commit 941d48e40abf0bb8bf03b1d2b19fb7f87bd149cd
parent d04357d570dfa9da492ce9fd5f9e15c2d8fa417b
Author: Leah (ctucx) <git@ctu.cx>
Date: Sat, 26 Nov 2022 21:51:15 +0100
parent d04357d570dfa9da492ce9fd5f9e15c2d8fa417b
Author: Leah (ctucx) <git@ctu.cx>
Date: Sat, 26 Nov 2022 21:51:15 +0100
machines: remove `osterei`
7 files changed, 10 insertions(+), 186 deletions(-)
D
|
81
-------------------------------------------------------------------------------
D
|
62
--------------------------------------------------------------
diff --git a/configurations/common/syncthing-config.nix b/configurations/common/syncthing-config.nix
@@ -55,7 +55,7 @@ let
 else false;
- appendDataDirHosts = [ "desastro" "lollo" "taurus" "osterei" ];
+ appendDataDirHosts = [ "desastro" "lollo" "taurus" ];
 homeDir = if pkgs.stdenv.isLinux then "/home" else "/Users";
 dataDir = "${homeDir}/leah" + (if builtins.elem config.networking.hostName appendDataDirHosts then "/syncthing" else "");
diff --git a/configurations/linux/services/dns.nix b/configurations/linux/services/dns.nix
@@ -12,7 +12,7 @@ SOA = {
 nameServer = "ns1.ctu.cx.";
 adminEmail = "dns@ctu.cx"; # Email address with a real `@`!
- serial = lib.toInt ("2022" + "11" + "04" + "01");
+ serial = lib.toInt ("2022" + "11" + "26" + "10");
 };
 MXApple = with mx; [ (mx 10 "mx01.mail.icloud.com.")
@@ -31,8 +31,8 @@ subdomains = {
 blechkasten = (host "195.39.246.42" "2a0f:4ac0:acab:1234::42");
- ns1 = (host "185.232.70.80" "2a03:4000:4e:af1::1");
- ns2 = (host "46.38.253.139" "2a03:4000:1:45d::1");
+ ns1 = (host "89.58.62.171" "2a0a:4cc0:1:2d7::1");
+ ns2 = (host "46.38.253.139" "2a03:4000:1:45d::1");
 # "sig1._domainkey".CNAME = [ "sig1.dkim.ctu.cx.at.icloudmailadmin.com." ];
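Review bot: The new `ns1` addresses in the `subdomains` hunk are bare literals, and nothing in this commit says which machine now serves the zone; the deleted `machines/osterei/configuration.nix` imported this `dns.nix` and carried the old address pair, and no replacement importer is visible here. A comment on that line such as `# ns1 = <HOSTNAME>; parent-zone glue must match` would keep the record and the host in step. Because the old addresses return to the hosting provider once osterei is cancelled, the glue at the registrar and any zone-transfer or notify allow-list that may exist on `ns2` should be checked for leftovers of `185.232.70.80` / `2a03:4000:4e:af1::1`, so that a later tenant of that address is never treated as authoritative. The `ns2` line changes alignment only.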
diff --git a/hive.nix b/hive.nix
@@ -16,11 +16,10 @@ inputs:
 defaults = import ./configurations/common;
 lollo = import ./machines/lollo/configuration.nix;
- osterei = import ./machines/osterei/configuration.nix;
 desastro = import ./machines/desastro/configuration.nix;
- hector = import ./machines/hector/configuration.nix;
- wanderduene = import ./machines/wanderduene/configuration.nix;
 trabbi = import ./machines/trabbi/configuration.nix;
+ wanderduene = import ./machines/wanderduene/configuration.nix;
+ hector = import ./machines/hector/configuration.nix;
 }
diff --git a/machines/osterei/configuration.nix b/machines/osterei/configuration.nix 
@@ -1,81 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-
- imports = [
- ./hardware-configuration.nix
-
- ../../configurations/common/programs/gpg.nix
- ../../configurations/common/programs/password-store.nix
-
- # dns server
- ../../configurations/linux/services/dns.nix
-
- # monitoring
- ../../configurations/linux/services/prometheus-node-exporter.nix
- ];
-
- services.pcscd.enable = lib.mkForce false;
- home-manager.users.leah.services.gpg-agent.enable = lib.mkForce false;
-
- age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age;
- age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
- age.secrets.restic-server-hector.file = ../../secrets/restic-server/hector.age;
-
- boot = {
- loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/vda";
- };
-
- initrd.network = {
- enable = true;
- ssh = {
- enable = true;
- port = 22;
- hostKeys = [ /etc/ssh/ssh_host_rsa_key ];
- authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
- };
-
- postCommands = ''
- ip link set dev ens3 up
- ip addr add 2a03:4000:4e:af1::1/128 dev ens3
- ip route add default via fe80::1 dev ens3 onlink
-
- ip addr add 185.232.70.80/22 dev ens3
- ip route add default via 185.232.68.1 dev ens3 onlink
- echo 'cryptsetup-askpass' >> /root/.profile
- '';
- };
- };
-
- services.email-notify.enable = true;
-
- dns.zones."ctu.cx".subdomains.osterei = (pkgs.dns.lib.combinators.host "185.232.70.80" "2a03:4000:4e:af1::1");
-
- networking = {
- useDHCP = false;
-
- defaultGateway6 = {
- interface = "ens3";
- address = "fe80::1";
- };
-
- interfaces.ens3 = {
- useDHCP = true;
-
- ipv6.addresses = [{
- address = "2a03:4000:4e:af1::1";
- prefixLength = 64;
- }];
- };
-
- firewall.enable = true;
- };
-
- system.stateVersion = "21.11";
- home-manager.users.leah.home.stateVersion = "21.11";
-
-}
-
diff --git a/machines/osterei/fritzbox-exporter.nix b/machines/osterei/fritzbox-exporter.nix
@@ -1,62 +0,0 @@
-{ pkgs, ... }:
-
-let
- fritzbox-exporter = pkgs.nimPackages.buildNimPackage {
- name = "fritzbox-exporter";
-
- nimBinOnly = true;
- nimRelease = true;
-
- src = pkgs.fetchgit {
- url = "https://cgit.ctu.cx/fritzbox-exporter";
- rev = "2e4762465179097b028bfa695389392415c7d112";
- sha256 = "0i02cd43d1qjs6ajy29y8vygmkqgvn6y2gxjxg0wk04ib2g7dgpa";
- };
- };
-
-in {
-
- systemd.services.fritzbox-exporter = {
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
-
- serviceConfig = {
- DynamicUser = true;
-
- PrivateTmp = true;
- ProtectHome = true;
- ProtectSystem = "strict";
- ProtectKernelTunables = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- RestrictAddressFamilies = "AF_INET";
-
- NoNewPrivileges = true;
- PrivateDevices = true;
- RestrictSUIDSGID = true;
- ProtectKernelModules = true;
- MemoryDenyWriteExecute = true;
- RestrictNamespaces = true;
- RestrictRealtime = true;
- LockPersonality = true;
-
- ExecStart = "${fritzbox-exporter}/bin/fb_exporter";
-
- Restart = "on-failure";
- RestartSec = "5";
- };
- };
-
- services.nginx = {
- enable = true;
- virtualHosts."fbexporter.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://127.0.0.1:1234";
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 1234 ];
-
-}
diff --git a/machines/osterei/hardware-configuration.nix b/machines/osterei/hardware-configuration.nix
@@ -1,31 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/4090ea85-78b1-4dea-ac9c-5aff5b74de90";
- fsType = "ext4";
- };
-
- boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/a3670ecb-97fe-419f-959c-e9a06527b5c9";
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/45EE-A9E1";
- fsType = "vfat";
- };
-
- swapDevices = [ ];
-
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -4,19 +4,18 @@ let
 #servers
 lollo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNCdn6aHCgxG1tq5f0XPvQ+lIgsQ/3gzT6FNvokOIgX";
- osterei = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrsl0Ele8PvhVrLj0OnpP8GCuwNCZ0e8+P4FQnoGnmQ";
 desastro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEniZFbgj9w7fQ+MhTnE83MatgcuDI7c7qqx05DTQcun";
 taurus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICV+KOqhtBmT5/I6mGvzk4oOdcxdlHazxkDbSXWrVTjk";
 hector = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWH8uGtxkYfv3CA5Q3qqOvbaTvp9KItrdSiKXZdDUsx";
 trabbi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLBBZJ9/644d71E8A7IFU7dvDHI+OR/7q79KvqmI/i/";
 in {
- "passwords/leah-at-f2k1-de.age".publicKeys = [ leah osterei taurus desastro lollo hector trabbi ];
+ "passwords/leah-at-f2k1-de.age".publicKeys = [ leah trabbi taurus desastro lollo hector ];
- "restic-server/lollo.age".publicKeys = [ leah trabbi osterei taurus hector lollo ];
- "restic-server/desastro.age".publicKeys = [ leah trabbi osterei taurus hector lollo ];
- "restic-server/hector.age".publicKeys = [ leah trabbi osterei taurus hector lollo desastro ];
+ "restic-server/lollo.age".publicKeys = [ leah trabbi taurus hector lollo ];
+ "restic-server/desastro.age".publicKeys = [ leah trabbi taurus hector lollo ];
+ "restic-server/hector.age".publicKeys = [ leah trabbi taurus hector lollo desastro ];
 "coladose/syncthing/key.age".publicKeys = [ leah coladose ];
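Review bot: Dropping `osterei` from the four `publicKeys` lists only changes who future encryptions target; the existing `.age` files stay decryptable with osterei's host key until they are re-encrypted, and of the seven files this commit touches the only one under `secrets/` is `secrets.nix`. Assuming this repository uses agenix, run `agenix --rekey` and commit the rewritten `passwords/leah-at-f2k1-de.age` and `restic-server/{lollo,desastro,hector}.age` together with this change. Rekeying does not take back what the old key can still decrypt from git history, so the values behind those four secrets should be rotated unless the decommissioned machine's disk and host key are known to be destroyed. The reordering of `trabbi` in the first list has no effect.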