diff --git a/.sops.yaml b/.sops.yaml index c0dd96fc3..029cabf36 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -27,13 +27,6 @@ creation_rules: pgp: - 64604147C434F65EC306A21F135EEDD0F71934F3 path_regex: machines/hodgepodge/secrets/[^/]+.yaml$ - - key_groups: - - age: - - age1dl25evn7gstv4t48na8ypxhtxgpf67zfk2v0n3g9fkna8vx3cavsm868ly - - age15yyjuhudx0qaxrgshap4uwylvc6gek5dev7wsvc0zn32v6easp4qmyffmg - pgp: - - 64604147C434F65EC306A21F135EEDD0F71934F3 - path_regex: machines/moraine/secrets/[^/]+.yaml$ - key_groups: - age: - age14rlwkyskyfz65vrvu2n4v3vslqvuqc8uk7vjsre9n52zpnhke30svsjvak diff --git a/README.org b/README.org index 0b1a81ea2..d4d4b17b0 100644 --- a/README.org +++ b/README.org @@ -262,29 +262,6 @@ case are the stars here. As of <2024-01-22>, Ryosuke is serving as a living room HTPC. I've also brough it to the office as a "laptop". -** =moraine= -:PROPERTIES: -:CUSTOM_ID: moraine -:END: - -Hetzner AX52 (+ ECC) (+ 2x16TB HDD) - -Media server. Work in progress. - -*** Name Origin -:PROPERTIES: -:CUSTOM_ID: name-origin -:END: - -[[https://outerwilds.fandom.com/wiki/Moraine][Moraine - Official Outer Wilds Wiki]] - -#+begin_quote -*Moraine* is a [[https://outerwilds.fandom.com/wiki/Hearthian][Hearthian]] who enjoys using the [[https://outerwilds.fandom.com/wiki/Signalscope][Signalscope]], especially to listen -to the [[https://outerwilds.fandom.com/wiki/Travelers][travelers]] music from across the [[https://outerwilds.fandom.com/wiki/Solar_system][Solar system]]. They are found on a -platform atop the tallest tree in [[https://outerwilds.fandom.com/wiki/The_Village][The Village]], so they will have a better view -of the planets. -#+end_quote - ** =boschic= (NixOS) / =DORE= (Windows) :PROPERTIES: :CUSTOM_ID: boschic diff --git a/hive.nix b/hive.nix index 22407ef07..73bba8ca6 100644 --- a/hive.nix +++ b/hive.nix @@ -33,12 +33,5 @@ in "@us-east" ]; }; - moraine = { - tags = [ - "@seadome" - "@tso" - ]; - targetUser = "anomich"; - }; }; } 
diff --git a/home/profiles/ssh.nix b/home/profiles/ssh.nix index 4d037ff31..f33510b35 100644 --- a/home/profiles/ssh.nix +++ b/home/profiles/ssh.nix @@ -13,7 +13,6 @@ in matchBlocks = { "gabbro".hostname = "${hosts.gabbro.ipv6.address}::1"; "hierophant".hostname = "${hosts.hierophant.ipv6.address}::1"; - "moraine".hostname = "${hosts.moraine.ipv6.address}::1"; "platauc".hostname = "${hosts.platauc.ipv6.address}::1"; "synoxyn" = { diff --git a/lib/src/sops.nix b/lib/src/sops.nix index f1b5492b5..ef5c55ff3 100644 --- a/lib/src/sops.nix +++ b/lib/src/sops.nix @@ -39,7 +39,6 @@ let "gabbro" "hierophant" "hodgepodge" - "moraine" "ryosuke" "tuvok" ]; @@ -71,7 +70,7 @@ in { path_regex = "secrets\/storm\.observer\.secrets\.yaml$"; key_groups = l.singleton { - age = [ keys.age.moraine ] ++ adminKeys.age; + age = [ ] ++ adminKeys.age; inherit (adminKeys) pgp; }; } diff --git a/machines/moraine/README.md b/machines/moraine/README.md deleted file mode 100644 index 5878f317e..000000000 --- a/machines/moraine/README.md +++ /dev/null 
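Review bot: The new line `age = [ ] ++ adminKeys.age;` in the storm.observer creation rule keeps a concatenation with an empty list that no longer does anything; `age = adminKeys.age;` is the intended shape. Narrowing a rule's recipient set also does not touch the already-encrypted `secrets/storm.observer.secrets.yaml`, which is not part of this diff: its data key stays wrapped for the removed age recipient until `sops updatekeys` is run against that file, so I cannot tell from here whether it was re-keyed as part of the decommission. The deleted `machines/moraine/secrets/secrets.yaml` likewise remains in history (expected for sops-managed files), so any deluge or TLS credentials it held that are also used on another host would be worth rotating alongside this removal.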
@@ -1,136 +0,0 @@ -# moraine - -## Layout - -Loosely based on TRaSH's advice [link](https://trash-guides.info/Hardlinks/How-to-setup-for/ - -```shell-session -sudo chown -R $USER:$USER /data -sudo chmod -R a=,a+rX,u+w,g+w /data -``` - -```txt -. -├── mnt # │ │ │ │ │ │ -│ └── silo # │ │ │ │ │ [5] rclone mount of storage box -└── srv # │ │ │ │ │ │ - └── data # │ │ │ │ │ │ - ├── media # │ │ │ │ │ │ - │ ├── incoming # │ │ │ │ [4] queued for starr processing - │ └── library # │ │ │ │ │ [5] symlink: /mnt/silo/data (tbd: unionfs) - │ ├── movies # │ │ │ │ │ [5] target for radarr - │ ├── music # │ │ │ │ │ [5] target for lidarr - │ ├── other # │ │ │ │ │ [5] tbd (archival, oddities) - │ └── tv # │ │ │ │ │ [5] target for sonarr - └── torrents # │ │ │ │ │ │ - ├── complete # │ │ │ [3] │ │ - ├── incoming # │ [1] │ │ │ │ - ├── metadata # │ │ [2] meta-info files for active torrents - └── watch # [0] torrent meta-info file intake -``` - -### `/mnt` - -[FHS: 3.12. /mnt : Mount point for a temporarily mounted filesystem](https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s12.html) - -> This directory is provided so that the system administrator may -> temporarily mount a filesystem as needed. The content of this -> directory is a local issue and should not affect the manner in which -> any program is run. -> -> This directory must not be used by installation programs: a suitable -> temporary directory not in use by the system must be used instead. - -### `/srv` - -[FHS: 3.17. /srv : Data for services provided by this system](https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s17.html) - -> This main purpose of specifying this is so that users may find the -> location of the data files for a particular service, and so that -> services which require a single tree for readonly data, writable -> data and scripts (such as cgi scripts) can be reasonably placed. -> Data that is only of interest to a specific user should go in that -> users' home directory. 
If the directory and file structure of the -> data is not exposed to consumers, it should go in `/var/lib`. - -## Hardware Data - -### Overview - -```txt - CPU1: AMD Ryzen 7 7700 8-Core Processor (Cores 16) - Memory: 63458 MB - Disk /dev/nvme0n1: 1024 GB (=> 953 GiB) - Disk /dev/nvme1n1: 1024 GB (=> 953 GiB) - Disk /dev/sda: 16 TB (=> 14 TiB) - Disk /dev/sdb: 16 TB (=> 14 TiB) - Total capacity 30 TiB with 4 Disks - -Network data: - eth0 LINK: yes - MAC: *************** - IP: *************** - IPv6: 2a01:4f8:200:5047::2/64 - RealTek RTL-8169 Gigabit Ethernet driver -``` - -### Filesystems - -```txt -$ sudo lsblk --fs - -NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS -sda -└─sda1 btrfs local 3977e543-92a3-492d-92cc-20e79bf14654 29.1T 0% /mnt/local/downloads/torrents - /mnt/local/backups - /mnt/local/downloads/completed - /mnt/local/Media -sdb -└─sdb1 btrfs local 3977e543-92a3-492d-92cc-20e79bf14654 -nvme0n1 -├─nvme0n1p1 -├─nvme0n1p2 vfat FAT32 boot 64F0-05C1 - 972.7M 5% /boot -└─nvme0n1p3 btrfs nixos 19574e5d-7a98-4182-8215-4632a7a82f77 1.9T 0% /home - /nix/store - /var/log - /nix - /persist - / -nvme1n1 -├─nvme1n1p1 -├─nvme1n1p2 vfat FAT32 boot-2 66FE-10AC -└─nvme1n1p3 btrfs nixos 19574e5d-7a98-4182-8215-4632a7a82f77 -``` - -#### Subvolumes - -```sh-session -$ sudo btrfs subvolume list / - -ID 256 gen 14116 top level 5 path @root -ID 258 gen 12635 top level 5 path @store -ID 259 gen 14116 top level 5 path @log -ID 260 gen 14116 top level 5 path @home -ID 261 gen 10 top level 5 path @persist -ID 262 gen 11 top level 5 path @mysql -ID 263 gen 12 top level 5 path @postgres -ID 264 gen 13 top level 5 path @root-blank -ID 269 gen 29 top level 256 path srv -ID 270 gen 30 top level 256 path var/lib/portables -ID 271 gen 31 top level 256 path var/lib/machines -ID 272 gen 14094 top level 256 path tmp -``` - -## Errata - -### References - -- [TRaSH-Guides](https://trash-guides.info/) - -### Potential issues with RealTek r8169 NIC - -[Hang Up with Realtek r8169-r8168 
NIC - Hetzner Docs](https://docs.hetzner.com/robot/dedicated-server/operating-systems/realtek-r8169-r8168-nic) - -> The system loses the network connection because the network card hangs up. The -> TCP segmentation offload of the NICs is defective and must be deactivated. diff --git a/machines/moraine/bin/README.org.gpg b/machines/moraine/bin/README.org.gpg deleted file mode 100644 index dd0dbd560..000000000 Binary files a/machines/moraine/bin/README.org.gpg and /dev/null differ diff --git a/machines/moraine/bin/provision.sh b/machines/moraine/bin/provision.sh deleted file mode 100644 index 00a58f19f..000000000 --- a/machines/moraine/bin/provision.sh +++ /dev/null 
@@ -1,295 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail -IFS=$'\n\t' - -# Provisions NixOS on a customised Hetzner AX52 server, wiping the server. -# -# CPU: AMD Ryzen™ 7 7700 -# RAM: 64 GB DDR5 (+ECC) -# Storage: 2 x 1TB NVMe SSD (+ 2 x 16TB HDD) - -export LC_ALL=C - -apt update -y -apt install -y dpkg-dev "linux-headers-$(uname -r)" linux-image-amd64 sudo parted -apt install -y kitty-terminfo - -###: CONFIGURATION ======================================================= - -export NEW_HOSTNAME=moraine - -##: --- Devices --- - -export FSOPTS="defaults,x-mount.mkdir,noatime" -export BTRFSOPTS="${FSOPTS},compress=zstd" - -# Preserve the Cloudbox/Saltbox `/mnt/local/` structure for easier reference. -# Mounting a non-root fs under `/mnt` also seems like best practice. -export LOCAL_PREFIX="/mnt/mnt/local" - -# boot/root -export NVME01="/dev/nvme0n1" -export NVME02="/dev/nvme1n1" - -# local data -export HDD01="/dev/sda" -export HDD02="/dev/sdb" - -export NVMEXX=( - "$NVME01" - "$NVME02" -) - -export HDDXX=( - "$HDD01" - "$HDD02" -) - -export BIOS_PART=1 -export EFI_PART=2 -export ROOT_PART=3 - -export BOOT_DEV="${NVME01}p${EFI_PART}" - -##: --- Helper Functions --- - -# Wrapper for parted >= 3.3 that does not exit 1 when it cannot inform -# the kernel of partitions changing (we use partprobe for that). -parted_nice() { - parted "$@" 2>parted-stderr.txt || { - grep "unable to inform the kernel of the change" parted-stderr.txt \ - || echo >&2 "Parted failed; stderr: $( -# -# We use `>` because the file may already contain some detected RAID arrays, -# which would take precedence over our ``. 
-echo 'AUTO -all -ARRAY UUID=00000000:00000000:00000000:00000000' \ - >/etc/mdadm/mdadm.conf - -##: --- PRIMARY LAYOUT -------------------------------------------------------- - -# FIXME: use sfdisk -function mkPrimaryLayout() { - local nvme=$1 - - sgdisk --zap-all "$nvme" - parted_nice --script "$nvme" mklabel gpt - # Wipe any previous RAID/ZFS signatures - wipefs --all --force "$nvme" - - sgdisk -n1:0:+2M -t1:EF02 "$nvme" # bios - sgdisk -n2:0:+1G -t2:EF00 "$nvme" # boot (efi) - sgdisk -n3:0:0 -t3:8300 "$nvme" # root - - partprobe - - # Wait for all required devices to exist - udevadm settle --timeout=5 --exit-if-exists="${nvme}p2" - udevadm settle --timeout=5 --exit-if-exists="${nvme}p3" -} - -for nvme in "${NVMEXX[@]}"; do - mkPrimaryLayout "${nvme}" -done - -mkfs.fat -F 32 -n boot "$BOOT_DEV" - -# No real practical use except to match partition layout. -mkfs.fat -F 32 -n boot-2 "${NVME02}p${EFI_PART}" - -# NOTE: The actual filesystem will be mounted just prior to NixOS installation. -mkdir -p /mnt/boot - -##: --- 3: NixOS --- - -mkfs.btrfs --force \ - --label nixos \ - --data single \ - --metadata raid1 \ - "${NVME01}p3" \ - "${NVME02}p3" - -btrfs device scan - -mkdir -p /mnt -mount -t btrfs LABEL=nixos /mnt - -# Subvolume basename should begin with `@` to distinguish it from a normal path. -# -btrfs subvolume create /mnt/@root -btrfs subvolume create /mnt/@store -btrfs subvolume create /mnt/@log -btrfs subvolume create /mnt/@home -btrfs subvolume create /mnt/@persist -btrfs subvolume create /mnt/@mysql -btrfs subvolume create /mnt/@postgres - -# Create a read-only snapshot of the `@root` subvolume for impermanace. 
-btrfs subvolume snapshot -r /mnt/@root /mnt/@root-blank - -btrfs subvolume list -a /mnt -umount /mnt - -mount -t btrfs -o "subvol=@root,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt - -mount -t btrfs -o "subvol=@store,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt/nix - -mount -t btrfs -o "subvol=@log,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt/var/log - -mount -t btrfs -o "subvol=@home,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt/home - -mount -t btrfs -o "subvol=@persist,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt/persist - -mount -t btrfs -o "subvol=@mysql,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt/var/lib/mysql - -mount -t btrfs -o "subvol=@postgres,ssd,${FSOPTS}" LABEL="nixos" \ - /mnt/var/lib/postgres - -# Creating file systems changes their UUIDs. -# Trigger udev so that the entries in /dev/disk/by-uuid get refreshed. -# `nixos-generate-config` depends on those being up-to-date. -# See https://github.com/NixOS/nixpkgs/issues/62444 -udevadm trigger - -btrfs subvolume list -a /mnt - -##: --- SECONDARY LAYOUT ------------------------------------------------------- - -function mkSecondaryLayout() { - local hdd=$1 - - sgdisk --zap-all "$hdd" - parted_nice --script "$hdd" mklabel gpt - # Wipe any previous RAID/ZFS signatures - wipefs --all --force "$hdd" - - sgdisk -n1:0:0 -t1:8300 "$hdd" - - partprobe - - # Wait for all devices to exist - udevadm settle --timeout=5 --exit-if-exists="${hdd}1" -} - -for hdd in "${HDDXX[@]}"; do - mkSecondaryLayout "$hdd" -done - -lsblk - -mkfs.btrfs --force \ - --label local \ - --data raid0 \ - --metadata raid1 \ - "${HDD01}1" \ - "${HDD02}1" - -udevadm trigger -btrfs device scan - -mkdir -p "${LOCAL_PREFIX}" -mount -t btrfs LABEL=local "${LOCAL_PREFIX}" -btrfs subvolume create "${LOCAL_PREFIX}/@backups" -btrfs subvolume create "${LOCAL_PREFIX}/@completed" -btrfs subvolume create "${LOCAL_PREFIX}/@torrents" -btrfs subvolume create "${LOCAL_PREFIX}/@media" -btrfs subvolume list -a "${LOCAL_PREFIX}" -umount "${LOCAL_PREFIX}" - -mount -t btrfs -o 
"subvol=@backups,${FSOPTS}" LABEL="local" \ - "${LOCAL_PREFIX}/backups" -mount -t btrfs -o "subvol=@completed,${FSOPTS}" LABEL="local" \ - "${LOCAL_PREFIX}/downloads/completed" -mount -t btrfs -o "subvol=@torrents,${FSOPTS}" LABEL="local" \ - "${LOCAL_PREFIX}/downloads/torrents" -mount -t btrfs -o "subvol=@media,${FSOPTS}" LABEL="local" \ - "${LOCAL_PREFIX}/Media" - -# Repeat mkdir since `/mnt` has since been umounted. -mkdir -p /mnt/boot -mount "$BOOT_DEV" /mnt/boot - -###: INSTALL NIX =============================================================== - -mkdir -p /etc/nix -# Let root run nix -echo "build-users-group =" >/etc/nix/nix.conf - -curl -L https://nixos.org/nix/install | sh - -# Make Nix available for immediate usage. -# -# As this is a third-party script, sourcing may refer to unset variables, so -# loosen up "strict mode". -# -# TODO: is it really necessary to set `+x`? -set +u +x -# shellcheck disable=SC1091 -. "$HOME/.nix-profile/etc/profile.d/nix.sh" -set -u -x - -echo "experimental-features = nix-command flakes" >>/etc/nix/nix.conf - -nix-channel --add https://nixos.org/channels/nixos-23.05 nixpkgs -nix-channel --add https://nixos.org/channels/nixos-23.05 nixos -nix-channel --update - -# Open a Nix shell with the NixOS installation dependencies. 
-nix-env -f '' -iA nixos-install-tools - -###: PREPARE NIXOS CONFIGURATION =============================================== - -git clone https://git.sr.ht/~montchr/dotfield /mnt/etc/nixos \ - -b add-moraine -ln -s /mnt/etc/nixos /mnt/etc/dotfield - -nixos-generate-config --root /mnt - -nix build "/mnt/etc/nixos#nixosConfigurations.${NEW_HOSTNAME}.config.system.build.toplevel" - -export NIX_PATH=${NIX_PATH:+$NIX_PATH:}$HOME/.nix-defexpr/channels - -# FIXME: it seems `--flake` fails when installed by this method -# > /nix/var/nix/profiles/system/sw/bin/bash: line 10: umount: command not found -# not only in the above example, but several other missing mount/umount errors -# PATH="$PATH:/usr/sbin:/sbin" NIX_PATH="$NIX_PATH" "$(which nixos-install)" \ -# --no-root-passwd \ -# --root /mnt \ -# --flake "/mnt/etc/nixos#${NEW_HOSTNAME}" \ -# --max-jobs "$(nproc)" \ -# --impure - -PATH="$PATH:/usr/sbin:/sbin" NIX_PATH="$NIX_PATH" "$(which nixos-install)" \ - --no-root-passwd \ - --root /mnt \ - --max-jobs "$(nproc)" diff --git a/machines/moraine/default.nix b/machines/moraine/default.nix deleted file mode 100644 index f87b813b9..000000000 --- a/machines/moraine/default.nix +++ /dev/null 
@@ -1,36 +0,0 @@
-{ pkgs, ops, ... }:
-let
- inherit (ops) hosts;
-in
-{
- imports = [
- ./filesystems.nix
- ./network.nix
- ./secrets/sops.nix
- ./users/anomich.nix
-
- ./services/deluge/daemon.nix
- ./services/deluge/web-ui.nix
-
- #./services/lidarr.nix
- #./services/ombi.nix
- #./services/prowlarr.nix
- ];
-
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
-
- environment.systemPackages = [ pkgs.borgbackup ];
-
- dotfield.guardian.enable = true;
- dotfield.guardian.username = "anomich";
- users.mutableUsers = false;
- users.users.root.openssh.authorizedKeys.keys =
- hosts.boschic.users.seadoom.keys ++ hosts.tuvix.users.cdom.keys ++ hosts.ryosuke.users.cdom.keys;
-
- # This value determines the NixOS release with which your system is to be
- # compatible, in order to avoid breaking some software such as database
- # servers. You should change this only after NixOS release notes say you
- # should.
- system.stateVersion = "23.05"; # Did you read the comment?
-}
diff --git a/machines/moraine/disk-config.nix b/machines/moraine/disk-config.nix
deleted file mode 100644
index 8a688bf91..000000000
--- a/machines/moraine/disk-config.nix
+++ /dev/null
@@ -1,70 +0,0 @@ -# FIXME: unused, possibly not feasible as of [2023-06-10]: -# Source: -{ lib, ... }: -{ - disk = - lib.genAttrs - [ - "/dev/nvme0n1" - "/dev/nvme1n1" - ] - (disk: { - type = "disk"; - device = disk; - content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "0"; - end = "2M"; - part-type = "primary"; - flags = [ "bios_grub" ]; - } - { - name = "ESP"; - start = "2M"; - end = "1GiB"; - fs-type = "fat32"; - bootable = true; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - } - { - name = "nixos"; - start = "1GiB"; - end = "100%"; - content = { - type = "btrfs"; - name = "nixos"; - }; - } - ]; - }; - }); - # mdadm = { - # boot = { - # type = "mdadm"; - # level = 1; - # metadata = "1.0"; - # content = { - # type = "filesystem"; - # format = "vfat"; - # mountpoint = "/boot"; - # }; - # }; - # nixos = { - # type = "mdadm"; - # level = 1; - # content = { - # type = "filesystem"; - # format = "ext4"; - # mountpoint = "/"; - # }; - # }; - # }; -} diff --git a/machines/moraine/filesystems.nix b/machines/moraine/filesystems.nix deleted file mode 100644 index 1751fd3f8..000000000 --- a/machines/moraine/filesystems.nix +++ /dev/null 
@@ -1,133 +0,0 @@ -let - commonOpts = [ - "noatime" - "x-mount.mkdir" - "compress=zstd" - ]; -in -{ - boot.supportedFilesystems = [ "btrfs" ]; - - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@root" - "ssd" - ]; - }; - - fileSystems."/nix" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@store" - "ssd" - ]; - }; - - fileSystems."/var/log" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@log" - "ssd" - ]; - neededForBoot = true; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@home" - "ssd" - ]; - }; - - fileSystems."/persist" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@persist" - "ssd" - ]; - neededForBoot = true; - }; - - fileSystems."/var/lib/mysql" = { - device = "/dev/disk-by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@mysql" - "ssd" - "nofail" - ]; - }; - - fileSystems."/var/lib/postgres" = { - device = "/dev/disk-by-label/nixos"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@postgres" - "ssd" - "nofail" - ]; - }; - - fileSystems."/mnt/local/backups" = { - device = "/dev/disk/by-label/local"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@backups" - "nofail" - ]; - }; - - fileSystems."/mnt/local/downloads/completed" = { - device = "/dev/disk/by-label/local"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@completed" - "nofail" - ]; - }; - - fileSystems."/mnt/local/downloads/torrents" = { - device = "/dev/disk/by-label/local"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@torrents" - "nofail" - ]; - }; - - fileSystems."/mnt/local/Media" = { - device = "/dev/disk/by-label/local"; - fsType = "btrfs"; - options = commonOpts ++ [ - "subvol=@media" - "nofail" - ]; - }; - - 
fileSystems."/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - }; - - # Note that `/dev/disk/by-uuid` is not compatible with `randomEncryption` - # because the UUID will change on every boot. - # https://github.com/NixOS/nixpkgs/blob/c06d5fa9c605d143b15cafdbbb61c7c95388d76e/nixos/modules/config/swap.nix#L24-L26 - # FIXME: update uuids - # swapDevices = [ - # { - # # device = "/dev/disk/by-uuid/5881331f-7c23-452b-8562-c9103098dce8"; - # # randomEncryption.enable = true; - # } - # { - # # device = "/dev/disk/by-uuid/80b1fe3d-96f0-45c6-9787-80de4570906c"; - # # randomEncryption.enable = true; - # } - # ]; -} diff --git a/machines/moraine/network.nix b/machines/moraine/network.nix deleted file mode 100644 index e68d639df..000000000 --- a/machines/moraine/network.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - config, - ops, - flake, - ... -}: -let - inherit (config.networking) hostName; - inherit (ops.hosts.${hostName}) ipv6; - l = flake.inputs.nixpkgs.lib // builtins; -in -{ - # TODO: the value here can be generalised to any host, maybe make reusable - systemd.network.networks."10-uplink".networkConfig.Address = "${ipv6.address}::/${l.toString ipv6.prefixLength}"; -} diff --git a/machines/moraine/secrets/secrets.yaml b/machines/moraine/secrets/secrets.yaml deleted file mode 100644 index 2cbb336d8..000000000 --- a/machines/moraine/secrets/secrets.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -users: - anomich: - hashed-password: ENC[AES256_GCM,data:lOum0E34W/y6KiDE+JxDZ0LNpJrtFbSqSFDvUt4j/MbBdzFQe/Ytq8dlJHcoQ1uibckCtDn4GOnVodP17BFXjrAEtuZO3FYjCg==,iv:1MbIqZlw2/HYtv5z+nUnsRKR6NSETTdiZhDNaFNHkgY=,tag:nyP0GrJDixqhzJdErCIprw==,type:str] -services: - deluge: - auth-file: ENC[AES256_GCM,data:xHm4Ustmwsy1QuzBs/tKQwpMdriV7YPzBe+gOGwawu33KrWADftP1R2wrpA00dccGMpyhB9puWhUdp8tbNwL5LJK1yh+RT9upZdPp8tJNnc7NIq2uSFWelDjTP9k85l0gZV75fhGBa7TDhff9m5ScOakj5+P61VQl/tZ5Vy1/A==,iv:iJB9PZNX/hMs26LyKL9puTr1hwiKpIXoKVph0pjOAHQ=,tag:C2ChWnnMKb4iQ/6Iu56thw==,type:str] - http-basic-auth: ENC[AES256_GCM,data:VAlSWkrorowrWSkhdis4B0ddaLm82cr4oArkrW/omXVN3+WGFsnswnQ4hGMlMVpWIBOREN3NHxjneYvbcZsgEC8NnIrd4LZ3rmcLuZGttBcyIO07EB2A1WKlNM6BMaDM0rJam+b4+A==,iv:lSian5FCgKh/KsCjxt6QPGRlp7WT3hhQSwQSjGn7xcg=,tag:FKThburu+/Bosdo4vMhpIQ==,type:str] - ssl-cert: ENC[AES256_GCM,data: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,iv:6R76OzLxDVRYWb0fLvwI3D/rWKHgftsFaj+TW6IzWuc=,tag:nNSonIqMFF71xB48ck9SkA==,type:str] - ssl-key: ENC[AES256_GCM,data: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,iv:pLnpZoium4WJ8xVrfi3n3CowR91bUl3Ndy8Z6NGTFRY=,tag:n4CYTNjFRERtNbpisqyu6w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1dl25evn7gstv4t48na8ypxhtxgpf67zfk2v0n3g9fkna8vx3cavsm868ly - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZW9PSVhzVStKUDhqTi9M - TTNwOWovYi8rWTNkQUxPaHQ0UmFZaUpxbmhzCjFpRzdMWU5lcS9NaXc3aUpFUFNz - VHY1bjF5VVN1QzFjd2hPZ2RQVTZMV0kKLS0tIDRpdmhpNHBuS1lmd1NQVitHV0NJ - MnNWYlZNZVB5OXFtM2x1d0pmY1RGNXMKN57nqEuKra5U+gdsZj41iV7JvWuT5rRj - QoJKC8Nww6t5+DU4kHlucM2QKyfXpQPSJ9MeoI1UQYhcMJEVT+gOKQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age15yyjuhudx0qaxrgshap4uwylvc6gek5dev7wsvc0zn32v6easp4qmyffmg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UTZXeWQ0MU1ZRlFlYWNw - 
Sm5PNlI4Vm9VMHpnQ3E4MkJTZnZ4bnVoRVQ4CmhwWm9nQnlNZ3VSQ2YzLzlHbkhQ - bGlWQi9Od2pyWnVWU2JmUnV2S0ZEeW8KLS0tIE94eUhSbjhXZVEzUU1mTWE3bkVD - Y2JzaG5IamlvWHB3aFZTTnl3Q3FXUjAKCMjTJ2yw4VHWqcGeTH/ch9WffYi9+lj4 - 5/4xT1w0maOFm5P2P8wv3fft2NNPKUSavhBDoAerttQ2oZDKBHew5w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-04T06:59:12Z" - mac: ENC[AES256_GCM,data:zYYPa3+yu3WTCETzSaN8STM1BUHotAxSd0LJTJbQjVvAedGAnCsfthl6cGiqi4PdTnSE0cHdzkYpUQ2L86gpy2w1ygpnGWbJpjCF8Sht8zKKfpuxdPqrf4p1YVo/6K/dBrAPUTkdyxz3L+cHs7gc6BPpLLvYXALV3NaGYyLCjZs=,iv:2EPkW7X0lIJtZnNQKZZCR7ykCOYxOM4mQkK0L18p5eA=,tag:nUjStiLdfS9BaTSBB9qXwg==,type:str] - pgp: - - created_at: "2023-07-01T21:34:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA+eFmb1k5uWOAQ/+MxjaHdeJ3OLw03arVKZcB5mfz3TrHFudhrEUhHprfJV6 - Sr4Ox8HtiBjUXucIIRhbsG//RWRwTgPi/sxW6grP8JeMYr1arbc2AyM+3eFUibj7 - nk8XQ0l5WCacajaBZcvs7I00Enbubn013Jh4W2o6+mDMIa3IEOIExX5/YcjiFDNy - 9YH2/yYFqECcvJP64kaR4oXBLXNsSsfkvUTVRmkM4XMi9YBrAz2DmAuvs+UbCFqT - qZi3CJno7xyTwpSiIPfKPn1/EVFs21bu8iIGYbFv+zwd32/KPpZe6EUeKlLYwiXO - Vjh7eyzofajHPGVFyNH82egSZ8tOn+/S6gTOz7eZpZ7HQkxsbgR9LxHtCBfBQCC1 - ThOH915829RDzP90QhN8q9qwSD4fb+uq24X9HS+FnNupMjg2xGKFmITG8t5jd/uD - ZHbI3+8pyCOqqb12Dj/KSMFSHakKue8tgJsFA6perYcQbopLTGgJhLi0eD+YzXEj - 8+rBwwQ78zeSYbwqRBrn+bTicByKBR4eeyUuJZjJJ97jqEnAYIGD/rMhxm5XXm6/ - 8PCOCViQF7srkWc4eMgFhKrY1ExQhXV6wvKowzRO9FxvsdDJhG0TAr2GQtQ/qMmW - /oCNGUNrDbhgPor7wvGmoEV4K6/pBGhGTLD4WHv1ohcJXWV1Fqx1fEIuZiWd7DPS - UQGjdJoRoyRv7NgYLmdoWX6/gy+JRFpORXtg1dNpnVecVpzUIVDgLgMVgripqUjx - zjOVhoO4OcpBLTStC/xdkZc1G7U61ikowT3aK0LASUh8CQ== - =ykOS - -----END PGP MESSAGE----- - fp: 64604147C434F65EC306A21F135EEDD0F71934F3 - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/machines/moraine/secrets/sops.nix b/machines/moraine/secrets/sops.nix deleted file mode 100644 index 197f8f963..000000000 --- a/machines/moraine/secrets/sops.nix +++ /dev/null @@ -1 +0,0 @@ -{ sops.defaultSopsFile = ./secrets.yaml; } 
diff --git a/machines/moraine/services/deluge/daemon.nix b/machines/moraine/services/deluge/daemon.nix
deleted file mode 100644
index ec843f6cb..000000000
--- a/machines/moraine/services/deluge/daemon.nix
+++ /dev/null
@@ -1,127 +0,0 @@ -{ config, ... }: -let - inherit (config.sops) secrets; - inherit (config.users) users groups; - - cfg = config.services.deluge; - - user = users.${cfg.user}; - baseDir = "/srv/data/torrents"; -in -{ - users.users.${cfg.user}.extraGroups = [ groups."keys".name ]; - - sops.secrets."services/deluge/auth-file" = { - owner = user.name; - inherit (user) group; - # deluged will try to enforce this mode. - # - mode = "0400"; - path = "${cfg.dataDir}/auth-file"; - restartUnits = [ - "deluged.service" - "delugeweb.service" - ]; - }; - - networking.firewall.allowedTCPPorts = [ cfg.config.daemon_port ]; - - services.deluge = { - enable = true; - declarative = true; - openFirewall = true; - # NOTE: auth file requires `localclient::10`, at least on first run - # TODO: this should be fixed or noted in the upstream NixOS module, - # though there is very little evidence explaining this requirement/oddity. - authFile = secrets."services/deluge/auth-file".path; - - # TRaSH-Guides: : - # all options+defaults: - config = { - ##: downloads - download_location = "${baseDir}/incoming"; - prioritize_first_last_pieces = true; - pre_allocate_storage = true; - torrentfiles_location = "${baseDir}/metadata"; - copy_torrent_file = true; - move_completed_path = "${baseDir}/completed"; - move_completed = true; - - ##: plugins (by name) - # - enabled_plugins = [ - # Enable watch directory support. - "AutoAdd" - "Execute" - # High-volume libtorrent optimisations. 
- # - # - # TODO: configure - "ItConfig" - "Label" - ]; - - ##: network (incoming aka "listening") - listen_ports = [ - 58112 - 58112 - ]; - random_port = false; - - ##: network (outgoing) - outgoing_ports = [ - 0 - 0 - ]; - random_outgoing_ports = true; - - ##: network (encryption) - enc_in_policy = 1; # "Enabled" - enc_out_policy = 1; # "Enabled" - enc_level = 2; # "Full Stream" - - ##: network (extras) - upnp = false; - natpmp = false; - dht = false; - lsd = false; - utpex = false; - - ##: bandwidth (global) - max_connections_global = -1; - max_upload_slots_global = -1; - max_download_speed = -1; - max_upload_speed = -1; - max_half_open_connections = 128; - max_connections_per_second = 128; - ignore_limits_on_local_network = true; - rate_limit_ip_overhead = true; - - ##: bandwidth (per-torrent) - max_connections_per_torrent = -1; - max_upload_slots_per_torrent = -1; - max_download_speed_per_torrent = -1; - max_upload_speed_per_torrent = -1; - - ##: queue - dont_count_slow_torrents = true; - queue_new_to_top = false; - max_active_downloading = 8; - # do not enforce tracker-hampering seed caps - max_active_limit = -1; - max_active_seeding = -1; - remove_seed_at_ratio = false; - seed_time_limit = -1; - seed_time_ratio_limit = -1; - - ##: daemon - allow_remote = true; - daemon_port = 58846; - - ##: miscellaneous - # disable sending analytics to deluge devs - send_info = false; - new_release_check = false; - }; - }; -} diff --git a/machines/moraine/services/deluge/web-ui.nix b/machines/moraine/services/deluge/web-ui.nix deleted file mode 100644 index a5ebb9faf..000000000 --- a/machines/moraine/services/deluge/web-ui.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ config, ... }: -let - inherit (config.users) users; - inherit (config.sops) secrets; - - nginxCfg = config.services.nginx; - nginxUser = users.${nginxCfg.user}.name; - nginxGroup = users.${nginxCfg.user}.group; - cfg = config.services.deluge; -in -{ - services.deluge.web.enable = true; - # Keep firewall closed -- use reverse proxy. - services.deluge.web.openFirewall = false; - services.deluge.web.port = 8112; # default - - sops.secrets."services/deluge/ssl-cert" = { - owner = nginxUser; - group = nginxGroup; - }; - - sops.secrets."services/deluge/ssl-key" = { - owner = nginxUser; - group = nginxGroup; - }; - - sops.secrets."services/deluge/http-basic-auth" = { - owner = nginxUser; - group = nginxGroup; - }; - - services.nginx.virtualHosts."deluge.storm.observer" = { - enableACME = true; - forceSSL = true; - basicAuthFile = secrets."services/deluge/http-basic-auth".path; - locations."/".proxyPass = "http://localhost:${toString cfg.web.port}"; - }; -} diff --git a/machines/moraine/services/lidarr.nix b/machines/moraine/services/lidarr.nix deleted file mode 100644 index 40a4d0502..000000000 --- a/machines/moraine/services/lidarr.nix +++ /dev/null @@ -1,7 +0,0 @@ -_: { - services.lidarr = { - enable = true; - openFirewall = true; - dataDir = "/mnt/local/Media/Music"; - }; -} diff --git a/machines/moraine/services/ombi.nix b/machines/moraine/services/ombi.nix deleted file mode 100644 index 913955087..000000000 --- a/machines/moraine/services/ombi.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ config, ... }: -let - cfg = config.services.ombi; -in -{ - services.ombi = { - enable = true; - openFirewall = true; - port = 5081; - }; - services.nginx.virtualHosts."requests.stormobservatory.com" = { - # enableACME = true; - # addSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; - }; - }; -} 
diff --git a/machines/moraine/services/prowlarr.nix b/machines/moraine/services/prowlarr.nix deleted file mode 100644 index e4dc90b46..000000000 --- a/machines/moraine/services/prowlarr.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - services.prowlarr.enable = true; - services.prowlarr.openFirewall = true; -} diff --git a/machines/moraine/users/anomich.nix b/machines/moraine/users/anomich.nix deleted file mode 100644 index 8bb7e523b..000000000 --- a/machines/moraine/users/anomich.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ - config, - ops, - pkgs, - ... -}: -let - username = "anomich"; -in -{ - sops.secrets."users/${username}/hashed-password".neededForUsers = true; - - users.users.${username} = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - hashedPasswordFile = config.sops.secrets."users/${username}/hashed-password".path; - openssh.authorizedKeys.keys = ops.users.cdom.keys.default; - # Loads fish shell on interactive init. - shell = pkgs.bashInteractive; - }; - - home-manager.users.${username} = hmArgs: { - imports = [ hmArgs.profiles.shells.fish.trampoline ]; - home.packages = [ ]; - home.stateVersion = "23.05"; - }; -} diff --git a/nixos/default.nix b/nixos/default.nix index bae4d978d..813e445a6 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -123,26 +123,6 @@ in ]; }; - moraine = makeNixosSystem "moraine" { - system = "x86_64-linux"; - modules = [ - ./mixins/server.nix - - srvos.nixosModules.server - srvos.nixosModules.hardware-hetzner-online-amd - srvos.nixosModules.mixins-nginx - srvos.nixosModules.mixins-terminfo - srvos.nixosModules.mixins-tracing - srvos.nixosModules.mixins-trusted-nix-caches - # TODO: needs additional config - srvos.nixosModules.mixins-telegraf - - # FIXME: needs security before enable - # profiles.monitoring.prometheus - # profiles.monitoring.telegraf - ]; - }; - boschic = makeNixosSystem "boschic" { system = "x86_64-linux"; modules = [ diff --git a/ops/data/hosts.nix b/ops/data/hosts.nix index bbbd30fa1..659e8927a 100644 
--- a/ops/data/hosts.nix
+++ b/ops/data/hosts.nix
@@ -74,23 +74,6 @@ in
 networks.ts = "100.71.240.35";
 users.seadoom.keys = [ keys.ssh.seadoom-at-hodgepodge ];
 };
- moraine = {
- age = keys.age.moraine;
- ipv6 = hetznerIp6 "2a01:4f8:200:5047";
- keys = [
- keys.ssh.moraine
- keys.ssh.moraine-rsa
- ];
- network = "tso";
- networks.ts = {
- ipv4.address = "100.101.74.89";
- ipv6.address = "fd7a:115c:a1e0:ab12:4843:cd96:6265:4a59";
- };
- users.anomich = {
- age = keys.age.anomich-at-moraine;
- keys = [ keys.ssh.anomich-at-moraine ];
- };
- };
 platauc = {
 ipv4.address = "78.46.148.56";
 ipv6 = hetznerIp6 "2a01:4f8:c0c:591c";
diff --git a/ops/data/keys/age/moraine.txt b/ops/data/keys/age/moraine.txt
deleted file mode 100644
index 4fb0a7e08..000000000
--- a/ops/data/keys/age/moraine.txt
+++ /dev/null
@@ -1 +0,0 @@
-age1dl25evn7gstv4t48na8ypxhtxgpf67zfk2v0n3g9fkna8vx3cavsm868ly
\ No newline at end of file
diff --git a/ops/data/keys/ssh/moraine-rsa.pub b/ops/data/keys/ssh/moraine-rsa.pub
deleted file mode 100644
index 3a79be09d..000000000
--- a/ops/data/keys/ssh/moraine-rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCu56Rvtpdr8oPtKT+dru8t/GrqwVtngVIAGGjSRMmg4GBbi8OVx5TkKCNFypJKwx1oCUnIb5f11HVdHukpe/TAjxKlF1kQlXJpaCLszQD5Gdf9SBH8gKrNtoqlsnalaU7faWnbfGoPmMPrd6hNVByslAzrC1OHFiI1vqAmnwh5XdU7Y4r8brScPsG4NoRQ9P3bTNMs4Sk1s0UxMAgziHltG/jlcupQxHx5Zdm2of3wXAWdvrRT3k69aPd6PHs+rQOqZkzuY9vRloKxFSINyTnXnJDlCZis0NzoSoeAdfuWj5xfk795NztCJaazkRSp/4Mg7/hkoWfGvVve5WV+kwOEKpLOWpYHNHUgyABLb7QxZ+Yx/9UGZT91kWVX1KxpSEG7S/Azs327flI+lw3b9kBwYyPIV7A2UztfvCmJmKKKyn1rppUDbICCCQb6ADmwSSvqYsRwDXU0QGyns3sUpNjq0F73QJOIGTTE47+lbEVwYYt3JyXSzl1RaUe7Bw5+mpD1z71EkFuO2Y3BtDaqIbqvjY6rKKT5h+8fw0u+WHcSmZIczncZGLp18qR1PSc4nAlFh0inGMbUQbuqIMYsqmmGkWs71/7rHtvBGBEHq90KYfXXGT3bhzv/Xj0gtUr1XXBEHIV+KAM/4mVBdOowCJiVuRzLyQ7cUYJl+INwi3XZIw== root@moraine
\ No newline at end of file
diff --git a/ops/data/keys/ssh/moraine.pub b/ops/data/keys/ssh/moraine.pub
deleted file mode 100644
index 9849fc592..000000000
--- a/ops/data/keys/ssh/moraine.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK1hnnVzNQ1JJ1TOTOWuxztbCV6EZ4F8xZBrEfOwROVX root@moraine
\ No newline at end of file