From ef5c7fabf7d98aab6052ff6beced8ba0593d1cbe Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Mon, 6 Oct 2025 23:50:34 +0200
Subject: [PATCH] hosts/srv-private: Reinstall with impermanence

---
hosts/srv-private/default.nix | 6 ++-
hosts/srv-private/disko.nix | 45 ++++++++++++--------
hosts/srv-private/hardware.nix | 31 ++++++++------
hosts/srv-private/secrets.json | 76 +++++++++++++++++-----------------
4 files changed, 88 insertions(+), 70 deletions(-)

diff --git a/hosts/srv-private/default.nix b/hosts/srv-private/default.nix
index 15644e7..5429129 100644
--- a/hosts/srv-private/default.nix
+++ b/hosts/srv-private/default.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 {
- system.stateVersion = "24.11";
+ system.stateVersion = "25.05";
 
 meta = {
 domains.validate = true;
@@ -8,9 +8,11 @@
 };
 
 custom = {
+ impermanence.enable = true;
+
 sops = {
 enable = true;
- agePublicKey = "age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t";
+ agePublicKey = "age1rp7lrakhlnnhzcgjtut8ncamem6wjrtna3e9mgdkt3dqd9dvk3usa5tzk5";
 };
 
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/srv-private/disko.nix b/hosts/srv-private/disko.nix
index 56221a9..ead84f6 100644
--- a/hosts/srv-private/disko.nix
+++ b/hosts/srv-private/disko.nix
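Review bot: Switching `agePublicKey` to the new host identity at the same time as enabling `custom.impermanence` only works if the private half of that key survives a reboot, and nothing in this hunk shows where it is persisted; the root filesystem in this same patch is a tmpfs. If, as is usual with sops-nix, the age identity is derived from the host SSH key, then `/etc/ssh/ssh_host_ed25519_key` (or an explicit age key file) must be bind-mounted from `/persist`, otherwise every boot regenerates the key and no secret decrypts — I am inferring this from the module names, so confirm what `custom.impermanence` actually persists. A comment next to the new option would make the dependency visible to the next reader, e.g. `# root is tmpfs: the age identity behind agePublicKey must live on /persist`. The `custom` attribute set continues outside the hunk.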
@@ -1,41 +1,52 @@
 {
 disko.devices = {
- disk.disk1 = {
- device = "/dev/vda";
+ disk.main = {
+ device = "/dev/sda";
 type = "disk";
 content = {
 type = "gpt";
 partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
 ESP = {
- type = "EF00";
 size = "512M";
+ type = "EF00";
 content = {
 type = "filesystem";
 format = "vfat";
 mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
 };
 };
- root = {
+ nix = {
+ size = "20G";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/nix";
+ mountOptions = [ "noatime" ];
+ };
+ };
+ persist = {
 size = "100%";
 content = {
- type = "lvm_pv";
- vg = "pool";
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/persist";
+ mountOptions = [ "noatime" ];
 };
 };
 };
 };
 };
- lvm_vg.pool = {
- type = "lvm_vg";
- lvs.root = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [ "defaults" ];
- };
- };
+ nodev."/" = {
+ fsType = "tmpfs";
+ mountOptions = [
+ "defaults"
+ "mode=755"
+ ];
 };
 };
 }
diff --git a/hosts/srv-private/hardware.nix b/hosts/srv-private/hardware.nix
index a0ae9d1..d58ab44 100644
--- a/hosts/srv-private/hardware.nix
+++ b/hosts/srv-private/hardware.nix
@@ -8,11 +8,12 @@
 nixpkgs.hostPlatform = "x86_64-linux";
 
 boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
+ "ahci"
+ "xhci_pci"
 "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
 "sr_mod"
- "virtio_blk"
 ];
 
 zramSwap.enable = true;
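Review bot: The tmpfs root declared in `nodev."/"` has no `size=` bound, so it gets the kernel default of half of physical RAM and any process writing into a path that is not bind-mounted from `/persist` can exhaust memory before it ever sees a disk-full error; add a cap to the `mountOptions` list, e.g. `"size=25%"`, sized to what the host actually needs at `/`. The `umask=0077` on the ESP is a good addition because it stops kernels and initrds from being world-readable. `/persist` and `/nix` are plain ext4 with no LUKS layer, so whatever long-lived key material the host keeps sits unencrypted on the provider's disk — that may be the deliberate trade-off for an unattended cloud VM, but a one-line comment on the `persist` partition recording that decision would stop the next reader from treating it as an oversight. The new `boot` partition of type `EF02` is only consumed by BIOS GRUB, so with `systemd-boot` enabled in default.nix it looks like dead space, presumably kept for provider-image compatibility.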
@@ -20,23 +21,27 @@
 networking.useDHCP = false;
 systemd.network = {
 enable = true;
- networks."10-ens3" = {
- matchConfig.Name = "ens3";
+ networks."10-enp1s0" = {
+ matchConfig.Name = "enp1s0";
+ linkConfig.RequiredForOnline = "routable";
+ networkConfig.DHCP = "no";
 address = [
- "152.53.85.193/22"
- "2a0a:4cc0:c0:23bd::1/64"
+ "138.199.200.104/32"
+ "2a01:4f8:1c1a:732c::1/64"
 ];
 routes = [
- { Gateway = "152.53.84.1"; }
+ {
+ Gateway = "172.31.1.1";
+ GatewayOnLink = true;
+ }
 { Gateway = "fe80::1"; }
 ];
 dns = [
- "46.38.225.230"
- "46.38.252.230"
- "2a03:4000:0:1::e1e6"
- "2a03:4000:8000::fce6"
+ "1.1.1.1"
+ "8.8.8.8"
+ "2606:4700:4700::1111"
+ "2001:4860:4860::8888"
 ];
- linkConfig.RequiredForOnline = "routable";
 };
 };
 }
diff --git a/hosts/srv-private/secrets.json b/hosts/srv-private/secrets.json
index 35a7821..63dfb4b 100644
--- a/hosts/srv-private/secrets.json
+++ b/hosts/srv-private/secrets.json
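Review bot: The hunk makes IPv4 fully static with `networkConfig.DHCP = "no"` plus explicit `address` and `routes`, but leaves IPv6 router-advertisement handling at its default, which for an ordinary link in systemd-networkd is to accept RAs; an RA on the provider segment can then still install a default route or RDNSS resolvers alongside the `fe80::1` gateway and the `dns` list configured here. Adding `networkConfig.IPv6AcceptRA = false;` next to `networkConfig.DHCP = "no";` makes the IPv6 side as explicit as the IPv4 side; I am going by the systemd.network documentation for the default, so verify against the networkd version in use. Moving from the old provider's resolvers to `1.1.1.1`/`8.8.8.8` is functionally fine, but those queries leave the host as plaintext UDP unless resolved is configured for DNS-over-TLS elsewhere in the config, which this hunk does not show.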
@@ -1,40 +1,40 @@ { - "seb-password": "ENC[AES256_GCM,data:5RF/qbpMl1zq0SAdDNyI4EaSkN7dwSyG2K8wsAs77tZEOQxNzNasLiuGeQwJdzNXVaVeIx53nWSGPtdYSBQjkGPN3Q+0YX/S+Q==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:tqmBxOc62IhJGxXvjzugYw==,type:str]", - "tailscale": { - "auth-key": "ENC[AES256_GCM,data:p/CZOdluFGXpY+Pqfd1XBQnjOo4bMYx4NNiEIVuLZXkEIJLQmXyQCpQ6jCszzcr6O6YIootcjyASyx3sFw==,iv:imh6BrNPf2jVQ6eVaB9Mt+gX9zGq6mHX1+9yhY/KzrI=,tag:Nh+fP6VqpxfZpx8LliY6tw==,type:str]", - "service-auth-key": "ENC[AES256_GCM,data:KLaSMrOXEeHI0RmKK83eTPjCsr07SMOJnk1ywmtg/VIire/629UYSIzOIu/AAeHxWUiUsku4ADzyAFnr6ak=,iv:1e7sWm+CEXOBt7p74b9O5Hhs5+NYv6v6QfdqiKHNn18=,tag:dql6J+VDZ3mAds1ogilceg==,type:str]" - }, - "restic": { - "password": "ENC[AES256_GCM,data:bHQGGxWLEeXtq/6Kcl8HzrEb8Z46WJwNQgNOJjZz,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:0og/qnjxvGsilAV2LWKSHw==,type:str]" - }, - "backblaze": { - "key-id": "ENC[AES256_GCM,data:tA0VKR3AhXqtHImTfiXDeIINCwkBxVNS/w==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:JPKf8qUzfXDXTqNUl95+2Q==,type:str]", - "application-key": "ENC[AES256_GCM,data:o1CFIZiPiuY1cdAFVQpmYRzog7/Lzu9sGbZqczd4vw==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:CIgb4GeFD/seHS0o7nxsgg==,type:str]" - }, - "healthchecks": { - "ping-key": "ENC[AES256_GCM,data:fUcldy97AWJOGIemkKwRzRNw5IUPzw==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:28ssHfDMjVnTG+GfBVjT2g==,type:str]" - }, - "syncthing": { - "cert": "ENC[AES256_GCM,data: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,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:OMtxG6KxSVQ2bbskeLIu1g==,type:str]", - "key": 
"ENC[AES256_GCM,data:Lg+YGdXdJxV/3ixMi46BL+m7WkU2yJZg0ygrGEQHsqdfQ0Lqawid/TCchdf3ep00tnF+NNcfhDy8qMZ/Qy4EBIMOHyEBmaAP7XhfumMncLGdxWXpAdtclvjjfrIwLZTH9F2wV79uo3Ir3FxLe/OS32pH3vTeERod/l1uOEfwksXXCOcZg1bTF9nxoxtwGrc2QnH3xYRgc2RNp344p+v2HApfy6ctkG/bWQjhJmi8a1aBGzwOVEeWptU+A/sP7C8kntZvjlMHnr+4Lkg7HxKGya7AnpqcgWGyPWhK/Sa5aKBBn9yZzIGxI7181UhyHYHMs+CJFxoH71RR+C45tXP2vey+hwVZUAZQb3Y8ZO+tZ1q9kWyzW+k0VIsRxyjctsPl,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:CChxY4hOHY/Yua3p1veoCw==,type:str]" - }, - "radicale": { - "htpasswd": "ENC[AES256_GCM,data:3EtGDFVnTJxjB4URcgUH1qLvShA4hAg1Zavb0azFNizEc9VcLvWDfNCoBjat+Ovc/I4UA2Dv86uu+gGj3wN+zg==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:K0VQ9LEccCuIPXzEuLK4mA==,type:str]" - }, - "sops": { - "age": [ - { - "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdEtRd2R6YzVUS0xtOUFM\nSmg2L0x0WnhrazN6dlNGK295OWFvNlV4ekY0CnpCQmtRSjErZlk3UUFuR2R3Yy9P\nREtRcEg2Y09WSFJkbWNwcVRJNnpRWVUKLS0tIHdpOWZBVlhrR203Q05tVXR4eTdV\nRzVHRncrdWV2eGtBUnl0SjhDTm1mWWsKH8YnoFLn8GZehS60rpWZ0dTtOKxpMOPM\ny0266elas/kr+w0DRlBH1HdtXv+kwo22KK3t/Q966Fkc5rxCYa++CQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcGVRNzRrM2RTeFJScDBR\nZUFSOUd2dXhZaGh3TDdVYVdWZVBYYjNDUm5nCnl3RHJBM0F0RUlIWjJ3ZEVRVEVI\neXZMSVkvbU1Qamc0VGZIeW1lekVTeFEKLS0tIHVpTGtoSytuZFlIdzBtNEI0a1lh\naURRQUR4cVBhNmRFOTQ2MFdBN3p3OEkKJjy8KnruglNwYOuOcWIspJZq3+0VqHGx\nV6cldtjSabCks3xtTUYjvb8/mMwHT1ANW/bRkJ/BrBClZGGEM3hZgQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-19T16:19:13Z", - "mac": 
"ENC[AES256_GCM,data:F3bCLnDFCdfqdOMzhqBNSvdjIXpPi9Ynzp1FORsZ5if5gt2JylWR7tEPD4AWNrNmWiJtT1jFkvNB/qd00BxVQ3wwLqJMPW1COZ+SkyonBhgHCvn+BfYRil2FeJgkEgWekMWtf0DpKtYKaqxPS2JmJyIJCWxePI3lQDHR8JvcVcg=,iv:uYgctx6vgD+5qN9LDZi/t2YgxrkfSHYb86SwlKX2XDM=,tag:K1KRzjBhNDR5vnYHDiDkRg==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } + "seb-password": "ENC[AES256_GCM,data:5RF/qbpMl1zq0SAdDNyI4EaSkN7dwSyG2K8wsAs77tZEOQxNzNasLiuGeQwJdzNXVaVeIx53nWSGPtdYSBQjkGPN3Q+0YX/S+Q==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:tqmBxOc62IhJGxXvjzugYw==,type:str]", + "tailscale": { + "auth-key": "ENC[AES256_GCM,data:p/CZOdluFGXpY+Pqfd1XBQnjOo4bMYx4NNiEIVuLZXkEIJLQmXyQCpQ6jCszzcr6O6YIootcjyASyx3sFw==,iv:imh6BrNPf2jVQ6eVaB9Mt+gX9zGq6mHX1+9yhY/KzrI=,tag:Nh+fP6VqpxfZpx8LliY6tw==,type:str]", + "service-auth-key": "ENC[AES256_GCM,data:KLaSMrOXEeHI0RmKK83eTPjCsr07SMOJnk1ywmtg/VIire/629UYSIzOIu/AAeHxWUiUsku4ADzyAFnr6ak=,iv:1e7sWm+CEXOBt7p74b9O5Hhs5+NYv6v6QfdqiKHNn18=,tag:dql6J+VDZ3mAds1ogilceg==,type:str]" + }, + "restic": { + "password": "ENC[AES256_GCM,data:bHQGGxWLEeXtq/6Kcl8HzrEb8Z46WJwNQgNOJjZz,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:0og/qnjxvGsilAV2LWKSHw==,type:str]" + }, + "backblaze": { + "key-id": "ENC[AES256_GCM,data:tA0VKR3AhXqtHImTfiXDeIINCwkBxVNS/w==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:JPKf8qUzfXDXTqNUl95+2Q==,type:str]", + "application-key": "ENC[AES256_GCM,data:o1CFIZiPiuY1cdAFVQpmYRzog7/Lzu9sGbZqczd4vw==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:CIgb4GeFD/seHS0o7nxsgg==,type:str]" + }, + "healthchecks": { + "ping-key": "ENC[AES256_GCM,data:fUcldy97AWJOGIemkKwRzRNw5IUPzw==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:28ssHfDMjVnTG+GfBVjT2g==,type:str]" + }, + "syncthing": { + "cert": 
"ENC[AES256_GCM,data:8G697avMrmghzc8m1h7K0bbo4cK4tlToyaweU85N+GQgyjbHj34USvdMTBzdQs0yz/lgzhzxHURnwM/bWINCXUxhxI0aoH3ULU4KH0PvCV9I9Xbsvj4PNO+fBsMqExL11m0fyCngk7GwBavNpQw+X62a+SwGfyuPdLdjRUqSAdXgTpk9bZ3PIUjb+XLMpiQ2hElFKtzp85WTY1GcSyjG98ineSB/p31SX2svtvojy9dNwpVeYirXeh2ZJLj/EyS+hOfrYicQ6X8KnrGdH1FKXaci3xAhDg45PJLiuh0Dxi+sX1bZ62S3cHWDhq5S/GucwNrd1dZN5T8m9HPVmIaJcGk5mEst4oKiCugYEeio39JWShTDNgIBXlFm+Srt+2aKEqOrnukl1hnvnVPcTPfhYVaUiQdlQadWB3qLtZpTuSjvKvclrhpSzzFz/l1gjo3kWLBOQ+WaFMsHFi2Lx484NP6MkShRTvhDMDDByAP0neZGLMCB3Ckiavzl10Irp9ozjb2CIWJCdKoz1oeJ7knDAn1omCM3Dg12pKOjuy5Xh+WdZeatZyiM1HgJCBWxEhlFpLWPaSVgYsrp57ewBH0gfjBI8LTEx3hukabMM3QD7Xk1pdKlSAKaTcs4ZSqDPHN0CReDha/EKKG/Za3qy8IHAIokggkVp8cDbw+fI+Z3moV1YWHzU+nM6GaFUzboXZH7omYhhvlAQnRp+MHEZHk7wzhNUxKigOEiG2UBL9YpLOgSkZYz/DIw6qBp7CziVVwYu22ppYtpiMP00RwnBZEoB6llIvN6uKD5gq/4kE56XJU/nEet206E7ckvfMg96XScNIZrJNdQiyDZl3zIUEBBhMIuNL61wtr5+d8+JteAN5IFbEIaHGw7BY+yE9fHvi8yiSRXW/DYQYdHNtK9xyMEGs/TD8xubWVjjF9iYKAwy0uDEBOof7cNFVWBZJRcFoeuqg1CK8RoMxdVJo7KWERwC3e5z13t+SX62andWGtFfqS2zTHvyYGtvyjVBG89wROKfllS3Pl820LVHu4qiDudC2o3BlGYLhVbknU=,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:OMtxG6KxSVQ2bbskeLIu1g==,type:str]", + "key": "ENC[AES256_GCM,data:Lg+YGdXdJxV/3ixMi46BL+m7WkU2yJZg0ygrGEQHsqdfQ0Lqawid/TCchdf3ep00tnF+NNcfhDy8qMZ/Qy4EBIMOHyEBmaAP7XhfumMncLGdxWXpAdtclvjjfrIwLZTH9F2wV79uo3Ir3FxLe/OS32pH3vTeERod/l1uOEfwksXXCOcZg1bTF9nxoxtwGrc2QnH3xYRgc2RNp344p+v2HApfy6ctkG/bWQjhJmi8a1aBGzwOVEeWptU+A/sP7C8kntZvjlMHnr+4Lkg7HxKGya7AnpqcgWGyPWhK/Sa5aKBBn9yZzIGxI7181UhyHYHMs+CJFxoH71RR+C45tXP2vey+hwVZUAZQb3Y8ZO+tZ1q9kWyzW+k0VIsRxyjctsPl,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:CChxY4hOHY/Yua3p1veoCw==,type:str]" + }, + "radicale": { + "htpasswd": "ENC[AES256_GCM,data:3EtGDFVnTJxjB4URcgUH1qLvShA4hAg1Zavb0azFNizEc9VcLvWDfNCoBjat+Ovc/I4UA2Dv86uu+gGj3wN+zg==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:K0VQ9LEccCuIPXzEuLK4mA==,type:str]" + }, + "sops": { + "age": [ + { + "recipient": 
"age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc2E0amJTa1QxTVloc2Vj\nUUo0VW02ZXUvV0M1VTdCOVh1M0YzeWo5WVJRCnNZN1FNZVA1R2tvSlI5QmJMaURG\nbG9XTEQvYzliREVIUEhzaXFjVUM4bkEKLS0tIEE3VXgyWFZKeDFLc3QxdGZrUWZu\nVWI3Y1R5K1pycE12ZDBkbXVGWVBYTXMKsoiaQZWFHoTnPsDc4zhDrk1ZwzW1KtLn\nFAu58/Goy8YWfcATxXpU+tfauTWkotM/sGzXwyYD+zi4elekHSU/OA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1rp7lrakhlnnhzcgjtut8ncamem6wjrtna3e9mgdkt3dqd9dvk3usa5tzk5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMmlwaXZvcTdMWVZ3VzNm\nMTR3TnJxLzNVYUFTUGNDR1Jhc1c3QTBOS0QwCm1NVkFaUSs3LzNGT25pSmVPRVVP\nbUdoTEJCcnNpNjE4aTljeGZoYjQ4cG8KLS0tIG1paitmUlBPekM4YXJwR3Z1Z2VW\nZTR6ZXdWYmVMK01RMVZLUlJyOExBMVkKJ/msnrWYumh1OmB5W2w+bUjAt2m7RrOT\nJVGy7zHKk5HWD7VLoYUCpPGoWWeq2O3dC4BjE0jFOya/2zz3YckF+A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-09-19T16:19:13Z", + "mac": "ENC[AES256_GCM,data:F3bCLnDFCdfqdOMzhqBNSvdjIXpPi9Ynzp1FORsZ5if5gt2JylWR7tEPD4AWNrNmWiJtT1jFkvNB/qd00BxVQ3wwLqJMPW1COZ+SkyonBhgHCvn+BfYRil2FeJgkEgWekMWtf0DpKtYKaqxPS2JmJyIJCWxePI3lQDHR8JvcVcg=,iv:uYgctx6vgD+5qN9LDZi/t2YgxrkfSHYb86SwlKX2XDM=,tag:K1KRzjBhNDR5vnYHDiDkRg==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } }
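Review bot: The data-key wrapping was redone for the new recipient `age1rp7lrakhl…` and the old `age1qz04yg4h…` was dropped, but every secret value is byte-identical between the removed and added lines — the `data:`/`iv:`/`tag:` of `seb-password`, both Tailscale keys, the restic password, the Backblaze key pair, the Syncthing cert and key and the radicale htpasswd are unchanged, and `lastmodified` is still `2025-09-19T16:19:13Z`. That is the expected output of `sops updatekeys`, but it means the reinstall on a new host at a new address rotated no credential: the previous revision of this file in git history stays decryptable by whoever holds the old host's age identity, which lived on the decommissioned VM's disk and in any provider snapshots of it. Unless that disk is known to be destroyed, rotating at least the Tailscale auth keys and the Backblaze application key and re-encrypting would close that exposure. It is also worth confirming that the retained recipient `age1mpq8m4p7…` is the operator key and not another stale host.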