From 49c21fe740cb46609c50483e5d3691595dd52f14 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 02:58:37 +0200 Subject: [PATCH 01/14] dns: add trinkgenossin, delite, blue-shell --- terraform/dns.tf | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/terraform/dns.tf b/terraform/dns.tf index e20c284e..f30dee1b 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -59,6 +59,36 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "49.13.236.167" } + record { + hostname = "trinkgenossin" + type = "A" + address = "85.215.152.22" + } + record { + hostname = "trinkgenossin" + type = "AAAA" + address = "2a01:239:35d:f500::1" + } + record { + hostname = "delite" + type = "A" + address = "5.255.119.132" + } + record { + hostname = "delite" + type = "AAAA" + address = "2a04:52c0:124:9d8c::2" + } + record { + hostname = "blue-shell" + type = "A" + address = "194.13.83.205" + } + record { + hostname = "blue-shell" + type = "AAAA" + address = "2a03:4000:43:24e::1" + } record { hostname = "auth" type = "CNAME" From ca8e578b118f8b441918e45f192d799532ffb066 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:00:01 +0200 Subject: [PATCH 02/14] hosts: init trinkgenossin --- hosts/default.nix | 15 +++++ hosts/trinkgenossin/configuration.nix | 37 ++++++++++++ hosts/trinkgenossin/default.nix | 12 ++++ .../trinkgenossin/hardware-configuration.nix | 56 +++++++++++++++++++ hosts/trinkgenossin/networking.nix | 15 +++++ 5 files changed, 135 insertions(+) create mode 100644 hosts/trinkgenossin/configuration.nix create mode 100644 hosts/trinkgenossin/default.nix create mode 100644 hosts/trinkgenossin/hardware-configuration.nix create mode 100644 hosts/trinkgenossin/networking.nix diff --git a/hosts/default.nix b/hosts/default.nix index af64b843..903a532b 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -87,6 +87,21 @@ self.nixosModules.promtail ]; }; + + trinkgenossin = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./trinkgenossin + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + #self.nixosModules.prometheus-exporters + #self.nixosModules.promtail + + self.nixosModules.garage + ]; + }; }; }; } diff --git a/hosts/trinkgenossin/configuration.nix b/hosts/trinkgenossin/configuration.nix new file mode 100644 index 00000000..ca20c940 --- /dev/null +++ b/hosts/trinkgenossin/configuration.nix @@ -0,0 +1,37 @@ +{ + flake, + config, + lib, + pkgs, + ... +}: +{ + boot.loader.grub.enable = true; + boot.loader.grub.devices = ["/dev/vda"]; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + services.openssh.openFirewall = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/trinkgenossin/default.nix b/hosts/trinkgenossin/default.nix new file mode 100644 index 00000000..845d466c --- /dev/null +++ b/hosts/trinkgenossin/default.nix @@ -0,0 +1,12 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/trinkgenossin/hardware-configuration.nix b/hosts/trinkgenossin/hardware-configuration.nix new file mode 100644 index 00000000..c4ee45e4 --- /dev/null +++ b/hosts/trinkgenossin/hardware-configuration.nix @@ -0,0 +1,56 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + + fileSystems."/var/lib/garage/data" = { + device = "/dev/disk/by-label/data"; + fsType = "xfs"; + }; + + fileSystems."/var/lib/garage/meta" = { + device = "/dev/disk/by-label/metadata"; + fsType = "btrfs"; + }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + virtualisation.hypervGuest.enable = true; +} diff --git a/hosts/trinkgenossin/networking.nix b/hosts/trinkgenossin/networking.nix new file mode 100644 index 00000000..aa9a3780 --- /dev/null +++ b/hosts/trinkgenossin/networking.nix @@ -0,0 +1,15 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + services.garage.settings.rpc_public_addr = "[2a01:239:35d:f500::1]:3901"; + + networking.hostName = "trinkgenossin"; + networking.hostId = "00000003"; + + networking.enableIPv6 = true; + networking.useDHCP = true; +} From 4ef9781d10ae6def4901ed2158ba5d7c5b4d651f Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:01:11 +0200 Subject: [PATCH 03/14] hosts: init delite --- hosts/default.nix | 16 +++++ hosts/delite/configuration.nix | 35 ++++++++++ hosts/delite/default.nix | 13 ++++ hosts/delite/disk-config.nix | 92 +++++++++++++++++++++++++ hosts/delite/hardware-configuration.nix | 18 +++++ hosts/delite/networking.nix | 26 +++++++ 6 files changed, 200 insertions(+) create mode 100644 hosts/delite/configuration.nix create mode 100644 hosts/delite/default.nix create mode 100644 hosts/delite/disk-config.nix create mode 100644 hosts/delite/hardware-configuration.nix create mode 100644 hosts/delite/networking.nix diff --git a/hosts/default.nix b/hosts/default.nix index 903a532b..9a9b7e42 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -102,6 +102,22 @@ self.nixosModules.garage ]; }; + + delite = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.inputs.disko.nixosModules.disko + self.nixosModules.home-manager + ./delite + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + #self.nixosModules.prometheus-exporters + #self.nixosModules.promtail + + self.nixosModules.garage + ]; + }; }; }; } diff --git a/hosts/delite/configuration.nix b/hosts/delite/configuration.nix new file mode 100644 index 00000000..1cfa0aee --- /dev/null +++ b/hosts/delite/configuration.nix @@ -0,0 +1,35 @@ +{ + flake, + config, + pkgs, + ... +}: +{ + boot.loader.grub.enable = true; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + services.openssh.openFirewall = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/delite/default.nix b/hosts/delite/default.nix new file mode 100644 index 00000000..3ac09fd5 --- /dev/null +++ b/hosts/delite/default.nix @@ -0,0 +1,13 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + ./disk-config.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/delite/disk-config.nix b/hosts/delite/disk-config.nix new file mode 100644 index 00000000..e478b7fb --- /dev/null +++ b/hosts/delite/disk-config.nix @@ -0,0 +1,92 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + bios = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + boot = { + size = "1G"; + type = "8300"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + extraOpenArgs = [ ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + passwordFile = "/tmp/luks-password"; + content = { + type = "lvm_pv"; + vg = "vg0"; + }; + }; + }; + }; + }; + }; + }; + lvm_vg = { + vg0 = { + type = "lvm_vg"; + lvs = { + root = { + size = "40G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + swap = { + size = "8G"; + content = { + type = "swap"; + }; + }; + data = { + size = "800G"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/var/lib/garage/data"; + mountOptions = [ + "defaults" + ]; + }; + }; + metadata = { + size = "50G"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/var/lib/garage/meta"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/delite/hardware-configuration.nix b/hosts/delite/hardware-configuration.nix new file mode 100644 index 00000000..bfdede70 --- /dev/null +++ b/hosts/delite/hardware-configuration.nix @@ -0,0 +1,18 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/delite/networking.nix b/hosts/delite/networking.nix new file mode 100644 index 00000000..357e3b0e --- /dev/null +++ b/hosts/delite/networking.