Merge pull request #10 from entropia/leona/profile-entropia-cluster-vm

feat(profiles/entropia-cluster-vm): init
entropia · May 7, 2024 · 417299c · 417299c
2 parents 5868b25 + 633b46c
commit 417299c
Show file tree

Hide file tree

Showing 10 changed files with 332 additions and 49 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -3,7 +3,9 @@ keys:
   - &admin_evlli_pgp 56B96D1C10D68F49E31BB8A18092413A3F6DD75F
   - &admin_jcgruenhage_pgp 09E8418B46B53B0F825DE4BE018ACF465280F466
   - &admin_transcaffeine_pgp 5E0A9CB3980657CB9AB94AE6790EAEC8F99AB41F
+  - &admin_leona_pgp EB5CEED62922C6050F9FC85BD5B08ADFC75E3605
   - &host_oob_gayway_age age14ud0wf5nt2y4vh2kddasnqtdyrhl5xcrmh8py60tw9z5cw8xy9wqqyxsp6
+  - &host_abrechnung_age age1tcvenngz4qfgyqpxcrf9xgdygs730h83d4ln6xz99slhnaeek5fsh9xgrx
 
 creation_rules:
   - path_regex: secrets/all/[^/]+\.yaml$
@@ -16,6 +18,29 @@ creation_rules:
           - *admin_jcgruenhage_pgp
           - *admin_transcaffeine_pgp
 
+  - path_regex: secrets/profiles/entropia-cluster-vm.yaml
+    key_groups:
+      - age:
+          - *admin_xanderio_age
+          - *host_abrechnung_age
+        pgp:
+          - *admin_evlli_pgp
+          - *admin_jcgruenhage_pgp
+          - *admin_transcaffeine_pgp
+          - *admin_leona_pgp
+
+
+  - path_regex: secrets/hosts/abrechnung.yaml
+    key_groups:
+      - age:
+          - *admin_xanderio_age
+          - *host_abrechnung_age
+        pgp:
+          - *admin_evlli_pgp
+          - *admin_jcgruenhage_pgp
+          - *admin_transcaffeine_pgp
+          - *admin_leona_pgp
+
   - path_regex: secrets/hosts/oob_gayway.yaml
     key_groups:
       - age:

diff --git a/flake.lock b/flake.lock
diff --git a/hosts/abrechnung/default.nix b/hosts/abrechnung/default.nix
@@ -2,8 +2,8 @@
 
   imports = [
     ./disko.nix
-    ./hardware-configuration.nix
     inputs.disko.nixosModules.disko
+    ../../profiles/entropia-cluster-vm
   ];
 
   entropia.users = [ "leona" ];

