From 025888c4501e668b5ea4cde02b0d536e960dab2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 19 Jul 2023 11:29:29 +0200 Subject: [PATCH 1/4] add deploy.sh script --- targets/web01/deploy.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100755 targets/web01/deploy.sh diff --git a/targets/web01/deploy.sh b/targets/web01/deploy.sh new file mode 100755 index 0000000..3f47464 --- /dev/null +++ b/targets/web01/deploy.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i bash -p nix jq bash rsync + +set -euo pipefail + +path=$(nix flake metadata --json '.#' | jq -r .path) +ip=65.109.103.5 +rsync --checksum -vaF --delete -e ssh "${path}/" "root@${ip}:/etc/nixos" + +ssh "root@$ip" nixos-rebuild switch \ + --fast \ + --option keep-going true \ + --option accept-flake-config true \ + --flake '/etc/nixos#web01' From 689ea867dcdfb3ac5b0db6623feb22c65bc4bbb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 19 Jul 2023 14:40:08 +0200 Subject: [PATCH 2/4] add borgbackup --- modules/web01/borgbackup.nix | 64 ++++++++++++++++++++++++++++++++++++ modules/web01/default.nix | 1 + targets/web01/secrets.yaml | 6 ++-- 3 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 modules/web01/borgbackup.nix diff --git a/modules/web01/borgbackup.nix b/modules/web01/borgbackup.nix new file mode 100644 index 0000000..d298076 --- /dev/null +++ b/modules/web01/borgbackup.nix 
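Review bot: `--option accept-flake-config true` on the remote `nixos-rebuild switch` makes root on the host apply, without a prompt, whatever `nixConfig` the flake declares (if any) — including `substituters` and `trusted-public-keys` — which is the setting the Nix manual advises against enabling for exactly that reason. Since the checkout reaches `/etc/nixos` via `rsync --delete` from the deployer's working tree, anyone who can land a commit in this repository or tamper with that tree could point the host at an attacker-controlled binary cache and have its outputs trusted. If the flake's `nixConfig` is known and trusted, drop the option and put the needed settings into the host's `nix.settings` (`trusted-substituters`, `trusted-public-keys`) where they are reviewed with the machine config; otherwise at least document the trust being granted, e.g. `# accept-flake-config: trusts nixConfig (substituters/keys) from this flake — keep in sync with flake.nix`.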
@@ -0,0 +1,64 @@ +{ config, ... }: { + # 100GB storagebox is under the nix-community hetzner account + + # $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@" + sops.secrets.hetzner-borgbackup-ssh = { }; + # $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key + sops.secrets.hetzner-borgbackup-passphrase = { }; + + systemd.services.borgbackup-job-nixpkgs-update.serviceConfig.ReadWritePaths = [ + "/var/log/telegraf" + ]; + + services.borgbackup.jobs.clan-lol = { + paths = [ + "/home" + "/var" + "/root" + ]; + exclude = [ + "*.pyc" + "/home/*/.direnv" + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.npm" + "/home/*/.m2" + "/home/*/.gradle" + "/home/*/.opam" + "/home/*/.clangd" + "/var/lib/containerd" + # already included in database backup + "/var/lib/postgresql" + # not so important + "/var/lib/docker/" + "/var/log/journal" + "/var/cache" + "/var/tmp" + "/var/log" + ]; + repo = "u359378@u359378.your-storagebox.de:/./borgbackup"; + encryption = { + mode = "repokey"; + passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}"; + }; + compression = "auto,zstd"; + startAt = "daily"; + environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-clan-lol < Date: Wed, 19 Jul 2023 14:43:30 +0200 Subject: [PATCH 3/4] scripts: hardcode target --- targets/web01/decrypt.sh | 7 +------ targets/web01/deploy.sh | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/targets/web01/decrypt.sh b/targets/web01/decrypt.sh index 10d805c..727a0ae 100755 --- a/targets/web01/decrypt.sh +++ b/targets/web01/decrypt.sh @@ -3,12 +3,7 @@ set -euox pipefail -if [ $# -ne 1 ]; then - echo "Usage: $0 " - exit 1 -fi - -HOST=$1 +HOST=clan.lol temp=$(mktemp -d) trap 'rm -rf $temp' EXIT sops --extract '["cryptsetup_key"]' -d secrets.yaml > "$temp/secret.key" 
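Review bot: Hardcoding `HOST=clan.lol` removes the only argument check, so a stale invocation in the old `./decrypt.sh <host>` form now silently proceeds against clan.lol with the decrypted `cryptsetup_key`; keep a guard such as `if [ $# -ne 0 ]; then echo "Usage: $0" >&2; exit 1; fi` so an unexpected argument aborts instead of being ignored. The cleanup `trap 'rm -rf $temp' EXIT` leaves `$temp` unquoted, so the directory holding the plaintext key would not be removed if `TMPDIR` contained whitespace; `trap 'rm -rf "$temp"' EXIT` costs nothing. With `set -euox pipefail` the `-x` trace echoes every expanded command line to stderr — harmless for the visible lines, which only name the key file — so it is worth a comment like `# -x is on: pass "$temp/secret.key" by path, never expand its contents on a command line`. The remainder of the script, including how the key reaches `$HOST`, is outside this hunk.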
diff --git a/targets/web01/deploy.sh b/targets/web01/deploy.sh index 3f47464..4181cfc 100755 --- a/targets/web01/deploy.sh +++ b/targets/web01/deploy.sh @@ -4,7 +4,7 @@ set -euo pipefail path=$(nix flake metadata --json '.#' | jq -r .path) -ip=65.109.103.5 +ip=clan.lol rsync --checksum -vaF --delete -e ssh "${path}/" "root@${ip}:/etc/nixos" ssh "root@$ip" nixos-rebuild switch \ From f5d1b35345b4fc0805bc5112415b2e1923e17276 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 19 Jul 2023 14:45:39 +0200 Subject: [PATCH 4/4] hetzner-ex101: limit maximum frequency hetzner-ex101: limit to 4.5Ghz --- modules/hetzner-ex101.nix | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/modules/hetzner-ex101.nix b/modules/hetzner-ex101.nix index cdbf850..1021dee 100644 --- a/modules/hetzner-ex101.nix +++ b/modules/hetzner-ex101.nix @@ -1,8 +1,32 @@ -{ +{ pkgs, ... }: { # Enable raid support specifically, this will disable srvos's # systemd-initrd as well, which currently is not compatible with mdraid. boot.initrd.services.swraid.enable = true; systemd.services.mdmonitor.enable = false; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + + # We are not limited by zfs, so we can use the latest kernel + boot.kernelPackages = pkgs.linuxPackages_latest; + + # looks like the Intel i9-13900 draws too much power and crashes the system + systemd.services.limit-cpu-freq = { + description = "Limit CPU frequency to 4.2GHz"; + wantedBy = [ "multi-user.target" ]; + after = [ "systemd-modules-load.service" ]; + # Some cores do have a scaling max freq less than 5GHz, so we need to + # check for that or else all cores will run at 800MHz + script = '' + #!/bin/sh + for f in /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq; do + old_val="$(<"$f")" + if [[ "$old_val" -gt 4200000 ]]; then + echo 4200000 > "$f" + fi + done + ''; + serviceConfig = { + Type = "oneshot"; + }; + }; }
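Review bot: The root-level `rsync --delete` and `nixos-rebuild switch` now target whatever `clan.lol` resolves to, and nothing in the script pins the host key, so the first run under the new name ends in a fresh `known_hosts` prompt (any existing entry was keyed by the IP) — exactly the trust-on-first-use moment an attacker controlling DNS or the path would exploit. Pin the key instead of relying on the prompt: e.g. `ssh_opts='-o StrictHostKeyChecking=yes -o UserKnownHostsFile=./known_hosts'`, then `-e "ssh $ssh_opts"` for rsync and `ssh $ssh_opts "root@$ip"` for the rebuild, with the host's public key committed next to the script. The variable `ip` now holds a hostname; renaming it to `host`, or a comment `# DNS name, not an IP; host key pinned via known_hosts`, keeps the script honest.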
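Review bot: The `#!/bin/sh` line at the top of `script` is misleading: NixOS prepends its own shebang (bash with `-e`) to `systemd.services.<name>.script`, so this line is only a comment, while the body relies on bashisms (`[[ ]]`, `$(<"$f")`) that would fail under a real `/bin/sh`; drop the line so nobody later copies the loop out assuming POSIX sh. If the `cpufreq` sysfs directory is absent (driver not yet loaded, or a different governor setup), the glob stays literal and `$(<"$f")` fails under that `-e`, leaving the unit failed on every boot; add `[ -e "$f" ] || continue` as the loop's first statement. The commit message says 4.5 GHz while `description` and the `4200000` threshold implement 4.2 GHz — one of them should be corrected so the unit documents what it actually does.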