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + services.garage.settings.rpc_public_addr = "[2a04:52c0:124:9d8c::2]:3901"; + + networking.hostName = "delite"; + networking.hostId = "00000004"; + + networking.useDHCP = false; + systemd.network.enable = true; + systemd.network.networks."10-wan" = { + matchConfig.Name = "ens3"; + address = [ + "5.255.119.132/24" + "2a04:52c0:124:9d8c::2/48" + ]; + gateway = [ + "5.255.119.1" + "2a04:52c0:124::1" + ]; + }; +} From 83b7e3e11e9b713e2fa98b246cdfee0b89b4c917 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:02:15 +0200 Subject: [PATCH 04/14] hosts: init blue-shell --- hosts/blue-shell/configuration.nix | 30 ++++++ hosts/blue-shell/default.nix | 13 +++ hosts/blue-shell/disk-config.nix | 109 ++++++++++++++++++++ hosts/blue-shell/hardware-configuration.nix | 17 +++ hosts/blue-shell/networking.nix | 26 +++++ hosts/default.nix | 16 +++ 6 files changed, 211 insertions(+) create mode 100644 hosts/blue-shell/configuration.nix create mode 100644 hosts/blue-shell/default.nix create mode 100644 hosts/blue-shell/disk-config.nix create mode 100644 hosts/blue-shell/hardware-configuration.nix create mode 100644 hosts/blue-shell/networking.nix diff --git a/hosts/blue-shell/configuration.nix b/hosts/blue-shell/configuration.nix new file mode 100644 index 00000000..07364e55 --- /dev/null +++ b/hosts/blue-shell/configuration.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: +{ + boot.loader.grub.enable = true; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + services.openssh.openFirewall = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/blue-shell/default.nix b/hosts/blue-shell/default.nix new file mode 100644 index 00000000..3ac09fd5 --- /dev/null +++ b/hosts/blue-shell/default.nix @@ -0,0 +1,13 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + ./disk-config.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/blue-shell/disk-config.nix b/hosts/blue-shell/disk-config.nix new file mode 100644 index 00000000..9be1ff5a --- /dev/null +++ b/hosts/blue-shell/disk-config.nix @@ -0,0 +1,109 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vdb"; + content = { + type = "gpt"; + partitions = { + bios = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + boot = { + size = "1G"; + type = "8300"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + extraOpenArgs = [ ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + passwordFile = "/tmp/luks-password"; + content = { + type = "lvm_pv"; + vg = "vg0"; + }; + }; + }; + }; + }; + }; + data = { + type = "disk"; + device = "/dev/vdc"; + content = { + type = "gpt"; + partitions = { + luks = { + size = "100%"; + content = { + type = "luks"; + name = "cryptdata"; + extraOpenArgs = [ ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + passwordFile = "/tmp/luks-password"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/var/lib/garage/data"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; + }; + lvm_vg = { + vg0 = { + type = "lvm_vg"; + lvs = { + root = { + size = "100G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + swap = { + size = "16G"; + content = { + type = "swap"; + }; + }; + metadata = { + size = "50G"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/var/lib/garage/meta"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/blue-shell/hardware-configuration.nix b/hosts/blue-shell/hardware-configuration.nix new file mode 100644 index 00000000..d6d2835e --- /dev/null +++ b/hosts/blue-shell/hardware-configuration.nix @@ -0,0 +1,17 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/blue-shell/networking.nix b/hosts/blue-shell/networking.nix new file mode 100644 index 00000000..8aea3d99 --- /dev/null +++ b/hosts/blue-shell/networking.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + services.garage.settings.rpc_public_addr = "[2a03:4000:43:24e::1]:3901"; + + networking.hostName = "blue-shell"; + networking.hostId = "00000005"; + + networking.useDHCP = false; + systemd.network.enable = true; + systemd.network.networks."10-wan" = { + matchConfig.Name = "ens3"; + address = [ + "194.13.83.205/22" + "2a03:4000:43:24e::1/64" + ]; + gateway = [ + "194.13.80.1" + "fe80::1" + ]; + }; +} diff --git a/hosts/default.nix b/hosts/default.nix index 9a9b7e42..0d7fa471 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -118,6 +118,22 @@ self.nixosModules.garage ]; }; + + blue-shell = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.inputs.disko.nixosModules.disko + self.nixosModules.home-manager + ./blue-shell + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + #self.nixosModules.prometheus-exporters + #self.nixosModules.promtail + + self.nixosModules.garage + ]; + }; }; }; } From 9eb746313e2b02916532e407724d6533c1d48b45 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:03:55 +0200 Subject: [PATCH 05/14] flake: add disko https://github.com/nix-community/disko And add hosts to deploy-rs --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 15 +++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/flake.lock b/flake.lock index fd62f673..e2e51fbc 100644 --- a/flake.lock +++ b/flake.lock @@ -87,6 +87,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724349583, + "narHash": "sha256-zgB1Cfk46irIsto8666yLdKjqKdBrjR48Dd3lhQ0CnQ=", + "owner": "nix-community", + "repo": "disko", + "rev": "435737144be0259559ca3b43f7d72252b1fdcc1b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "element-stickers": { "inputs": { "maunium-stickerpicker": [ @@ -376,6 +396,7 @@ "inputs": { "agenix": "agenix", "deploy-rs": "deploy-rs", + "disko": "disko", "element-stickers": "element-stickers", "element-themes": "element-themes", "flake-parts": "flake-parts", diff --git a/flake.nix b/flake.nix index b5473e13..6f84843c 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,9 @@ deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.darwin.follows = "nix-darwin"; @@ -135,6 +138,18 @@ hostname = "tankstelle.wg.pub.solar"; sshUser = username; }; + trinkgenossin = { + #hostname = "trinkgenossin.wg.pub.solar"; + sshUser = username; + }; + delite = { + #hostname = "delite.wg.pub.solar"; + sshUser = username; + }; + blue-shell = { + #hostname = "delite.wg.pub.solar"; + sshUser = username; + }; }; }; }; From 4a3d3ce84b7060b590227d9ed90077ce854725e5 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:05:16 +0200 Subject: [PATCH 06/14] garage: init module --- modules/garage/default.nix | 75 +++++++++++++++++++++++++++++++++ secrets/garage-admin-token.age | 47 +++++++++++++++++++++ secrets/garage-rpc-secret.age | Bin 0 -> 2686 bytes secrets/secrets.nix | 9 ++++ 4 files changed, 131 insertions(+) create mode 100644 modules/garage/default.nix create mode 100644 secrets/garage-admin-token.age create mode 100644 secrets/garage-rpc-secret.age diff --git a/modules/garage/default.nix b/modules/garage/default.nix new file mode 100644 index 00000000..0ee39d42 --- /dev/null +++ b/modules/garage/default.nix @@ -0,0 +1,75 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: +{ + age.secrets."garage-rpc-secret" = { + file = "${flake.self}/secrets/garage-rpc-secret.age"; + mode = "400"; + }; + + age.secrets."garage-admin-token" = { + file = "${flake.self}/secrets/garage-admin-token.age"; + mode = "400"; + }; + + networking.firewall.allowedTCPPorts = [ + 3900 + 3901 + 3902 + ]; + + services.garage = { + enable = true; + package = pkgs.garage_1_0_0; + settings = { + data_dir = "/var/lib/garage/data"; + metadata_dir = "/var/lib/garage/meta"; + db_engine = "lmdb"; + replication_factor = 3; + compression_level = 2; + rpc_bind_addr = "[::]:3901"; + s3_api = { + s3_region = "eu-central"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.