diff --git a/hosts/abrechnung/hardware-configuration.nix b/hosts/abrechnung/hardware-configuration.nix
diff --git a/profiles/entropia-cluster-vm/backup.nix b/profiles/entropia-cluster-vm/backup.nix
@@ -0,0 +1,20 @@
+{ config, ... }: {
+  x.sops.secrets."hosts/${config.networking.hostName}/backup_zweitwohnsitz_password" = {};
+
+  services.borgbackup.jobs.zweitwohnsitz = {
+    paths = [ "/var/lib" "/root" ];
+    exclude = [ "'**/.cache'" ];
+    doInit = true;
+    repo =  "ssh://[email protected]/./${config.networking.hostName}.${config.networking.domain}";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat ${config.sops.secrets."hosts/${config.networking.hostName}/backup_zweitwohnsitz_password".path}";
+    };
+    environment = {
+      BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+    };
+    compression = "auto,zlib";
+    startAt = "daily";
+  };
+}
diff --git a/profiles/entropia-cluster-vm/default.nix b/profiles/entropia-cluster-vm/default.nix
@@ -0,0 +1,15 @@
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+    ./backup.nix
+    ./monitoring.nix
+  ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/profiles/entropia-cluster-vm/monitoring.nix b/profiles/entropia-cluster-vm/monitoring.nix
@@ -0,0 +1,48 @@
+{ config, ... }: {
+  x.sops.secrets."profiles/entropia-cluster-vm/vmagent-remote-write-basic-auth-password" = {};
+
+  services.prometheus.exporters.node.enable = true;
+
+  services.vmagent = {
+    enable = true;
+    remoteWrite = {
+      url = "https://stats.entropia.de/prometheus/api/v1/write";
+      basicAuthUsername = "meow";
+      basicAuthPasswordFile = config.sops.secrets."profiles/entropia-cluster-vm/vmagent-remote-write-basic-auth-password".path;
+    };
+    extraArgs = [
+      "-remoteWrite.flushInterval=30s"
+      "-remoteWrite.showURL"
+    ];
+    prometheusConfig = {
+      global = {
+        external_labels = {
+          environment = "prod";
+          instance = "${config.networking.hostName}.entropia.de";
+        };
+        scrape_interval = "1m";
+        scrape_timeout = "10s";
+      };
+      scrape_configs = [
+        {
+          job_name = "vmagent";
+          metrics_path = "/metrics";
+          static_configs = [
+            {
+              targets = [ "127.0.0.1:8429" ];
+            }
+          ];
+        }
+        {
+          job_name = "node";
+          metrics_path = "/metrics";
+          static_configs = [
+            {
+              targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+            }
+          ];
+        }
+      ];
+    };  
+  };
+}
diff --git a/secrets/hosts/abrechnung.yaml b/secrets/hosts/abrechnung.yaml
@@ -0,0 +1,87 @@
+hosts:
+    abrechnung:
+        backup_zweitwohnsitz_password: ENC[AES256_GCM,data:PYkzTEGtg6esZXfaOMk5VyDFAsQ0+xbkXS5pEKrvtmKzL/eNprk/FDiJGhAYICoVP5I0zgvMfGU2WK090Qy9uD9vbG6yxsrq6lhjGwBAgMaN9Yt879obsFIvBHf+TLDIU2PCygHoIUkopTTlF/SEF+w06P66JYl9eqgINRC3nHo=,iv:41JHqA2ua6S6XS9P/ItLpShfl6AZnXmqjbTc+XC2G3s=,tag:6smZNN7MKA/heDPE40Bj+g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1e9yparaev0gxwmherrjpxmfzgqga5eqdw53lrnv05s3ppjgzyceqftnwpx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdFhyc3BsRlhTOFdmQ1BT
+            YXhCNmhCa2dGY1JaNUZjTFduSE9CblRGMTJRCnloNm5jMnduNWVDU1haZnFLRnAz
+            cEl6NFR4bk5zMkw4YkMzdWN6dHk1SU0KLS0tIE91MW5LNks1TVJLdHE0QXVnajM2
+            SEgwbkhsSjdaQVhGVWwwdjdqa3NiS0kKbchCn/8pW6A2BNARVRNCbUTZLsxmFXWR
+            UgGTuxhyMr5/RGLamx4mdY5AIWi+4GGJIdW/k6i8Q7B5x54DMdkK3Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tcvenngz4qfgyqpxcrf9xgdygs730h83d4ln6xz99slhnaeek5fsh9xgrx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eW5KV2ZZYkl6cXFxNm04
+            b05TM09OcTlTa2FJOFRWd29CbEpMSmF4WkZnClhFVDBUWmxKQUo1Z3AxeGVoOGwz
+            QzJyNGt3UDFTZUl6N0ZPWG1IVkREdEUKLS0tIDFZdFJQejEvYk8zSWxTVlZ4Wmdz
+            RkMySzVYU0d3NmJwNEVPT1NNcmxpS1kK+ahIQugzPcovyndhA8f873yGCXi9VH5L
+            ybkC/4ZL082ANAqd+fCqqCa8TDLar5nSSTnWNsC/tMs7cFNSyNjLVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-21T13:40:19Z"
