add borken-data-hoarder

oxapentane - 2023-05-01 05:51:43 +02:00
parent f8cd7d1684
commit c9c829d037
Signed by: oxapentane
GPG Key ID: 91FA5E5BF9AA901C
5 changed files with 213 additions and 2 deletions


@ -3,13 +3,15 @@ keys:
- &admin_revol-xut 91EBE87016391323642A6803B966009D57E69CC6
- &admin_marenz-1 069836A578F7939612DB4934F77D0F7E247A1EE4
- &admin_marenz-2 ED06986DFAAE6A61B751DC2F537F97DFB394C433
# test key
- &test age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh
- &data-hoarder age1djp5hk6vpm5glzqy9h2e2cgam5xydx888glgs85kvs57spaf8v0sfm0pa2
- &data-hoarder-staging age1m4g4y5ga2m8xdvs7rarda3tyk4gtkyta6pfyq2n3xmy47z20kfxq73m8r8
- &data-hoarder-borken age1rps5wanz2dvme5nfkyzq5rtesxdl3p2gku2vsj2s745mr9gqf5rsufv5fr
- &notice-me-senpai age1t8ktl8tkkpa7s5f2a4crhgpr8c72c942vqht9l8m9y35fhppv4ks8gjqnn
# turmlabor
- &traffic-stop-box-0 age1yxtur968m4xe0m3kj0waqpm2kuuywpp9f6t0rxl4f0262ze9n9jqehw0k5
# zw
@ -72,6 +74,16 @@ creation_rules:
age:
- *data-hoarder
- *data-hoarder-staging
- path_regex: secrets/data-hoarder-borken/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
- *admin_revol-xut
- *admin_marenz-1
- *admin_marenz-2
age:
- *data-hoarder
- *data-hoarder-borken
- path_regex: secrets/notice-me-senpai/[^/]+\.yaml$
key_groups:
- pgp:
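Review bot: The new `secrets/data-hoarder-borken/` rule lists `*data-hoarder` as an age recipient next to `*data-hoarder-borken`, so the production host's key can also decrypt this instance's secrets. A compromise of the production key would then expose the borken WireGuard key and database passwords as well as its own. The context lines above show the same pairing with `*data-hoarder-staging`, so it may be deliberate; if so, a comment such as `# data-hoarder is a recipient because <reason>` would record why, otherwise the `age:` list should hold only `- *data-hoarder-borken`. `*admin_oxa` is referenced in this rule but its anchor is not among the visible lines of the first hunk, and the rule that follows continues outside the hunk.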


@ -264,6 +264,7 @@
packages = {
staging-microvm = self.nixosConfigurations.staging-data-hoarder.config.microvm.declaredRunner;
borken-microvm = self.nixosConfigurations.borken-data-hoarder.config.microvm.declaredRunner;
data-hoarder-microvm = self.nixosConfigurations.data-hoarder.config.microvm.declaredRunner;
fuck-microvm = self.nixosConfigurations.fuck.config.system.build.vm;
docs = pkgs.callPackage ./pkgs/documentation.nix {
@ -322,6 +323,15 @@
] ++ data-hoarder-modules;
};
borken-data-hoarder = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };
modules = [
./hosts/borken-data-hoarder
microvm.nixosModules.microvm
] ++ data-hoarder-modules;
};
fuck = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs self; };


@ -0,0 +1,86 @@
{ config, self, ... }:
let
mac_addr = "00:de:5b:f9:e2:3e";
in
{
microvm = {
vcpu = 4;
mem = 4096;
hypervisor = "cloud-hypervisor";
socket = "${config.networking.hostName}.socket";
interfaces = [{
type = "tap";
id = "serv-dvb-bork";
mac = mac_addr;
}];
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}
{
source = "/var/lib/microvms/borken-data-hoarder/etc";
mountPoint = "/etc";
tag = "etc";
proto = "virtiofs";
socket = "etc.socket";
}
{
source = "/var/lib/microvms/borken-data-hoarder/var";
mountPoint = "/var";
tag = "var";
proto = "virtiofs";
socket = "var.socket";
}];
};
networking.hostName = "borken-data-hoarder";
time.timeZone = "Europe/Berlin";
networking.useNetworkd = true;
sops.defaultSopsFile = self + /secrets/data-hoarder-borken/secrets.yaml;
deployment-TLMS.net = {
iface.uplink = {
name = "ens3";
mac = mac_addr;
matchOn = "mac";
useDHCP = false;
# FIXME
dns = [ "172.20.73.8" "9.9.9.9" ];
routes = [
{
routeConfig = {
Gateway = "172.20.73.1";
GatewayOnLink = true;
Destination = "0.0.0.0/0";
};
}
];
};
wg = {
addr4 = "10.13.37.7";
prefix4 = 24;
privateKeyFile = config.sops.secrets.wg-seckey.path;
publicKey = "jUQxEav0M5pmkcdCri7R4mryB5Q3ksnn276FYeGCHQ0=";
};
};
deployment-TLMS.domain = "borken.tlm.solutions";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
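Review bot: The bare `# FIXME` above `dns` does not say what is unfinished, and the list pairs the internal resolver `172.20.73.8` with the public `9.9.9.9`. Depending on how the guest's resolver chooses between them, lookups for internal names could be sent to the public service, and the two may give different answers. I would either drop the public entry or spell out the open question, e.g. `# FIXME(<owner>): decide whether a public fallback resolver is acceptable here`. Separately, `/etc` and `/var` are virtiofs shares backed by `/var/lib/microvms/borken-data-hoarder` on the host, so any key material the guest keeps there (presumably including the identity sops decrypts with, which this file does not show) is only as protected as that host directory; a comment stating its expected ownership and mode would help.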


@ -29,7 +29,7 @@
if ($accept_language ~ "^$") {
set $accept_language "en";
}
rewrite ^/$ /$accept_language last;
'';
};


@ -0,0 +1,103 @@
wg-seckey: ENC[AES256_GCM,data:b0QcY/9TKPG8lyxUrIHU3Re8r4X9PM+hewPTEvVteKQq2t71zrR49OlYoO4=,iv:ufxvGhjk01FcgERZtp8C2U351LOoSrIiH8LmiQLdFuU=,tag:XnOHL2um0C14OmNL32di7A==,type:str]
postgres_password: ENC[AES256_GCM,data:7lEBJLa1BQ7Y,iv:keUinQS68xGcKb10jjQDSDcbVsagoVJhJ9//AC8enBI=,tag:+h8ltz+PMZMhl6O0SxFlhw==,type:str]
postgres_password_grafana: ENC[AES256_GCM,data:7UmDdje0/guR,iv:bvAt/6mnPS4q663teBzJn7+TLxZVbKmHIJKK4TX7BGY=,tag:+GSZy4OWMHp5WqATle5VEQ==,type:str]
postgres_password_hash_salt: ENC[AES256_GCM,data:WALvYBu6UwaP3kk=,iv:m5G08JoBy3IPzJzZL/OxE3nmDlVuCP755Am2nojTl4Q=,tag:TvQDSDafcHgSwtQPyEZEMg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1djp5hk6vpm5glzqy9h2e2cgam5xydx888glgs85kvs57spaf8v0sfm0pa2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MDBGL1Y2NXJyYmcwSDFE
cUQ0cTl4dGJQYWVzOTdRWXRJaHRwd3BKRlFnCkdqWitMa0hZMTRFOXYwUHJyTzRU
a3FYdjV2SndVNmNQSHpuTjU0Tk01cXcKLS0tIGdHNnNRRVRKR2Q4d2doZGFheXNX
cVpkZy9nZDdUNmVmUS91OTJ3TjhXNVEKEjSt+A3WSVV8mCRuvPm4fNOkdslyCqxQ
gqm+Bf1Kg4qH463FzB1xSDdn/d6N68kDzFK6PmMH2nBkcJj4E/ZTHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rps5wanz2dvme5nfkyzq5rtesxdl3p2gku2vsj2s745mr9gqf5rsufv5fr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBabEpvSDU5YUZwRTJrL1lh
Zjhoeld6UjRyUDNhQ0ZZdXJRZ0s5YXZuRGg0ClJENXZTWUNIOHVBcERCU3AzbWll
NUw2elVSNERFZWxBRFFWS2JVVi9zRFkKLS0tIGljTXRVM2taZytOT1cyUkxob2px
Nm1iNjNHMWYwck9mMDhhZmNaSWpxSkEKK6WmPp3kvuWrLCTPiT/CiysqQKErLevn
IbtYw/SNLUGMd5YPyymZcAz6ONv+VEydad0WgaVntZW/59LCw/IAHQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-01T02:15:23Z"
mac: ENC[AES256_GCM,data:z7/83Sch5rrtdy/b1gTxhRFLnZtNsJYtAOGjPVxbk07btKnwz24gflkoYcyDYzNLsAfxBI8ht4S7ZBTHbi/6PkF7QCvWFR8WuHDc9pKYLf4UmkKA+98sGsoIe0y9oDamb7Bh1a3J4SW4/7wPiCzMQHqeohDTzwQ5OxX14GSKQoU=,iv:+ujuMkU1pzP3oop6JlCkLbpWSUr7HK7oEw4/4+PIw04=,tag:DOcGlEV2qFgFjMWS/5ACoQ==,type:str]
pgp:
- created_at: "2023-05-01T03:51:07Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=CaLH
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
- created_at: "2023-05-01T03:51:07Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=HCIG
-----END PGP MESSAGE-----
fp: 91EBE87016391323642A6803B966009D57E69CC6
- created_at: "2023-05-01T03:51:07Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA1N/l9+zlMQzAQf/cYg2GBlrdvofmT0upN+A2BCdBqEGzMckUMrkC3HhAov9
0wjGiO3LsWjg49UVhzf+rRhukhck4id2NDQGOFz6B3mzw4gh8GoFn4ouIXL8i30z
gU76kasXJeft9u5XqFqVX7H2h8ElUUX0AaQt3EE5lT1HTQRgD2ME6Gh5OvHUZ0Wv
dwWVb/EjkdIaRZzuGdFGPyoa5PcLY2H/Fb1V74JSif+4X2iCfU8xunXSy+arHjAO
PLI84EJyZGsS/EFmM21gWdbEozVozPE+ZpCaaiy97RAZ8rfLzRTGbjtgsG9jw+gz
vKlhFTv1E9uXkvO6D8FPkuaXtaopAIioA9mH2Bjd6NJeAeVMYgYE5ZbppZvn0y5E
VJSQoav1ogMG0ImUVkbkvy2UYzMUb/2N1AFrdxZMJLVokm6lvuxXnsje7QH6mkk5
jGu9QLhuEsKVXrcPBVP0T/wb3NoJLEW3S2RGZUxKTA==
=INdk
-----END PGP MESSAGE-----
fp: 069836A578F7939612DB4934F77D0F7E247A1EE4
- created_at: "2023-05-01T03:51:07Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA1N/l9+zlMQzAQgAls3FXxw2QDDxZB+OM9VvdTRTjlnX9yLu2gR6sD7+2Wbx
ccI/G8OUasQTKLmx+oakd/afrC6UvQjjcrIFM5B6u7IKhOlS+62b9XJsI/2e6bRt
rBp3DuEvP/QjvYiOZYcUdLtvMb+VAMXjgOeItF/yX9FmNVpoJikEyFglIsemW1R3
W6ngrQnc6G9O0qkfzWp5m1kliQIacWsQnqQdUSyesCDP3AEr7+ic3ujX4qOCaIPA
Yn5mMlWmQ3jIcvAtbeAQ5jazWi2720ocaDqsv6iBW4EEHRK+uekEaNVv5y8Iq2UN
TiXPoNadVAbgjEZ/G+fg7RtdAb7NRsC0Z8041eAqStJeAXliaFDf5vp16UxsfBU1
xqSvnJfUJnSir3hFo0+6bQXWo0KHsEo23ISYOFyuvPmxAj8CB2eKQ5H2KoZe89cR
+zImCKbF51L6x5RH5UFFF3qVwruUAy6IIAi1jjJ7sw==
=Oec7
-----END PGP MESSAGE-----
fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433
unencrypted_suffix: _unencrypted
version: 3.7.3
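Review bot: SOPS encrypts each value with AES-GCM and no padding, so the `data:` field lengths for `postgres_password` and `postgres_password_grafana` show anyone who can read the repository that the plaintexts are under a dozen bytes. Short database passwords are worth replacing with long randomly generated values before this host is exposed, and the same goes for `postgres_password_hash_salt`. The two age recipients match the creation rule added in this commit, so the production `data-hoarder` key can decrypt this file too.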