${config.pub-solar-os.networking.domain}"; + }; + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".web.${config.pub-solar-os.networking.domain}"; + index = "index.html"; + }; + }; + }; + + users.users.garage = { + isSystemUser = true; + home = "/var/lib/garage"; + group = "garage"; + }; + + users.groups.garage = { }; + + # Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix + # Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix + # for mounts + permissions to work + systemd.services.garage = { + serviceConfig = { + user = "garage"; + group = "garage"; + DynamicUser = false; + LoadCredential = [ + "rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}" + "admin_token_path:${config.age.secrets.garage-admin-token.path}" + ]; + Environment = [ + "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true" + "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path" + "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path" + ]; + }; + }; +} diff --git a/secrets/garage-admin-token.age b/secrets/garage-admin-token.age new file mode 100644 index 00000000..a8ed9e99 --- /dev/null +++ b/secrets/garage-admin-token.age @@ -0,0 +1,47 @@ +age-encryption.org/v1 +-> ssh-ed25519 NID4eA MqbdKdPSNLU32j+ZFTT1bmSFk4ZQowSuYcuP/FRtKgs +m0UaJclORGOrQDLIvdIv4Aq4U3XNOet9CzU8pX/pGsI +-> ssh-ed25519 9RQHxg WyTt2Lqd2mRtwsx2PLajmk68IB1yP0DkgXR/xfIMERM +4JaJ+DB97XxOuI2G/qnk+NX8Xv1ruY28NPRl7aUPWEc +-> ssh-ed25519 eP5MMw HUf/aXRbaIEjQFdWpo8vWtNSqzYcQKaNKJ7y+ewMVz0 +6IcRiPufkMLjOV5mSaOBclPmFDVKII/8mqGN7jmfkYk +-> ssh-ed25519 uYcDNw gHg0z1q+4AGZtuMzbV1dZjWojmYNE0JO1ZhMnGqAbR0 +sFE6mIV3ZgRMlsuHFltkC4M+aAhEDzVQQ3rkgiR5GSY +-> ssh-rsa f5THog +BFJZWIMurARpA6XJMlxnDYFUTGCX5gEb6IycqUQbIdu9+91mpDR3WxlJYLLZC3vD +j7e5xFvr4bOXQg56N59k4AD5CnC7CoZld/PqGtP5JqUcoXPFHgq95GzfiuTLedkZ +esPsPvXfdeyqfzcdMhxTz8pO0RRPUk9Xc2wnvHrDyeNO0vS5N+bMsNMvFfRaMZTi +xV2Xl98VFl90+gzuPACN0zpfoEqajcJhPtMqoaOjOzD7sGaAz5UYLAIyOHdh3t9w +DwVorUheXKLqq1kxZRZ5QCC7N+TCbi7x6B5xCezz9hF2vXkzunDh/d7maQG34AXJ +x1sQ4R9dXn778j14RqBBNbsFPDg8WIS4Zs+ypdqev8w+aOhZkcDf5unKQJLdeu3N +W+IUJTN5zFObMX0TXtj0yI7xUSkZKSLuZs43MhdVkNo1YewHalMpKetctnw2Lz+z +ZcDCRLmD91U5BL7xp9KYQQ9EBjEn8dyw9hn8RmCaRKsvi71cIStv4OtuGxzIvTOJ +phqDJdjz53E6L/0NDmhgN7bxolYZJsPC2o/ca0lG1rx3SZdfI18WaTsQrOO2NaeZ +i4u9vkw/k7xT65mPxPsN7s67niE6lVGyTOLMwjvfO1sAHABbtto2GL0zRc454b9v +gObMCi/ZbOUo6wndMMPnrQh9SsSGKB6EIOEzmg+8M+Y +-> ssh-rsa kFDS0A +h9TH7j+1hquLDwCIRDvQiN7UJaO6rJ/NtWdeWTuqTqTGSS+aVvm9gDZBZiLzWyqb +GLd2guhepOCuSQkxocD7KAz1hp5pqf++XI8/yqepnHuU+CmInsOBmSZsG8QGktbk +wjY3ZqZdcfCorgAxjIaw4aNW3zeoq7ATC3rC3aDeOsZC6jImdgEeCvd8BczWSqOa +9acfRqd+QNDjqq3MIGIepVBlQ0nNniRtQoh4XtUey8jVb6kjow4TqBo9V33UhO7x +r3WMgk5q1onECAhaAlYFxQ3DzLjUxAVdulnkIoSBqdE1b6Njyc70CI9oYwZcGmbD +gC3qdQWmcoeOQ95YkdJAxaFIl3VNOTyn9rSXtn3a1PsVygaT+98qd1zwGPY+3ZDk +B1chqWp3IJ4y2oPqt1mO4j0am2NAChpcWlEhgeldD0HoUixoXvp2Gu0igD5ENfyH +BopesdhSoIxw8PbjKvnuwPFNSa9ysS6mpdmChTdBGpOCSpwMEcEE/m3pLo4FkzJf +nhQaxav7VmvZ2jxnmEgP/NUgxmZPHKOzlI3vqWfTsIwz/chHDwekhb6dB0O5nrjO +LzmKVrkVH0EEa3R1/BIfF674RSPXOmW89NNU7tCax3IOuPWC0QYv+2r/zjmAEq+Q +LJMPf1fUjLlsCmkOlxDYK4E/EyiG5dcjxdyXk8J+l6s +-> piv-p256 vRzPNw AzRQKtxg/bXdDoLXM4IBQaPXZ7Tg/6GSg0LeQQ3GNUnw +xf8jnJPg8nqUt26lvtemwdvV8h0nT8k/H4iGO8fBa1k +-> piv-p256 zqq/iw AtpFzxs9a5N87BOsagEIMnJFxyBv8PZwsF4orrWS7dlP +8w3nDD2dIXKRKtnz/xnFW3it99ZmfY9X4ZiQhjXnaPM +-> ssh-ed25519 YFSOsg E3q3wZk2o3+Gmv0xMuokFWqhckCEZxVomrj61M2U21w +CUlB8ynJwO5JmHND3+x/NN/PyV0HJXfoxI3TgPjOD/4 +-> ssh-ed25519 iHV63A 4tjRDQ0kSZZYda0V3pEs6teT7n8r0WFQ1iHj90XIP1c +OMGjdTkZo8LOojtNDhIw5OXaWpC21f8hIOcnv1suLA4 +-> ssh-ed25519 BVsyTA 5BzUJ7kmv/3ZwxRGOq6QNohlWn5nuHgCBTjbcGtA1jU +vaN4i/JBvrDtdb9IX+F4uLG8v6wiaF0zjTyBXJ7B0Ts +-> ssh-ed25519 +3V2lQ eS/DpYwsqIkwm1JENRu1kIHqe+qAcMssglt/DHIAuBk +JYdv3kTgpF+3b4a9eycCzl3FWyLSkunas4IYqfw9z48 +--- iffZKXnN9jbIrfnm0NrUmqfNhsBtd0FCBEc9Zp0YSj8 +[4aϓ ܥG( \)YQ '~@LKTw;j~,*q?o}' ? ׿ diff --git a/secrets/garage-rpc-secret.age b/secrets/garage-rpc-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..e8ad9873aacd2faef45d3d51bec8592f5be944a3 GIT binary patch literal 2686 zcmZXWyUYAo9fuWBmNYJw+PtmA*Gz7c1VPMoGRfqA9}#wPzfJC$TpByETN_IkY!+SZ zU93cHEd&u23vI+gY{bUO5&Vg+f517<;d?&k`J7vpye3UFY~56}%@^AtgB~#O`sJ5# z%wLlj!Eu;+QO_Kf&@VB$fxgNLj9Ge^bDJa`LR~WLjheCww8eduXNE>P`Thc6(WBIq zP83eVS&|xJG{#hwm0@%f~f5e3V9+hPY-g(>=&7gWXon3b9T&z`3(; zIYlKybGI%mrc~Ez5G+eE&%mY~uA(m4!?buai0gF>77?VEZGAzV3f&DwH#%k|ZbI}? zTB75Mvb?AJnn50BR&_$X}-B2HaiPO-E2+Q@0H1H*bbROF;+N|6U^E+hh6 zq%D{d0wt^Y86cMd)0^@l+PJNv=xA*lg~N)`cc7P5w?k?t%?LdV{&}*0-`gvQfs`Pd`q~gLgB`XG!HI3_~kj#5TAXGQ*CeWlB zt3yeDvE6l(#e;LEw>>FUwenlpVqvyGf>yg2N@k_tpvT=1C=w`*VV+RFcT|8~x_c(; zVF8wn6s3snNtg!$hs2&@%~;Q=B`zo@z$hwMuSzN@BwK#kFvc zm{1p5{9sBs$8`#maVkPIz!x6$i3>`RSTC39MkBW{Iv16SPlX(Ix-c;vPvD~u>TN-S z#G`9nIN~ZU0lnO!ZZQym<1x9F84)Ejih}r3dC{R(W-8Hc5s&5D^+278*)a2Q^Q<*k z&Xk84ZOX2((vAZG7>5gNbrzRj>-CXcdn0o%giW)u>MfKx_9t(&;roWAR^>lDO+T7W zrup@~RO^5~gAs6uh`Ea^Jr~#ZQHC7Iq6}u}&TyFvq5^X>N%JdzK$*iDKVKA&Ne^%e zYQBBYN6oTqAa;UIleqZ+Uh~{jhUcOor7rf$I;V?ssqq61V;;JgwO=0TiFO4g@-li z6QIKK&`b1D=1w$nx!?n``;2jKLx^lwWxpj6pDt0_sW6o*ITGd4A;qn})z`xqU0DQp zU_9akqVL>Nd162kub~uDn(a=tBMrgrEI@)@cDxW^>d0JA_anWO(%75uyh_930mmEZ zo)Er5TA_O|$Xr-9v7)C#X{FqB#6_c-(~EGa4|evi9CyXzwL|dZ%fsCDr~2t^p;!u| z={ro|`MC(3Iv6x=x@Wj#=QTrI3i}R0mi#~(0NqU88x-V-R;*6D9Avb}qHgio$6(0~1rxH7=v-C~An02$4rIJUQwCba9@Kxp5Z)j8QwV6J^ z!K-cEml8?g&(ZyiVXI1yjzt3bStfDNHLc)KAp+t_Yv)U*Twz$O^AVnQyz0o5rfJvz zn^xgHi_a-MnM)zqxw)vhysuq#6)9$t!6z@!Js1ZCEhD|svJ z8F40?%Mz%x-Uznztjs1?bB*3*O95VAUtfG0S%pxJdV_pwI=-oGb2T7&r2Y zt4|4ZDJmX-uYUMb>^Hw4wzuhz-QI%W`Th3qpS$GPC!6p7 Date: Sat, 24 Aug 2024 03:05:28 +0200 Subject: [PATCH 07/14] modules: add unlock-luks-on-boot --- modules/unlock-luks-on-boot/default.