diff --git a/.sops.yaml b/.sops.yaml
index 2a94999..b6c1cd4 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,7 +2,7 @@ keys:
 - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
 - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
 - &lithium age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk
- - &cert-store age1at6mfmg4nyw79f3gfzqflgwv3d9hxya7uvfu30aqr8djqwjp2yeq7kz3vz
+ - &cert-store age1z66g62uxyhjvs44hu34zu7e8nx2r3ry7mrdeacx85g9jjhw9nquqy9esn7
 - &cert-store-age age1cws8uzhg9qyxpjnw9w0mvalvqu3ttnnrn5r3eeczk4wcj86vnqgslzmzjp
 - &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
 - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
diff --git a/hosts/cert-store/configuration.nix b/hosts/cert-store/configuration.nix
index ea28884..de3ae0a 100644
--- a/hosts/cert-store/configuration.nix
+++ b/hosts/cert-store/configuration.nix
@@ -1,8 +1,15 @@
-{ ... }:
+{ lib, ... }:
 {
+ environment.persistence."/persist".enable = true;
+ swapDevices = lib.mkForce [ ];
 imports = [
 ../../shared/base.nix
+
+ ../../shared/hardware/impermanence.nix
 ../../shared/hardware/vm.nix
+
+ ../../shared/disko/zfs-impermanence.nix
+
 ../../servers/acme-cert-store.nix
 ];
 }
diff --git a/hosts/cert-store/state.nix b/hosts/cert-store/state.nix
index a5a8d61..2ff20e3 100644
--- a/hosts/cert-store/state.nix
+++ b/hosts/cert-store/state.nix
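Review bot: With `environment.persistence."/persist".enable = true;` the root dataset is presumably rolled back to its `@blank` snapshot on every boot, yet nothing in this hunk persists the identity behind the freshly rotated `age1z66…` recipient in `.sops.yaml`; if that age key (or the SSH host key it is typically derived from) lives under `/etc/ssh` or `/var/lib/sops-nix` on the ephemeral root, it is regenerated at the next reboot and `secrets/cert-store.yaml` becomes undecryptable on the host. `shared/hardware/impermanence.nix` is not part of this diff and may already handle it; if it does not, add `environment.persistence."/persist".files = [ "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" ];` (or the equivalent directory entry) beside the `enable = true;` line. A one-line comment on `swapDevices = lib.mkForce [ ];` noting that it overrides the swap entry declared in `shared/hardware/vm.nix` would also save the next reader a grep.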
@@ -1,39 +1,5 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
+ networking.hostId = "ba4814a6";
 system.stateVersion = "24.11";
-
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/301cf8bf-93f0-4ba6-b14f-b7be94b075a0";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/9E16-9A5D";
- fsType = "vfat";
- options = [
- "fmask=0077"
- "dmask=0077"
- ];
- };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/ci/state.nix b/hosts/ci/state.nix
index ef43817..90e6bcd 100644
--- a/hosts/ci/state.nix
+++ b/hosts/ci/state.nix
@@ -1,25 +1,4 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "25.05";
-
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/forgejo/state.nix b/hosts/forgejo/state.nix
index 82ab26a..7fc935e 100644
--- a/hosts/forgejo/state.nix
+++ b/hosts/forgejo/state.nix
@@ -1,24 +1,7 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "24.11";
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/6de79a95-d101-4734-8482-1e0869498ce8";
 fsType = "ext4";
@@ -32,8 +15,4 @@
 "dmask=0077"
 ];
 };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/gaming/state.nix b/hosts/gaming/state.nix
index 73748f0..f177860 100644
--- a/hosts/gaming/state.nix
+++ b/hosts/gaming/state.nix
@@ -1,25 +1,7 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "24.11";
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "xhci_pci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/22c7a7ae-cedc-43db-b4f1-d591466d8f60";
 fsType = "ext4";
@@ -38,8 +20,4 @@
 device = "/dev/disk/by-uuid/dec871b2-5727-486c-978a-8bb2279bd2b8";
 fsType = "ext4";
 };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/idacloud/state.nix b/hosts/idacloud/state.nix
index 7bf990f..42293a5 100644
--- a/hosts/idacloud/state.nix
+++ b/hosts/idacloud/state.nix
@@ -1,24 +1,7 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "24.11";
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/aaebdb14-a988-4cf8-bb33-f22419d55fbe";
 fsType = "ext4";
@@ -37,8 +20,4 @@
 device = "/dev/disk/by-uuid/634b600c-8d3e-4021-906a-f00b7750e61e";
 fsType = "ext4";
 };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/nextcloud/state.nix b/hosts/nextcloud/state.nix
index 9f49631..8a46c46 100644
--- a/hosts/nextcloud/state.nix
+++ b/hosts/nextcloud/state.nix
@@ -1,24 +1,7 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "23.05";
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/428cdba7-04a8-4e69-992a-96aa197cd6c7";
 fsType = "ext4";
@@ -32,8 +15,4 @@
 "dmask=0022"
 ];
 };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/siit-dc/state.nix b/hosts/siit-dc/state.nix
index 3654001..ce30adf 100644
--- a/hosts/siit-dc/state.nix
+++ b/hosts/siit-dc/state.nix
@@ -1,4 +1,4 @@
-{ lib, modulesPath, ... }:
+{ lib, ... }:
 {
 networking.hostId = "f1636fe0";
 networking.networkmanager.enable = lib.mkForce false;
@@ -26,23 +26,4 @@
 grub.enable = true;
 };
 system.stateVersion = "25.05";
-
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/syncthing/state.nix b/hosts/syncthing/state.nix
index eef4aba..e2961fb 100644
--- a/hosts/syncthing/state.nix
+++ b/hosts/syncthing/state.nix
@@ -1,24 +1,7 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "22.11";
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/895d2004-3bd2-4bc5-bb46-62f94a0a68e3";
 fsType = "ext4";
@@ -37,8 +20,4 @@
 device = "/dev/disk/by-uuid/d08136ed-7950-412c-bcf6-7c6e9f015e47";
 fsType = "ext4";
 };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/hosts/vaultwarden/state.nix b/hosts/vaultwarden/state.nix
index 931558c..e66c6e8 100644
--- a/hosts/vaultwarden/state.nix
+++ b/hosts/vaultwarden/state.nix
@@ -1,24 +1,7 @@
-{ lib, modulesPath, ... }:
+{ ... }:
 {
 system.stateVersion = "23.11";
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/22f0fb39-e264-450d-b575-9dedd2a02361";
 fsType = "ext4";
@@ -28,8 +11,4 @@
 device = "/dev/disk/by-uuid/A604-6A7B";
 fsType = "vfat";
 };
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
diff --git a/secrets/cert-store.yaml b/secrets/cert-store.yaml
index 4a584ab..8ef082c 100644
--- a/secrets/cert-store.yaml
+++ b/secrets/cert-store.yaml
@@ -5,20 +5,20 @@ sops:
 - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndkh1anJaR0l6dXhBRUhG
- RVYxL1BMWUdscFhha0orWVNOMnZQU2ZZTDNnCkpvRlJJTHpMOUZTY2tkUmpjWThP
- TzJxVVRWdTJEd08vUkFYWXNBRURpbWMKLS0tIFJSVC8wRDNKanZ5Y1F4QmZoOEhZ
- MW5HcHhOSDdpOGttSWxrUW1NSVlaeWcKThXXIIBjL5dfUV+0L7fR3xPToND3mzVE
- W3GcwU+muQObNsqR8F2EnbUdklpiUz//VmfbxyQA8+BU8DgfQlJkHw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKczdMTHNtaDdCVG5XNWV3
+ SGhoYTRyNnh3TUJKYmhvTlh3dlU4SThjRmwwCjE0a1ltMEJ1UjdTaUhGVHc5cHhn
+ V1NZWko2Mm4wWnRmdFZ3TVdSNGVjd0kKLS0tIGhXN0NvKzFiS3llN3QwYjRCNU85
+ enVpUDZhNEd4OCsySDZnSmIrRGlNaW8KTDI/B+JR5FO3h1kjEzC7PGn0WCsFKO6F
+ Efgr1f5PdyaNZOGgnWm1GarH9WeFSPX57q+p+z6xU+DU7xv72oH6Uw==
 -----END AGE ENCRYPTED FILE-----
- - recipient: age1at6mfmg4nyw79f3gfzqflgwv3d9hxya7uvfu30aqr8djqwjp2yeq7kz3vz
+ - recipient: age1z66g62uxyhjvs44hu34zu7e8nx2r3ry7mrdeacx85g9jjhw9nquqy9esn7
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBobnJoaHY5aTM4WUludm9w
- NjQ4eTBqOXZFZExzRjN1RWxMK21ibmVKTmpJCk9mTi81d050dThobDZuekczd2Vj
- N21xaU83a3plTUVhb3BLYlpBQVA3OVkKLS0tIE0rTXFGYWxXSU1Eb21FbDhTK2xK
- VEhpK3RVaXArOG51R3NUMy9YNk96MDQKLZyN5DKnu3nL2A2QTo4gM4JccbIFFDnv
- oK+6EgWR0xEm0baFoYnC9AEmM8gxuH3V3dLfteFb/QN3+F+rsW01uQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFcyWU1FTTBHa2YxeGVZ
+ NG93RVFCUVNpNWJQVVp5QXpUbzl0cFV5SDFRCjFiQjcrN0JkRTVNSFRtelVqa3g1
+ bnE2QldHeHV6Mm1UR01EcG16MXZzaVkKLS0tIDF5QkVhVVNIbllHSExXRVYzSW0y
+ dEw0eC9vQ09UYUxVYlByZ3U1MW5RQTAKjRYBemgMpjuO7kIgWWY/dIngE+oWJoaI
+ 8WJ1n7QqrOo5Q3tBFcSbQc0dR5AGSo5itZzPBsDjS7e4fIz3DrPJOQ==
 -----END AGE ENCRYPTED FILE-----
 lastmodified: "2025-06-22T21:06:19Z"
 mac: 
ENC[AES256_GCM,data:721h9RrvnmUmIIpp02tLqlkF0Nx4Fmy36pMagqg9wo7xP8gtauEwE8FYOQWsrqo6vJTv1G+nzMRoorRrRodPuvYHBzxvxgNVacU4bzD5zN9v+wz/HEgbB+YIDKeOAY3/8Sjf5BrZdaN/75GNJUtYX8EVpUy9m9Y/WqtP3OWHTsA=,iv:jYXah33gFURc0+AbaHoBpsoWhBNJaBkie7Hc8Gz8qco=,tag:j96I6pH4xSUhocEpEr586Q==,type:str]
diff --git a/servers/acme-cert-store.nix b/servers/acme-cert-store.nix
index 0d9592b..bb771e4 100644
--- a/servers/acme-cert-store.nix
+++ b/servers/acme-cert-store.nix
@@ -8,8 +8,8 @@ let
 ${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
 ${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
- cp ${config.users.users."cert-store".home}/acme/-.vsinerva.fi/fullchain.pem ./new-fullchain
- cp ${config.users.users."cert-store".home}/acme/-.vsinerva.fi/key.pem ./new-key
+ cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
+ cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
 if ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
 echo "Old and new fullchain are the same, skipping!"
@@ -45,6 +45,14 @@ in
 };
 };
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/home/cert-store";
+ user = "cert-store";
+ group = "users";
+ mode = "u=rwx,g=,o=";
+ }
+ ];
 users.users."cert-store" = {
 isNormalUser = true;
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
diff --git a/shared/disko/zfs-impermanence.nix b/shared/disko/zfs-impermanence.nix
new file mode 100644
index 0000000..b5e6315
--- /dev/null
+++ b/shared/disko/zfs-impermanence.nix
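Review bot: The recipient change only re-wraps the existing data key: `lastmodified` and the `mac:` line at the end of the hunk are unchanged context, which is what `sops updatekeys` leaves behind, so the same AES-256-GCM data key still protects every value and the retired `age1at6…` identity can recover it from the previous revision of this file in git history and decrypt the current contents. Unless that old private key is known to be destroyed (the cert-store host looks reinstalled in this same commit, but the diff cannot show what happened to the key), follow `updatekeys` with `sops rotate -i secrets/cert-store.yaml` so the data key, `mac` and `lastmodified` all change, and treat the certificate key material inside as exposed if there is any doubt.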
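Review bot: The new `cp … key.pem ./new-key` line, like the `sops -d … --output old-key` extraction two lines above it, drops a plaintext copy of the wildcard private key into the script's working directory with whatever umask and cwd the service inherits, and nothing in the hunk removes it; the script's preamble and tail are outside the hunk, so a `umask 077`/cleanup may exist there, but if not add `umask 077` before the first `sops -d` and `trap 'rm -f old-fullchain old-key new-fullchain new-key' EXIT`. Also, because `/home/cert-store` is now a bind-mount from `/persist`, the new source path will simply not exist until the first ACME run on a fresh install; unless the preamble sets `set -e`, a failing `cp` here lets the following `cmp` run against a missing `new-fullchain`, so a `test -s` guard on both files before the copies is cheap insurance.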
@@ -0,0 +1,72 @@
+{
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ name = "boot";
+ type = "EF00";
+ size = "512M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ canmount = "off";
+ compression = "zstd";
+ };
+ datasets = {
+ root = {
+ type = "zfs_fs";
+ mountpoint = "/";
+ options.mountpoint = "legacy";
+ postCreateHook = "zfs snapshot zroot/root@blank";
+ };
+ nix = {
+ type = "zfs_fs";
+ mountpoint = "/nix";
+ options.mountpoint = "legacy";
+ };
+ persist = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "legacy";
+ "com.sun:auto-snapshot" = "true";
+ };
+ mountpoint = "/persist";
+ };
+ home = {
+ type = "zfs_fs";
+ options = {
+ mountpoint = "legacy";
+ "com.sun:auto-snapshot" = "true";
+ };
+ mountpoint = "/home";
+ postCreateHook = "zfs snapshot zroot/home@blank";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/shared/hardware/vm.nix b/shared/hardware/vm.nix
index a38cdf0..cdc579d 100644
--- a/shared/hardware/vm.nix
+++ b/shared/hardware/vm.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ lib, modulesPath, ... }:
 {
 swapDevices = [
 {
@@ -8,4 +8,25 @@
 ];
 services.qemuGuest.enable = true;
+
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "uhci_hcd"
+ "ehci_pci"
+ "ahci"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
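Review bot: The pool has no native encryption — `rootFsOptions` only sets `canmount` and `compression` — so the `persist` and `home` datasets, which on the cert-store host carry `/home/cert-store` with the wildcard private key (and presumably the sops age identity), sit in plaintext on the backing virtual disk and in every `com.sun:auto-snapshot` snapshot. If the hypervisor's storage is not already encrypted, add `encryption = "aes-256-gcm"; keyformat = "passphrase"; keylocation = "prompt";` (or a file-based key) to `rootFsOptions`, or leave a comment stating why at-rest encryption is delegated to the host. `device = "/dev/sda";` is also a fragile selector under `virtio_scsi`; a `/dev/disk/by-id/…` or `by-path/…` name keeps disko from formatting the wrong disk if a second device ever enumerates first. The `@blank` snapshots are taken for both `root` and `home` but no rollback is declared in this file, so the impermanence module (not in the diff) presumably has to reference both names, not just `zroot/root`.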
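Review bot: The shared module fixes `boot.kernelModules = [ ]` and a single initrd module list, but the per-host `state.nix` files this commit deletes were not identical to it: `cert-store`, `forgejo`, `idacloud`, `nextcloud`, `syncthing` and `vaultwarden` loaded `"kvm-amd"`, and `gaming` had `"xhci_pci"` in `availableKernelModules`, so those guests silently lose nested KVM (`/dev/kvm`) and the gaming VM may lose USB support in the initrd. Dropping `kvm-amd` inside guests is a reasonable attack-surface reduction, but it should be explicit: add a comment above the list such as `# kvm-amd is deliberately not loaded in guests; re-add per host if nested virt is needed`, or restore the entries in the affected hosts. Since these are list options that merge, a host can extend them without `lib.mkForce`; a short comment saying so would keep someone from clobbering the shared set.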