diff --git a/modules/hetzner-ex101.nix b/modules/hetzner-ex101.nix
index cdbf850..1021dee 100644
--- a/modules/hetzner-ex101.nix
+++ b/modules/hetzner-ex101.nix
@@ -1,8 +1,32 @@
-{
+{ pkgs, ... }: {
 # Enable raid support specifically, this will disable srvos's
 # systemd-initrd as well, which currently is not compatible with mdraid.
 boot.initrd.services.swraid.enable = true;
 systemd.services.mdmonitor.enable = false;
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+
+ # We are not limited by zfs, so we can use the latest kernel
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # looks like the Intel i9-13900 draws too much power and crashes the system
+ systemd.services.limit-cpu-freq = {
+ description = "Limit CPU frequency to 4.2GHz";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "systemd-modules-load.service" ];
+ # Some cores do have a scaling max freq less than 5GHz, so we need to
+ # check for that or else all cores will run at 800MHz
+ script = ''
+ #!/bin/sh
+ for f in /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq; do
+ old_val="$(<"$f")"
+ if [[ "$old_val" -gt 4200000 ]]; then
+ echo 4200000 > "$f"
+ fi
+ done
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
 }
diff --git a/modules/web01/borgbackup.nix b/modules/web01/borgbackup.nix
new file mode 100644
index 0000000..d298076
--- /dev/null
+++ b/modules/web01/borgbackup.nix
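Review bot: The `#!/bin/sh` line at the top of `script` is misleading: it is not the first line of the generated unit script (NixOS prepends its own interpreter line, bash as far as I know), and the body depends on bash-only `[[ ... ]]` and `$(<"$f")`, so it would break under a real POSIX sh. Drop that line, or replace it with a comment such as `# bash only: uses [[ ]] and $(<file)`. Separately, if no `scaling_max_freq` nodes exist when the unit runs (cpufreq driver not yet bound), the glob is left unexpanded and `$(<"$f")` errors out, which presumably fails the unit under the wrapper's `set -e`; `shopt -s nullglob` before the loop turns that into a no-op, and a `unitConfig.ConditionPathExistsGlob` would state the intent more clearly.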
@@ -0,0 +1,64 @@ +{ config, ... }: { + # 100GB storagebox is under the nix-community hetzner account + + # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@" + sops.secrets.hetzner-borgbackup-ssh = { }; + # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key + sops.secrets.hetzner-borgbackup-passphrase = { }; + + systemd.services.borgbackup-job-nixpkgs-update.serviceConfig.ReadWritePaths = [ + "/var/log/telegraf" + ]; + + services.borgbackup.jobs.clan-lol = { + paths = [ + "/home" + "/var" + "/root" + ]; + exclude = [ + "*.pyc" + "/home/*/.direnv" + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.npm" + "/home/*/.m2" + "/home/*/.gradle" + "/home/*/.opam" + "/home/*/.clangd" + "/var/lib/containerd" + # already included in database backup + "/var/lib/postgresql" + # not so important + "/var/lib/docker/" + "/var/log/journal" + "/var/cache" + "/var/tmp" + "/var/log" + ]; + repo = "u359378@u359378.your-storagebox.de:/./borgbackup"; + encryption = { + mode = "repokey"; + passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}"; + }; + compression = "auto,zstd"; + startAt = "daily"; + environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-clan-lol <" - exit 1 -fi - -HOST=$1 +HOST=clan.lol temp=$(mktemp -d) trap 'rm -rf $temp' EXIT sops --extract '["cryptsetup_key"]' -d secrets.yaml > "$temp/secret.key" diff --git a/targets/web01/deploy.sh b/targets/web01/deploy.sh new file mode 100755 index 0000000..4181cfc --- /dev/null +++ b/targets/web01/deploy.sh 
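Review bot: `systemd.services.borgbackup-job-nixpkgs-update.serviceConfig.ReadWritePaths` targets a unit this file never defines — the only job declared here is `clan-lol`, which produces `borgbackup-job-clan-lol`, so the override looks copy-pasted from another host and the `postHook` write to `/var/log/telegraf/borgbackup-clan-lol` runs without it (the borgbackup module hardens its units with `ProtectSystem`, as far as I recall, in which case that write fails). Change it to `systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];`. Separately, with `mode = "repokey"` the key material is stored inside the repository on the storage box and is protected only by the passphrase, and the `xkcdpass -n 3` recipe in the comment yields roughly 40 bits with the default word list — anyone who can read the box gets an offline guess at it, so either use more words or switch to `keyfile` mode with the key kept in sops. The two `# $ …` generator comments are also swapped: the xkcdpass line sits above the ssh-key secret and the ssh-keygen line above the passphrase secret. The postHook heredoc is truncated in this view, so the tail of the hunk is unreviewed.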
@@ -0,0 +1,14 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix jq bash rsync
+
+set -euo pipefail
+
+path=$(nix flake metadata --json '.#' | jq -r .path)
+ip=clan.lol
+rsync --checksum -vaF --delete -e ssh "${path}/" "root@${ip}:/etc/nixos"
+
+ssh "root@$ip" nixos-rebuild switch \
+ --fast \
+ --option keep-going true \
+ --option accept-flake-config true \
+ --flake '/etc/nixos#web01'
diff --git a/targets/web01/secrets.yaml b/targets/web01/secrets.yaml
index 63bb4a0..0e03b57 100644
--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
@@ -1,4 +1,6 @@
 cryptsetup_key: ENC[AES256_GCM,data:79qOTOi4ftTmIWuc/7bFf3NXaa2Fs6mTUfji,iv:xq9HM2uB4rr75qeZEAh2pFvEDAtXdFhsrT/manI7RqM=,tag:iELo+UHSplsQWIK9aQ+uMw==,type:str]
+hetzner-borgbackup-ssh: ENC[AES256_GCM,data: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,iv:af8J70mGekRpNCT15NjrYkgmoBQyTzBR866fRyrSmos=,tag:ZWLvsFQCFz72ih6UCDP2uA==,type:str]
+hetzner-borgbackup-passphrase: ENC[AES256_GCM,data:Stu8kYR+jP9aOjWz16/DhUTpxf4xwK8e7kJo,iv:rU6Gi0yoe7EBxQJ4wczDEjZG4GrB2mPmB1dD143HyeA=,tag:sSR3Do4vepb0vaMRhkj1Vw==,type:str]
 initrd_ssh_key: ENC[AES256_GCM,data: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,iv:w+YuoZMUswV9sw31PXFLKHbinRit9twPDqofeojVdZo=,tag:eCYSUX5EA/NTD3yIdTC7PA==,type:str]
 ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
 ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:k5T5CX56wSm1DADOH47sGb1h65aPk3NSvQR6Rgu7ZzRrq4pF84ofaRMEJU5d9MHnb+Eg92jnibRNwKUH36e5c9PJXtU14aY2f7HzOCyVk7WXd8H0eOuOfzG5ICQ=,iv:CcqwTYnk1NkJpn9q1Rnz4ERxhhnn60h3sXqMd3ILTk4=,tag:LhAIzkeozvT4L7+vJ9ojnQ==,type:str]
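Review bot: `--option accept-flake-config true` lets the flake's own `nixConfig` (extra substituters, trusted public keys, and so on) be applied on the server without the interactive prompt; since the flake at `/etc/nixos` is the copy this script just pushed, that is a self-trust decision, but it deserves a comment such as `# accept-flake-config: trust the substituters/keys declared in our own flake.nix` so the next reader does not loosen it further. The `rsync --delete` into `/etc/nixos` also removes anything kept there out-of-tree (hand edits, a locally generated hardware-configuration.nix), which is presumably intended but worth stating next to that line. Note that `nix flake metadata --json '.#' | jq -r .path` yields the store copy of the flake, which for a git flake contains only tracked files, so untracked local changes will silently not be deployed.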
@@ -41,8 +43,8 @@ sops:
 Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
 KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-18T12:55:47Z"
- mac: ENC[AES256_GCM,data:suFEE3xr2EZtidjH2Qpp1TvcYIn7dBorWcRUqef82TCf0o8/zQmd02g4eqSXKSl+SQ8/cUm72EuEVqZtvzo+pqw6cJht1pkeRMHJGPMjlz7MelUZwQpb0PoUy5he6neA9BfLi455DTuFIpi7fQi/c9E0B9IfR3ocsDdOQzf8Le0=,iv:wh8MeQbQ/Azf1eSQk/XWT3vv0KNh+QBL++ob5aKZaC0=,tag:U/lQvBtvuZKqgm5bVdqAxQ==,type:str]
+ lastmodified: "2023-07-19T12:39:56Z"
+ mac: ENC[AES256_GCM,data:baVe7FXbyJ7qAiTFtSB6YO/cNZTaHskRiut7XjmvqIltLGvMAkmOKYYzjPgSZ+RHz2az/MAF+05npP0Poy/jgR3qQ8s+Z3ml6u+Ze53bZFBofnNf8oxKp5uZ7RjDnPKwh3Uz3x4hTW2QbC2s1ik+LdxMpwuU641y0N32UkODU44=,iv:oYtjQUjL7pkxE7gpdDv9SGpJAl1UellVXztvKG5mH+U=,tag:U7bL1zr2y74LSDXQzmqRtw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3