tailscale: update file pathing

.sops.yaml

@@ -15,3 +15,7 @@ creation_rules:
     key_groups:
       - age:
           - *notoh
+  - path_regex: secrets/tailscale/[^/]+\.yaml$
+    key_groups:
+      - age:
+          - *notoh

hosts/default.nix

@@ -6,6 +6,7 @@ inputs: let
   nix-index-Module = inputs.nix-index-database.hmModules.nix-index;
   anyrunModule = inputs.anyrun.homeManagerModules.default;
   agsModule = inputs.ags.homeManagerModules.default;
+  atticModule = inputs.attic.nixosModules.atticd;
   inherit (inputs.nixpkgs.lib) nixosSystem;
 in {
   tsuki = nixosSystem {
@@ -15,6 +16,7 @@ in {
       ./tsuki
       sopsModule
       hmModule
+      atticModule
       {
         home-manager = {
           useGlobalPkgs = true;
@@ -140,6 +142,7 @@ in {
       ./sora
       sopsModule
       hmModule
+      atticModule
       {
         home-manager = {
           useGlobalPkgs = true;
@@ -193,4 +196,24 @@ in {
       }
     ];
   };
+  kaze = nixosSystem {
+    inherit system;
+    specialArgs = {inherit inputs;};
+    modules = [
+      ./kaze
+      sopsModule
+      hmModule
+      {
+        home-manager = {
+          useGlobalPkgs = true;
+          useUserPackages = true;
+          users.notoh = {
+            imports = [
+              ./kaze/home.nix
+            ];
+          };
+        };
+      }
+    ];
+  };
 }

hosts/deploy.nix

@@ -70,5 +70,15 @@ inputs: {
       sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
       magicRollback = true;
     };
+    kaze = {
+      hostname = "";
+      profiles.system = {
+        user = "root";
+        path = activate.nixos inputs.self.nixosConfigurations.kaze;
+      };
+      sshUser = "root";
+      sshOpts = ["-t" "-i" "~/.ssh/forgejo"];
+      magicRollback = true;
+    };
   };
 }

hosts/kaze/default.nix

@@ -0,0 +1,33 @@
+{...}: {
+  imports = [
+    ./hardware.nix
+    ./services
+    ./networking.nix
+    ../../modules
+  ];
+
+  boot.loader = {
+    grub = {
+      enable = true;
+      configurationLimit = 5;
+      device = "/dev/vda";
+      useOSProber = true;
+    };
+  };
+
+  networking = {
+    hostName = "kaze";
+  };
+
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "";
+  };
+
+  users.users.notoh.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4qfqJNxwNg9ryeT/XbjfQyuDKbBAwRn2Lzq3Iq5kA7 kaze"
+  ];
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd8j1+fC/ng7l17rsxugVtlhurUe1ICizwA9lQkSuNY forgejo"
+  ];
+}

hosts/kaze/hardware.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/9cb414ab-0bb4-4db7-b77e-7d2a8cafd657";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/100a4262-ce57-47a7-b99a-f124a8e369de";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/kaze/home.nix

@@ -0,0 +1,14 @@
+{...}: {
+  imports = [
+    ../../home
+  ];
+
+  systemd.user.startServices = "sd-switch";
+  programs.home-manager.enable = true;
+
+  home = {
+    username = "notoh";
+    homeDirectory = "/home/notoh";
+    stateVersion = "23.05";
+  };
+}

hosts/kaze/networking.nix

@@ -0,0 +1,15 @@
+_: {
+  networking = {
+    networkmanager.enable = true;
+    nameservers = ["1.1.1.1"];
+    firewall = {
+      enable = true;
+    };
+  };
+  environment.etc = {
+    "resolv.conf".text = ''
+      nameserver 1.1.1.1
+      nameserver 1.0.0.1
+    '';
+  };
+}

hosts/kaze/services/default.nix

@@ -0,0 +1,4 @@
+_: {
+  imports = [
+  ];
+}

hosts/kaze/services/minio.nix

@@ -3,9 +3,6 @@
   pkgs,
   ...
 }: {
-  imports = [
-    ./davfs.nix
-  ];
   environment.systemPackages = [pkgs.minio-client];
   sops.secrets.minio = {
     owner = "minio";

hosts/kaze/services/tailscale.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-kaze = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "client";
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-kaze.path} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
+    '';
+  };
+}

hosts/sakura/services/tailscale.nix

@@ -4,7 +4,9 @@
   pkgs,
   ...
 }: {
-  sops.secrets.tsauth-sakura = {};
+  sops.secrets.tsauth-sakura = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
   environment.systemPackages = [pkgs.jq pkgs.tailscale];
   services.tailscale = {
     useRoutingFeatures = lib.mkDefault "client";

