From 946585d1caab9a2f7e3c52e9845b3080b5ccec45 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Wed, 29 May 2024 14:08:59 +0200 Subject: [PATCH 1/8] initial commit of tankstelle --- flake.nix | 4 ++ hosts/default.nix | 10 ++++ hosts/tankstelle/backups.nix | 13 +++++ hosts/tankstelle/configuration.nix | 17 +++++++ hosts/tankstelle/default.nix | 12 +++++ hosts/tankstelle/hardware-configuration.nix | 39 +++++++++++++++ hosts/tankstelle/networking.nix | 39 +++++++++++++++ hosts/tankstelle/wireguard.nix | 54 +++++++++++++++++++++ 8 files changed, 188 insertions(+) create mode 100644 hosts/tankstelle/backups.nix create mode 100644 hosts/tankstelle/configuration.nix create mode 100644 hosts/tankstelle/default.nix create mode 100644 hosts/tankstelle/hardware-configuration.nix create mode 100644 hosts/tankstelle/networking.nix create mode 100644 hosts/tankstelle/wireguard.nix diff --git a/flake.nix b/flake.nix index d97687a..0f6d830 100644 --- a/flake.nix +++ b/flake.nix @@ -122,6 +122,10 @@ hostname = "10.7.6.2"; sshUser = username; }; + tankstelle = { + hostname = "80.244.242.5"; + sshUser = username; + }; }; }; }; diff --git a/hosts/default.nix b/hosts/default.nix index c17b5cc..429730c 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -58,6 +58,16 @@ self.nixosModules.loki ]; }; + + tankstelle = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./tankstelle + self.nixosModules.overlays + self.nixosModules.core + ]; + }; }; }; } diff --git a/hosts/tankstelle/backups.nix b/hosts/tankstelle/backups.nix new file mode 100644 index 0000000..c5bf79b --- /dev/null +++ b/hosts/tankstelle/backups.nix 
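Review bot: The new deploy target uses the host's public address `hostname = "80.244.242.5";` whereas the sibling flora-6 entry directly above deploys over its WireGuard address `10.7.6.2`, so deployments to tankstelle will travel over the internet-facing interface rather than the VPN the other hosts use. Once hosts/tankstelle/wireguard.nix is actually imported, switch this to the tunnel address assigned there for consistency; until then a one-line comment such as `# bootstrap: public IP until wg-ssh is up` would make the exception deliberate rather than accidental. The enclosing deploy attribute set starts outside the hunk.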
@@ -0,0 +1,13 @@ +{ flake, ... }: +{ + age.secrets."restic-repo-droppie" = { + file = "${flake.self}/secrets/restic-repo-droppie.age"; + mode = "400"; + owner = "root"; + }; + age.secrets."restic-repo-storagebox" = { + file = "${flake.self}/secrets/restic-repo-storagebox.age"; + mode = "400"; + owner = "root"; + }; +} diff --git a/hosts/tankstelle/configuration.nix b/hosts/tankstelle/configuration.nix new file mode 100644 index 0000000..73f3b90 --- /dev/null +++ b/hosts/tankstelle/configuration.nix @@ -0,0 +1,17 @@ +{ + flake, + config, + pkgs, + ... +}: +{ + imports = + [ + ./hardware-configuration.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + system.stateVersion = "23.11"; +} diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix new file mode 100644 index 0000000..845d466 --- /dev/null +++ b/hosts/tankstelle/default.nix @@ -0,0 +1,12 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/tankstelle/hardware-configuration.nix b/hosts/tankstelle/hardware-configuration.nix new file mode 100644 index 0000000..b1e302a --- /dev/null +++ b/hosts/tankstelle/hardware-configuration.nix 
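Review bot: `./hardware-configuration.nix` is imported both here and in `./configuration.nix` (the hunk just above), so the same module is pulled in twice; the module system tolerates duplicate path imports, but the redundancy invites the two lists to drift. Keep it in one place, e.g. `imports = [ ./configuration.nix ./networking.nix ];` here with configuration.nix owning the hardware import. Note also that `#./wireguard.nix` and `#./backups.nix` are commented out, so the age secrets declared in backups.nix in this commit are not applied to the host yet.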
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/AF98-AA5C"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/tankstelle/networking.nix b/hosts/tankstelle/networking.nix new file mode 100644 index 0000000..83d60e1 --- /dev/null +++ b/hosts/tankstelle/networking.nix @@ -0,0 +1,39 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + networking = { + hostName = "tankstelle"; + domain = "pub.solar"; + enableIPv6 = true; + defaultGateway = { + address = "80.244.242.1"; + interface = "enp1s0"; + }; + defaultGateway6 = { + address = "2001:4d88:1ffa:26::1"; + interface = "enp1s0"; + }; + nameservers = [ "95.129.51.51" "80.244.244.244" ]; + interfaces."enp1s0" = { + ipv4.addresses = [ + { + address = "80.244.242.5"; + prefixLength = 29; + } + ]; + ipv6.addresses = [ + { + address = "2001:4d88:1ffa:26::5"; + prefixLength = 64; + } + ]; + }; + }; + + # TODO: ssh via wireguard only + services.openssh.openFirewall = true; +} 
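Review bot: `services.openssh.openFirewall = true;` opens TCP 22 on every interface, including the public `enp1s0` address `80.244.242.5`, while the TODO right above it says the intent is SSH over WireGuard only. The shared core module already allows port 22 on the tunnel interface (`networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];` appears as context in the modules/core/networking.nix hunk later in this series), so once the WireGuard module is enabled this line should become `services.openssh.openFirewall = false;`. If public SSH is needed for bootstrapping, confirm password authentication is disabled on this host (not visible here) and give the TODO an owner or a follow-up reference so it is not left open-ended.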
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix new file mode 100644 index 0000000..0eef697 --- /dev/null +++ b/hosts/tankstelle/wireguard.nix @@ -0,0 +1,54 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "10.7.6.3/32" + "fd00:fae:fae:fae:fae:3::/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + { + # nachtigall.pub.solar + endpoint = "138.201.80.102:51820"; + publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; + allowedIPs = [ + "10.7.6.1/32" + "fd00:fae:fae:fae:fae:1::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = "10.7.6.3"; + port = 22; + } + { + addr = "[fd00:fae:fae:fae:fae:3::]"; + port = 22; + } + ]; +} -- 2.44.1 From e71cbfc461be25732f0f32fd5aa724753303b478 Mon Sep 17 00:00:00 2001 
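Review bot: `privateKeyFile` is wired to `secrets/metronom-wg-private-key.age`, which by its name is another host's WireGuard key; reusing it would make tankstelle and that host indistinguishable to peers and breaks the one-key-per-host model the rest of the file assumes (nachtigall and flora-6 are each identified by their own `publicKey` here). PATCH 8 of this series moves to `tankstelle-wg-private-key.age`, but this commit on its own references the wrong secret, and a host-specific key should be created in the same commit that introduces the interface. Separately, `services.openssh.listenAddresses` binds sshd only to the tunnel addresses, so sshd presumably must start after `wg-ssh` has its addresses or the bind fails — verify ordering on first boot. The file is not imported by hosts/tankstelle/default.nix in this commit, so none of this is active yet.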
From: teutat3s Date: Wed, 29 May 2024 17:45:23 +0200 Subject: [PATCH 2/8] ci: add self-hosted forgejo-actions-runner wip: add git.pub.solar to /etc/hosts ci: add devshell with Node.js for forgejo actions ci: add PATH ci: add HOME --- .forgejo/workflows/check.yml | 38 +++------------- flake.nix | 5 +++ hosts/tankstelle/configuration.nix | 2 + hosts/tankstelle/default.nix | 1 + hosts/tankstelle/forgejo-actions-runner.nix | 33 ++++++++++++++ modules/core/networking.nix | 1 + secrets/secrets.nix | 4 ++ ...ankstelle-forgejo-actions-runner-token.age | 43 +++++++++++++++++++ 8 files changed, 96 insertions(+), 31 deletions(-) create mode 100644 hosts/tankstelle/forgejo-actions-runner.nix create mode 100644 secrets/tankstelle-forgejo-actions-runner-token.age diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index fc6ec37..e4dcbb1 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml 
@@ -1,44 +1,20 @@ name: Flake checks on: [pull_request] env: - USER: ci + PATH: /run/current-system/sw/bin + HOME: /var/lib/gitea-runner/tankstelle jobs: Check: - runs-on: ubuntu-latest + runs-on: self-hosted steps: + - name: Enter ci devshell + run: | + nix --accept-flake-config --access-tokens '' develop .#ci + - name: Check out repository code uses: https://code.forgejo.org/actions/checkout@v4 - - uses: https://github.com/nixbuild/nix-quick-install-action@v27 - with: - load_nixConfig: false - nix_conf: | - substituters = https://cache.nixos.org/ https://nix-community.cachix.org - trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= - keep-outputs = true - - - name: Calculate flake.lock hash - id: flake-lock-hash - run: | - echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT - - - name: Restore and cache Nix store - uses: https://github.com/nix-community/cache-nix-action@v4.0.3 - id: nix-store-cache - with: - key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }} - restore-keys: | - cache-${{ runner.os }}-nix-store- - - gc-linux: true - gc-max-store-size-linux: 10000000000 - - purge-caches: true - purge-key: cache-${{ runner.os }}-nix-store- - purge-created: true - purge-created-max-age: 42 - - name: Prepare cachix uses: https://github.com/cachix/cachix-action@v14 with: diff --git a/flake.nix b/flake.nix index 0f6d830..44b3474 100644 --- a/flake.nix +++ b/flake.nix @@ -91,6 +91,11 @@ jq ]; }; + devShells.ci = pkgs.mkShell { + buildInputs = with pkgs; [ + nodejs + ]; + }; }; flake = diff --git a/hosts/tankstelle/configuration.nix b/hosts/tankstelle/configuration.nix index 73f3b90..c207fdb 100644 --- a/hosts/tankstelle/configuration.nix +++ b/hosts/tankstelle/configuration.nix 
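Review bot: `runs-on: self-hosted` combined with `on: [pull_request]` means any pull request — including fork PRs, depending on the Forgejo instance's approval policy — now evaluates and builds the submitted flake directly on tankstelle, a persistent host that holds agenix secrets and later in this series becomes a WireGuard peer of nachtigall; please confirm fork PRs require manual approval before a run, and consider an ephemeral runner for PR events. The `Enter ci devshell` step is also a no-op: `nix develop .#ci` spawns a shell that exits immediately, every `run:` step starts a fresh shell, and it runs before checkout so `.#ci` refers to whatever is left in the workdir from a previous job; either drop the step or invoke commands as `nix develop .#ci --command …`. Overriding `PATH` to `/run/current-system/sw/bin` in the workflow papers over an incomplete PATH in the runner's systemd unit, which is better fixed on the host side.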
@@ -13,5 +13,7 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + boot.binfmt.emulatedSystems = ["aarch64-linux"]; + system.stateVersion = "23.11"; } diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix index 845d466..724a1fc 100644 --- a/hosts/tankstelle/default.nix +++ b/hosts/tankstelle/default.nix @@ -6,6 +6,7 @@ ./configuration.nix ./networking.nix + ./forgejo-actions-runner.nix #./wireguard.nix #./backups.nix ]; diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix new file mode 100644 index 0000000..501e42a --- /dev/null +++ b/hosts/tankstelle/forgejo-actions-runner.nix @@ -0,0 +1,33 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: +{ + age.secrets.tankstelle-forgejo-actions-runner-token = { + file = "${flake.self}/secrets/tankstelle-forgejo-actions-runner-token.age"; + mode = "440"; + }; + + # Trust docker bridge interface traffic + # Needed for the docker runner to communicate with the act_runner cache + networking.firewall.trustedInterfaces = [ "br-+" ]; + + # forgejo actions runner + # https://forgejo.org/docs/latest/admin/actions/ + # https://docs.gitea.com/usage/actions/quickstart + services.gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances."tankstelle" = { + enable = true; + name = config.networking.hostName; + url = "https://git.pub.solar"; + tokenFile = config.age.secrets.tankstelle-forgejo-actions-runner-token.path; + labels = [ + "self-hosted:host://-self-hosted" + ]; + }; + }; +} diff --git a/modules/core/networking.nix b/modules/core/networking.nix index 765fdd4..7354897 100644 --- a/modules/core/networking.nix +++ b/modules/core/networking.nix 
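Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ];` trusts every Docker bridge interface — anything running in a container can reach every host port — yet the only label registered is `self-hosted:host://-self-hosted`, which executes jobs directly on the host without Docker, so the rule currently buys nothing and silently widens the firewall for any container that appears later. Drop it until a `docker://` label is added, and then prefer opening only the act_runner cache port on the bridge. `mode = "440"` on the token secret with no `owner`/`group` leaves it root:root, which is fine only if the nixpkgs module hands `tokenFile` to systemd as an `EnvironmentFile` (read as root) and the file holds `TOKEN=…` as that module expects — both assumptions deserve a comment next to the secret.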
@@ -28,6 +28,7 @@ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; networking.hosts = { + "138.201.80.102" = [ "git.${config.pub-solar-os.networking.domain}" ]; "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ]; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 36202b5..6ed622d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,6 +3,7 @@ let nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; + tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle"; adminKeys = builtins.foldl' ( keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys) @@ -10,6 +11,8 @@ let nachtigallKeys = [ nachtigall-host ]; + tankstelleKeys = [ tankstelle-host ]; + flora6Keys = [ flora-6-host ]; in { @@ -29,6 +32,7 @@ in "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys; "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys; + "tankstelle-forgejo-actions-runner-token.age".publicKeys = tankstelleKeys ++ adminKeys; "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys; "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys; "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; diff --git a/secrets/tankstelle-forgejo-actions-runner-token.age b/secrets/tankstelle-forgejo-actions-runner-token.age new file mode 100644 index 0000000..915b0d7 --- /dev/null +++ b/secrets/tankstelle-forgejo-actions-runner-token.age 
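Review bot: Pinning `git.pub.solar` to `138.201.80.102` in `/etc/hosts` on every host is a fleet-wide DNS override introduced as a `wip` item; if nachtigall's public address ever changes, every host keeps talking to the stale IP. The same IP is nachtigall's WireGuard endpoint, so if the goal is for the runner to reach git over the tunnel the entry should map to the `10.7.6.1` address used for `nachtigall.…` on the next line, and otherwise name resolution should be left to DNS. If it must stay, add `# TODO: temporary, remove once DNS resolves git.pub.solar from tankstelle` so it does not outlive its purpose.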
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 1X0eLA g7MuhjaILdtN30lT0abiBuT2i2SxE4wzwHffPMbPaxA +5iZOxlFLUaKUhqvGSiyyVy7jrbGcN8Q4DX4xXImDDZM +-> ssh-ed25519 uYcDNw NUtdv3ykepvWklorbni0lMPb31hpHDhVktV6AkqY0Fs +anEK08Yr7WY6xmovVJjxXqy/Z47CU6sUFs/1tZHqHos +-> ssh-rsa f5THog +nCjbVlM7V+AT20HSV7Z9miLlFzVRruxIrPavIrDNLRLnjDn8dkgu2ZnymnXHf9El +GA/tmjF86OKCCOS7AjdSZ0RZIjgOfU/EseWdmaaS5iR6PjDJmuJuGtCwDKloddwO +wS2VeU3tQzF6ayGPFirWYQVOwMCVahe6DB3d+ataXSprhb9DtMxAb7FQ07zl3rrO +VXE82wA4qnwWyLAvZ96XdXYGBpO2vzxEgYzXa1gbHEY38BMUgELyhJJX0c2hEVwv +jT7h4ex4NUK3f3t2JXw/Waz5hHpRYFuzF7u4rZjXZbiW0sgcXHZKF11AEUxASsUl +yul5EEaPI34ISnwpWWuPAuDBskQzgJooeKGi9bQDed8otLy33NxyYgtR1Av4x1cC +PjtkDxuvIooGp1uKgMFdoyWMB+pyd5MOeyqKXl0drTzILBET1quLBDuyAntvGriS +c8Cj05YpLEh/gmPZ3KzLyGaKcELL8YYco+NkUwr1LNe/OEMbHcLc9q5fVfsN5BYz +w1hQ24c8JGW1/1DFG+R0+MfcF4jFVyiqk9ctRlKqoA8dnFmkMDlK6ETj191y8baZ +DtMNPTOeLDmxFc3O0vjAWFV3Is5X3EupcS4hlLpeNCW1DXF4R2+cmBQOewfeafI4 +uVaMuNqTW60B+9j7c6asvSHcAVP8S6BTcrJiaLETiSU +-> ssh-rsa kFDS0A +ZBLNf1RAI2+dXsXR8ns3taqHIM2yqslWOvSUM93droVVN6fkq/O9QUx0f6iljQW6 +wRY2iqqjzBYs6kysf21jsryGGhhVNB70QAeGDZWoeB2YmpnlvMRumqqG6S77K6kc +D0oKXkuYx9J62BBI6gJk3+yJgEK3WHBvgBzD5rqgW2kJVWFLyU7C/rJH78UKvX2r +r4PDQCEeJ4wnRyV0ox4z3f0XfLoHiwXE2oWGgrfs6/+Pw3AKdENbbNVRIyrzJci4 +nhxDd1miMChsQylKnfB8C60J9rhVFfP0/G8EXqhi2KbHfPeC4fHPjUxVbi2v74Ag +NaRgxZOMpVPgGxlnHCz4ELuGn1LsMuBJCic/Z0PNMr86SC9hFnCyaWqXxKaYLj38 +USJq+F9RC7529En7XT+jOifDB29DS4GL8gCvwizd8j8wfeFm4w6qXS8rS5+9BbcD +Ghf1Zzmbdm0R2lO4aV/APyCyK5NW0k068T7V710x+KvyRREvChkYEN87VvK5kYcC +uYZvbcGJgMQrEiwVN11H2oxHPpj4oB7NiSb3mpDkaniXS5ijhEl10C6OzuEk1Hm2 +ybYXLspzlOZujVoGqrscoKTTzirvnO0B1YirPieTX6ym51rvnO6SPiT5bYGL5DNQ +E6PDUz5kOwD9IQyF/a88CxBg/BFqSrSlvli+bdgfM7c +-> piv-p256 vRzPNw AgAstuXfEQ+zPDSJmDRlieeY7h93S7AOX1LmWNZq8SOA +umkx7AnExb+OuxVtTnJsr0Vymhlt9PBYkRt+5FxgLA0 +-> piv-p256 zqq/iw A8mFVtYM8mpj1iBqeQfvGavOahp0oNsT3j1i5YDYDfD2 +dZrDkvAHopEFTQgCdUkDNHPjLVhMAO4YJJE+cLuaxd4 +-> ssh-ed25519 YFSOsg 4h3HGQqPiwWUJkgZP9eMuiKxoZq9+YCDqj5L28mdIBE 
+ppHBGJJzaf0fJZ24MZBRQ3v561f3J+CuDX7tatfD3G4 +-> ssh-ed25519 iHV63A rikUwY2DW9GQLopMcdPK8eZ1YjeKTp9z5cRqzDOs4mU +kYn3dNGNhIDr3KIPEFZZj9zsqHZn7JDT67jtdljOVyo +-> ssh-ed25519 BVsyTA 3GMMwNFuwx7ECwKWqS9GnIV5MuZY1jxi5KDKY1j3tSs +gWEkAMLnOI/7gKKfuJE3vU6+e6XpnNwQfIJQ0UFoC6w +-> ssh-ed25519 +3V2lQ YemOcrH319bbQJp+LnugOh2ed/Pwgfla+C3BU6cIaUQ +gFTDAi8TFTRCmGkcSN8lFJPQctHLUC75xl7oJOdsYuw +--- jd2QVeVcxn06ET1m3jMx8encjGlV51Vz7UO2MQq9weI +/LB$&q-]He\niT-zǵv2Nl^+Wj6 gieUk!mxW \ No newline at end of file -- 2.44.1 From 692c1524061b998e051a535d65439fd4c1352e8d Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 29 May 2024 18:39:45 +0200 Subject: [PATCH 3/8] gitea-actions-runner: fix PATH in systemd --- .forgejo/workflows/check.yml | 7 ------- hosts/tankstelle/forgejo-actions-runner.nix | 12 ++++++++++++ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index e4dcbb1..0b9c405 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -1,17 +1,10 @@ name: Flake checks on: [pull_request] -env: - PATH: /run/current-system/sw/bin - HOME: /var/lib/gitea-runner/tankstelle jobs: Check: runs-on: self-hosted steps: - - name: Enter ci devshell - run: | - nix --accept-flake-config --access-tokens '' develop .#ci - - name: Check out repository code uses: https://code.forgejo.org/actions/checkout@v4 diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix index 501e42a..3f7e0fe 100644 --- a/hosts/tankstelle/forgejo-actions-runner.nix +++ b/hosts/tankstelle/forgejo-actions-runner.nix 
@@ -15,6 +15,18 @@ # Needed for the docker runner to communicate with the act_runner cache networking.firewall.trustedInterfaces = [ "br-+" ]; + systemd.services."gitea-runner-tankstelle".path = with pkgs; [ + coreutils + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + wget + ]; + # forgejo actions runner # https://forgejo.org/docs/latest/admin/actions/ # https://docs.gitea.com/usage/actions/quickstart -- 2.44.1 From 866785ef47f959de372aaaea8ce879785db052ab Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 30 May 2024 15:21:44 +0200 Subject: [PATCH 4/8] style: format using treefmt --- flake.nix | 6 +--- hosts/tankstelle/configuration.nix | 7 ++--- hosts/tankstelle/forgejo-actions-runner.nix | 4 +-- hosts/tankstelle/hardware-configuration.nix | 32 +++++++++++---------- hosts/tankstelle/networking.nix | 5 +++- 5 files changed, 25 insertions(+), 29 deletions(-) diff --git a/flake.nix b/flake.nix index 44b3474..f66a4b7 100644 --- a/flake.nix +++ b/flake.nix @@ -91,11 +91,7 @@ jq ]; }; - devShells.ci = pkgs.mkShell { - buildInputs = with pkgs; [ - nodejs - ]; - }; + devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; }; }; flake = diff --git a/hosts/tankstelle/configuration.nix b/hosts/tankstelle/configuration.nix index c207fdb..2b1a177 100644 --- a/hosts/tankstelle/configuration.nix +++ b/hosts/tankstelle/configuration.nix @@ -5,15 +5,12 @@ ... }: { - imports = - [ - ./hardware-configuration.nix - ]; + imports = [ ./hardware-configuration.nix ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - boot.binfmt.emulatedSystems = ["aarch64-linux"]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; system.stateVersion = "23.11"; } diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix index 3f7e0fe..7ea8b86 100644 --- a/hosts/tankstelle/forgejo-actions-runner.nix +++ b/hosts/tankstelle/forgejo-actions-runner.nix 
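Review bot: `coreutils` appears twice in the `path` list; the duplicate is harmless but noisy — remove one. The list also lacks `nix` even though every step of the workflow runs `nix …` (PATCH 6 adds it later); a runner PATH is easier to audit when it is declared once and complete, e.g. `path = with pkgs; [ bash coreutils curl gawk gitMinimal gnused nix nodejs wget ];`.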
@@ -37,9 +37,7 @@ name = config.networking.hostName; url = "https://git.pub.solar"; tokenFile = config.age.secrets.tankstelle-forgejo-actions-runner-token.path; - labels = [ - "self-hosted:host://-self-hosted" - ]; + labels = [ "self-hosted:host://-self-hosted" ]; }; }; } diff --git a/hosts/tankstelle/hardware-configuration.nix b/hosts/tankstelle/hardware-configuration.nix index b1e302a..ec9b465 100644 --- a/hosts/tankstelle/hardware-configuration.nix +++ b/hosts/tankstelle/hardware-configuration.nix @@ -10,28 +10,30 @@ }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/17531ffc-46bd-4259-8287-2dea73804b5b"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/AF98-AA5C"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/AF98-AA5C"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; } - ]; + swapDevices = [ { device = "/dev/disk/by-uuid/7aee04b5-1ef9-43de-acb4-70ac1238b58a"; } ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; diff --git a/hosts/tankstelle/networking.nix b/hosts/tankstelle/networking.nix index 83d60e1..2c8f760 100644 --- a/hosts/tankstelle/networking.nix +++ b/hosts/tankstelle/networking.nix 
@@ -17,7 +17,10 @@ address = "2001:4d88:1ffa:26::1"; interface = "enp1s0"; }; - nameservers = [ "95.129.51.51" "80.244.244.244" ]; + nameservers = [ + "95.129.51.51" + "80.244.244.244" + ]; interfaces."enp1s0" = { ipv4.addresses = [ { -- 2.44.1 From cc70a740a16687a2bd802f09e33a2e0783038f56 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 30 May 2024 15:49:56 +0200 Subject: [PATCH 5/8] ci: run actions runner as normal user --- .forgejo/workflows/check.yml | 7 ---- hosts/tankstelle/forgejo-actions-runner.nix | 42 +++++++++++++++------ 2 files changed, 31 insertions(+), 18 deletions(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 0b9c405..12a5ddc 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -8,13 +8,6 @@ jobs: - name: Check out repository code uses: https://code.forgejo.org/actions/checkout@v4 - - name: Prepare cachix - uses: https://github.com/cachix/cachix-action@v14 - with: - name: pub-solar - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - useDaemon: false - - name: Check formatting run: | nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix index 7ea8b86..3869de9 100644 --- a/hosts/tankstelle/forgejo-actions-runner.nix +++ b/hosts/tankstelle/forgejo-actions-runner.nix 
@@ -15,17 +15,37 @@ # Needed for the docker runner to communicate with the act_runner cache networking.firewall.trustedInterfaces = [ "br-+" ]; - systemd.services."gitea-runner-tankstelle".path = with pkgs; [ - coreutils - bash - coreutils - curl - gawk - gitMinimal - gnused - nodejs - wget - ]; + users.users.gitea-runner = { + home = "/var/lib/gitea-runner/tankstelle"; + useDefaultShell = true; + group = "gitea-runner"; + # Required to interact with nix daemon + extraGroups = [ + "wheel" + ]; + isSystemUser = true; + }; + + users.groups.gitea-runner = { }; + + systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ]; + + systemd.services."gitea-runner-tankstelle" = { + serviceConfig.DynamicUser = lib.mkForce false; + path = with pkgs; [ + coreutils + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + wget + cachix + jq + ]; + }; # forgejo actions runner # https://forgejo.org/docs/latest/admin/actions/ -- 2.44.1 From 5aa1276e85018ff01ecdca2034fd5423ff39c2b6 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 30 May 2024 16:06:23 +0200 Subject: [PATCH 6/8] ci: add nix to PATH --- hosts/tankstelle/forgejo-actions-runner.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts/tankstelle/forgejo-actions-runner.nix b/hosts/tankstelle/forgejo-actions-runner.nix index 3869de9..294db44 100644 --- a/hosts/tankstelle/forgejo-actions-runner.nix +++ b/hosts/tankstelle/forgejo-actions-runner.nix @@ -20,9 +20,7 @@ useDefaultShell = true; group = "gitea-runner"; # Required to interact with nix daemon - extraGroups = [ - "wheel" - ]; + extraGroups = [ "wheel" ]; isSystemUser = true; }; @@ -44,6 +42,7 @@ wget cachix jq + nix ]; }; -- 2.44.1 From b039dec11154e05a8c2a9b43fae789aee1a5ea9c Mon Sep 17 00:00:00 2001 
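Review bot: `extraGroups = [ "wheel" ];` with the comment "Required to interact with nix daemon" is not what it says: the nix-daemon socket is accessible to all local users, so no group membership is needed to evaluate or build. What `wheel` does grant is sudo eligibility (password-gated only if `security.sudo.wheelNeedsPassword` is left at its default, which this file cannot show) and, if `nix.settings.trusted-users` includes `@wheel` as is common, trusted-user status that lets the user disable the sandbox or add substituters — effectively root. Since this account runs code from every pull request on a persistent host (`DynamicUser = lib.mkForce false`, fixed `home`), drop the group with `extraGroups = [ ];` and, if a specific nix setting was the real motivation, set that option host-side rather than making the CI user trusted. The persistent home also means build outputs and anything a job leaves behind survive into later jobs from other PRs; document that trade-off next to the `DynamicUser` override.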
From: teutat3s Date: Thu, 30 May 2024 16:29:32 +0200 Subject: [PATCH 7/8] ci: update results path to prevent garbage collection --- .forgejo/workflows/check.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index 12a5ddc..fe6890e 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -16,6 +16,8 @@ jobs: run: | set -exuo pipefail # Prevent cache garbage collection by creating GC roots + mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results + for target in $(nix flake show --json --all-systems | jq ' .["nixosConfigurations"] | to_entries[] | @@ -23,7 +25,7 @@ jobs: ' | tr -d '"' ); do nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \ - build --out-link ./result-"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel" + build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel" done nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check -- 2.44.1 From 941eff6d8735d6e89bef9bdeaa8fa043975d09b1 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 30 May 2024 19:17:21 +0200 Subject: [PATCH 8/8] tankstelle: configure wireguard --- hosts/nachtigall/wireguard.nix | 9 ++++++ hosts/tankstelle/default.nix | 2 +- hosts/tankstelle/wireguard.nix | 35 ++++++++------------- modules/core/networking.nix | 1 - secrets/secrets.nix | 1 + secrets/tankstelle-wg-private-key.age | 45 +++++++++++++++++++++++++++ terraform/dns.tf | 5 +++ 7 files changed, 74 insertions(+), 24 deletions(-) create mode 100644 secrets/tankstelle-wg-private-key.age diff --git a/hosts/nachtigall/wireguard.nix b/hosts/nachtigall/wireguard.nix index 3008ef3..ff47d92 100644 --- a/hosts/nachtigall/wireguard.nix +++ b/hosts/nachtigall/wireguard.nix 
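Review bot: The GC-root path `/var/lib/gitea-runner/tankstelle/.local/state/nix/results` hardcodes one runner's home directory into the repository workflow, so the job breaks on any other runner; use `$HOME/.local/state/nix/results` (that directory is the runner's `home` in the NixOS user definition) or `${XDG_STATE_HOME:-$HOME/.local/state}/nix/results`. Roots are keyed only by `$target`, so two PRs building the same host overwrite each other's link — acceptable for cache retention, but worth a comment. The `jq … | tr -d '"'` pipeline can simply be `jq -r …`. The enclosing step starts outside the hunk.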
@@ -28,6 +28,15 @@ "fd00:fae:fae:fae:fae:2::/96" ]; } + { + # tankstelle.pub.solar + endpoint = "80.244.242.5:51820"; + publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg="; + allowedIPs = [ + "10.7.6.4/32" + "fd00:fae:fae:fae:fae:4::/96" + ]; + } ]; }; }; diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix index 724a1fc..a379466 100644 --- a/hosts/tankstelle/default.nix +++ b/hosts/tankstelle/default.nix @@ -7,7 +7,7 @@ ./networking.nix ./forgejo-actions-runner.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix index 0eef697..2100d43 100644 --- a/hosts/tankstelle/wireguard.nix +++ b/hosts/tankstelle/wireguard.nix @@ -7,27 +7,18 @@ { networking.firewall.allowedUDPPorts = [ 51820 ]; - age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age"; + age.secrets.wg-private-key.file = "${flake.self}/secrets/tankstelle-wg-private-key.age"; networking.wireguard.interfaces = { wg-ssh = { listenPort = 51820; mtu = 1300; ips = [ - "10.7.6.3/32" - "fd00:fae:fae:fae:fae:3::/96" + "10.7.6.4/32" + "fd00:fae:fae:fae:fae:4::/96" ]; privateKeyFile = config.age.secrets.wg-private-key.path; peers = flake.self.logins.admins.wireguardDevices ++ [ - { - # flora-6.pub.solar - endpoint = "80.71.153.210:51820"; - publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; - allowedIPs = [ - "10.7.6.2/32" - "fd00:fae:fae:fae:fae:2::/96" - ]; - } { # nachtigall.pub.solar endpoint = "138.201.80.102:51820"; @@ -41,14 +32,14 @@ }; }; - services.openssh.listenAddresses = [ - { - addr = "10.7.6.3"; - port = 22; - } - { - addr = "[fd00:fae:fae:fae:fae:3::]"; - port = 22; - } - ]; + #services.openssh.listenAddresses = [ + # { + # addr = "10.7.6.4"; + # port = 22; + # } + # { + # addr = "[fd00:fae:fae:fae:fae:4::]"; + # port = 22; + # } + #]; } diff --git a/modules/core/networking.nix b/modules/core/networking.nix index 7354897..765fdd4 100644 
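Review bot: With `services.openssh.listenAddresses` now commented out, sshd keeps listening on the public `80.244.242.5`, and `services.openssh.openFirewall = true` from hosts/tankstelle/networking.nix still opens port 22 on every interface, so the "ssh via wireguard only" TODO is not met even though the tunnel is now enabled. The core module already allows 22 on `wg-ssh` (`networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];`, context in the modules/core/networking.nix hunk below), so the minimal fix is `services.openssh.openFirewall = false;` in networking.nix. Either delete the commented block or keep the listen restriction with a comment explaining why it was disabled — presumably sshd failing to bind before the interface has its addresses, which an ordering on the WireGuard unit would address; confirm.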
--- a/modules/core/networking.nix +++ b/modules/core/networking.nix @@ -28,7 +28,6 @@ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; networking.hosts = { - "138.201.80.102" = [ "git.${config.pub-solar-os.networking.domain}" ]; "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ]; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6ed622d..2f19b43 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,6 +20,7 @@ in "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys; "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys; "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys; diff --git a/secrets/tankstelle-wg-private-key.age b/secrets/tankstelle-wg-private-key.age new file mode 100644 index 0000000..e668044 --- /dev/null +++ b/secrets/tankstelle-wg-private-key.age 
@@ -0,0 +1,45 @@ +age-encryption.org/v1 +-> ssh-ed25519 1X0eLA MwsWZb3girtAXvxgr3IBZhSthg5xzC2z88WIkG2GTDk +4yKFoIU/SbKcpSXYShUwEY6KV9o59bgIsDCJ0POOmZU +-> ssh-ed25519 uYcDNw 4CPU+vcJcXt+sVSD60ThkWWu87wEzo/TkFAfkJ7lAxU +K5ubfpowb/mBjRS9AaoEuPJEAy3jZQF9vBVK6+StrEE +-> ssh-rsa f5THog +GVZN3/Yl8OX+j8GuAp5ixsmz59HS+0z9OeGMoUl3m4S0kjpl39vY5+Fd5SXTtNLB +O5itG/nbo4lK/PVtH/s3UuzRlEvGzASkxTVGZAXBUgXlPf6hsUdxUhLn8G1DRTj9 +qmZyk5ERH/uqA8LIH8kBWPE8OJ9qf5oVwttOuJLlkrmiojEvbK4Egf4pBAKxv1Vu +JUwoO2W5QxB9lOkOiGOfq6e++pWL+PN1URpGFxbvmM7N6OKNhix+HV9lBdTbS4tl +uP8n0nrM5h5yh7Waz+aAVb7Wu4YgsFCEmGlhEksM/tiHFun+9kFI3xUNTTO3PbYP +KH6KAV8mOA8tL/6PNbbLmaHp5v7//5Abgjmy1BCwNe/WfZiTVLmGDaOpW7qE0pcq +h+ooOk81MenF84FRQGEEMMBVHgckxxCGYYve7bEsWMJP+ua1BmZjQu/I2LpXN6OA +KtoPcnmCGyrZMWKLVdSjzeeEqKk7wtG6BISeLdguF4pEUN2Qoqppx33UQ0ztACf1 +PHAsKbABkCG0yZz13M0bKSCP1O3HWzy2Cmw0EU+WbP6GEGCWmzZRDmjI9+CgtowH +9jz16+1k0PgO5EjV2s1Hijt0gEizl2Q07c2/BYx97951BOR9/LGVRKGtduXixf4a +qFt0Qw0JPZwP2XaXJmJ9x+4e1go5ydJFNnhcvTMUx3I +-> ssh-rsa kFDS0A +mM/LqZJl+5sDjDRhUZlPiFH43+BKkawgiPkQ6eNQmvS7fGjS6FWyGteiRdzxHax3 +y2YE0GC0EmllMfXpjidHQHd4IBP82LrAlry2if9QYOdxtPg3577EZT1XFsR4Eegx +9xuG0+UYIYoEi4wUnnc58z/lV/iCJ4hTBsSMD69ciPdUVzeaA7RoFKImuLx3zhu4 +Gc5ggAFKL9CYwMaJATB3e6+kTu3jkSUSa6vc4D0z7x7Sd2LjRN/THHlpvQQyMi4e +XREkhSNbOHp3mADLv7taFnjwUS/MltFDV8bPsemKmg+He0cVWc4JZynxaRXgdo4p +I3zkYcuWuUzWLgr6l8Aj4B7vd9tk9D0YyPmyMFWhq/IYjx62o/qTUSmBsluj2cqg +pg+45m/WTEAI7vnZXPcSlgbXyll1QE5TISqd7ugRyL3QhzR0h6TkRbMn5iCb15xy +zAgDCaN7z9Xhz9Y4zZG1zrKiF2qCNuZa6ZrgKRZLiFaVmhPvizCeYaZpRI2BfWwH +mo957eHh1//DIAbqWwRfblGZJUbuMK/vyvPoRsum3Pgft2LZLYF0U4vd8b0W5wBW +GBH3+zJBz5hhZVY96b5e70a6Uuwzub51RJlSJ07kNA/n5F1dN+8BFZlp52vCCSXQ +yzNnGZVnVF451CrsLtotzScO4r5KULpJaLK7Vkx20RE +-> piv-p256 vRzPNw AoFeX/N95u7AJHk3CEuFIf7tr0vYaGD+vFeh03kOmj2+ +qBrMOjlgPdY9hDUeMBZ/oWkduTr2fyHkQWPzjU8wsKE +-> piv-p256 zqq/iw A6134rkgfZQCqdSsE4PtaAq8QfJP5h/+L9WxfvQ6nFSg +kz/3tibowB2x7akq8slScl3XW9OcOFqUaVMA5hP03CQ +-> ssh-ed25519 YFSOsg TjpLEHbKVX8eT5FJyj5OjoczjlbfE1QxrSQV7nmK3z8 
++60JLcmaQEwEHkwRSD8ZxOVKfPfp+oCIxNz26h4EW4Q +-> ssh-ed25519 iHV63A /EMk1Hj4P0+VDBWneswmBE6rKRLuTBkcR42Y3NAGCxs +gFK/5AZAGptQ2GNbT25oiM1jENs70UYJVmBsH/9FRBE +-> ssh-ed25519 BVsyTA LwsnNWko4BLTMYIsW+iaagyTq1amhYfB+p0HUikzwT4 +7rZengSXZzlTFh/FFVS8Jt+LMJZQ2wE7F3al1+DFe9Y +-> ssh-ed25519 +3V2lQ JGc07grd52VZSARjFBckyoA7D6686kSP/rhW6B8CiCg +R77Oha9dKKYX7YxHbeiVRwpSgxNeUQcQIld1v30xwaE +--- 8J1Hx/Cb3bTUm4llIEeQx+YUwHkX9XzTIAZm+YdJxVQ +}Kuwe[Q +s^pxɡi9a;Hݲ yn +Qqek;j7\ \ No newline at end of file diff --git a/terraform/dns.tf b/terraform/dns.tf index 039dd86..4fd25b1 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -19,6 +19,11 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "80.71.153.210" } + record { + hostname = "tankstelle" + type = "A" + address = "80.244.242.5" + } record { hostname = "alerts" type = "A" -- 2.44.1
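Review bot: Only an `A` record is added for `tankstelle`, while hosts/tankstelle/networking.nix configures `enableIPv6 = true` and a static address `2001:4d88:1ffa:26::5`; if the host is meant to be reachable over IPv6 add a matching `AAAA` record, otherwise leave a comment that v6 is intentionally unpublished. The enclosing `namecheap_domain_records` resource starts and ends outside the hunk.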