.socket"; + } ]; interfaces = [ -- 2.51.2 From 4fc2eff84a6bad4b4dd53b48f81ecefcae2bc73c Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 6 Feb 2025 17:36:25 +0100 Subject: [PATCH 28/33] [disko] no encrypted swap when encryption disabled --- machines/modules/disko/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index 9ffd02c..e8770f6 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix @@ -102,7 +102,7 @@ in mountOptions = [ "umask=0077" ]; }; }; - encryptedSwap = { + encryptedSwap = lib.mkIf cfg.encryption { size = cfg.root.swap; content = { type = "swap"; -- 2.51.2 
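Review bot: The host_builder hunk exports `/var/lib/microvms/data/${hostName}` into each VM, but neither that hunk nor the fanny tmpfiles rules create the per-host directory; only `/data/microvms` (via the `d` rule) and the `/var/lib/microvms/data` symlink are provisioned, so virtiofsd for each VM will presumably fail to start until its source directory is made by hand. Adding a `"d /data/microvms/<host> 0750 root root"` rule per host — or better, generating those rules from the host list in host_builder so the two cannot drift — closes that gap, and would also let the `#not needed for real host?` question be answered in code instead of a comment. On the host the `0755` parent lets any local user list the per-VM data tree, so `0750` is the safer default for a directory holding service data. The enclosing `shares` list in host_builder starts outside the hunk.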
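Review bot: With `cfg.encryption = false` the `encryptedSwap` partition disappears entirely, so a host that sets a non-empty `cfg.root.swap` silently gets no swap at all rather than an unencrypted one. If that is intended, a comment on the changed line, `# swap is only provisioned on encrypted layouts; unencrypted hosts get none`, or an assertion that `cfg.root.swap` is unset when encryption is off, would make the trade-off explicit. The enclosing partitions set starts and ends outside the hunk.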
From f9a8a27f9d278c8a16841dd890ee389059ec9ef3 Mon Sep 17 00:00:00 2001 From: kalipso Date: Thu, 6 Feb 2025 17:37:00 +0100 Subject: [PATCH 29/33] [fanny] more ram and cores for vmVariantWithDisko --- machines/fanny/configuration.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index f6af913..075db24 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -20,6 +20,13 @@ in inputs.self.nixosModules.malobeo.metrics ]; + virtualisation.vmVariantWithDisko = { + virtualisation = { + memorySize = 4096; + cores = 3; + }; + }; + malobeo.metrics = { enable = true; enablePromtail = true; -- 2.51.2 From 8a998e7068c276afd7f1e42b2fe1638ba923bdd6 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 11 Feb 2025 18:00:43 +0100 Subject: [PATCH 30/33] [nixpkgs] update --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index dcad527..9d20960 100644 --- a/flake.lock +++ b/flake.lock @@ -109,11 +109,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1736905611, - "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=", + "lastModified": 1739104176, + "narHash": "sha256-bNvtud2PUcbYM0i5Uq1v01Dcgq7RuhVKfjaSKkW2KRI=", "owner": "astro", "repo": "microvm.nix", - "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b", + "rev": "d3a9b7504d420a1ffd7c83c1bb8fe57deaf939d2", "type": "github" }, "original": { @@ -160,11 +160,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1736978406, - "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b678606690027913f3434dea3864e712b862dde5", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { 
@@ -192,11 +192,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1739020877, + "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "type": "github" }, "original": { @@ -208,11 +208,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736916166, - "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=", + "lastModified": 1739206421, + "narHash": "sha256-PwQASeL2cGVmrtQYlrBur0U20Xy07uSWVnFup2PHnDs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a", + "rev": "44534bc021b85c8d78e465021e21f33b856e2540", "type": "github" }, "original": { @@ -245,11 +245,11 @@ ] }, "locked": { - "lastModified": 1737107480, - "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=", + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", "type": "github" }, "original": { -- 2.51.2 From 5b1ee218a1a767756662fbf41f2835e954391d72 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 11 Feb 2025 19:31:37 +0100 Subject: [PATCH 31/33] [disko] fix dataset typo --- machines/modules/disko/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/machines/modules/disko/default.nix b/machines/modules/disko/default.nix index e8770f6..7911beb 100644 --- a/machines/modules/disko/default.nix +++ b/machines/modules/disko/default.nix 
@@ -252,9 +252,9 @@ in type = "zfs_fs"; mountpoint = "/data"; }; - "encrypted/data/microvm" = { + "encrypted/data/microvms" = { type = "zfs_fs"; - mountpoint = "/data/microvm"; + mountpoint = "/data/microvms"; }; reserved = { # for cow delete if pool is full -- 2.51.2 From f3d2d6aec55bea571b4c546210756f531de27c93 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 11 Feb 2025 19:33:02 +0100 Subject: [PATCH 32/33] [fanny] update sops key after reset --- machines/.sops.yaml | 2 +- machines/fanny/secrets.yaml | 78 ++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 5fc798f..d3af0e2 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -12,7 +12,7 @@ keys: - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0 - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - - &machine_fanny age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce + - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng diff --git a/machines/fanny/secrets.yaml b/machines/fanny/secrets.yaml index dd23b25..37dfc12 100644 --- a/machines/fanny/secrets.yaml +++ b/machines/fanny/secrets.yaml 
@@ -5,63 +5,63 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1f53q3kkv0qsarlrkdaddjchdzckp5szkv4tu9kly7slkwd966sfs3vccce + - recipient: age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTmFmVEd0cjY1QkJNRXRQ - NytpanU0UzF5aXlhRklJbW5yOExrbVFoREFjClRlVGVhOHZ2OW56Z21NU1FjaVFh - ZnJHZk5mV3ZKQm84M0Z6em14akc4Rk0KLS0tIHRMQTdOZTVvNUNoM29tZ2Nockp6 - VUJFMEpxb0Y4WlJhZGZPTk54ZXhIMEkKPwkXj7gRlIZ9aYGNlX+PdZa9BcaHt1G6 - DVNxfuYvecprnQWQ+pjVGzm8j78p7HpAcmJ/Aue3FTYo6S/vyEmK6A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2ZFBYMHMzTFRMLzhCbnBE + MXkreklWSUVOckl5OTJ0VzlWS2tIOFBRRVVJCk90OXJoMHQza0hTSGt5VUphNjY1 + MkFrTHQwTHJNSGZjT2JOYXJLWExwQTQKLS0tIHlTeVgvRlU0MXA3cUl2OE9tYUls + TStjbTBkMTNOcHBja0JRYUdvSWJUN00KtOPBH8xZy/GD9Ua3H6jisoluCR+UzaeE + pAWM9Y6Gn6f7jv2BPKVTaWsyrafsYP7cDabQe2ancAuuKvkng/jrEw== -----END AGE ENCRYPTED FILE----- - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbzF1WW82MlB3N2tmVjVa - UGlLaThRUFNQOVV0d1ZxK2hJTE1pSGVoV2hVCis0UW41cXRVaC8yWGdCUEVaZjFM - MmViQXJrV3pTNzN4aDNpVCtYNmdXUjQKLS0tIGZsYTRwUDI2YWlMNjBJY2ZNREVu - ZzI3MWRLZ3lseitrQ0YrZ1BuM3BacmsK1gbJH+Qs6sTLrSZSUJtnvUNmbLNnPWVT - WOs8Pxf6ROYmstcF8yEGHxbVesWn0jMbC4aIAZOIyglh+6glxsbnpw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhc282T2VVamFGcG1Ub3hp + S1VwKzVsWW1sRXczZnRNdkxDWE5Sd0hhVUJRCkovNGZ1ZlN0c1VyMXV0WThJMGFi + QVM3WW5Eam81dWpGaFd3bm80TmtQSlUKLS0tIFFSUy9SYWdKeE5KWk0yZld5dDYy + QVZyNWVOMTh3ejBha21Qb2xCRkFERGMKH9nMQUoS5bGcLUx2T1dOmKd9jshttTrP + SKFx7MXcjFRLKS2Ij12V8ftjL3Uod6be5zoMibkxK19KmXY/514Jww== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-14T12:41:07Z" mac: 
ENC[AES256_GCM,data:RJ4Fa8MmX8u8S3zrD/SaywTC3d2IfHQPBDy3C9u4GuXJ/ruEChAB1kN8rqMPvkmET8UUgHIEp7RpbzMtg/FOmKYKYTTx5t//3/VozvAEZurhG/4mnN3r6uaZ0R9+wSjym8IyOKsJ7p4XrfE5tRdzNyU4EqfkEiyf+jO751uSnYI=,iv:eiTdmbcrpUvyDPFmGawxJs/ehmD7KqulaoB+nfpC6ko=,tag:+TKr53cFS3wbLXNgcbZfJQ==,type:str] pgp: - - created_at: "2025-02-05T15:31:49Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv9FdyMi1hVqhXAHEIjv5hiCw+l+OU+WomhmQTNue3pfgLi - eP15nIqjOg4H+akley0alE5ZL7AU/x5catwmd+JqG3p+j4v3z4GGgpgob6srxhRR - jcSZZZpOi5kMdvayX90Mm1zbzTSdxgHcI7tOtnr00kuUfkvTNyYP8ofvb19OZ3sS - ednM9E6h+qfCI+R2iv0WcyF0UXS8vExCl5djL4kV/gzc8iQz5qm1f67xem7kiN8M - dJZMmAkGSbSzCx/czqZ7pIB5LCmnGmLeYNBoMXdnj970dJrJ6/1DZqQNq4mkE8PG - odn7U4dq37pfpp8LJR9XZuCuQ2TbW8WqczQ3l2u4hqQNhHNRGDB/FGJrkn31BirN - Mwbb7UJQYQR5OzGwHTigpXDJnrf9j1CyAxbx3TrSHBrh63eVgUs1+mD9SUj6vVN7 - aBb8Y1M/cPiDyo2dpsa5lG6hzDQzlpBuJI4a8kN9JVTbcwYuWECx2kTGnZDBW+xf - KPNPrNzZmhIyZXMjPuK/0lgBuskgYg3sLqGgwUMisKCV56yRJr0zCoje3XWY6X2y - J7F0+/R3ESt98Za/qs4PG+U5oOXsUVlDZK0D+zVvnunJLOP/fT2yu4YoCZxy9Y6I - HbJzEdNC98ow - =nYXr + hQGMA5HdvEwzh/H7AQwAmorRyo7mguHQxATRRuKstaXertmyz2AhKFr1Kr880vBJ + ODjEKmkH77wIpOnZjOYrx7j2JWosoJ1KgsUUh4VlAPM3O6cXVwqDucu1d8O/HzK3 + RPuPfTKDr/lKl7QyQCx5lQuxE1/qn88D/g/fMQYu3NAVJa7acpTdSsfyo9nZ3QMb + ly6YEyGDc/IhBy5igc7bIWy1o+XATmyUxA+jZVMLiBKhetogMC507Eq71tUCMEht + CItRoFFPeoCzC8JPjpQNQmXoe5WDv3hzWpUBRJgjScYz3JuEfakbsAnzrPc41Mga + yPhSPYPBtHlEt+DntW9i/CFLEJ+I0V+uz3gnNtNdHTIIe2AZbGympjZldZThldb3 + Tupo7ep6VQgi+hG37wLmQdvSVWR8lVJDMvOmV9xZqdFYfQdBr2gewTT6Y2QCc8GZ + HBtJASlpIbydd/rtLtaTwtdOz64g+F5Vw/6T3ciyExt6RCoPALqZCoyzQnvnQm7e + JPPauAs8BH8ejoDlJYjK0lgBBMSJTZ2xlGYh4wG8zmGtGok2wvXYy+DeqlXuCIy6 + 7Xu4BLTL9eOZZo0sPR+RQfYbII0zMIc2fPBtU2c2z89YOTI44FI0BVbTlhLIIXXz + NJMDln08MWwr + =hhKC -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-02-05T15:31:49Z" + - created_at: "2025-02-11T18:32:49Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUAQ//b/vbXzTW+NgmpAfTEkrha0OeU3w4UEwejZVYJeFcTHrS - nOh1W/a4pMNJ0n/xabGkwJs1o1CPEcV8ctta6OgwiXLFmfuVDYiT4YZw2zUML8kd - umCgGFcCq5xjxIVbY7GXz/Grv+cJa6JfdQirNRoaDFvhgZxinAcuOhlb01pmf4o2 - frGrbCvkbDU/OLjMkfakUT87tZh6wfhlT14FABpZNrDHl7mpEvNH/prUMzj87ZME - g1OkwdjC7sBXngPQjstgMeZmLfsXVhDlhPIPi2kh6LUCdDFkadOZG9+dMf5HpTPW - v69CKJyzK8WcH5RoksYgYuACIMRO1VXfIpm6sJqHn2gXc/6CsiST7ofvGtBUhaW+ - B342tjWJiRhcU96KCP91NAo4aiNeQ/UjW6EAbJ9BaPWwAod6f3nxBEVvg8pMlLOR - pdW6p/Bz4HmvNW+xXLyxUER+ynkOouCMVrb7/eSvzV1Lf2Yz6K8hVe2ehgyVz++v - sXl6KqMGu5FNJS9j07hXYgWzwk6M+IBBC/YcjQdZQys4IadS1QbtuQOuP3KJ3wwk - qa4wyHRxb7/3svBP+2vi7HvjizwiEdk7r4CRnrdUm0C7Qozy8UdFMFWMdPMIdL2L - tI2n71HASMmc7ekU4J45/d9MHqLUahO0wuTd7L4IvAsepZqY+uWuYBVoZW/vHc7S - WAGwfJ7/D8i3lbRP91TslhrCMdzrdzgAb/TLWAyKwSwPPzzf1dCLNp6yF4QRICwJ - d/yxpSHBVgShCN3qIsiryx4FtUCPRwzgY96delesewJOIzxwjByIvTY= - =vEEz + hQIMA98TrrsQEbXUAQ//cBdyq4JxOhU9t7Z9iWAp2DRObgv7HMbhIXh1351wuzA7 + Fe0Kqcoo/ekCkIPrLZOC5z4CMjXwOCPSncMMm5vK5ibixTlX9446+Hv7AQ1vq2Nt + 2daL8ZzpCeCJmi07Vyp72/NJOZYa6YY/gFiiRw044lNLFS//b0sYkipne5COjvca + I7BxWCpGwLLWZ7LNKhg6i0at+0AqEdBDiwSE7jfeY6IL9tPOIqmBxYIWMbiAkPMd + /nK8PVPrt41NkJkuxfjXcYowJRcJmAYHGiRUQaAkUZyRQxmolbLwwJ+/CVYxv5Kk + hN5QvT82z5I8gK5LXrt3ZGEcC9dADkRSQr/qcWQT+CEnsGZi8b0unwUZZruDVb7d + eIwICaXu62gH/mlJN1z/J5jEciwQtC9Eh932x5qY3sdtd6Gm7/EHTf9NJ9Zg3gTk + nfytwpfUmtJO/bI5RvYSUkXkU6CLY6bqRW12+YrsAP+vDITYcLVEJGt7jrXDFto2 + Z9rlywZsQiZhLrzi1UImCTthcceI6Hd7l3TOYV84gMxdahBo3FLKnoZRK2I7ukGq + Wi0KjajcsJ6LBUCCpMg/tW+TT8/+66QY9BDzcv/hBdRc4lCKNeKDwwGFPSFZCcib + uyT8UB6iUYVMiNSHRqdGGcH0NwH45Oe2g9nF/lrJ0vYw1toN3WSpEc5v/Nch8DbS + WAE3DazXQgd4UQ19q+5cC+L5POWcAjgWpZlRwBXBRdeOKFDF9maCPL6MpfMm6XG1 + /JNfzhipjL5OXgJgK7iUFJlH9AuD18g/by7yID0bTsg2fkfLglwjfm8= + =Sdch -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted -- 2.51.2 From f346ba6f247c5d9236d9162c1fcfb4643e38be82 Mon Sep 17 00:00:00 2001 
From: kalipso Date: Wed, 19 Feb 2025 15:35:14 +0100 Subject: [PATCH 33/33] [sops] update keys --- machines/.sops.yaml | 8 ++-- machines/nextcloud/secrets.yaml | 78 ++++++++++++++++----------------- 2 files changed, 43 insertions(+), 43 deletions(-) diff --git a/machines/.sops.yaml b/machines/.sops.yaml index d3af0e2..c919312 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -8,12 +8,12 @@ keys: - &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2 - &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db - - &machine_durruti age1pd2kkscyh7fuvm49umz8lfhse4fpkmp5pa3gvnh4ranwxs4mz9nqdy7sda - - &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se - - &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0 + - &machine_durruti age1arwef7t65lz40lxhs5svyzentskjzam3e0e0yxen872vwy6v234s9uftvr + - &machine_infradocs age15rqsygf7yfe6pv6t4c6c9jc6yk4vu5grmmcu7sexvqfw8763mf2q6qw50h + - &machine_overwatch age1075ep3sl5ztshnq4jrygxqqqfts9wzk4gvvtwfjcep5ke8nzqs5sxtw7vd - &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh - &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk - - &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k + - &machine_nextcloud age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk #this dummy key is used for testing. - &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng creation_rules: diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml index 860d17b..01c7c15 100644 --- a/machines/nextcloud/secrets.yaml +++ b/machines/nextcloud/secrets.yaml 
@@ -8,60 +8,60 @@ sops: - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dCt1ZFR0QnRqVFdiL0Zi - VTR6Zy9ZTy9YNDBZaDRTZzJnU2ZKcjJ0MG1vCldpRU5tTzc1YU5KbjlDbXlNRjBU - Sm8yc0oyNWU1WHJoYTRvK3o4aGtTY2MKLS0tIE9wY0R0V3Vkc3Y1T1YwTkFTY0J5 - ZCtzbVdtNlh0cXpra2RWbEwzUDM0UjgKY3zZn5PUWuLBQgYxm9BUpLYWw3CdXYA8 - 4U6OVdRF6foj4/GrKKyhVf8dMbLbkhPvxqZ5wg40o6bwHEw9QNM+5Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cFBEempENHlXNnhNb1d5 + UitGNFliTDliZUdCSVBPRUVEWDc1Skw3N2xvCkFoL01DL2ZmWHhoMHV4TGdhaFdH + bG9XdUQ4ano4VjRxVTloNnl4OHJ6dkkKLS0tIDJvK2ZjNVhYZ1FkQTVWWjBhSFlt + R1Ixc3pWNFMvUVl0M1NsZ0txRXFMTkkK5aDgbCd13gAfZUrROnwRHgyXvIF67o1W + EzEFyhWatq2KKzv6VoJSFnvEx5lMPSs0LLvOK2qgrsz0jWdy6yUkAg== -----END AGE ENCRYPTED FILE----- - - recipient: age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k + - recipient: age19mn55pz5dgeghjg5cp7mymwax20jshmp8gwzuf2s3h5xlvzjksyqfscsqk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDZaYjRTTDc0SFU2U2xQ - cUhESStvKzM5Z0QyZlJldURtRUJZTHhvNEFrCmxReGJ6MU9qdkh6UFVPYmRuQThs - VmVCMTQwc0xkR0gzemlSUVlnN0NCZE0KLS0tIDFtK041ZlF4VFBreHVacitSVEN5 - WXg4UkJtU2dTR3ZjeFYzR3lRODhLYzgKrO+NtT0Q3K8FgDwW0WiZJOUHwkEz+wp8 - lgBkXy2QJuuJ11f2e9ZJ3hx1xgOm6SMBmgl3zQVfVpq88yZE8uDe2Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc3BSNVdqSTNYZSt4c05K + TnpuYXF1L2lzQkdZOS9uUnA5aUpGTldWZVQ0CkZvN2hubmwvUW5xUWhtaE0xMzlp + U3dpRHlmdU5UVG1nTS9XUVpTSjdQQ00KLS0tIC9sWTBOMStOYis1SDhLbjFlVk1F + M2dYNEpmWmxyeXU5S0FuV083NkVaQ3cKXuGyR0YQy+22z2kgM7IPhr0gurWQYczm + FA7C/2hoqb4tyyejomitndBSyxIxnaReO0Apl6JXeTLor8Dpuu42oQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-11-26T20:00:50Z" mac: 
ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] pgp: - - created_at: "2025-02-06T12:36:59Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - hQGMA5HdvEwzh/H7AQv8DLbU8OaQmYtAjTPlqeg1nv+/z3gA16MTZjz8rRBqK695 - JaEbWoCJ2Nv5Mnzj7owQSk/+f+Q/d00osr4KOhQWTNoq1442MyWgIXKGPDmHgXv8 - CxFT3hIKMEFFvFtkSdo+HlBSTQJZtHgDSGabd2xd4e45tLnHsPvWQ4ngGn+piUaw - qz5+YIpmFNlnL9ubsB8NivryXlIL6wBXL83FyfAPnY+qG0/7frVWwP1Cejg1CGYl - bOYxgb1uPYIIqvvU9bZ4r46DfojFFGur9pwG/wKGOgIQ867vsXtRnNm6+SJIHeyt - eNqil3tee++V4VVUrDTf+gWufx9YFS/afRgMKuf1pUvQGTBMbUJNhIp+PjpOSBCk - Kk6uyMWrBhiCpAVU9GKFW1AbDBCgUig2sLIUGOrfb+RkzDLX4pEoa9DVVDC2pRVy - F2fjEEbPAZepsPFNbgDyaixv+FeA5oWWiBnA7qO/v8t142UOtqBcexUZjBYYgRmt - c0S+lTk//xEip9wYvY6W0lgBOLqEUEiLg1tw0xvt9H4R9aGNLkCyvUediwuAbfw4 - bGha9PTckYpnKN589xxsDMqbQ0Vn/rxeSzC7RT+qtjUg1gDbDJQTZdYr0+//e0YV - xRvlnfPW9voB - =xqAk + hQGMA5HdvEwzh/H7AQwAkNhF9L1ocTsJRDyIA+0y24gtvRKAZhSRwds2wvTiBkPS + jzse8z4wY2yWz/JbEgqJqeFxJCaE64oc+2dETJIl2IsiRBDlXKfpL4yfRV+P6Ffu + DQfAR57hKIYa9emx+iFGoDMpRSuuLg4EGDoe1tmAu2OwLhKsqJrbL1ak88GB7/ko + gFk02AF/QYuEetc7R0pZPxB6n1HQGBrvqAFrnHEsxw2rR7I4kNYpEzyf0IuGHfB1 + 92WfYtdYSni7cqmTPV+t+k6P1VcJe6GXdlQnHk2pByqC2WrcrP+MtaAMkmWqxU72 + AGarWEV2bnXmBsM5LcOQF6Mbui9tpEBE0O3lMlzUNXoVYHpOczlqdWkqh/y3Ea8V + bnHcaLQ8XubRyccK4JYZ4AIMJVPlVcnXdjZ4VFJwjRzGrllorq4x8L0niv60HV/g + akxsjW1DPnJURNFacT3JYF+PsN+hpj/ma2k8qUTX5wFVJy3Gm0psVYqE5901ivBA + yg7mfiftchDvIeGQR8tE0lgBZrJbf/SjpVdawq7DORFVxkaNeoSAxOkCnqZ5kc7C + w6zfxABWvwz73QM0AqfNzjkyswGk7N/09Zpj4BvjbbYuAfvIdiVVDHRPez/qWjnB + vkt9aLXFepLl + =4LVt -----END PGP MESSAGE----- fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: "2025-02-06T12:36:59Z" + - created_at: "2025-02-19T14:34:54Z" enc: |- -----BEGIN PGP MESSAGE----- - 
hQIMA98TrrsQEbXUARAAqGyBZLrJ1UpiJKIbQSTQpKA7bRD7olMczjh0Bx1fTN0U - bctdfIGVvdp5pM1C6xbvubNqAMEisQ1tMVozDkXCnLARTwcaq6lyE9vl3gJ1iF1Z - N8SbxVTYV1SXg3qokyBsZIggQ6gJqAr62Pyoansp4HfwwFwYohwR2zTfHJ8pFkkW - R2FfEI2Gw5nN4GaauIxUGFDPuvvZapCWZ/ejt4s/ezT9cYrwYfu9XIlqsivsi3yp - I03ohKS/pKhxlE7RV2ufRboG+m6TUCnyj5U5AzQa09hkSHd94s9A6M8I6M6zWebv - pdX73sCjWZQdIZoeM5oXcyY/s/h4/w37loOUE/thh1+hIjybAG0CH31nJkjcdcLg - l/fqTLa89JVt37bU9c/hVsx2Bc1cTO7nqhG3kyahkMSLFrsb73yTNn4kOqSKZ7+z - 189oR0EjNySgRt+M20vjKzhPbjxxQTKlpTE0vho6fEHYRmzPQ3IQbVUbPEbZR64I - S+Nk7m95ZV8djaUOwqqU9pwDTvuYIBwhGOY1kefDg1sCCTM8C9RI9sG02HeQpme3 - bgkO+m4khXeiiIrTAODiyM+GCwx6UcwooUSpu8LZJmhiZtfgMsFdGF3P7ngtoOEQ - 4cxP231EI/zoMqRyXYrvAovxXndwghG0LGcCAZZL6mNN2xzE6z1gesVWRjXM8inS - WAFB7DgLTlY43D4QbhkyZfo6XltYe1g1tcJJraG/HICa7hq5BZn48t/BcacCvsrJ - lIkEgOT8gn1SlQbDL+T+3pRNOixGKPNU6Ategoy+Eq0Im3AhE0XO8Ns= - =Uvc2 + hQIMA98TrrsQEbXUARAAmoHJ3i2vABDamIF3Nj6uuawarW+KKjzrIfYvAmWW4fgz + zVAquTl1Oculhv+H4eVuylNUM5kwyCkM/VAxy3KoSNZn6aGZVDuns70r9lbNC1R8 + +diYAIe33rE3h6/Rw74RgOXUgNalONeoBWbIUuG+y9XOIfu7CBoUeGJct4ycYH0h + bn5iI0e4myDldmSc7OYnyruQMYg9OcKBnQPTZl1qzTqpwR6/BnIhWJcItuc3W5rv + aEunQ8lVyNxhGWMDwFucUJ2WbxkOFOFWPrLGXtsUg/I32aCUNR6X/HnYUezqCoSA + SFJAsaPkBr07o5Be5D03m0s5ryktQUdAElyDaz2Sgc58re9mtYKBAf4P4fKD5Zx+ + TJJGr6dmtb28Nxb5mbMroKbTit92NHHatXfz/YrZ1JyCHuINZ5Sq01TGhx6y71Uj + 0Afq3S2la+85UYRsQ5g9q6jM8rBHjm9AdcUkWA1chtn6elAUG8J0B+DUYYwcrMtp + YWFaKNHT09FRn4TcgE50Wgn9lX2RZ03viBbgCvDBLh3fmzl+dU1DsFdwuYmbgOeO + B6SQ2+SF3VVR7vAn4oPKydztCfYmb+38sCQl/FtZdP1RRW150fXtUx7aAzWGsLhq + AObrNp0uMeCBHtpWctwFR1qssfRD3DHkI59MqoGK7ehDtBS6hzayjJp8sTiqCTzS + WAH/vMH2cvGN3q9mr73bBqHBxAL+ANWxrDvQmM4xwbLxET24ULnsC35bn4psWjTN + Y3aQqzhaZdYOki09fLENaYl6BMeIcfBx4qUrgfQKLUNqGV5fvVuXJUc= + =/V5O -----END PGP MESSAGE----- fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 unencrypted_suffix: _unencrypted -- 2.51.2