hosts/sora/services/davfs.nix

@@ -1,20 +0,0 @@
-{pkgs, ...}: {
-  environment.systemPackages = [pkgs.davfs2];
-  users.users.davfs2 = {
-    group = "davfs2";
-    isSystemUser = true;
-  };
-  users.groups.davfs2 = {};
-  sops.secrets.davfs2 = {
-    owner = "root";
-    group = "root";
-    mode = "0600";
-    path = "/etc/davfs2/secrets";
-  };
-
-  fileSystems."/var/lib/mounted" = {
-    device = "https://u384391.your-storagebox.de";
-    fsType = "davfs";
-    options = ["rw,file_mode=0660,dir_mode=0755" "0" "0"];
-  };
-}

hosts/sora/services/default.nix

@@ -6,7 +6,6 @@
     ./ntfy-sh.nix
     ./tailscale.nix
     ./attic.nix
-    ./minio.nix
     ./factorio.nix
     # ./minecraft.nix
     # ./foundryvtt.nix

hosts/sora/services/neko.nix

@@ -1,23 +0,0 @@
-_: {
-  sops.secrets.neko-admin = {};
-  networking.firewall.allowedTCPPorts = [8085];
-  networking.firewall.allowedUDPPorts = [52000 52100];
-  virtualisation.oci-containers.containers.neko = {
-    image = "m1k1o/neko:firefox";
-    ports = [
-      "8085:8080"
-      "52000-52100:52000-52100/udp"
-    ];
-    environment = {
-      NEKO_SCREEN = "1600x900@60";
-      NEKO_PASSWORD = "forsen";
-      NEKO_EPR = "52000-52100";
-      NEKO_NAT1TO1 = "5.161.102.107";
-      NEKO_CONTROL_PROTECTION = "true";
-      NEKO_VIDEO_CODEC = "vp8";
-    };
-    environmentFiles = [
-      /run/secrets/neko-admin
-    ];
-  };
-}

hosts/sora/services/tailscale.nix

@@ -4,7 +4,9 @@
   pkgs,
   ...
 }: {
-  sops.secrets.tsauth-sora = {};
+  sops.secrets.tsauth-sora = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
   environment.systemPackages = [pkgs.jq pkgs.tailscale];
   services.tailscale = {
     useRoutingFeatures = lib.mkDefault "server"; # important to make it a server, it sets sysctl for ip forwarding without intervention and reboot

secrets/secrets.yaml

@@ -4,8 +4,6 @@ cloudflare-api-key: ENC[AES256_GCM,data:ZEYzFht24xogGov/Dkk9MQm0CZ/GPHvVgC7manQ2
 gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJQ73mFt7BF+PXeqA/ilbZJW3GbCfAoXWLDP3qzFYqs9XeEV/FhHznkVHB88xdr+Fbv7cuCEa7PnnYbSiwr/R68EZLsGSr+u99+uu1TH6ABXG9nJna0bkwkTfx6ui/Yc2GndWS+Ew==,iv:rYdMasJS1LqMGvMYFyAdEkoTLtOHrZHGcfBOvbn63bg=,tag:YNcP/pvgKHPYNhAwVGdFHw==,type:str]
 authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str]
 authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
-tsauth-sora: ENC[AES256_GCM,data:3jzPB0whb9xHudVl/MhNeCUgjDfzzQpxGJGqfMf2GqEtfEkiynVTLO/TFDt1PorBuUQOjVfxn8c=,iv:5vLHbhY2ZlnsVQbLlu6Hxo32azpfcj6ORAMn3oSdcHY=,tag:zN8qPOSaSMMdJn+zsTXPaA==,type:str]
-tsauth-sakura: ENC[AES256_GCM,data:iN77ArKDnltxrWGCz8bMqMHBAp45oGUk+n5ilAE0tY2rz01PGaCmIgPFSDfNaMphH6gX+AbEd5Y=,iv:k/lBIZW7aKT3u+dgcFnQORah2yHZXAmY+PBv53tM1ao=,tag:9/pebj3D9LURTedqkduoaw==,type:str]
 snowflake-runner-token: ENC[AES256_GCM,data:CYtnZeCCd3IbNq95xCAoftYRxYf5QdZk1cw2PgRQMkBBc2kVkBpluQ==,iv:zoUvBD0QYk3rZytVjKZ8qizLxiBdzkRnTowXUULgMZY=,tag:J5vg+ipkcPKUSmbCq0Yoiw==,type:str]
 basegbot-runner-token: ENC[AES256_GCM,data:US3VkT2+S9sKPJ7zPNNBudV/884/cNfmEZVdmWHnL4WWdvUej5aIbQ==,iv:mEjU7DF4NCX7WwLP4+CxlV3aKZOkL7t6wyM4Mz7sPrg=,tag:JrMiiQ2TT3OET4iyO6pUog==,type:str]
 nixgarden-runner-token: ENC[AES256_GCM,data:3XxAKiWHxFLicQPebYwBhqL+fMft8iCkikyveIb9O++X1YuygNFRLw==,iv:DT58z4RvmVQth/4VubcMIT55CyGk1/3j5s7IQ/9Bw8s=,tag:oXDNZPTQ02Ybe9pqN5zHow==,type:str]
@@ -29,8 +27,8 @@ sops:
             YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
             5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-04T19:18:34Z"
+    lastmodified: "2024-01-05T00:43:09Z"
-    mac: ENC[AES256_GCM,data:ZsoHocjIzcVonvAist4pyBbpPEWT2MYcvgq4A1uACY/FU+voIi5ZN2qtPc5dj5kyogwYFO3V3DaFlbwqMJnab5IdYatVhWdICKUl65M0IlLSM4YYOKygHnThCTpQvi0ZptoY+tGrr9vEjXsAcwyg1lUYOoedJjesWirfus6AZD8=,iv:jXGdQvYARD3wuaNsFkFWSvzNVzxCFXzcfMyi3ySgcsU=,tag:PxlBvsMjMoMsrseGw5iM9w==,type:str]
+    mac: ENC[AES256_GCM,data:7qfyv9z/W7BddOZA61Qo++Bl4Kik8dJJ0i4OjgyLzgQewa7LrgrwtUaIbMfmlJHOcORaBZs/tS3igwBhSBRYK1Mzcst2dGBuJW+I6aEFD9HUN0T5M8qT9awalk+kd8vhnZoXN8t9Kzl065M95eyV+7Cl7sYQDqaZdsrLBpTw/Go=,iv:0JGj9QqD+JPtYfywemH2hdhZCmMsh/vupdhVN7UJFKY=,tag:MACJ7yD2wKD3AKWSDaHlMQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

