From 61ab5f0f5881f2a06c15672df8b047179ac9c480 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 4 Sep 2024 11:25:02 -0500 Subject: [PATCH] Rascal tailscale and beefcake connection declarative --- disko/default.nix | 7 ++++--- nixos/beefcake.nix | 7 +++++++ nixos/rascal.nix | 4 ++++ secrets/beefcake/secrets.yml | 6 ++++-- 4 files changed, 19 insertions(+), 5 deletions(-) diff --git a/disko/default.nix b/disko/default.nix index d5cc0a0..ae73e3a 100644 --- a/disko/default.nix +++ b/disko/default.nix @@ -1,5 +1,5 @@ {lib, ...}: let - inherit (lib.attrSets) mapAttrs' filterAttrs; + inherit (lib.attrsets) mapAttrs' filterAttrs; in { standardWithHibernateSwap = { disks ? ["/dev/sda"], @@ -191,7 +191,7 @@ in { }; }; }; - beefcake = {disks, ...}: let + beefcake = let zpools = { zroot = { name = "zroot"; @@ -344,6 +344,7 @@ in { name = "m"; }; "/dev/sdn" = { + # TODO: this is my holding cell for random stuff right now enable = false; name = "n"; }; @@ -368,7 +369,7 @@ in { }) (filterAttrs (_: {enable, ...}: enable) storageDisks); in { disko.devices = { - disk = diskoBoot / diskoStorage; + disk = diskoBoot // diskoStorage; zpool = { zroot = zpools.zroot.config; }; diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index 7be19a9..a447181 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -115,6 +115,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # }; # nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password"; "forgejo-runner.env" = {mode = "0400";}; + restic-rascal-passphrase = { + mode = "0400"; + }; + restic-rascal-ssh-private-key = { + mode = "0400"; + }; }; }; systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"]; @@ -1348,6 +1354,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # }; }; environment.systemPackages = with pkgs; [ + restic btrfs-progs zfs smartmontools diff --git a/nixos/rascal.nix b/nixos/rascal.nix index 69ac0e3..bdb3a09 100644 --- a/nixos/rascal.nix +++ b/nixos/rascal.nix 
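Review bot: The disks merged by `disk = diskoBoot // diskoStorage;` appear to be keyed by kernel device names (`"/dev/sdn"` in the @@ -344 hunk, `/dev/sda` as a default further up), and sdX letters are not stable across reboots or controller changes. If those keys are also what disko uses as the device path, the `enable = false` guard on the holding-cell disk only protects whichever drive happens to enumerate as sdn on a given boot. Keying the entries by `/dev/disk/by-id/...` paths would tie the guard to the physical drive. Also note that `//` is a shallow, right-biased merge, so a key present in both sets silently takes the diskoStorage value; both sets are defined outside the hunk.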
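Review bot: The new entries `restic-rascal-passphrase` and `restic-rascal-ssh-private-key` in the @@ -115 hunk set only `mode = "0400"`, so with sops-nix defaults they are owned by root, and nothing in this hunk shows a service that reads them. If the backup job is meant to run as a dedicated user (the public key added on rascal is labelled `restic@beefcake`), each entry also needs `owner = "<backup-user>";` or the job cannot read the files. If it runs as root, a short comment such as `# read by the root-run restic job for rascal` would record the intent. The enclosing secrets block starts outside the hunk.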
@@ -28,11 +28,13 @@ users.users = { beefcake = { # used for restic backups + # TODO: can this be a system user? isNormalUser = true; openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys ++ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7HrojwoyHED+A/FzRjYmIL0hzofwBd9IYHH6yV0oPO root@beefcake" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOEI82VdbyR1RYqSnFtlffHBtHFdXO0v9RmQH7GkfXo restic@beefcake" ]; }; @@ -60,5 +62,7 @@ }; }; + services.tailscale.useRoutingFeatures = "server"; + system.stateVersion = "24.05"; } diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml index 9b93499..40bc808 100644 --- a/secrets/beefcake/secrets.yml +++ b/secrets/beefcake/secrets.yml 
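Review bot: The new `restic@beefcake` key is added without any key options to a user with `isNormalUser = true`, so whoever holds the matching private key on beefcake gets an interactive shell and forwarding on rascal, not just backup access. If restic reaches this host over SFTP, prefix the entry with `restrict` (`"restrict ssh-ed25519 AAAA… restic@beefcake"`) and consider a `Match User beefcake` block with `ForceCommand internal-sftp` and a `ChrootDirectory` for the repository path. The list also still carries `root@beefcake` and all of daniel's keys; if the new key replaces the root one, drop the old entry. The added TODO points the same way: a system user without a login shell would fit a backup-only account.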
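Review bot: `services.tailscale.useRoutingFeatures = "server";` in the @@ -60 hunk is added without a comment, and in the NixOS module this value turns on IPv4 and IPv6 forwarding for the whole host, not only for the Tailscale interface. Nothing in the hunk declares what rascal is meant to route (advertised routes or exit-node flags would normally go in `services.tailscale.extraUpFlags`), so forwarding is enabled while the routing intent stays imperative. I would add a comment such as `# rascal is a subnet router / exit node for <network>; "server" enables kernel IP forwarding` and check that the firewall's forward policy limits what may transit. If rascal only needs to be reachable over the tailnet as a backup target, the option can stay at its default.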
@@ -18,6 +18,8 @@ forgejo-runner.env: ENC[AES256_GCM,data:10wKRImXKS7ezcWnkwz7ak194snQ4wG8GBePeHXN jland.env: ENC[AES256_GCM,data:u+QKwKWG9NFduuofhe3aatof3KoC0N4ZpNOD8E/7l0BTSoTe5Tqmz5/33EOcBUw99+YLFR4kTJwdUmLWHk4UD87aGsJ4liPCtXnBsToAzBGg0I3mhGQ/QM8iKXMW9oKb3ciapitQBuJa1WIp5/bHNtCXWQ==,iv:iZDET5EWM4DnAoQqLP9+Ll4S+mFHt2wZ3ENtN79Dbqw=,tag:qVpocN3FxlHfte2hAmtGPA==,type:str] dawncraft.env: ENC[AES256_GCM,data:8n1ymQZpMeVwTyoHhccV+W5diMLcsZw5zZQy4Z4eaMcLFk8ey3SeXkCf9+GnqpIU5xIZfCP1ZqeSxR03kJx3TPbQeBLZeN/QAYBxHOg/tjXIE6jdIGv0INkVLkExKPlvGN8F+ijwYkwgfqlhKPBf+Q==,iv:EMGlqUxcfvxqn1G1NohrAtJP/fLdolP++zcvaxIvVR4=,tag:1+ueIDCJTxmM586Z7i0aUA==,type:str] api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str] +restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYejw9rdOTdCNW3a7zL/Ny1+XCI/P3bMOsY6UTmg/gxA2itp4cSbvqjg==,iv:5GwaEExn7b3dIkCVehLxaBXW+nUuSexY/bcqfCUwF5Q=,tag:dinyyw2XeVoSnw/IsYfK0w==,type:str] +restic-rascal-ssh-private-key: ENC[AES256_GCM,data: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,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -42,8 +44,8 @@ sops: bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-04T01:56:45Z" - mac: ENC[AES256_GCM,data:Fya3eyW0EhWFNi0IWJUoFpZh0AGB9jCMrAx0wAuiZr1+gRWHk5RmLiw/bBCQjtYSF9EpI7joeOzTeIQcheL/oJChUHBTfdj3ZOzPZgUmMBXylV5XblIJrnub6ZSLdaSfsot29VRhobE8Mh3NfaJF5/+FAl3gHCUpNoEJE7R4WLg=,iv:di1j8BV24LxoQaL+dga7OeKlEsUhLobfO+z5nhoXCgk=,tag:e5RQeUzcv7bPk06Ger1u9w==,type:str] + lastmodified: "2024-09-04T15:59:57Z" + mac: ENC[AES256_GCM,data:QDjNbqIMvZ+8hRd2jdywNiEoUrS3DXoLqmvgCTSWOjc4oT3zzhiS/4+fziPEK/eYDwi1XgA5+tZaINsZI8j9DCCq2R/I65Thv0WMaD3yUERsyf0zef3XcdhmxP4jkbeQ1NoIvd9G0uBtGWNn3cvjf4SuBK5ulmLLzGf92dTdd9g=,iv:Z0pcPzYpQLc+q3XDxEcb0g0lls7iWW5XZfkjl1tKhHU=,tag:rI+o0I/NHSYhIbEBJ7/c4g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0