feat: add new host envoy for mail, switch disko to partlabel

2025-10-10 23:00:39 +02:00 · 2024-04-07 21:59:54 +02:00 · 2024-04-07 21:59:54 +02:00 · 289fcdd197
commit 289fcdd197
parent 303fbd5595
45 changed files with 302 additions and 154 deletions
--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@ -0,0 +1,30 @@
+{config, ...}: let
+  inherit (config.repo.secrets.local) acme;
+in {
+  age.secrets.acme-cloudflare-dns-token = {
+    rekeyFile = ./secrets/acme-cloudflare-dns-token.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  age.secrets.acme-cloudflare-zone-token = {
+    rekeyFile = ./secrets/acme-cloudflare-zone-token.age;
+    mode = "440";
+    group = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      inherit (acme) email;
+      credentialFiles = {
+        CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
+        CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
+      };
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+    };
+    wildcardDomains = acme.domains;
+  };
+}
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -0,0 +1,42 @@
+{
+  config,
+  nodes,
+  ...
+}: {
+  imports = [
+    ../../modules/optional/hardware/hetzner-cloud.nix
+
+    ../../modules
+    ../../modules/optional/initrd-ssh.nix
+    ../../modules/optional/zfs.nix
+
+    ./acme.nix
+    ./fs.nix
+    ./net.nix
+  ];
+
+  boot.mode = "bios";
+
+  users.groups.acme.members = ["nginx"];
+  wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
+  services.nginx.enable = true;
+  services.nginx.recommendedSetup = true;
+
+  meta.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  # Connect safely via wireguard to skip authentication
+  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  meta.telegraf = {
+    enable = true;
+    scrapeSensors = false;
+    influxdb2 = {
+      domain = config.networking.providedDomains.influxdb;
+      organization = "machines";
+      bucket = "telegraf";
+      node = "sire-influxdb";
+    };
+  };
+}
--- a/hosts/envoy/fs.nix
+++ b/hosts/envoy/fs.nix
@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (config.repo.secrets.local) disks;
+in {
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/disk/by-id/${disks.main}";
+        content = with lib.disko.gpt; {
+          type = "gpt";
+          partitions = {
+            grub = partGrub;
+            bios = partBoot "512M";
+            rpool = partLuksZfs disks.main "rpool" "100%";
+          };
+        };
+      };
+    };
+    zpool = with lib.disko.zfs; {
+      rpool = mkZpool {datasets = impermanenceZfsDatasets;};
+    };
+  };
+
+  boot.loader.grub.devices = ["/dev/disk/by-id/${disks.main}"];
+}
--- a/hosts/envoy/net.nix
+++ b/hosts/envoy/net.nix
@ -0,0 +1,38 @@
+{config, ...}: {
+  networking.hostId = config.repo.secrets.local.networking.hostId;
+  networking.domain = config.repo.secrets.global.domains.me;
+
+  boot.initrd.systemd.network = {
+    enable = true;
+    networks = {inherit (config.systemd.network.networks) "10-wan";};
+  };
+
+  systemd.network.networks = {
+    "10-wan" = let
+      icfg = config.repo.secrets.local.networking.interfaces.wan;
+    in {
+      address = [
+        icfg.hostCidrv4
+        icfg.hostCidrv6
+      ];
+      gateway = ["fe80::1"];
+      routes = [
+        {routeConfig = {Destination = "172.31.1.1";};}
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+      ];
+      matchConfig.MACAddress = icfg.mac;
+      networkConfig.IPv6PrivacyExtensions = "yes";
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+
+  networking.nftables.firewall.zones.untrusted.interfaces = ["wan"];
+
+  # Allow accessing influx
+  wireguard.proxy-sentinel.client.via = "sentinel";
+}
--- a/hosts/envoy/secrets/acme-cloudflare-dns-token.age
+++ b/hosts/envoy/secrets/acme-cloudflare-dns-token.age
--- a/hosts/envoy/secrets/acme-cloudflare-zone-token.age
+++ b/hosts/envoy/secrets/acme-cloudflare-zone-token.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Y7J0KmGssDwytzJSMTKnb2qVfCBEl4nMiKeg4PDhbhM
+R+FV22jr0XcybGJk8Z2o40O5ptRK3NPgQOxJ7HlORho
+-> piv-p256 xqSe8Q AyC1XlhbGhbfUBn4gV56t48AazKi5Lt9H5BCOZqbTtOp
+s3mrvVrMZ/kTdUSjKyBWa5hUFL2fwL2xRo7UFF0AwP0
+-> Ao-grease vp@ m_b
+oV7D7L5dZtF75bJ6Ms0yZr92rENJmE4xKpdlBp4h40onYWv1Z17R2/bmygv5MD9+
+S7J25g3rxfk00fUOK8cwDcWyRtp4jQqcooJyrQ
+--- J/aXuudcbUAfU06R065fsvPTX2qZr0w0eZ9gI6I+McY
+vÂâ-##·¬=|Ú•˝-IÝR†·żÝn<§z´fÄ.\śő‘cU/OÓ	6÷¶ëĽ±�Üož’Ţ$ő¶8\Ň6E•ËeËí†n
--- a/hosts/envoy/secrets/host.pub
+++ b/hosts/envoy/secrets/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv
--- a/hosts/envoy/secrets/local.nix.age
+++ b/hosts/envoy/secrets/local.nix.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 Iz/ZYzOsB5ONZTT2azO8HcfvwEdS8zjYv2a+gdSa6Rw
+3RvSD6jq4IKXOWmgFiLK0OgZkvrbRQZLqlYgiVMixAY
+-> piv-p256 xqSe8Q A4BW1CqEWMOdGkIjIqvXJrzC54BBaEbnhywgd1UA9gQf
+lRdaSMaW/xFvzBYk56T6ld64vrFS4EbQdcJJarOd2hE
+-> Xw[-grease ^u-qoTf JV
+7ht6GO0MH9xXNpmbVpi/NYiy27V0XHtE+qNmMqZSj0/rVtnYWMhm4Ezu+3Y
+--- EYikW64z1mfwwVgFevfGeo4Sp4994H8WnvbJ+RfxMnc
+Pðlðb wqÚZêÿÉÞœä9‚ÁÃí—Ô«:V†ål~(Þƒ¦#xÒ£V[ã|!óæccVn»%®kÊYðr;hS)g�gELÀ€‘wZAôJHµÚj~a´Ëö{®*ªC8·
+ábÓi!
˜ãÏ#â	K4¶‡À/3Ð$I§c7’Uèÿ…Tš°j«×f€Ëj`LX0f•hO%~ª”¥*]Þc“Óñ¯›œÞR¤Aß0Øy¿0¤v¯²¨#{·CÙ.BqW-ÓÄÊÁž1WÂ7/jÈ”ã}!òÓãüçò/„¡öEb%Ô ƒ—št«q¼²!éùe>g€ó)Î›d~Üð„¨yA
+‰ZŽá¼NÐÏßìŸžmo–|„˜ÆrX˜Íˆº6T$¿~5ÜýýÍ‚Rj>û– zh•³•K�IeÀdä}›Nó zZñãšá¢e`e¦Ý�Äb~KÆÐ]hï1—ÇÉè½yF
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgdSxSAnqaIqpr7OhyaKXGfQLUWf2bkpyF2mSG01LVv`