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 modules/unlock-luks-on-boot/default.nix diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix new file mode 100644 index 00000000..09521880 --- /dev/null +++ b/modules/unlock-luks-on-boot/default.nix @@ -0,0 +1,20 @@ +{ flake, config, ... }: +{ + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + # To prevent ssh clients from freaking out because a different host key is used, + # a different port for ssh is useful (assuming the same host has also a regular sshd running) + port = 2222; + + # Please create this manually the first time. + hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; + authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; + }; + postCommands = '' + # Automatically ask for the password on SSH login + echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile + ''; + }; +} From b6070d0f7589d6ae0cad246ca28178952acc045b Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:06:17 +0200 Subject: [PATCH 08/14] docs: initial docs for nixos-anywhere and garage setup --- docs/garage.md | 19 +++++++++++++++++++ docs/nixos-anywhere.md | 13 +++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 docs/garage.md create mode 100644 docs/nixos-anywhere.md diff --git a/docs/garage.md b/docs/garage.md new file mode 100644 index 00000000..de40b051 --- /dev/null +++ b/docs/garage.md @@ -0,0 +1,19 @@ +``` +export GARAGE_RPC_SECRET= + +garage node id + +garage node connect +garage node connect + +garage status + +#Zones +#DE-1 DE-2 NL-1 + +garage layout assign fdaa -z DE-1 -c 800G -t trinkgenossin +garage layout assign 8835 -z DE-2 -c 800G -t blue-shell +garage layout assign 73da -z NL-1 -c 800G -t delite +garage layout show +garage layout apply --version 1 +``` diff --git a/docs/nixos-anywhere.md b/docs/nixos-anywhere.md new file mode 100644 index 00000000..a8f7925e --- /dev/null +++ b/docs/nixos-anywhere.md @@ -0,0 +1,13 @@ +``` +curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root +/root/kexec/run +``` + +``` +mkdir -p /etc/secrets/initrd +ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key +``` + +``` +nix run github:nix-community/nixos-anywhere -- --flake .#blue-shell root@194.13.83.205 +``` From b0790876ec1f9841010e071d374eebc41fb1d621 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 17:39:49 +0200 Subject: [PATCH 09/14] style: format using nixfmt-rfc-style --- hosts/blue-shell/configuration.nix | 7 ++++++- hosts/blue-shell/disk-config.nix | 16 ++++----------- hosts/blue-shell/hardware-configuration.nix | 20 ++++++++++++++----- hosts/delite/disk-config.nix | 16 ++++----------- hosts/delite/hardware-configuration.nix | 20 +++++++++++++------ hosts/trinkgenossin/configuration.nix | 2 +- .../trinkgenossin/hardware-configuration.nix | 6 ++---- secrets/secrets.nix | 6 +++++- 8 files changed, 51 insertions(+), 42 deletions(-) diff --git a/hosts/blue-shell/configuration.nix b/hosts/blue-shell/configuration.nix index 07364e55..20ad2910 100644 --- a/hosts/blue-shell/configuration.nix +++ b/hosts/blue-shell/configuration.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { boot.loader.grub.enable = true; diff --git a/hosts/blue-shell/disk-config.nix b/hosts/blue-shell/disk-config.nix index 9be1ff5a..2903130d 100644 --- a/hosts/blue-shell/disk-config.nix +++ b/hosts/blue-shell/disk-config.nix @@ -18,9 +18,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; luks = { @@ -60,9 +58,7 @@ type = "filesystem"; format = "xfs"; mountpoint = "/var/lib/garage/data"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; @@ -80,9 +76,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; swap = { @@ -97,9 +91,7 @@ type = "filesystem"; format = "btrfs"; mountpoint = "/var/lib/garage/meta"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; diff --git a/hosts/blue-shell/hardware-configuration.nix b/hosts/blue-shell/hardware-configuration.nix index d6d2835e..86e1e30f 100644 --- a/hosts/blue-shell/hardware-configuration.nix +++ b/hosts/blue-shell/hardware-configuration.nix @@ -1,14 +1,24 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; diff --git a/hosts/delite/disk-config.nix b/hosts/delite/disk-config.nix index e478b7fb..dea45f44 100644 --- a/hosts/delite/disk-config.nix +++ b/hosts/delite/disk-config.nix @@ -18,9 +18,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; luks = { @@ -52,9 +50,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; swap = { @@ -69,9 +65,7 @@ type = "filesystem"; format = "xfs"; mountpoint = "/var/lib/garage/data"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; metadata = { @@ -80,9 +74,7 @@ type = "filesystem"; format = "btrfs"; mountpoint = "/var/lib/garage/meta"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; diff --git a/hosts/delite/hardware-configuration.nix b/hosts/delite/hardware-configuration.nix index bfdede70..5fff3303 100644 --- a/hosts/delite/hardware-configuration.nix +++ b/hosts/delite/hardware-configuration.nix @@ -1,18 +1,26 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_blk" + ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/trinkgenossin/configuration.nix b/hosts/trinkgenossin/configuration.nix index ca20c940..c5e0016e 100644 --- a/hosts/trinkgenossin/configuration.nix +++ b/hosts/trinkgenossin/configuration.nix @@ -7,7 +7,7 @@ }: { boot.loader.grub.enable = true; - boot.loader.grub.devices = ["/dev/vda"]; + boot.loader.grub.devices = [ "/dev/vda" ]; boot.kernelParams = [ "boot.shell_on_fail=1" diff --git a/hosts/trinkgenossin/hardware-configuration.nix b/hosts/trinkgenossin/hardware-configuration.nix index c4ee45e4..a1432c97 100644 --- a/hosts/trinkgenossin/hardware-configuration.nix +++ b/hosts/trinkgenossin/hardware-configuration.nix @@ -24,7 +24,7 @@ boot.extraModulePackages = [ ]; boot.initrd.luks.devices."cryptroot" = { - device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a"; + device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a"; }; fileSystems."/" = { @@ -47,9 +47,7 @@ fsType = "btrfs"; }; - swapDevices = [ - { device = "/dev/disk/by-label/swap"; } - ]; + swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; virtualisation.hypervGuest.enable = true; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6661e182..686345a9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -21,7 +21,11 @@ let metronomKeys = [ metronom-host ]; - garageKeys = [ trinkgenossin-host delite-host blue-shell-host ]; + garageKeys = [ + trinkgenossin-host + delite-host + blue-shell-host + ]; in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall From 15b507904fb24a0b3f37e6e6ebd4da7ea1e62de2 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 21:48:48 +0200 Subject: [PATCH 10/14] garage: init buckets.pub.solar, use nginx as reverse proxy https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/ --- hosts/default.nix | 3 ++ modules/garage/default.nix | 61 +++++++++++++++++++++++++++++++++ secrets/acme-namecheap-env.age | Bin 0 -> 2700 bytes secrets/secrets.nix | 2 ++ terraform/dns.tf | 45 ++++++++++++++++++++++++ 5 files changed, 111 insertions(+) create mode 100644 secrets/acme-namecheap-env.age diff --git a/hosts/default.nix b/hosts/default.nix index 0d7fa471..a9e0b5ac 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -100,6 +100,7 @@ #self.nixosModules.promtail self.nixosModules.garage + self.nixosModules.nginx ]; }; @@ -116,6 +117,7 @@ #self.nixosModules.promtail self.nixosModules.garage + self.nixosModules.nginx ]; }; @@ -132,6 +134,7 @@ #self.nixosModules.promtail self.nixosModules.garage + self.nixosModules.nginx ]; }; }; diff --git a/modules/garage/default.nix b/modules/garage/default.nix index 0ee39d42..21c7ca7b 100644 --- a/modules/garage/default.nix +++ b/modules/garage/default.nix @@ -16,12 +16,73 @@ mode = "400"; }; + age.secrets."acme-namecheap-env" = { + file = "${flake.self}/secrets/acme-namecheap-env.age"; + mode = "400"; + }; + networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ]; + security.acme = { + defaults = { + environmentFile = config.age.secrets.acme-namecheap-env.path; + }; + certs = { + # Wildcard certificate gets created automatically + "buckets.