diff --git a/.sops.yaml b/.sops.yaml index 8be98aa..57c50e4 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,7 +8,7 @@ keys: - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7 - &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 - &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x - - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 + - &vaultwarden age1d3dnansjhwtzj7pylk0nadg5jkqvzfe7zqs9rhx3yeerzwxyp4esxxsy7y - &wg-rpi age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6 creation_rules: - path_regex: ^secrets/helium/.*\.yaml$ diff --git a/hosts/cert-store/configuration.nix b/hosts/cert-store/configuration.nix index 3a738e5..45c3045 100644 --- a/hosts/cert-store/configuration.nix +++ b/hosts/cert-store/configuration.nix @@ -1,14 +1,12 @@ { ... }: { - environment.persistence."/persist".enable = true; imports = [ ../../shared/base.nix + ../../shared/disko/zfs-impermanence.nix ../../shared/hardware/impermanence.nix ../../shared/hardware/vm.nix - ../../shared/disko/zfs-impermanence.nix - ../../servers/acme-cert-store.nix ]; } diff --git a/hosts/siit-dc/configuration.nix b/hosts/siit-dc/configuration.nix index 51f8f3f..ace787b 100644 --- a/hosts/siit-dc/configuration.nix +++ b/hosts/siit-dc/configuration.nix @@ -1,15 +1,12 @@ -{ lib, ... }: +{ ... }: { - environment.persistence."/persist".enable = true; - swapDevices = lib.mkForce [ ]; imports = [ ../../shared/base.nix + ../../shared/disko/hetzner-zfs-impermanence.nix ../../shared/hardware/impermanence.nix ../../shared/hardware/vm.nix - ../../shared/disko/hetzner-zfs-impermanence.nix - ../../servers/siit-dc.nix ]; } diff --git a/hosts/vaultwarden/configuration.nix b/hosts/vaultwarden/configuration.nix index 7a52774..e438f3a 100644 --- a/hosts/vaultwarden/configuration.nix +++ b/hosts/vaultwarden/configuration.nix 
@@ -1,15 +1,12 @@ { ... }: { - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 2 * 1024; - } - ]; - imports = [ ../../shared/base.nix + + ../../shared/disko/zfs-impermanence.nix + ../../shared/hardware/impermanence.nix ../../shared/hardware/vm.nix + ../../servers/vaultwarden.nix ]; } diff --git a/hosts/vaultwarden/state.nix b/hosts/vaultwarden/state.nix index e66c6e8..f4e7524 100644 --- a/hosts/vaultwarden/state.nix +++ b/hosts/vaultwarden/state.nix @@ -1,14 +1,5 @@ { ... }: { - system.stateVersion = "23.11"; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/22f0fb39-e264-450d-b575-9dedd2a02361"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/A604-6A7B"; - fsType = "vfat"; - }; + networking.hostId = "2842298f"; + system.stateVersion = "25.05"; } diff --git a/secrets/cert.yaml b/secrets/cert.yaml index a136553..3bea4e4 100644 --- a/secrets/cert.yaml +++ b/secrets/cert.yaml 
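Review bot: The `hosts/vaultwarden/state.nix` hunk drops the ext4 and vfat by-uuid filesystems, adds a ZFS `networking.hostId` and moves `system.stateVersion` from "23.11" to "25.05", which is only appropriate for a freshly installed system, so together with the `hosts/vaultwarden/configuration.nix` hunk on this line (swapfile removed, `zfs-impermanence.nix` and `impermanence.nix` imported) this reads as a reinstall rather than an in-place change. Nothing in the diff shows how the existing Vaultwarden state under `/var/lib/vaultwarden` (sqlite database, attachments, the service's RSA key files) reaches the new `/persist` dataset, and losing that directory means every user's vault is gone, so a verified backup taken before the redeploy and a restore step afterwards should be part of this change or its runbook. A short comment next to `networking.hostId`, e.g. `# reinstalled on zfs-impermanence; previous ext4 state restored into /persist/var/lib/vaultwarden`, would record the intent for the next reader.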
@@ -5,47 +5,47 @@ sops:
 - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQ0huSVlESFN6dk00YnRq
- Y2tnZWY5ckhhQm50ZkR4bVFhMm40K1RiSjIwCmpZdW8yd25DdExKdkxpSXIxenhX
- RDF3U1V0cGtyRnZyaUVENXBCb240M3cKLS0tIHJHVW1lVlphSkRUZUtDa01aazZy
- SlExRXo1SFQ5aEhMYTRpRHVOaFpaQUkKdACxrioEcvctW5aeln8moVaN+ZS0nVl/
- hB1yp+O1e1vIaafITck4+2eby1Nwrq5eowQkjaz5QyO0M12wbxCg3A==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTM09sR3h5Q0ZpajdYMnRl
+ d0tQM09MYm1NcDdTajkzZFlNNTNnYlZuQlhVCjQzbHNHWWQ1azlVWXh5STNGRFo2
+ cFp2SStGMEJVazFkVkNiL1NoOVVyWk0KLS0tIC81aU5ybTgvN0pEUGZNVE8xdjkv
+ OVlKOXJmbCtWa0NpcmtLNE41b0YrZWcKIaGGlj8JRRHfpF6Vr1fbJA4VWZCUGt/T
+ ELrYGQoxCUrcZ5o9uvI0Ki+BGCOiOJ7qOsG0hkXQl46MI3OE+UgGnQ==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1cws8uzhg9qyxpjnw9w0mvalvqu3ttnnrn5r3eeczk4wcj86vnqgslzmzjp
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZDUweFRvOVNOZUE3MWRo
- QXNxc1lJRTlqcCt6SU5nRVRHZDg4QW9POFR3CjFWV21VTlBCcGRJQlVGbGpvd0Y5
- NGFuRVZCN3JFNUN1cW1hcm5YUEJhb0UKLS0tIGlReUhFR0ZDNnJsOVJQeFEyVWtr
- ajJXQVVQRW84Y1owMElOZURmSnlLZDAKu0Q+Q/Pj25tp6mxKUak63S9xLN7yXQ4w
- g15Ly4kU2d1dr07DXVgayLuGPtrsCUzcBkoPBhB7KR3XlOEZq1kCfQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYlJEWXl4Ym5hNDRyOW82
+ WmwvbXdrQTVUVElUTGFhTmw4bFg2NThLWGdvClFqR0orNE5QSWhtancwR2NTWElz
+ QUN3YmpwVnNUUnZtOHAvblRER3ZGNjgKLS0tIGNFU2F6a1dxbjdCYlpwWDlUOTdp
+ TjJEUEMxeU5kczZJdGtaVlU2cVY1WVUKkK55TM6wt8mjSPs9Et/8L0uqk584KN5b
+ IETi/iTeDlSPO06KM24eybiIrKBu+S0ZgqXgRCnOLHAz0LSdJVPHEw==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzR01TVlE4VTdMQmhwNDM5
- K0tWbTU1eDFUWmh6d3V4UUdkL0RNYlBDUlhvCnY1cXkzRnB2WmVKalp6N2dKU1du
- c1BHRDQ5VGZCRzdDT3VVMEoxYm16bU0KLS0tIEpzVDdrUzRWL2tRNnc2SUxzT0dz
- bXRGOGJ1MUc0WnFBRlFzelVLZnFES0kKCsBBiG3dweP6DV5neaGDW6bLugHm8TIj
- 7eh1EpkBbxLEwEvI9sriE98EAarBmHR2n7MqTQRDZ4zN9QjkrqDtYQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkT1JaL05GK0psYjBsVHB0
+ YlRVY1lQR2Fyck1GN3FvOStxOVRmTXE3R0dzClBRNW9YNXJWeDEwTUhPakdvTGFM
+ Y0p2eXBLUU5MRHl5aklWWmpaUjZEb2sKLS0tIEJrdVV6SkFWZW1uZWFybENmak42
+ U2RYOUNnOHdWcG0zakkxZGVrdDVTVUEKZ8sOwUBgAWVBOrqxefxvyea8fXnLfbZZ
+ 4KkxdodeA/g7ztu6zeqpTV6pM+ltILjsEw1woG18u8RHKDspw8LarQ==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbUwxWGtYYWg4enhta21n
- LzJEMFVBN2lDUzZYT1dnNzZra3EveWNJSEVvCkJQbklhUHNyY3Evd2lXNmpDSGpl
- RVM5Y1VJWjZvLzJucEhteWNiRzF5M2sKLS0tIEFybW9IUHE2SENGcE1LTHE0Mmd5
- RDI3V0dwR0x3UGpVdk5PV0F4Nm5TUFkK5Dh/RsDu3+/a2GIftfHrA0+xxaHg1awr
- mbPCPVZW+2mRS+J21jIcZZK5Wxm/SbSYQOfUDUSbjyORWHIugGQ3xQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdE1hbWhTMitzUW90NmxW
+ eFk2WlY0dlB4UjRQWkZzOE0zSHJLWi9NM2p3CklmV2dtZXNHWjcrTkpZZjRBRVBP
+ R3RUREdyTDJVVGxBbGx1eUgvcEJEL1EKLS0tIGJSbFdseUY4TWZHUGREcWtFc282
+ Y3F3a2pWQlRSa2NlZ2hVVXpVQkZIMzgKtTzX7BR9ajpVZ/liDgBNwfsxjTCVuycd
+ L0oLVvEyUlpWPAqVL8JgJuFLIlA5dwPzLkmxdbUlQOEdVkbc8OGJ/Q==
 -----END AGE ENCRYPTED FILE-----
- - recipient: age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
+ - recipient: age1d3dnansjhwtzj7pylk0nadg5jkqvzfe7zqs9rhx3yeerzwxyp4esxxsy7y
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdjBqa3lrYmlJZ0Nzb3ZV
- eE51SmFpZjRhV2VtS1FId2xmNnl1M0VQczNjCm04Vk1EbkU1RisvczhkSXVPaU1z
- MVV4UTJCRmtSdHM2Q0dTaVVFMkVuTVkKLS0tIGRQV0RBMTg4NWJIUWNSMFhlbm9C
- djh6aXpLa2NILzdoS01uYXpEbUovNEUKI4K86hhFtHQpDo7pNGocT5Iyq618y39L
- 0eBWGCaYgCUOF86LGPKwlkgadSFkvkCOnPrJSs1VnL+4u1332UBM8w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTW9JZnd2dHZWT05DbHUy
+ cnpKOU9nc0lxWVBEOFozT0xNV3J1Ukx5KzA0ClNhR3NQKzN1TlU4eDdacnBQcjJn
+ SWE4TWpUR1JrZ29SUjc1akRkS0lvYWsKLS0tIFhaNktXRUR0VUZSTTd4QytKT1Jx
+ NmFpWVNKRENSYkNWcVk2M3RIYmtpSmMKBfzyOjjoCRsvTUX34PiGEIJ0ETJjq5ZR
+ qsxGOTOrG9FMv9slfvWPOaMnDeJCQc2CZS0b0EqfNg/eFzFxG/jOuw==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2025-06-22T22:15:42Z"
 mac: ENC[AES256_GCM,data:BK0dsImd1ClVYdR7xHksz4FzfXcRpN5uSME0TCX9rvA0R59sGzdRjab02xVOfPkkHbAxj7WN6LRxB/nzTVNS6rk8xe004tVnbYjbc21gqqGW3sH5rdX/VqvsB2JJo5CfxXbTHRccjnzWAOzTxylfG4ILxNZvOJRX/rKFzUJKsxE=,iv:Uc8tAAhFLeXetMbgpjvmYCYftlQrU+D8fwEYtBN1KEM=,tag:v+ld334czS0hYVW7YWwB6A==,type:str]
diff --git a/secrets/vaultwarden.yaml b/secrets/vaultwarden.yaml
index 4949090..ee96aaa 100644
--- a/secrets/vaultwarden.yaml
+++ b/secrets/vaultwarden.yaml
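Review bot: Only the age recipient wrapping changed in this hunk — `lastmodified` and `mac` are context lines and the encrypted values above the hunk are untouched — so the file's data key was re-wrapped for the new vaultwarden host key but not rotated, and the same holds for the `secrets/vaultwarden.yaml` hunk further down. The wrapped copy for the retired recipient `age1g9xu0m2…` remains in git history, so any holder of the old host's identity can still decrypt the current ciphertexts in both files. If the old key may have been exposed, or simply to make the key change in `.sops.yaml` a complete rotation, re-encrypt under a fresh data key with `sops --rotate --in-place secrets/cert.yaml` and `sops --rotate --in-place secrets/vaultwarden.yaml`, and consider rotating the underlying values (e.g. `smtp-pass`) as well.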
@@ -5,20 +5,20 @@ sops: - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z0lZRSs3ZjN3aEUzNHk0 - WDZlTEpmWDZSMzNaN0dTMGQxOUtnWmI1SmprCnhyZWw0dnc0VFRKVW5kSDZnY2du - UUJvZXNJVDVZNzBrODBHNnIwcU01YmcKLS0tIDdtS0hJM3RTSE5nN3k5VnNWQnRJ - NHNJSGl0eUJqRlhONjFyS3FPYTFnR00KSMkGMpGvo9TzttkLWfEAx6/dwVmoE5ku - 5LqbhxaorIuDopJamCW1kFTDrdqrC51xsxzILoP7vjZk/X5UjNxbiQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVTNtWE05aW5kcWtaRjJ5 + dmFvcGkvZmNRaTNsUVlXb1lSWDdHZEJJR25FCkIxRlA2U2dQdDBvMklOaWJDVlYw + WUNBN1BOZjlLYU56UldxaDNBRTN0NEEKLS0tIEJ1NGV0TXlOSmJseEo3MlJyN2JO + cjk2eWlCSzliLzhiSU9QYzFnb1k2ajgKxGiG5M29Vk/c14LxaHMkZbqSjGTiQ3+8 + Z1IN6hRY58lM1cPtsF9cn8pVuWssE3Rr1FLw8QhNpGJ6uxdkS6yH2Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 + - recipient: age1d3dnansjhwtzj7pylk0nadg5jkqvzfe7zqs9rhx3yeerzwxyp4esxxsy7y enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNzk0dTdnUkF0dnNaeHJU - dEE3Qy9YbU10Y2kxaVBvcFdhakNFaUVZb3dVCnlLanlZS3JNRFFaQW9YdElSdVRG - Ukl3K0dieDZ0b21FZnRObmh4Uk54SU0KLS0tIEhKMDdGTE1OeW9MVWlMN01RdkVj - cGw5c2ZFeUFlNG1iVlJRSU0ybm5nak0KjDTs2Ni3X2danaXioJrkZdF/Q6367buY - TTBICi2pfaWBj8gsKJfh02t2dW8tnFe10bw8eg/UGtCBWR9ZTAp3cA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwT2JLK0dSVVFXWGN3RlEy + aldWbmRyenRkTDVJTzlOUWQ2TnZ3M3lkekRVCkxrRXdpdGpCSlgrNENScXFoelNq + bzJvSHhwaU5GVSs3NzgrQVRGTDdhVWcKLS0tIEw2UXdsL1NDdkVTZjNleUVYQmZM + Wkl3M1NKOHF6Q1F2d2JRWExRS2VkcU0KD9RVjY6Wu0bwmujR5F6aHCSRupX+8E/t + Wl4dgo0xcj8SHz4WdkDynKwpZvfuB0+t3vtcFg3r1O2JEVDtkdBCpA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-06-21T12:35:15Z" mac: 
ENC[AES256_GCM,data:IM827nPacOaI0sU4XzBxG0UEWxR7S3N5Frjqi4YMI9A96KHsBh6N9UYB3oSmmmKr7dlShEQUZwbNJG33KlV3AYLoJ+8FpkZx5ZB8aQZVkgk4w0YSfEO3zKDUmk9boeFP86bubzm3yU9USdy+DOtgfxRG5sCPnWooqiau8s3mjDs=,iv:ZU+Z3h7r7yjptyPahfOyw9di2+bob2EQPKPryau74gA=,tag:0CpJYkUXyKC5TxfmKpYiVQ==,type:str] diff --git a/servers/vaultwarden.nix b/servers/vaultwarden.nix index f96826e..1635003 100644 --- a/servers/vaultwarden.nix +++ b/servers/vaultwarden.nix @@ -5,6 +5,15 @@ ./utils/cert-store-client.nix ]; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/vaultwarden"; + user = "vaultwarden"; + group = "vaultwarden"; + mode = "u=rwx,g=,o="; + } + ]; + sops = { secrets = { smtp-pass = { diff --git a/shared/base.nix b/shared/base.nix index f26da08..38d5574 100644 --- a/shared/base.nix +++ b/shared/base.nix @@ -34,24 +34,6 @@ ssss ]; - ######################################## Impermanence ########################################### - environment.persistence."/persist" = { - enable = lib.mkDefault false; - hideMounts = true; - - files = [ - "/etc/machine-id" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_ed25519_key" - ]; - - directories = [ - "/var/lib/systemd/timers" - "/var/lib/nixos" - "/var/log" - ]; - }; - ######################################## ZSH configuration ###################################### users.defaultUserShell = pkgs.zsh; environment.shells = with pkgs; [ zsh ]; diff --git a/shared/hardware/impermanence.nix b/shared/hardware/impermanence.nix index 26432ce..e6215fc 100644 --- a/shared/hardware/impermanence.nix +++ b/shared/hardware/impermanence.nix 
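Review bot: With impermanence now enabled for this host, `/var/lib/vaultwarden` is the only service path in the `servers/vaultwarden.nix` hunk that survives a reboot; if `services.vaultwarden.backupDir` or any other path the service writes is configured in the part of this file outside the hunk, it needs an entry in this list too, otherwise those files silently vanish at the next boot. The entry could carry a one-line reason, e.g. `# impermanence: Vaultwarden's sqlite db, attachments and RSA keys live here; owner-only`, so the restrictive `mode` is not loosened later by accident. The enclosing attrset begins and ends outside the hunk.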
@@ -1,5 +1,23 @@ { lib, ... }: { + # Default set of directories we always want to persist + environment.persistence."/persist" = { + enable = true; + hideMounts = true; + + files = [ + "/etc/machine-id" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_ed25519_key" + ]; + + directories = [ + "/var/lib/systemd/timers" + "/var/lib/nixos" + "/var/log" + ]; + }; + fileSystems."/persist".neededForBoot = true; services.zfs = {
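Review bot: `enable = true;` replaces the `lib.mkDefault false` that `shared/base.nix` set until this commit, so a host that still assigns `environment.persistence."/persist".enable` itself now gets a conflicting-definition error unless it uses `lib.mkForce`, and there is no longer a way to import this module with persistence switched off. If that opt-out is worth keeping, write `enable = lib.mkDefault true;` — `lib` is already in the module's argument pattern. The leading comment could also say what the block is for, e.g. `# Baseline state every impermanence host keeps: host identity (machine-id, SSH host keys, which also back the sops age identity if that is how it is derived) plus the stateful directories NixOS itself relies on`. The enclosing attrset continues past the hunk (`services.zfs = {` is left open).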