Migrate cert-store to disko+impermanence

This commit is contained in:
Vili Sinervä 2025-06-30 00:57:27 +03:00
parent 7e05e5ddc0
commit bab875ce72
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
15 changed files with 134 additions and 227 deletions


@ -2,7 +2,7 @@ keys:
- &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
- &lithium age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk
- &cert-store age1at6mfmg4nyw79f3gfzqflgwv3d9hxya7uvfu30aqr8djqwjp2yeq7kz3vz
- &cert-store age1z66g62uxyhjvs44hu34zu7e8nx2r3ry7mrdeacx85g9jjhw9nquqy9esn7
- &cert-store-age age1cws8uzhg9qyxpjnw9w0mvalvqu3ttnnrn5r3eeczk4wcj86vnqgslzmzjp
- &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
- &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
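Review bot: Replacing the `&cert-store` recipient re-wraps the existing data key rather than replacing it: in the secrets/cert.yaml section further down, the `lastmodified` and `mac` lines are unchanged and only the per-recipient `enc` blocks differ, which is what `sops updatekeys` produces. The host key removed here can therefore still recover the current data key from the pre-commit copy of that file in git history, should the old key material survive on the previous disk image, a snapshot or a backup. If that cannot be ruled out, rotate the data key after updating recipients with `sops rotate -i secrets/cert.yaml` (older sops: `sops -r -i secrets/cert.yaml`) and treat the stored certificate key as due for reissue. Any other secrets files that list `*cert-store` presumably need the same treatment; only cert.yaml is visible in this commit.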


@ -1,8 +1,15 @@
{ ... }:
{ lib, ... }:
{
environment.persistence."/persist".enable = true;
swapDevices = lib.mkForce [ ];
imports = [
../../shared/base.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../shared/disko/zfs-impermanence.nix
../../servers/acme-cert-store.nix
];
}
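Review bot: Nothing in this file persists the SSH host keys, yet the new `&cert-store` age recipient in `.sops.yaml` is presumably derived from this host's `/etc/ssh/ssh_host_ed25519_key`; if the keys are regenerated on every boot, secret decryption breaks after the first reboot. If `../../shared/hardware/impermanence.nix` already lists `/etc/ssh` (or the key files) under `files`/`directories` that is fine, but it cannot be confirmed from this commit. Consider stating the dependency here, e.g. `# host SSH keys (the sops age identity) are persisted by shared/hardware/impermanence.nix`, or listing the key files explicitly in this module. The `swapDevices = lib.mkForce [ ]` line only makes sense against the swap definition in the shared vm.nix; a one-line comment saying so would help the next reader.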


@ -1,39 +1,5 @@
{ lib, modulesPath, ... }:
{ ... }:
{
networking.hostId = "ba4814a6";
system.stateVersion = "24.11";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/301cf8bf-93f0-4ba6-b14f-b7be94b075a0";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/9E16-9A5D";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,25 +1,4 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "25.05";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,24 +1,7 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "24.11";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/6de79a95-d101-4734-8482-1e0869498ce8";
fsType = "ext4";
@ -32,8 +15,4 @@
"dmask=0077"
];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,25 +1,7 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "24.11";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/22c7a7ae-cedc-43db-b4f1-d591466d8f60";
fsType = "ext4";
@ -38,8 +20,4 @@
device = "/dev/disk/by-uuid/dec871b2-5727-486c-978a-8bb2279bd2b8";
fsType = "ext4";
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,24 +1,7 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "24.11";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/aaebdb14-a988-4cf8-bb33-f22419d55fbe";
fsType = "ext4";
@ -37,8 +20,4 @@
device = "/dev/disk/by-uuid/634b600c-8d3e-4021-906a-f00b7750e61e";
fsType = "ext4";
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,24 +1,7 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "23.05";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/428cdba7-04a8-4e69-992a-96aa197cd6c7";
fsType = "ext4";
@ -32,8 +15,4 @@
"dmask=0022"
];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,4 +1,4 @@
{ lib, modulesPath, ... }:
{ lib, ... }:
{
networking.hostId = "f1636fe0";
networking.networkmanager.enable = lib.mkForce false;
@ -26,23 +26,4 @@
grub.enable = true;
};
system.stateVersion = "25.05";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,24 +1,7 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "22.11";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/895d2004-3bd2-4bc5-bb46-62f94a0a68e3";
fsType = "ext4";
@ -37,8 +20,4 @@
device = "/dev/disk/by-uuid/d08136ed-7950-412c-bcf6-7c6e9f015e47";
fsType = "ext4";
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,24 +1,7 @@
{ lib, modulesPath, ... }:
{ ... }:
{
system.stateVersion = "23.11";
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/22f0fb39-e264-450d-b575-9dedd2a02361";
fsType = "ext4";
@ -28,8 +11,4 @@
device = "/dev/disk/by-uuid/A604-6A7B";
fsType = "vfat";
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -5,20 +5,20 @@ sops:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndkh1anJaR0l6dXhBRUhG
RVYxL1BMWUdscFhha0orWVNOMnZQU2ZZTDNnCkpvRlJJTHpMOUZTY2tkUmpjWThP
TzJxVVRWdTJEd08vUkFYWXNBRURpbWMKLS0tIFJSVC8wRDNKanZ5Y1F4QmZoOEhZ
MW5HcHhOSDdpOGttSWxrUW1NSVlaeWcKThXXIIBjL5dfUV+0L7fR3xPToND3mzVE
W3GcwU+muQObNsqR8F2EnbUdklpiUz//VmfbxyQA8+BU8DgfQlJkHw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKczdMTHNtaDdCVG5XNWV3
SGhoYTRyNnh3TUJKYmhvTlh3dlU4SThjRmwwCjE0a1ltMEJ1UjdTaUhGVHc5cHhn
V1NZWko2Mm4wWnRmdFZ3TVdSNGVjd0kKLS0tIGhXN0NvKzFiS3llN3QwYjRCNU85
enVpUDZhNEd4OCsySDZnSmIrRGlNaW8KTDI/B+JR5FO3h1kjEzC7PGn0WCsFKO6F
Efgr1f5PdyaNZOGgnWm1GarH9WeFSPX57q+p+z6xU+DU7xv72oH6Uw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1at6mfmg4nyw79f3gfzqflgwv3d9hxya7uvfu30aqr8djqwjp2yeq7kz3vz
- recipient: age1z66g62uxyhjvs44hu34zu7e8nx2r3ry7mrdeacx85g9jjhw9nquqy9esn7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBobnJoaHY5aTM4WUludm9w
NjQ4eTBqOXZFZExzRjN1RWxMK21ibmVKTmpJCk9mTi81d050dThobDZuekczd2Vj
N21xaU83a3plTUVhb3BLYlpBQVA3OVkKLS0tIE0rTXFGYWxXSU1Eb21FbDhTK2xK
VEhpK3RVaXArOG51R3NUMy9YNk96MDQKLZyN5DKnu3nL2A2QTo4gM4JccbIFFDnv
oK+6EgWR0xEm0baFoYnC9AEmM8gxuH3V3dLfteFb/QN3+F+rsW01uQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFcyWU1FTTBHa2YxeGVZ
NG93RVFCUVNpNWJQVVp5QXpUbzl0cFV5SDFRCjFiQjcrN0JkRTVNSFRtelVqa3g1
bnE2QldHeHV6Mm1UR01EcG16MXZzaVkKLS0tIDF5QkVhVVNIbllHSExXRVYzSW0y
dEw0eC9vQ09UYUxVYlByZ3U1MW5RQTAKjRYBemgMpjuO7kIgWWY/dIngE+oWJoaI
8WJ1n7QqrOo5Q3tBFcSbQc0dR5AGSo5itZzPBsDjS7e4fIz3DrPJOQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-22T21:06:19Z"
mac: ENC[AES256_GCM,data:721h9RrvnmUmIIpp02tLqlkF0Nx4Fmy36pMagqg9wo7xP8gtauEwE8FYOQWsrqo6vJTv1G+nzMRoorRrRodPuvYHBzxvxgNVacU4bzD5zN9v+wz/HEgbB+YIDKeOAY3/8Sjf5BrZdaN/75GNJUtYX8EVpUy9m9Y/WqtP3OWHTsA=,iv:jYXah33gFURc0+AbaHoBpsoWhBNJaBkie7Hc8Gz8qco=,tag:j96I6pH4xSUhocEpEr586Q==,type:str]


@ -8,8 +8,8 @@ let
${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
cp ${config.users.users."cert-store".home}/acme/-.vsinerva.fi/fullchain.pem ./new-fullchain
cp ${config.users.users."cert-store".home}/acme/-.vsinerva.fi/key.pem ./new-key
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
if ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
echo "Old and new fullchain are the same, skipping!"
@ -45,6 +45,14 @@ in
};
};
environment.persistence."/persist".directories = [
{
directory = "/home/cert-store";
user = "cert-store";
group = "users";
mode = "u=rwx,g=,o=";
}
];
users.users."cert-store" = {
isNormalUser = true;
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
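Review bot: The new persistence entry only covers `/home/cert-store`; if `security.acme` still keeps its account and order state under `/var/lib/acme` (the old copy path at the top of the hunk suggested the certificate output lived under the user's home, the new path less so), that state is discarded on every boot and each reboot triggers a fresh issuance, which runs into CA rate limits. Where the ACME state actually lives is not visible in this hunk, so this is a point to verify rather than a confirmed defect. Either add `"/var/lib/acme"` to the `directories` list or add a comment stating that the ACME state is intentionally ephemeral. The `users.users."cert-store"` attrset continues past the end of the hunk.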


@ -0,0 +1,72 @@
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
name = "boot";
type = "EF00";
size = "512M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
rootFsOptions = {
canmount = "off";
compression = "zstd";
};
datasets = {
root = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
postCreateHook = "zfs snapshot zroot/root@blank";
};
nix = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
persist = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"com.sun:auto-snapshot" = "true";
};
mountpoint = "/persist";
};
home = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"com.sun:auto-snapshot" = "true";
};
mountpoint = "/home";
postCreateHook = "zfs snapshot zroot/home@blank";
};
};
};
};
};
}
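Review bot: `device = "/dev/sda"` is hard-coded in a module that host configs import, so every host using `zfs-impermanence.nix` must have its disk enumerate as sda; a stable `/dev/disk/by-id/...` path, or an option hosts can override, avoids formatting the wrong disk when enumeration order changes. The `home` dataset gets both a `@blank` snapshot and `"com.sun:auto-snapshot" = "true"`, while `/home/cert-store` is persisted through `/persist` in acme-cert-store.nix; whether `/home` is meant to be rolled back at boot like `root` (then auto-snapshot is pointless) or kept (then the `/persist` bind mount shadows it) is not clear from this file, and a comment giving the intended lifecycle of each dataset would settle it. The pool is created without `encryption`; for a host whose purpose is holding TLS private keys, either enabling ZFS native encryption or recording that the hypervisor encrypts the VM disk is worth stating explicitly. The rollback to `zroot/root@blank` is presumably wired up in shared/hardware/impermanence.nix, which is outside this commit.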


@ -1,4 +1,4 @@
{ ... }:
{ lib, modulesPath, ... }:
{
swapDevices = [
{
@ -8,4 +8,25 @@
];
services.qemuGuest.enable = true;
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
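Review bot: The shared `boot.initrd.availableKernelModules` list and `boot.kernelModules = [ ]` replace per-host lists that were not identical: most of the removed host files had `boot.kernelModules = [ "kvm-amd" ]` and one had `"xhci_pci"` in its initrd list, and neither appears here. Dropping `kvm-amd` only matters if a host relies on nested virtualisation; dropping `xhci_pci` could leave that host without USB input in the initrd, which would go unnoticed until a rescue is needed. Adding `"xhci_pci"` to the shared initrd list is harmless (modules are only loaded when matching hardware exists), and hosts that need `kvm-amd` can set `boot.kernelModules = [ "kvm-amd" ];` in their own config; a comment noting that this list is the union of the previous per-host lists would make future drift visible. The attrset this hunk closes starts in the file's first hunk.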