${config.pub-solar-os.networking.domain}" = { + # disable http challenge + webroot = null; + # enable dns challenge + dnsProvider = "namecheap"; + dnsPropagationCheck = false; + }; + # Wildcard certificate gets created automatically + "web.${config.pub-solar-os.networking.domain}" = { + # disable http challenge + webroot = null; + # enable dns challenge + dnsProvider = "namecheap"; + dnsPropagationCheck = false; + }; + }; + }; + + services.nginx = { + upstreams.s3_backend.servers = { + "[::1]:3900" = { }; + }; + upstreams.web_backend.servers = { + "[::1]:3902" = { }; + }; + virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = { + serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"]; + + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://s3_backend"; + extraConfig = '' + proxy_max_temp_file_size 0; + ''; + }; + }; + virtualHosts."web.${config.pub-solar-os.networking.domain}" = { + serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"]; + + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://web_backend"; + }; + }; + }; + services.garage = { enable = true; package = pkgs.garage_1_0_0; diff --git a/secrets/acme-namecheap-env.age b/secrets/acme-namecheap-env.age new file mode 100644 index 0000000000000000000000000000000000000000..a09e587497125f91dbbfc33c4194b0f2351f286d GIT binary patch literal 2700 zcmZXW$?N=f8OQY+z34>`B3~4t8h&Qqz=ce<$v)W^5lk|Z%w#gzGg%Hj2zpWQAbL{t z9}p?tL&_L5JDP^bAVQ4Ib99`N zGczQ%$39Ox9SB{YpUymmYUgu%O3f=Xi26aE(cxTJhc2<;$VbMjB1V#iu9gKHYm9^S zs*yU1vqdB0+m&9Z5Nx8hA!)sA%sjv`3&KJ8dD;|ZyfHs%Q0!fq)1fnD&x&sj?_8$X zy!8`IiM1mcs0{Bo$PB1`0q7bY6ir{-FnL3+^AJMk;zGk31tn-p8EkP=)QKs}C>GwQ z^+WQM6Yjn#fHtrUblac7@KT65v*|2uQwWP8I74j51Z;y7e?HrOPDJ_SQ->=fIjcJ8 z#$!y6BNC9hR)keex^<1ZHfN_tPiaASt2UfkyQoxN4G+t7onUAgFg5TL2A()Pa|SJz z1u@+KwQ+2F@GiMc4H&AD$)IX%EQX_g%3E|&d#jaCdJ)`@VK=%-(4S9Xr@E zy0%kK)~jq7*FyC5y*e^1or|uEiA5iPZggaAY-~45OcTdHMp|l+A--&M2+TR?9>?=G zS0}#Ac?Lx-q8=swBqV|ZLb+Ys_?ko(+e#;=zMGdA!LGI;%7$`BFrD+poX`(^PHIXh>Eyn;FCErWlSjk3C;>k22CZ4oDK4L{_d24E zw7^t{`cQ1*QBJ5R@Q;CO?KeU_+AE$4P{ZcV;aV#;uYy7YZ0&LrWX^2hFr3@C0#Ceo zo$eKdMRCt2PP{*KWgjyw^FboKr{k;0J1`66Y2J$cXmofoGgy7N`BnM!R;oGIqjFQO~!j0Rd%L?cNkVO z$JV^$1$2pG9HRgn|7LDbaySCRzZCs zjij)T9F+mY6=|ULGJ>Yt!K5f-l8Ul019SVJOzso7Zb4thC*+iro!G;ijmj_12vO$ndI<^Od2*y>q}66Dj}-VTrG zXM5_f2Up$<>M15dzSOl|`%qc&$MxWHL%GP=$} zds*n&J1;}l6|r=dGg*9iFZ(}WZCwXl9<26wV?`vi9eN%zxYt13gI73Rh=}!xEz)W$ zQ0Y@FGhql+RR=x_5AJ*=_L_|q=GlVuWhSS1+K)LyGCpw>EJJ1H_j~63|3M@==1@G{ z`XC?=M^=%U#I+s{%N+>ZVh77)L8^CTwI3F=hqVp%fJ2ozAj$}66dxOtu}U9AXE%%0 zhcje}i4?IR?j6)!dHH$TW$%+1`^4PYd2KX5kr2MzS^nTl9JvgLa@&T7h}C-E#s}R@ z@NxjW*@uiswwhIhS3@Bh&kt#(CvRcHI5V#C)`}o`yT7X(&pIq-#KMRtgT6Z%8^eaod85+xoE%mz)jW)(l81g}D(N z#Da+pn@X_Jaj#N>N8?~#SP;!^;EHmpVGla+?Afy?g>$!+%#%s2aPe-Sr!(21SZ(7C zOK~Ls=;~|XY;+`%5%A&H-=JRm=)Ye0$cx`n_1FKbena2C{K8wW{&@b!PhWcb#m{_4 z|Nc8)`s?@J`Rc#l{9*a`x4!u`{?+KWANt29|MY9;wNL!urFTEy{`{4{eT@6(ACX^u x_ZPnjm%qIE_Ag)Qzx}h9Z-4#rPrmT(f9}WMf9lg;|HJ1#{>G2s*FO8Z{{oXdeO>?n literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 686345a9..94073752 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -100,4 +100,6 @@ in # garage "garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys; "garage-admin-token.age".publicKeys = garageKeys ++ adminKeys; + + "acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys; } diff --git a/terraform/dns.tf b/terraform/dns.tf index f30dee1b..70d9f156 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -99,6 +99,51 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "80.71.153.210" } + record { + hostname = "buckets" + type = "A" + address = "85.215.152.22" + } + record { + hostname = "buckets" + type = "A" + address = "5.255.119.132" + } + record { + hostname = "buckets" + type = "A" + address = "194.13.83.205" + } + record { + hostname = "buckets" + type = "AAAA" + address = "2a01:239:35d:f500::1" + } + record { + hostname = "buckets" + type = "AAAA" + address = "2a04:52c0:124:9d8c::2" + } + record { + hostname = "buckets" + type = "AAAA" + address = "2a03:4000:43:24e::1" + } + record { + hostname = "*.buckets" + type = "CNAME" + address = "buckets.pub.solar." + } + record { + hostname = "web" + type = "CNAME" + address = "buckets.pub.solar." + } + record { + hostname = "*.web" + type = "CNAME" + address = "buckets.pub.solar." + } record { hostname = "tankstelle" type = "A" From d32abd7a7f1eb35eb555bebc961b600d83473c9a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 00:13:53 +0200 Subject: [PATCH 11/14] wireguard: add trinkgenossin, delite, blue-shell --- flake.nix | 6 +-- hosts/blue-shell/configuration.nix | 2 - hosts/blue-shell/default.nix | 2 +- hosts/blue-shell/wireguard.nix | 49 +++++++++++++++++++++++ hosts/delite/configuration.nix | 2 - hosts/delite/default.nix | 2 +- hosts/delite/wireguard.nix | 49 +++++++++++++++++++++++ hosts/flora-6/wireguard.nix | 27 +++++++++++++ hosts/trinkgenossin/configuration.nix | 2 - hosts/trinkgenossin/default.nix | 2 +- hosts/trinkgenossin/wireguard.nix | 49 +++++++++++++++++++++++ secrets/blue-shell-wg-private-key.age | 43 ++++++++++++++++++++ secrets/delite-wg-private-key.age | Bin 0 -> 2446 bytes secrets/secrets.nix | 9 +++++ secrets/trinkgenossin-wg-private-key.age | 43 ++++++++++++++++++++ terraform/dns.tf | 30 ++++++++++++++ 16 files changed, 305 insertions(+), 12 deletions(-) create mode 100644 hosts/blue-shell/wireguard.nix create mode 100644 hosts/delite/wireguard.nix create mode 100644 hosts/trinkgenossin/wireguard.nix create mode 100644 secrets/blue-shell-wg-private-key.age create mode 100644 secrets/delite-wg-private-key.age create mode 100644 secrets/trinkgenossin-wg-private-key.age diff --git a/flake.nix b/flake.nix index 6f84843c..ae5cc8eb 100644 --- a/flake.nix +++ b/flake.nix @@ -139,15 +139,15 @@ sshUser = username; }; trinkgenossin = { - #hostname = "trinkgenossin.wg.pub.solar"; + hostname = "trinkgenossin.wg.pub.solar"; sshUser = username; }; delite = { - #hostname = "delite.wg.pub.solar"; + hostname = "delite.wg.pub.solar"; sshUser = username; }; blue-shell = { - #hostname = "delite.wg.pub.solar"; + hostname = "blue-shell.wg.pub.solar"; sshUser = username; }; }; diff --git a/hosts/blue-shell/configuration.nix b/hosts/blue-shell/configuration.nix index 20ad2910..df9424b4 100644 --- a/hosts/blue-shell/configuration.nix +++ b/hosts/blue-shell/configuration.nix @@ -12,8 +12,6 @@ "ip=dhcp" ]; - services.openssh.openFirewall = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/hosts/blue-shell/default.nix b/hosts/blue-shell/default.nix index 3ac09fd5..ff8c0cc0 100644 --- a/hosts/blue-shell/default.nix +++ b/hosts/blue-shell/default.nix @@ -7,7 +7,7 @@ ./disk-config.nix ./networking.