From 8287257e29b2c7782311b00ba1630370ef13f6bb Mon Sep 17 00:00:00 2001
From: 0xTux <0xtux@pm.me>
Date: Fri, 13 Sep 2024 20:06:54 +0530
Subject: [PATCH] move monitoring services to a new host

---
 .sops.yaml | 7 ++
 flake.nix | 19 +++++
 hosts/alpha/default.nix | 103 +++++++++++++++++++++++++
 hosts/alpha/hardware-configuration.nix | 33 ++++++++
 hosts/alpha/home.nix | 5 ++
 hosts/alpha/secrets.yaml | 33 ++++++++
 hosts/common/secrets.yaml | 55 +++++++------
 hosts/controller/default.nix | 2 -
 8 files changed, 232 insertions(+), 25 deletions(-)
 create mode 100644 hosts/alpha/default.nix
 create mode 100644 hosts/alpha/hardware-configuration.nix
 create mode 100644 hosts/alpha/home.nix
 create mode 100644 hosts/alpha/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index a13c470..2749e90 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys:
 - &hosts
 - &canopus age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
 - &controller age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
+ - &alpha age145uq9emlxqzm3wqauy9zqj78wqx9e6h09xag6wust7jjgn4upfzsaemcvx
 - &wsl age1lyvzg4ud96trsuv6gsvjw0p3rtd6qjpyl9uleq8hcrzwekuhpfesnlqauf
 
 creation_rules:
@@ -14,6 +15,7 @@ creation_rules:
 - *tux
 - *canopus
 - *controller
+ - *alpha
 - *wsl
 - path_regex: hosts/canopus/secrets.yaml$
 key_groups:
@@ -25,6 +27,11 @@ creation_rules:
 - age:
 - *tux
 - *controller
+ - path_regex: hosts/alpha/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *alpha
 - path_regex: hosts/wsl/secrets.yaml$
 key_groups:
 - age:
diff --git a/flake.nix b/flake.nix
index f1285cb..5f7c8d0 100755
--- a/flake.nix
+++ b/flake.nix
@@ -84,6 +84,25 @@
 ];
 };
 
+ alpha = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs outputs username;};
+ modules = [
+ ./hosts/alpha
+
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.backupFileExtension = "backup";
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = {inherit inputs outputs username;};
+ home-manager.users.${username} = {
+ imports = [
+ ./hosts/alpha/home.nix
+ ];
+ };
+ }
+ ];
+ };
+
 wsl = nixpkgs.lib.nixosSystem {
 specialArgs = {inherit inputs outputs username;};
 modules = [
diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix
new file mode 100644
index 0000000..e465066
--- /dev/null
+++ b/hosts/alpha/default.nix
@@ -0,0 +1,103 @@
+{
+ pkgs,
+ username,
+ config,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ../common
+ ../../modules/nixos/uptime-kuma.nix
+ ];
+
+ sops.secrets = {
+ borg_encryption_key = {
+ sopsFile = ./secrets.yaml;
+ };
+
+ "cloudflare_credentials/email" = {
+ sopsFile = ./secrets.yaml;
+ };
+
+ "cloudflare_credentials/dns_api_token" = {
+ sopsFile = ./secrets.yaml;
+ };
+ };
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_zen;
+ initrd.systemd.enable = true;
+
+ loader = {
+ grub.device = "/dev/sda";
+ timeout = 1;
+ };
+ };
+
+ networking = {
+ hostName = "alpha";
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443 22];
+ };
+ };
+
+ security = {
+ sudo.wheelNeedsPassword = false;
+
+ acme = {
+ acceptTerms = true;
+ defaults.email = "0xtux@pm.me";
+ certs = {
+ "tux.rs" = {
+ domain = "*.tux.rs";
+ extraDomainNames = ["tux.rs"];
+ dnsProvider = "cloudflare";
+ credentialFiles = {
+ CLOUDFLARE_EMAIL_FILE = config.sops.secrets."cloudflare_credentials/email".path;
+ CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets."cloudflare_credentials/dns_api_token".path;
+ };
+ };
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = ["acme"];
+
+ services = {
+ nginx = {
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+
+ borgbackup.jobs.alpha-backup = {
+ paths = [
+ "/var/lib/private/uptime-kuma"
+ ];
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets.borg_encryption_key.path}";
+ };
+ environment.BORG_RSH = "ssh -i /home/${username}/.ssh/storagebox";
+ repo = "ssh://u416910@u416910.your-storagebox.de:23/./alpha-backups";
+ compression = "auto,zstd";
+ startAt = "daily";
+ };
+ };
+
+ programs = {
+ zsh.enable = true;
+ nix-ld = {
+ enable = true;
+ package = pkgs.nix-ld-rs;
+ };
+ dconf.enable = true;
+ };
+
+ fonts.packages = with pkgs; [(nerdfonts.override {fonts = ["FiraCode" "JetBrainsMono"];})];
+
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/alpha/hardware-configuration.nix b/hosts/alpha/hardware-configuration.nix
new file mode 100644
index 0000000..81dbdd3
--- /dev/null
+++ b/hosts/alpha/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/471d0988-e57c-4767-a2b4-c93797a8c16f";
+ fsType = "ext4";
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/alpha/home.nix b/hosts/alpha/home.nix
new file mode 100644
index 0000000..cec38ed
--- /dev/null
+++ b/hosts/alpha/home.nix
@@ -0,0 +1,5 @@
+{...}: {
+ imports = [
+ ../common/home.nix
+ ];
+}
diff --git a/hosts/alpha/secrets.yaml b/hosts/alpha/secrets.yaml
new file mode 100644
index 0000000..9880b41
--- /dev/null
+++ b/hosts/alpha/secrets.yaml
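Review bot: `sudo.wheelNeedsPassword = false;` in the `security` block grants passwordless root to every wheel member on a host whose firewall opens 22, 80 and 443, so a stolen SSH key or hijacked session becomes root with no second step; the option defaults to `true`, so dropping the line, or a comment stating why this host needs it, would be preferable. Whether SSH is key-only is not visible here — it may be set in `../common` — and if it is not, `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` belong next to the firewall block. The `services.nginx` block sets only the `recommended*` flags and no `enable = true`, so it presumably relies on `../../modules/nixos/uptime-kuma.nix` to enable nginx; worth confirming, since otherwise the wildcard ACME cert and the `nginx` user's `acme` group membership have no consumer.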
@@ -0,0 +1,33 @@
+borg_encryption_key: ENC[AES256_GCM,data:4rS4RVUbSErLEVJuUluYOrw0m2LlYP7zEeYTL4yTmc4=,iv:epNhm2nSDF4Lp+Iu/vZuDiTna+1q59lY7Ztmpcpmb5o=,tag:7o0MwZBdiDSPaL07qVOfWg==,type:str]
+cloudflare_credentials:
+ email: ENC[AES256_GCM,data:Re656wFjQWWNO/k=,iv:NsRdtzMbkOPS9kN/y/IYzRrBr+xmDXp87DTiNwHKesc=,tag:4hGnmto08H2MKxk/7QkI5w==,type:str]
+ dns_api_token: ENC[AES256_GCM,data:703Nk1PaePWYuKNVJkSVTplAvsSTLrYrWdhZlTqlMNRa6m2j5neahg==,iv:RHpz1O1TgFsooYGIJiI8Owwmk5hzd+x+DFADvt+k9C0=,tag:zlDnKbLbSBVXMaHOnk0AuQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTnRhZVg3MmNiOFpoeTE3
+ SXdtRXN1VS82S3AveDFMRjFYQVJpMDdyQWowCjJrQlIwN2VHQUlUazNaMERnRDJR
+ dFQ2VUpDMlJENVU5cWtIY3pZZU9wSmcKLS0tIEF1NzRkSHJ5cTQrM3RWdUtrYzkw
+ VXI3QzE5UlBhS2g1RUl0TEtaS0NPTW8KAQ+9Hk3HNMhwm33T3mzgkavs6mx4zKqZ
+ xjfB5d5W5UI+7uYC+RQNNA/cVxAgkMiW4OL4HAt2hXD6lrsjNzxzpQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age145uq9emlxqzm3wqauy9zqj78wqx9e6h09xag6wust7jjgn4upfzsaemcvx
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OHkvTk5JaWxLbmZ5VEtV
+ S2VkMVl0WGZOYk5WRTJISWMxU0tja0x6alFrCnJISFNTbDhNRXJjUDJDS1JmWmRK
+ aGhyaFBjNTlhanE3UGdQb0JFUWFCTWcKLS0tIDhVZ1JxcGJUcWsvWVFSWFZWYjdx
+ K2syUkFRb3F3aFFFeis3OFR4ZENielEKGrUQCi7xaPzJKypvy4tyoSG1a2/l5Le0
+ dVcheJcRJvoo89WWrciMhZ/MCs5kffI464RVW7q9BxbJRDO2Obm2dw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-13T09:10:11Z"
+ mac: ENC[AES256_GCM,data:GTzDXeEzRFmrX0PU0GKPF5JwscZUrzUmB90ThHPZ7oqflOPpZBrotOo4MZCcU37HEPAXVeFUzVnsjN5bOp5RFqs70r9upj2jXiIsbx/yskcPOML3GAFmVc9HbjOK9TLyie2bJWaFhT+b7CgiJvyIu0QEh43dqSI4d3H1T8Hqn1o=,iv:kcV3Xz276+PKrztSIDB2SiJjDV2iqCn2A90AjEO326M=,tag:3xu3sQeRB15Os06i484GFw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/hosts/common/secrets.yaml b/hosts/common/secrets.yaml
index 2f4979f..3b39a17 100644
--- a/hosts/common/secrets.yaml
+++ b/hosts/common/secrets.yaml
@@ -1,4 +1,4 @@
-tux-password: ENC[AES256_GCM,data:a8htpUD+eFsOl2Wc9N+tILZADazS15pfOhtAFRrdmoZNn0ZtXeAeVkb/edKYVihlG4g6ONIvOKARfvAof6sR85WrVJJgkbFO9A==,iv:jm73an3+1mEJQjbfiOps90JHfwk329n60EsjfUe/t/w=,tag:U5BwAw+BSZavBFseGetLSg==,type:str]
+tux-password: ENC[AES256_GCM,data:YWhOZdgSMR0ukCFD8yj4vVQ0MJXv1IuecqlRCbBc0/LfJS5n9baffujrOwIEETtFuu7/g+vWmP5DeH08ebwol6MlXRIckpwugw==,iv:UN50Ri2/WGZBTs8Io6U3oJcqmiHPhZc4gGFeecVDW5k=,tag:5ROCGD89ONmbSxFJSYV/sg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -8,41 +8,50 @@ sops:
 - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMHg5SW1HOGVScHc3Mm1h
- V0p0Si9WNHFRamt0ZFU4M2VvSG5LSlZob1dnCkc0RjBTVnMxOFpjQjR1VU44WDZz
- RVVLTG5DRHo2bnlvK01RZXJQRFpZc1EKLS0tIExTVlpCaEtYeXJ5bmJTQndQSDZi
- MERJYjYyYk9TcGtwb2xEK3R4b0xrNlUKFlqLVVEUdPyFB3LKTg8OKdNtDpNB68ds
- ffpR0Iq8eGv1eZKHCBivIZzO/9GmzapQIjVz7prYg8OPBdAHcC+BAw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzLzB3L1NNV0REZzJVL21L
+ VkJlaGM4WlY2RzRDUXJIdEdpQytTTXd3eFVrCjUzTWRMK3lCbzl5R2ZDcm9Cc2h0
+ dWQ4VW01Sk5ORUVyZWNxMmpuRElBaU0KLS0tIEV2TUNCNmRKRjE5bXArSlN5a1N0
+ SkhuSFV2RDc4VXJhVm9aV29JdjFtWE0KbM+7ZLnPcJjglbdI2JjKl3quqJutQ+rc
+ xQyiNy03cwXZLQIAZ+5BBm+2JvOwHGn3nT7c2zlLxf2QJM21FuQb9A==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1cc9phftkzcwaey2rw63m74tyxdjxxzanxphsdrhy6vwlwhgehfzq9rh6e4
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSVzBEWXd2bHVsUWhHSUVB
- QTMzTjNzOU9zeHhLVTZNVno1eHRoVUVrTUFvClhNRmtvWFpPTk95c25JNk42dGhE
- M2lQS2dNc1N0eTRQdGdseGxFemFianMKLS0tIE5CT0xja1pQazFlcm12b3JrWUFK
- eGttaGh4S0pCUGFBYlFFYU5IWlVWSm8KXISSh2xmGZXYeWbEpcaW9m0G+cDYC8Mh
- M320U7+cwvc9BVSqoZBj7SI0YoSw3LXubzuqRHmEGHOI+v6CZAfrUw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyblhEOGpzcVpvemsyRWll
+ SVhGNGZqSmF5dUdZaklmUk9UZHpzM3pRRlZnCmJ1a1Fldy9oOFRCMGF5LzY1YUQy
+ cTU2WjNpeGl6QzN0UENCS2xYdmhpVDAKLS0tIFVvR29NUE9Ha3JFVFN0K3ArM2F2
+ OVB2T21RcG51Qnkxa0szUjFlZFozNUkKezIEMfE9uAH3ndx4IRgp9QyWm/SSn5Y8
+ aomvI9bEQJLE0oieeDjdGZvms7Z6Yw9jg8eDufjee/XfPSRLQCl6iw==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1zsl5d4vj6gl3h96y5p53sq5y4vr4vtlwp727h7rp9a4xfkxm53lqrh6r50
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZd2Q2OXVkRGxBc01wQm5C
- cCtzNDNrTXlpRVBWcDdHNVRtY2dPa3RxUlIwCnBKUnZ3RUxnZ0U3OEtiUjByMno2
- azVXb0VuN0poTTlsMWtqQStLSUZmU28KLS0tIDl5SzBvY1ZWYW1zNTBUUWJ6bHFk
- VDI3enY0L1kxeWVlQ3RBSUFhYW96M2MK05BP3eU6NSr/N02fNnB2VGx2qSradk3j
- mpRGONAH21LvMLRcqsp6MTWqbAtOM1YXudWWNgZUZYgaJsn2iApKig==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSDJhRUo1VUEzMUJZSzNv
+ bmNOcXh0UFUyRUt1Y3dsWTBKTHJleFc3VHhNCmQ5cFF0S0J1L1BUT2VSdEhDYVZv
+ dW90Y1BaWW96enVDaHQwYWNkNE5YSWsKLS0tIGdxYnVXT29aNlMvYmlkWDI5SktN
+ a0E1RVVhQ0p1d2g0cFExZGZZWForbGMKNY/p3jHTMsodszx3ouRnSCvOSWCg+uRt
+ mzy2cknlE9Do30RClbRKbFPKvF3gqAp+FjK7VYs1/dn4LAOhcFsraw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age145uq9emlxqzm3wqauy9zqj78wqx9e6h09xag6wust7jjgn4upfzsaemcvx
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRk8wc1VEa3drWTJHQXRs
+ cFgzM1dOdHJvcTZ6VWI5WHJBWjZyalUvTEZRClQ0TkVMNGpTYUdFVkZwRC9tcnJN
+ SWFsS1FHd0tGN0NETXlwb0VaTUlEOW8KLS0tIEtnZVR3SmJIUXg4OHV4Z0RkTVZp
+ MjVxc0F4b0FsRHg0LzRsbWg0SFFQeGsKwlipfbrTdWkfsvvk03fQz5xHHdwNj5Ce
+ PzUOgaQzK6ufkjQ/TAghv397YzqOhzcQ7B6LGQ/AVozDdYem3wl9Pg==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1lyvzg4ud96trsuv6gsvjw0p3rtd6qjpyl9uleq8hcrzwekuhpfesnlqauf
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZUk0eExSTFRRU2VST2k1
- Q3VtYTNpRHM1U0gvQkhReUUwWWc1RmMxVmo0Ckd4d0lGdWg3L0JHak9aOG14T0or
- Y3JUOGpWaWh6Zm16VlA0MlZIQXJqKzAKLS0tIHRac2lSOW44WEswLzN5L3ZzbTd4
- WkhjakVMVHIvbC9ZUk5QYU9NYUw3azgKAC2Am3/1mCx5O/XCf01PFlEsN/iVxgf1
- OQfyTsX6GzDEIj9fnd/9q66Wkee/FNdL25hAnOdlFo6+ujscH8eeVg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Q0xPL2dBZFFwUitxQlpM
+ S1dHVkQvb0szWFE4bFdaUXgvaThkYnVUZVNrCkw1WUR5S0w2eUlxQm4wdGVMQ3VK
+ NDJxbGt3ejEvanM3V3FOaHd2dDNaRW8KLS0tIHYxY2I2dXVhcGpJZDFBSDhuNWV0
+ dzFIL2cwb29TTlZuWTNSZnBaU3VlSjQK9jXjslY75C7UtArlAZ2rIK4+bLd+eYKd
+ lJiSD0YByMUPDFgCGksmMMyUIuvsxNt+eIxzUCN4kjGl+3GNA1ZBRQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-29T06:25:18Z"
- mac: ENC[AES256_GCM,data:tgFPeIUKzi1EntpVd8dZmGpxIofm65zZi3WZIpNTzE8fkqHpddMx/qUpRE2KLhpW+H9cOUi66ZFeNOLNu6mTHmQvq3Mcho5KxYODokJOL7i046DMq9FD/rY/5hNzDDVB5xehNDyRblbD7f0GCobxeO/NgO+GCzsqNGply6hW6NM=,iv:bOVFwX55zERg28qc0e0VrBatYMZsr21Ob2yXNgGZtb4=,tag:sfpUgmcJxrnqHmYYwCIGxQ==,type:str]
+ lastmodified: "2024-09-13T09:14:50Z"
+ mac: ENC[AES256_GCM,data:Zg0vvFo+HwCpRZuitHSbRMIIrHt62Tr4tlW6xirzPaDGrADKZsLTg+NbTLWEamwrYHReYlO3xDZ6t10g0dXKPPC1nGWN8K+qm+0dHqyEcfDzi0sXOxfXvETKZVQiGFdH/SUKzgjtUehwHwmSpLhGZzwifOwNZ6+c620Loi8kJZs=,iv:kjYa8JbZw0+FOQ6OxTpjkiFBCpJOxZz1p8sAemMuvKw=,tag:96yQTsSfizX3GEJWt9lMog==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/hosts/controller/default.nix b/hosts/controller/default.nix
index 54818eb..1ac92df 100644
--- a/hosts/controller/default.nix
+++ b/hosts/controller/default.nix
@@ -9,7 +9,6 @@
 ../common
 ../../modules/nixos/headscale.nix
 ../../modules/nixos/vaultwarden.nix
- ../../modules/nixos/uptime-kuma.nix
 ../../modules/nixos/gitea.nix
 ../../modules/nixos/monitoring/grafana.nix
 ../../modules/nixos/monitoring/loki.nix
@@ -88,7 +87,6 @@
 "/var/lib/grafana"
 "/var/lib/loki"
 "/var/lib/private/ntfy-sh"
- "/var/lib/private/uptime-kuma"
 ];
 encryption = {
 mode = "repokey-blake2";