secrets/tailscale/secrets.yaml

@@ -0,0 +1,23 @@
+tsauth-sora: ENC[AES256_GCM,data:GAgCIpYMS5e4t2RW4t6w9jI2mfJQdBq2eRBDAKt6HJ/JaZyv983bx5xojTStqOWYUIKaFZ5IL30=,iv:AQTKdSPr2G9tow/hbgFKSrh/i4D9JaFrc7/JFOvP1Bo=,tag:4ss1dNK0Z//JIWnds/hMKQ==,type:str]
+tsauth-sakura: ENC[AES256_GCM,data:35SN+Tu9pGXYu/i/VbBFHMwJmAttjLrE5JrcQXUuwqkUbv/jnFuELtwC6jsO9hSllD6vGJJsYoJ3,iv:C3Tl2T6SOrUEdUAFs3Ly8/RPaqj0SKOPwFppeGZf3XI=,tag:o3vtwxMvHUpXpKbXtSqhzQ==,type:str]
+tsauth-kaze: ENC[AES256_GCM,data:a7kV+lYKjnnHsQipDVnaHtoslvqXpcaawSe0lYXlJiGnTjpXR6SRpq2XgsO6+6g/xi8NZeLUK4U=,iv:yAjGPZrm80u0JpwwWLPLXUxV0uLX1C+t0osUZ/em23o=,tag:7Q6Awv5VKJe9i5uWDeBR7g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ckvmyqkwk69j64ev3fmckytz6k2dv79z4gn5qf6gxqyevp5yjfesdfkxmn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSXF1aHNHUSszd2hRSEc1
+            OTh5WWhrYkN5alpncEYxQ1h4Skh3OS96dlI4Ck9LaTZkZHBhMitVNWdvcnhybU9T
+            UUJsRmYwNU5iNi8zK3IxY0pjeGFzNFEKLS0tIHhNMG1QY2kyQlpYLy82Vk9WWCtU
+            S2doM1FiZkRFT0dCckx4Tzd1b2pZRHMKEIsD+AjBcHOFSQiXrCuLv+IBcF+4vUYB
+            YeHe81lcjqWO2TEcP1fdBh0JWUtDVXQbZiBDxs5Vlz35x/OnA9fwPQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-05T00:34:38Z"
+    mac: ENC[AES256_GCM,data:8kxJBDvDVaiB+wTRLXFDNnhzGdWzHS2ntdVxysejN+ghYRqP5qToe6zd9dudOjzOzS15jpLG/MP7Rg5OXRjB656gd+DjkoQzHj5us/EtokOiDW6O8W058nNefQEyrBVtzHBwvphhg8Sh5E7VLWy6QYz3O35//wDXdUH+yX2RYIU=,iv:XQ4WdqdFC0pPR6RG4vOdzBRt8sYoqUJARwHPohLccGE=,tag:cRBJA6S0jJQalOeqzIPo8Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1