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/blue-shell/wireguard.nix b/hosts/blue-shell/wireguard.nix new file mode 100644 index 00000000..ad37918c --- /dev/null +++ b/hosts/blue-shell/wireguard.nix @@ -0,0 +1,49 @@ +{ + config, + pkgs, + flake, + ... +}: +let + wireguardIPv4 = "10.7.6.7"; + wireguardIPv6 = "fd00:fae:fae:fae:fae:7::"; +in +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/blue-shell-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "${wireguardIPv4}/32" + "${wireguardIPv6}/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = wireguardIPv4; + port = 22; + } + { + addr = "[${wireguardIPv6}]"; + port = 22; + } + ]; +} diff --git a/hosts/delite/configuration.nix b/hosts/delite/configuration.nix index 1cfa0aee..3ba7d50a 100644 --- a/hosts/delite/configuration.nix +++ b/hosts/delite/configuration.nix @@ -12,8 +12,6 @@ "ip=dhcp" ]; - services.openssh.openFirewall = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/hosts/delite/default.nix b/hosts/delite/default.nix index 3ac09fd5..ff8c0cc0 100644 --- a/hosts/delite/default.nix +++ b/hosts/delite/default.nix @@ -7,7 +7,7 @@ ./disk-config.nix ./networking.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/delite/wireguard.nix b/hosts/delite/wireguard.nix new file mode 100644 index 00000000..17eba5ac --- /dev/null +++ b/hosts/delite/wireguard.nix @@ -0,0 +1,49 @@ +{ + config, + pkgs, + flake, + ... +}: +let + wireguardIPv4 = "10.7.6.6"; + wireguardIPv6 = "fd00:fae:fae:fae:fae:6::"; +in +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/delite-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "${wireguardIPv4}/32" + "${wireguardIPv6}/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = wireguardIPv4; + port = 22; + } + { + addr = "[${wireguardIPv6}]"; + port = 22; + } + ]; +} diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix index 3da4e16b..d825e383 100644 --- a/hosts/flora-6/wireguard.nix +++ b/hosts/flora-6/wireguard.nix @@ -47,6 +47,33 @@ "fd00:fae:fae:fae:fae:4::/96" ]; } + { + # trinkgenossin.pub.solar + endpoint = "85.215.152.22:51820"; + publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; + allowedIPs = [ + "10.7.6.5/32" + "fd00:fae:fae:fae:fae:5::/96" + ]; + } + { + # delite.pub.solar + endpoint = "5.255.119.132:51820"; + publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k="; + allowedIPs = [ + "10.7.6.6/32" + "fd00:fae:fae:fae:fae:6::/96" + ]; + } + { + # blue-shell.pub.solar + endpoint = "194.13.83.205:51820"; + publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8="; + allowedIPs = [ + "10.7.6.7/32" + "fd00:fae:fae:fae:fae:7::/96" + ]; + } ]; }; }; diff --git a/hosts/trinkgenossin/configuration.nix b/hosts/trinkgenossin/configuration.nix index c5e0016e..f6cf06f8 100644 --- a/hosts/trinkgenossin/configuration.nix +++ b/hosts/trinkgenossin/configuration.nix @@ -14,8 +14,6 @@ "ip=dhcp" ]; - services.openssh.openFirewall = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/hosts/trinkgenossin/default.nix b/hosts/trinkgenossin/default.nix index 845d466c..a1699f15 100644 --- a/hosts/trinkgenossin/default.nix +++ b/hosts/trinkgenossin/default.nix @@ -6,7 +6,7 @@ ./configuration.nix ./networking.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/trinkgenossin/wireguard.nix b/hosts/trinkgenossin/wireguard.nix new file mode 100644 index 00000000..f56b6a14 --- /dev/null +++ b/hosts/trinkgenossin/wireguard.nix @@ -0,0 +1,49 @@ +{ + config, + pkgs, + flake, + ... +}: +let + wireguardIPv4 = "10.7.6.5"; + wireguardIPv6 = "fd00:fae:fae:fae:fae:5::"; +in +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/trinkgenossin-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "${wireguardIPv4}/32" + "${wireguardIPv6}/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = wireguardIPv4; + port = 22; + } + { + addr = "[${wireguardIPv6}]"; + port = 22; + } + ]; +} diff --git a/secrets/blue-shell-wg-private-key.age b/secrets/blue-shell-wg-private-key.age new file mode 100644 index 00000000..3e1c3cf2 --- /dev/null +++ b/secrets/blue-shell-wg-private-key.age @@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 eP5MMw xAObv9OBtCMHWnbnO9b9w5fiG3tkJJTvjFNWmYmGfhQ +sXmgq1drzY3rap8aD8/iMbMgjGkajfENkBQDdK/2TKQ +-> ssh-ed25519 uYcDNw sxw3K1xYG+OZQy+4U2UfX//ZElPaCieANzFHanJxfxw +VyhqjYppfHVb2jTceXLL/yYwEJE2uD9TY4PliHu7c0E +-> ssh-rsa f5THog +hRIMIg4P7SOOS3IGr2vF/TAdvgAXjJ8CbjKQt+Bd8MUjxf769rD3bln3lF3DlfIU +RMkicdnwRdWTnqp+HyV0/UsD4ZzVb0YY+ntK6wujqgEwhpef9NOE2Hsiyvv228l5 +pu6eUTrosmb0ysnw8zRmr4RYdv1+MsD9gbnLOnnuHkA+i28jAE6o4gXIdnKfDcIk +ptJISTFwyzz+q8UvdfO4YGRBL4zSoWM5VEQS0IPjrt4+qBlOyC2IlXz1/aaGZk41 +ODgPUO68USpzFsLqsmRJJQOMxxkdnYWy4DoeHKUyZI4YO0t94zVEHIS3x6w2l+/Q +9r7TdKXxniLFYW9t5+28ez5XfLruapXroA8kp2hy3S7ybuOyB2MIfCXVvK0kiOfw +2kZnv7LvL4BLUMtgPKoAxj8Pzpi8HzFGxQudqNwSkjb4bvFg8eej0oP/WhvFalsY +MGSdlFJkKKeLWh8MzmD2WXHJ5yVcRFHydyWGMHlZJ4soi0I3gTSQaNSPUxWtFSd3 +Trk3Jz4Qrd7EA6y6wn2Jc4xCX+cWb8Q3nrXVZJL/FSxss+zstQit5O3BwWupJQLt +ubyqLxQI/PKP/gIU8sGhwKDWGjZUlwvjPBG+EdWJAxoI7S7+4UxkGgsNvx67VKgi +xxz3ANlHPbGLgAZTtEk5AqHWLWE6ZRn/7i3Qv1HWZJ4 +-> ssh-rsa kFDS0A +OqNv7KThlRd0aD1gixsI2LVb+Zj2r7OVm4lUD/UJ0WVe/ihlcBAeEj8noqNA3zgH +djO53WpAkGrbt8CejuQcPYLyw8Bdk++cBu9Po+X0dAp2cCPqakgIpEI6qG1uiEty +LOOF13TivCB802UrJmX/8HLDV3yv7IWIr2XV0V8s5UvasYlgCt1eg4suhXIngnJG +wd7WFnXwtNtR/UcnWtpE8c6p5kaAn4wSAtx6hFqnkN5ANjKXHy29NkFR1Lgu55OU +qoJPpcZpvEESYMQfPvfuCUSZgcSvJE8B1MJZzxdKBHFiaWa7BkkWOL2KNIARFji5 +nBrGzGLV9IaHWsS0UfIWixvM3OPl4wgwpdLtVJsnLX/ggFZrZmj+iR5DdqurfW7E +0a8Ie1NKK7FU+HnzEk6+8aiDb0QozEhrmaE5olc8dBOKK13e1idDTCsquaQcSOEh +DBP8r0LhqU7YwnNF6UpQiYs3Zs2HyPegfz2GwB3yeaHqc7+MnXm/j4B5qUcX5naz +llQoNfddAtoXGeK3G0yjugkSluValw6o2hQ+4iRx4n1f3dVcurXkBr9fjCKMmjC4 +qbOHhsBU4dHCvFIOXY27Xvq5qZ4/ceNb6fq/NXvkD87eePMLg9R9hmtTaCDlEN2d +a350/FxlWOZXEox+mRZhE+mE5qSIg+LbnFZ+zjWq+yc +-> piv-p256 vRzPNw AzwIBCtS5Tx/zuFHRYsYSOffxAE79O5foV+ndpw0hR1t +HDmWtvUS9wSnlNjbkD0Rc0jQ4tNhqpcqpeztW1GXC3g +-> piv-p256 zqq/iw Av5ZYxbCJrjUImhX7hoO8nxtWEtd7mPWhofwCxtW5GNI +tB/mFmw4U2NbeDKdasi/Z99VggQYhnv6+n9+VJekq/k +-> ssh-ed25519 YFSOsg nl0SHBFBylYgoy4qrZ851AQ6NLuDpXtIQ5WffqQPckU +/yk/gT3enujLcjHkYuE0XGUDrYUEEzvyPvIlKhHtf5c +-> ssh-ed25519 iHV63A 2Gq6dIvLDJQmwgQwxhqrPpubkToiseczLkobeCZiOSA +IXddfsh84BrA0v6X/SjqoFbUfJfw3v+zD3Dk5RdsfAE +-> ssh-ed25519 BVsyTA 9oRVFqCqPoQ35/u+Cg4dPkG4eXw7vSRaPwhel430TGE +C54Ofc94lPFMGLljqY4Ag0AhM/MHWeZjZ6x1fmyMmqI +-> ssh-ed25519 +3V2lQ 2g1xRrQZy30nCaDq6RtfXQfUchtD8oOnmGYX+A2venQ +oop5rNpGKvTUOLGN2HGc7B63H/8XYrhO+XsCjsKfPgA +--- cMgwwO4kfMX17njkjYczc4R6FVRwC+cpK37g2cFAapc + `сXӓ;RV]tbM"N4a/IpB7QeM npʱ2}z-R4E(N \ No newline at end of file diff --git a/secrets/delite-wg-private-key.age b/secrets/delite-wg-private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..48d0fe1c279a9347db302d5a61c39a977f75c119 GIT binary patch literal 2446 zcmZXWIm`WM8HYu&31U0#3l<{bHTy|Uqh!y?zHeZWoRjrrIoXp_X)}ZHSFjMLwbd_R zV{J3wfHpFfAlSMv2!i0NFffi^;JJ8ie)sRXlOlV~y6bp6=Bn?$-H!#dBEai+UZ$yh z&2A_`Am^8}ZAp9a;uC5oipNN*AY`5@hYwv7_fJv};l0umARD?fO%0}iX@Eo%(xbOx z!YL`8t`>Ccq!