From c563aea6106abbef18611b3055857dd8c73a8b8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 17 Jul 2023 10:31:59 +0200 Subject: [PATCH] wip: new server --- modules/flake-module.nix | 6 ++ modules/hetzner-ex101.nix | 7 ++ modules/xfs-lvm-crypto-raid.nix | 85 +++++++++++++++++++ targets/web01-new/configuration.nix | 14 +++ targets/web01-new/nixos-vars.json | 1 + .../web01-new/secrets.auto.tfvars.sops.json | 24 ++++++ targets/web01-new/secrets.yaml | 43 ++++++++++ targets/web01-new/terraform.tf | 17 ++++ targets/web01-new/tf.sh | 1 + 9 files changed, 198 insertions(+) create mode 100644 modules/hetzner-ex101.nix create mode 100644 modules/xfs-lvm-crypto-raid.nix create mode 100644 targets/web01-new/configuration.nix create mode 100644 targets/web01-new/nixos-vars.json create mode 100644 targets/web01-new/secrets.auto.tfvars.sops.json create mode 100644 targets/web01-new/secrets.yaml create mode 100644 targets/web01-new/terraform.tf create mode 120000 targets/web01-new/tf.sh
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 7362a39..8a35142 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -10,6 +10,12 @@
 ./single-disk.nix
 ];
+ hetzner-ex101.imports = [
+ inputs.srvos.nixosModules.hardware-hetzner-online-intel
+ ./xfs-lvm-crypto-raid.nix
+ ./hetzner-ex101.nix
+ ];
+
 web01.imports = [
 self.nixosModules.server
 inputs.srvos.nixosModules.mixins-nginx
diff --git a/modules/hetzner-ex101.nix b/modules/hetzner-ex101.nix
new file mode 100644
index 0000000..2d31202
--- /dev/null
+++ b/modules/hetzner-ex101.nix
@@ -0,0 +1,7 @@
+{
+ # Enable raid support specifically, this will disable srvos's
+ # systemd-initrd as well, which currently is not compatible with mdraid.
+ boot.initrd.services.swraid.enable = true;
+ systemd.services.mdmonitor.enable = false;
+ boot.loader.systemd-boot.enable = true;
+}
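Review bot: `boot.initrd.services.swraid.enable = true` is justified by a comment about mdraid, yet the disk layout this module is paired with in flake-module.nix (`./xfs-lvm-crypto-raid.nix`) mirrors root as an LVM `raid1` logical volume and leaves the `mdraid` ESP variant commented out, so no md array appears to exist for the initrd to assemble and the trade-off the comment describes (losing srvos's systemd initrd) seems to buy nothing. If an md array is still planned the comment should say so; if not, drop the option or replace the comment with `# LVM raid1 (dm-raid) needs no mdadm in the initrd; swraid is kept only until <reason>`. `systemd.services.mdmonitor.enable = false` also silently removes degraded-array notifications for any md array that does appear, and nothing here monitors LVM raid health instead, so at minimum it needs a why-comment such as `# no md arrays on this host (root is LVM raid1); LVM raid health is not monitored yet (TODO)`. Whether `hardware-hetzner-online-intel` already enables systemd-boot is not visible from this hunk.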
diff --git a/modules/xfs-lvm-crypto-raid.nix b/modules/xfs-lvm-crypto-raid.nix
new file mode 100644
index 0000000..8ff7838
--- /dev/null
+++ b/modules/xfs-lvm-crypto-raid.nix
@@ -0,0 +1,85 @@
+{ self, lib, ... }:
+
+let
+ disk = index: {
+ type = "disk";
+ device = "/dev/nvme${toString index}n1";
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ part-type = "primary";
+ start = "0MB";
+ end = "1MB";
+ name = "boot";
+ flags = [ "bios_grub" ];
+ # systemd only wants to have one /boot partition
+ # should we rsync?
+ }
+ ] ++ (lib.optional (index == 0) {
+ name = "ESP";
+ start = "1MB";
+ end = "1G";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ #type = "mdraid";
+ #name = "boot";
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }) ++
+ [{
+ start = "1G";
+ end = "100%";
+ name = "luks";
+ content = {
+ type = "luks";
+ name = "crypted${toString index}";
+ keyFile = "/tmp/secret.key";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ }];
+ };
+ };
+in
+{
+ imports = [
+ self.inputs.disko.nixosModules.disko
+ ];
+ disko.devices = {
+ disk = {
+ nvme0n1 = disk 0;
+ nvme1n1 = disk 1;
+ };
+
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "95%FREE";
+ lvm_type = "raid1";
+ extraArgs = [
+ "--raidintegrity"
+ "y"
+ ];
+ content = {
+ type = "filesystem";
+ format = "xfs";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/targets/web01-new/configuration.nix b/targets/web01-new/configuration.nix
new file mode 100644
index 0000000..a4b7a11
--- /dev/null
+++ b/targets/web01-new/configuration.nix
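Review bot: `keyFile = "/tmp/secret.key"` on the luks entries makes the LUKS key a fixed-name file in a shared, world-writable directory, and the module says nothing about who creates it, with what mode, or when it is removed; with a default umask it is readable by any local user of the install host, and a fixed /tmp path is the classic pre-creation target. Pin the contract in a comment next to that line, e.g. `# read by disko only while formatting: create on the installer with umask 077, never commit, shred after install`, and treat the format-time key as disposable by enrolling a second, long-lived keyslot afterwards. Nothing here defines how `crypted0`/`crypted1` are unlocked at boot (no `boot.initrd.luks.devices.*` settings or initrd ssh are visible), so unless disko derives one from `keyFile` the host will not survive an unattended reboot, which deserves a TODO in the module. Separately, the ESP is created only on nvme0 (`lib.optional (index == 0)`), so the `raid1` LV protects `/` but losing nvme0 still leaves the box unbootable, as the `# should we rsync?` comment already hints; the dead `#type = "mdraid"` lines should either become that TODO or go.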
@@ -0,0 +1,14 @@
+{ self, ... }:
+let
+ nixosVars = builtins.fromJSON (builtins.readFile ./nixos-vars.json);
+in
+{
+ imports = [
+ self.nixosModules.web01
+ self.nixosModules.hetzner-ex101
+ ];
+ systemd.network.networks."10-uplink".networkConfig.Address = "2a01:4f9:3080:282a::1";
+ sops.defaultSopsFile = ./secrets.yaml;
+ users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys;
+ system.stateVersion = "23.05";
+}
diff --git a/targets/web01-new/nixos-vars.json b/targets/web01-new/nixos-vars.json
new file mode 100644
index 0000000..b1d8007
--- /dev/null
+++ b/targets/web01-new/nixos-vars.json
@@ -0,0 +1 @@
+{"ipv6_address":"2a01:4f9:c010:ab77::1","ssh_keys":["ssh-rsa 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","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE joerg@turingmachine"]}
\ No newline at end of file
diff --git a/targets/web01-new/secrets.auto.tfvars.sops.json b/targets/web01-new/secrets.auto.tfvars.sops.json
new file mode 100644
index 0000000..4cd7ac3
--- /dev/null
+++ b/targets/web01-new/secrets.auto.tfvars.sops.json
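Review bot: The address hard-coded on the `systemd.network.networks."10-uplink"` line (`2a01:4f9:3080:282a::1`) does not match the `ipv6_address` in the `nixos-vars.json` added by the same commit (`2a01:4f9:c010:ab77::1`), even though the SSH keys two lines below are read from that very file; one of the two is presumably stale, and taking the address from the same source keeps Terraform authoritative, `systemd.network.networks."10-uplink".networkConfig.Address = nixosVars.ipv6_address;` (assuming that value is in the form the uplink expects). `users.users.root.openssh.authorizedKeys.keys = nixosVars.ssh_keys` grants direct root SSH to every key in that JSON, which is acceptable only with password auth off and `PermitRootLogin prohibit-password`; that presumably comes from `self.nixosModules.web01` or srvos but is not visible here, so a comment stating the dependency would help. A short comment on the `nixosVars` binding saying that the JSON is written by the Terraform module in this directory (as `nixos_vars_file` in terraform.tf suggests) would also tell the next maintainer not to edit it by hand.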
@@ -0,0 +1,24 @@
+{
+ "hetznerdns_token": "ENC[AES256_GCM,data:QMMn/j2Lv0Mz/2PhaYQygBjxEoU6f6hL23D5DrderFo=,iv:lOeXBlx/Lb7adzK2SKDKELxXNjlDNWVWQtLp+Mn6YaI=,tag:zTBP/IFdum6T5zITk+WU9A==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYlpjUjk4NzNuRXFLT1dS\nbW1EQXBVQ2NIUys3UVR0UE1mZGI4WVJpTVg4CkZqMlRZbS9vSFBpWXNrVXQ2MGVu\nNjhxMEx4dGZRcjBBdmFxcC9yaHN1ZlkKLS0tIHNSSUJVYUVaVU5ocmpZbVd0R2g3\nMnRzcTc5dXRTS1FvRGYwaWVKK29ZRnMKGRVM6m9Rela5ccZkxpEVtNkO/mC+D5kv\n6Yu8tR9BNY9EOyFGze/gNiQfam10vWZz/z9O0RCiE87TgVo7BUZk2g==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bVl2anFPYW1ud2I0bk1K\nU3h1WjcvcWwzUzhJbUdYbWpWMzZ1RUplcFFvClkvZVZrNXpUTjBhNVkrcFZLVldZ\ncitveEtOZCtRRWViRUp2TDBjYXlCMncKLS0tIFZqNE1HR3ArNG9sRDJrOEl1QW15\nVUxpVzFOakR1elo1Z0J1cmpkRVFQNlkKegq9LtnVoD88SKCP13taMAZGQ4uZU+eQ\nZQ//y4E5MZxcz6cl0x91khMqIgXsZ92Qs0gNreC69NB4yt8Gp42oYQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-07-13T15:46:42Z",
+ "mac": "ENC[AES256_GCM,data:TYlJZLdIvaWD96RQg5RnUJyNAR69bze0f0+Ai37BfA0G6VEWDZqvc537vRFk7dj4R8kYCe4q79w7yWmSt30UUZ+SXHSjVcUU9WijO4QprrUz/q4r9ezVZfQLe6disaUDdgsqhQvkQSh0AJ5eJtcr1uVChOViVfH/nk/FfJgUc7s=,iv:ulkInzkkD2ZG8uSQW3vrkAjVD1gWExtultU8zhs2+aU=,tag:bxNP152hKrLBh2zKeGM8KA==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/targets/web01-new/secrets.yaml b/targets/web01-new/secrets.yaml
new file mode 100644
index 0000000..3e38529
--- /dev/null
+++ b/targets/web01-new/secrets.yaml
@@ -0,0 +1,43 @@
+ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
+harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
+matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
+registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
+gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVTJrY2hIdis5eGJYQkdM
+ MUdGTmVkc2pxN1NjbkR2NVF6Uk11SnBSSUNrCnY0dXlTMnpTbnNJdjNJZHZtYWE4
+ YmlUWFpkUXdtbFh6R1BvTjd1UEZTRFUKLS0tIEdTMEozMFltVWJ0Q1BZS201eE50
+ UHcwNW5nNkdHL0w2d3g0RzBQZ1RrY3MKCDNdsobZ7wZOjBWOy0FmBR0i0afpHM/x
+ uDax1cdEXnh710TTI0Ck99KGthFRWBIeJH1xioC6TTsgmrgE4VPkNA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1eq0e6uhjj2tja8v338tkdz8ema2aw5anpuyaq2uru7rt4lq7msyqqut6m2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRWp6R3B2T3N0aE1GaU8r
+ cUppT0ZrNGJTTXhsZi9EU3dRZTNTR09tYVdvCmVBUFRVWkFTeHZVMDFhSDNQY1dL
+ T09zMjN4ZkZpNFRqZjVqWVRZOGdIaGcKLS0tIGNJbnBFNDAvMS9pdndVRklTNHZ2
+ UjRPRXB5RkxYUDN2TVE2ZTlzV0I5NGsK8tIxBNl0UFkAw1u8Jn7QjnDJ6dcr4+6P
+ iHXTDyxadZAljV5ZXlmzM1dm5p+v86jJ/KvYbA0dkga+CBEOUDt3Yw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZRDh2OWxJdjcwK0o1M3Nt
+ RXV4UTlnbFphR0JISG9ZcGorb1ppMzd4SVR3CnZTOW9YeHBKR3drTHdGb3pEZVI3
+ S3NtbDFHL2dlZlRKK3FIc0lwMGt1SzQKLS0tIEZrMWNLOEtuTXB5eE93Uy9nalhD
+ Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
+ KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-13T14:38:59Z"
+ mac: ENC[AES256_GCM,data:jUKdCKb0Lw2+C+P5GfTt8zBw/LcAsBiyw/ShsJcpBmuokYgnkREJVokbeiVCql06a5IGnV3GBEzZvd+SnhRzKD9cgsu+ekwSzLGdVSv2j8B7il2M+L7IpBbUe/SnBKkQezKHaQ+mN2nJiCNtyjvPJKX16jmHVUx9yGee8tTi2sg=,iv:DwrfwR8BZDfBnG8CVPXZPSCMlBJbT1WFslGm6MM/j5E=,tag:Hqjp+qdhxXfM7O+ASQAcOw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/targets/web01-new/terraform.tf b/targets/web01-new/terraform.tf
new file mode 100644
index 0000000..4b31147
--- /dev/null
+++ b/targets/web01-new/terraform.tf
@@ -0,0 +1,17 @@
+terraform {
+ backend "local" {}
+}
+
+variable "hetznerdns_token" {}
+
+module "web01" {
+ source = "../../terraform/web01"
+ domain = "clan.lol"
+ nixos_flake_attr = "web01"
+ nixos_vars_file = "${path.module}/nixos-vars.json"
+ hetznerdns_token = var.hetznerdns_token
+ tags = {
+ Terraform = "true"
+ Target = "web01"
+ }
+}
diff --git a/targets/web01-new/tf.sh b/targets/web01-new/tf.sh
new file mode 120000
index 0000000..14d1657
--- /dev/null
+++ b/targets/web01-new/tf.sh
@@ -0,0 +1 @@
+../admins/tf.sh
\ No newline at end of file
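Review bot: The file carries `ssh_host_ed25519_key` plus the service secrets (`harmonia-key`, `matrix-server-key`, `registration-secret`, `gitea-actions-runner`) for a brand-new target, but neither the file nor the commit message says whether these were generated fresh for web01-new or copied from the existing web01 target; if they are copies, two live hosts would share one SSH host identity and one set of service credentials during the migration, and the old host's material would outlive its decommissioning. Please state the provenance in the commit message and, if they are copies, schedule a rotation for once cutover is done. The file is also encrypted to a third age recipient (`age17xuvz…`) that the tfvars file is not, presumably the host key derived from this very `ssh_host_ed25519_key`; the bootstrap ordering (installing that host key out of band before sops-nix can decrypt anything on the new machine) deserves a sentence in the target's README or commit message.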
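Review bot: `nixos_flake_attr = "web01"` and `Target = "web01"` inside `module "web01"` point this new directory at the existing web01 flake attribute rather than at a web01-new one, and `domain = "clan.lol"` is the live zone; if `../../terraform/web01` (not visible here) both deploys the flake attribute and manages that zone's records, a plain apply from this directory would push the old host's configuration, without `hetzner-ex101`'s disk layout, to the new machine and repoint production DNS at it. Use a distinct attribute and tag until cutover, `nixos_flake_attr = "web01-new"` and `Target = "web01-new"`, and note in the commit when DNS is meant to move. `variable "hetznerdns_token" {}` should be declared `variable "hetznerdns_token" { sensitive = true }` so plan and apply output redact the token instead of printing it. `backend "local" {}` leaves the state, which can hold provider data and resource attributes, on whoever runs `tf.sh`; that matches the symlinked `../admins/tf.sh` pattern, but the state file must stay out of git and be treated as sensitive.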