%CO1nITcKHqi z2$e9#EjSBVXH27jPU}qIiW|Q@(S<=9*Pb7!AvP8!#uR#xg%jWEBRrIPqB%`m0YMfN z7~9tK3OZisnSl^UicwsysA94z+wevx<@n;{By9scc)+XrW z@unqB3z-Bm39L?R3L*UXOAFm=dSIU(uFf@CSog7 z;SOz_3pzKdxaes+DERdG9Nz`bfob4!n9if_f|B*k%|+ZCikOlmW}0tK%D;_m~P_k1dng&dv9vjlRf-IG0DE&HWwrcoS=`pz`n z5GbC5rFaw5B|tsxsW2a7a(z%^Aat%U@zvUSPXhhKsD4 zI1h|&56l4`jGh+x1x!xAxpM0$-Fxib(mf3GUD( zBz1Y7j?knH>GD6U=P*Fk8;e>j+HrhcH*fdl$;Ow!!`fTQ-qz;>uJ&^V5imJU!svkj z!@LE}hVDGtQM0-+`bN-N6}1vEpu){H9BNfz|BkZufB*G)hem>9OvQ^4Na6|hsE1*$ zxn?I>kKtMhf(u>wTTGv->3GA~xkD*34_A7}YVA{Fm4HVUyMXKUUUX^cM|F8!i9-arsLeqFPs4l=8V z?j9Q(urN?n>mU1gTQJu#NTRp{WsHPKc-qIzfuW{|JJ6ZBImBFH&F-Y+8_6A>9-+9=_sJ7>`T0+7cxV{FS<9QXH>1eVTEgb9v zWju6=&WchqSKy!D{PYih{pcH9_oH7MfBMRAe))?Jvp@gk(@%c)rLX?%kJQ(2{e$;w z^&Ro`AOCCp ssh-ed25519 NID4eA Q3E8hBMDQRxoJx6UGzECMZmkffdgyYlhGaloKFNmxw0 +37DKT5sgmAEritSoPuW+O5dvjCH23pOAdFyJG0TnY6w +-> ssh-ed25519 uYcDNw zgfSabCBntiTnc0fdfDzpkq/AwUXSpyvsA14gkatP3w +tLbZDE6UB/xvC153mSGcGSSWKH+Ph1Ek5D+JTrWjzdk +-> ssh-rsa f5THog +0THw5q/Aa/wCzfqO/9YFBOvSfISS/O2cMHBlQ7NXzF2hlj+hzGjJeL2USmL8iZ7X +YToH0oy8lreVRYxfi/LUMyg14hQf11hTekT/sKc8m5eBm+8WiHbWJsQJKdRg6WVO +B2Ju+3QIZXBk7ajCIcVjgoJQy1JydXm5YQkZnI69icdtAEnYSEoVEpaPHkT7Et65 +UUC/eegltWFSeJl4bzgceVXO3VtszoG/KkL7ToT2WX2Hbnb4R3U8cWLOTr4I6hzM +90h6mNaorm3bd5fysOoU3G531/eAqcC7QZQQGyCOEBBHgx0w32ZKpjqu8q8c/f0M +VMOgE0JfK4/iB5E3dwGqRZ2G8iXu/cx0CQY98YAFCDOYExMsQzFXzqKq8KecVd+g +vaj598KJFxYskwrkGNXwIds2lPCte3HIa9XcGeQ4svaLYdQw5zsSIF32zOwAbxRn +1ABzp/T7V3BYyykJbeJi3UMoHUo3nsq75xClmXRnlTvQ7I0x62DrXdMNE9tJtqAF +lVUeD7gKlDPmYMK0QKbxFHYTVbdJ3d7UbJUgb2SxHpm5I8J7Wx29p6gLN7+swdIg ++y0Z8+qcABkeVHQ9OWwV0XYdMdLFovnc0pDAEvHL4rxv3E8W2Nv2mm0xW7I4HcG0 +h9uJ2lU4mn60YqBtso/cu+LzUHIPcHji5sRK8/qu+Tg +-> ssh-rsa kFDS0A +kXXvKZebwQLFofayT/0SFzdFl0e8xQbUJf+q47YHmPMlJY7nsQBs1fvmQsp7fsfW +TRdh14uVImErEQsuqNYgYDR/jBUVtRkySOXde8Q9QM/CZwwR7NMu8P2vBzZ6uXKL +amlZS8iYXWJKRgmxsgiONFZwfcB9TWhaDYsmeqFxV6ui2LGgtCBllttYzvyVNWZI +NXMg0bbkLd+I2svBSBX/p8rECxq5gUmr8PB2k+yrHuXJvnR8Hop7YjvbrC2qSy5r +6OOTButBV7cILTf03DPvd3f61uUqm/NapxN4UdEZDTmOYud2dF8Eqw+BCNIT2wZr +/KD49ElPlcWM8cCxBGaSTTT66mP3FWwIcCZVfdVrhf//TN/SAo+lcoN7m/p9Uj0i +Y5nM3JR7ZuiLHfXu+fTHBiWnWBtLkPYUDlGIGlFGinMQwi4CMqoUY7jROdjHuPkt +S0VK2ViRxBB5Z5tQSnL02+TNsDd+CDURRiBgWfdmk1kkh9o2SrSiGcxCV03UVEaE +4Q07ZjKJF9HeC6goK+QjSOvLHS2qHyJznUty7nAiAS+yPDlq6m13/dFTvFii7H2h +UJ+5MJcVHLd6VQhzjmwTQXCrbTn/FI2LkZgR4HPRFDElkmnMUV1NU/2gkwm7Z0gu +RaEAuYMoKZNBQ6eQgANst+LFA7ctwpz/d0PB8Gvjf6g +-> piv-p256 vRzPNw AmCpZNeI8ggIr211niro2CalG6ELXYubjXj2J01eSwL+ +IPXLB01UKFj7tptbB7FmNbbjDGrqbEoizjNzzJvNsXs +-> piv-p256 zqq/iw Auwb+rr9JfTX9VoTKaDobEGFPIwJZUFAMolG8SvZ5ix6 ++e5IWW7Sxy1T2F0Ykm1tKQIvGGJFODIrNdvrCKREvrI +-> ssh-ed25519 YFSOsg 5Eeo3PIUgfRgPrY/eR6aps8UB2NNNr9YJswZ5mPj5Fk +cN4Dwp+ZFN8UCptfVsAp3iGesYhry7umwGc77jom2Vo +-> ssh-ed25519 iHV63A RMH4ezLwPxlf9cLgFlWSrGMDdlySpIr22O3Nr4ESgkg +8Ll31aL8PCOFp5+TIhv7qYVzjnBMepWJSlT6PGBMtdM +-> ssh-ed25519 BVsyTA 9yQZMVRpIitqx4ggP9pswC2VBmtKHR8FqIiLAq6wdCs +g/dA5SXBUNyLFGuOEVwsPIu2sEyAS4y+5RlccymLfL0 +-> ssh-ed25519 +3V2lQ unqrENNB2tJvICc/nAi31TZ8c7ilbFreww51f/Mi4nQ +y7QWtFtEUq8elK+Q2HxpGav3nx3dxDQd5ikn9DpIJ20 +--- SJo44grQsKFl8WMnva4kMp88kMZ9D3EWnm3mN0Oe15c +~ڌx̆Il`u@'B#Ra ٣;(厳&G3<QsH~G ) \ No newline at end of file diff --git a/terraform/dns.tf b/terraform/dns.tf index 70d9f156..89674d84 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -24,6 +24,21 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "10.7.6.4" } + record { + hostname = "trinkgenossin.wg" + type = "A" + address = "10.7.6.5" + } + record { + hostname = "delite.wg" + type = "A" + address = "10.7.6.6" + } + record { + hostname = "blue-shell.wg" + type = "A" + address = "10.7.6.7" + } record { hostname = "nachtigall.wg" type = "AAAA" @@ -44,6 +59,21 @@ resource "namecheap_domain_records" "pub-solar" { type = "AAAA" address = "fd00:fae:fae:fae:fae:4::" } + record { + hostname = "trinkgenossin.wg" + type = "AAAA" + address = "fd00:fae:fae:fae:fae:5::" + } + record { + hostname = "delite.wg" + type = "AAAA" + address = "fd00:fae:fae:fae:fae:6::" + } + record { + hostname = "blue-shell.wg" + type = "AAAA" + address = "fd00:fae:fae:fae:fae:7::" + } record { hostname = "flora-6" type = "A" From f236962e17235fb9e401f14e180374a3c3ee2b82 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 00:15:06 +0200 Subject: [PATCH 12/14] garage: add monitoring, connect to grafana + loki https://garagehq.deuxfleurs.fr/documentation/reference-manual/monitoring/ --- hosts/default.nix | 4 +- modules/garage/default.nix | 9 +- modules/grafana/default.nix | 5 + .../grafana-garage-dashboard-prometheus.json | 1048 +++++++++++++++++ modules/prometheus/default.nix | 20 + 5 files changed, 1082 insertions(+), 4 deletions(-) create mode 100644 modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json diff --git a/hosts/default.nix b/hosts/default.nix index a9e0b5ac..d523bda3 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -96,8 +96,8 @@ self.nixosModules.overlays self.nixosModules.unlock-luks-on-boot self.nixosModules.core - #self.nixosModules.prometheus-exporters - #self.nixosModules.promtail + self.nixosModules.prometheus-exporters + self.nixosModules.promtail self.nixosModules.garage self.nixosModules.nginx diff --git a/modules/garage/default.nix b/modules/garage/default.nix index 21c7ca7b..f2e538ce 100644 --- a/modules/garage/default.nix +++ b/modules/garage/default.nix @@ -27,6 +27,8 @@ 3902 ]; + networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ]; + security.acme = { defaults = { environmentFile = config.age.secrets.acme-namecheap-env.path; @@ -59,7 +61,7 @@ "[::1]:3902" = { }; }; virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = { - serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"]; + serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ]; enableACME = true; forceSSL = true; @@ -72,7 +74,7 @@ }; }; virtualHosts."web.${config.pub-solar-os.networking.domain}" = { - serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"]; + serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ]; enableACME = true; forceSSL = true; @@ -103,6 +105,9 @@ root_domain = ".web.${config.pub-solar-os.networking.domain}"; index = "index.html"; }; + admin = { + api_bind_addr = "[::]:3903"; + }; }; }; diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix index b62789e6..952661b1 100644 --- a/modules/grafana/default.nix +++ b/modules/grafana/default.nix @@ -33,6 +33,11 @@ group = "grafana"; user = "grafana"; }; + "grafana-dashboards/grafana-garage-dashboard-prometheus.json" = { + source = ./grafana-dashboards/grafana-garage-dashboard-prometheus.json; + group = "grafana"; + user = "grafana"; + }; }; services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = { diff --git a/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json b/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json new file mode 100644 index 00000000..33ee1635 --- /dev/null +++ b/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json @@ -0,0 +1,1048 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "DS_PROMETHEUS", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.2.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 24, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "Bps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum(rate(block_bytes_read{job=\"garage\"}[$__rate_interval]) )", + "hide": false, + "interval": "", + "legendFormat": "Disk bytes read", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "-sum(rate(block_bytes_written{job=\"garage\"}[$__rate_interval]) )", + "hide": false, + "interval": "", + "legendFormat": "Disk bytes written", + "refId": "B" + } + ], + "title": "Disk I/O", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 8, + "y": 0 + }, + "id": 3, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "sum by (api_endpoint) (rate(api_s3_request_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{api_endpoint}}", + "range": true, + "refId": "A" + } + ], + "title": "API requests", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 16, + "y": 0 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum(rate(web_request_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "Web request rate", + "refId": "A" + } + ], + "title": "Web requests", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 9 + }, + "id": 2, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by (rpc_endpoint) (rate(rpc_request_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{rpc_endpoint}}", + "refId": "A" + } + ], + "title": "RPC requests", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 9 + }, + "id": 4, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "sum by (api_endpoint, status_code) (rate(api_s3_error_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{api_endpoint}} {{status_code}}", + "range": true, + "refId": "A" + } + ], + "title": "API errors", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 9 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by(status_code) (rate(web_error_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{status_code}}", + "refId": "A" + } + ], + "title": "Web errors", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 17 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "block_resync_queue_length{job=\"garage\"}", + "interval": "", + "legendFormat": "{{instance}}", + "refId": "A" + } + ], + "title": "Resync queue length", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 17 + }, + "id": 7, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by(table_name) (table_gc_todo_queue_length{job=\"garage\"})", + "interval": "", + "legendFormat": "{{ table_name}}", + "refId": "A" + } + ], + "title": "Table GC queue length", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 17 + }, + "id": 8, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by(table_name) (table_merkle_updater_todo_queue_length{job=\"garage\"})", + "interval": "", + "legendFormat": "{{ table_name}}", + "refId": "A" + } + ], + "title": "Table Merkle updater queue length", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 25 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "block_resync_errored_blocks{job=\"garage\"}", + "interval": "", + "legendFormat": "{{instance}}", + "refId": "A" + } + ], + "title": "Resync errored blocks", + "type": "timeseries" + } + ], + "refresh": "30s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "label": "Datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Garage", + "uid": "ys3pnpZ4k", + "version": 26, + "weekStart": "" +} diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 709f6a25..5834ee25 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -69,6 +69,14 @@ instance = "tankstelle"; }; } + { + targets = [ + "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + ]; + labels = { + instance = "trinkgenossin"; + }; + } ]; } { @@ -83,6 +91,18 @@ } ]; } + { + job_name = "garage"; + static_configs = [ + { + targets = [ + "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:3903" + "delite.wg.${config.pub-solar-os.networking.domain}:3903" + "blue-shell.wg.${config.pub-solar-os.networking.domain}:3903" + ]; + } + ]; + } ]; ruleFiles = [ From 13bf3f5beb9676972b5836bf8f3feebebc3974a7 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 03:27:42 +0200 Subject: [PATCH 13/14] docs: SSH to trinkgenossin for garage command --- docs/garage.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/garage.md b/docs/garage.md index de40b051..65171233 100644 --- a/docs/garage.md +++ b/docs/garage.md @@ -1,6 +1,9 @@ ``` +ssh barkeeper@trinkgenossin.wg.pub.solar + export GARAGE_RPC_SECRET= +# Uses the default config /etc/garage.toml garage node id garage node connect @@ -17,3 +20,5 @@ garage layout assign 73da -z NL-1 -c 800G -t delite garage layout show garage layout apply --version 1 ``` + +Source: https://garagehq.deuxfleurs.fr/documentation/cookbook/real-world/#creating-a-cluster-layout From 711347abe68b690497d8fc9fc84f45b1f41e609b Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 26 Aug 2024 11:00:42 +0200 Subject: [PATCH 14/14] docs: add how-to create garage bucket + key add new hosts to WireGuard example config --- docs/administrative-access.md | 33 +++++++++++++++++++++++++++++++++ docs/garage.md | 25 +++++++++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 5c58e791..169f087e 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -85,6 +85,39 @@ Example NixOS snippet for WireGuard client config #endpoint = "80.244.242.5:51820"; persistentKeepalive = 15; } + { + # trinkgenossin.pub.solar + publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; + allowedIPs = [ + "10.7.6.5/32" + "fd00:fae:fae:fae:fae:5::/96" + ]; + #endpoint = "85.215.152.22:51820"; + endpoint = "[2a01:239:35d:f500::1]:51820"; + persistentKeepalive = 15; + } + { + # delite.pub.solar + publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k="; + allowedIPs = [ + "10.7.6.6/32" + "fd00:fae:fae:fae:fae:6::/96" + ]; + #endpoint = "5.255.119.132:51820"; + endpoint = "[2a04:52c0:124:9d8c::2]:51820"; + persistentKeepalive = 15; + } + { + # blue-shell.pub.solar + publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8="; + allowedIPs = [ + "10.7.6.7/32" + "fd00:fae:fae:fae:fae:7::/96" + ]; + #endpoint = "194.13.83.205:51820"; + endpoint = "[2a03:4000:43:24e::1]:51820"; + persistentKeepalive = 15; + } ]; }; }; diff --git a/docs/garage.md b/docs/garage.md index 65171233..e1e82fb2 100644 --- a/docs/garage.md +++ b/docs/garage.md @@ -1,3 +1,28 @@ +# Garage + +### How-To create a new bucket + keys + +Requirements: + +- [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell` + +``` +ssh barkeeper@trinkgenossin.wg.pub.solar + +export GARAGE_RPC_SECRET= + +garage bucket create +garage key create -key +garage bucket allow --read --write --key -key +``` + +Docs: https://garagehq.deuxfleurs.fr/documentation/quick-start/#creating-buckets-and-keys + +Then [setup your favourite S3 client](https://garagehq.deuxfleurs.fr/documentation/connect/cli/) +or use the bucket with any [S3 compatible software](https://garagehq.deuxfleurs.fr/documentation/connect/). + +### Notes on manual setup steps + ``` ssh barkeeper@trinkgenossin.wg.pub.solar