+    mac: ENC[AES256_GCM,data:PakJCP8kB73USVidD9p4+p4y+RygZYfqdvTIi8jIgfgSvLmErHlOBY0JvYy6gYMlfgH+Ik9xiX795htfwSwVR+gt7+2a4ocA2bDfVatRygQm7D3AJX43vjV7ROw8iQkyInDFJvIfkLm+eaaqQ+QrPyjeYLap07h1nRNiDi68fcY=,iv:cDK670o8Fzkowb+SzfY4apqXThI1oOoXSNifxY3oQFA=,tag:OzlWtFulloz9o2MccN7+Mg==,type:str]
+    pgp:
+        - created_at: "2024-04-21T13:39:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hJ4Dgju0qH8x+MoSAwMEsdhvSUciG6hrrCLFukzld93HuoqvodDM/vRLaBu02m26
+            pZMAqNO2Kknmo75GB1Tu8ufu1KDGq/fIDFPTIXVzCwwOmaj5nL2OZ/9Gv7mYSwO3
+            zknf3JjOOFbM+2BGesnZMEA7dxQ6qT6O3J0PKjLYSOZ7sEB4p3PPJndSat3wXm7h
+            l+swvluTP8nyiZWoaDwcINRmAQkCEJ2rAaI16Gx6EOOruwgQkMs4KrTy1hK9yeSL
+            dwlY/wLs2obBj5J/LZLgMU9l4qITWNIVakvdSY2jXO/DCVxum1QEBz42lWkkpa7t
+            tayU15xvSXHY3hBflcdrLceR3dXppaid
+            =BHwg
+            -----END PGP MESSAGE-----
+          fp: 56B96D1C10D68F49E31BB8A18092413A3F6DD75F
+        - created_at: "2024-04-21T13:39:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DQJGoFMUUQaUSAQdALD/PfmVRw+xJe3SRWsQZ1QJQApSvNSOO+p1CM1B/aXUw
+            LNtQNFIKZ94TlP2ahkCW45yuaCjb6GqxAr0AvcjJYngINe6oRxQXPNMTog/q9REv
+            0lwBTKgL95qff+TefgioWqv1/5IdNe3us3cEbE5755GU3j4Qe/qm9cYAyYBTMoYo
+            rqMJVRGz4Tofr8NzS9eEbVgd2Ocrf8zhloao/4NQkfHnTMUl26pzvOoS4FFjnw==
+            =uH7t
+            -----END PGP MESSAGE-----
+          fp: 09E8418B46B53B0F825DE4BE018ACF465280F466
+        - created_at: "2024-04-21T13:39:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxEs7W/4x4lxAQ//brvk9JWOBLFrelXRo/iLcqsPLm0SlhcPbO6FVAlkOHbF
+            KHOpA5t0uFBr3CK9qOxOrxLgGJQ2AbcVrAmPj4qOD/EYZtcHfOAsTas1nmbtCJVw
+            gnT1QauJncVWQ1doEjzpBWkJf0HNG+IWTNntX3SnAYv/mN/+kHr5056CT/WuCNbl
+            8Sg6tk0awCLzsbYcmdRFPiFTdmvKQYc7jiPU6qDEATTjfgZgO142D6tMQtt6k6os
+            2o44yInNOK0aOhXa9JMG6hf2JM1qiQce4QjpFsaZ9oAS/bbn+PUJ8kdZLArtBqBs
+            0bjNLzNFJ2erMFL7s7B/92mC6Eke/dpajeBfvcG9dgDQkKqK+uH45RuSiXoWnz0r
+            YVEpaYd2m0kqBOWKNJ0OC1DVn39WmtfNJAH8WH8e/tueB7uoo0b4hpmksydWibU1
+            /vjeLoebg6LT3Pvh0UEq5UpxiBRMvBrxKtumjaC0xXXYPKx/lLXNVgGhssHggnSI
+            6Z7IBauIeotQbH2FrGYh6RM+Z12FXO5yrNcMvTWLP4ZPY9csUBekjlcDk/Vgt5/f
+            1YSHVkeRZLUk0/z1EbZ6BPRTmhi3Rwr1a/dW3So8wCAXdosfL5C11V/YSpG/BMxx
+            Q2/mXQ38QNLhr6c5WK0RR8W4HE/pt5TAjZeeQNT1Rt0Xj6DB2pyOHCJMFFdsrr7S
+            XAFrszXfRNnSPvJcQ8eeo7TmdPeFEHsUwbHf78jAsIaOs5WyO6BOSpHjXOpP7UHr
+            YJPuA4UpfzMolrMz2lbgCUDEkH0OyZD6YrdzBe7hG7Q7b8kOV1ThY6hxSbDv
+            =p5JT
+            -----END PGP MESSAGE-----
+          fp: 5E0A9CB3980657CB9AB94AE6790EAEC8F99AB41F
+        - created_at: "2024-04-21T13:39:09Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D/2siLyjns28SAQdApZzPFNKFe14Fyb1Za5zc2VcekbPYhawHDx9Cf8xqnVUw
+            btsE5X7z4Q4z4oeALbLB+hsAmhzkLKsw8c4Un/xJrUJfMGv7BMnzThmCQnxrbMal
+            0lwB3NIhNHZsfL96IwQyaFYtjfPI/RaUQdLoHM10sMXD3SqPV+i2Y5Vd9fIUtKYl
+            1ADmjsV9jofvPZ9FlHQd7366QrTrQyO53y5cEe9ZGYD9nCqHzFQDGCLxSkLteg==
+            =oXvq
+            -----END PGP MESSAGE-----
+          fp: EB5CEED62922C6050F9FC85BD5B08ADFC75E3605
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/secrets/keys/leona.asc b/secrets/keys/leona.asc
@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYks8uxYJKwYBBAHaRw8BAQdAjJpZIb9pVPHGA+l222xCuedZNE2Qt4WYJnV0
+aEukpqm0Jkxlb25hIE1hcm9uaSAoQzQpIDxsZW9uYUBrb2Vsbi5jY2MuZGU+iJQE
+ExYKADwWIQTrXO7WKSLGBQ+fyFvVsIrfx142BQUCY7RJIAIbAwUJBaOagAQLCQgH
+BBUKCQgFFgIDAQACHgUCF4AACgkQ1bCK38deNgX8NwD9GgdjlBO8dwfMKnweSadu
+i1/1ARsQ7IQKcGcKu7uHNjsBAKb3Wk4Fewu/EKPhboQup9N9WRrYAuFuDCjDbM3r
+AEEEtBtMZW9uYSBNYXJvbmkgPGRldkBsZW9uYS5pcz6IlAQTFgoAPBYhBOtc7tYp
+IsYFD5/IW9Wwit/HXjYFBQJiSz4GAhsDBQkFo5qABAsJCAcEFQoJCAUWAgMBAAIe
+BQIXgAAKCRDVsIrfx142BU6KAP91hyOCubng6WX3S399SyOC3eOKQ7rXJgVTTSwU
+B2s6fwD+MmKVwDqds0SuSsT0ftosA52LQbCkPoS0+1jHj6dSPwa0HUxlb25hIE1h
+cm9uaSA8bGVvbmFAbGVvbmEuaXM+iJcEExYKAD8CGwMFCQWjmoAECwkIBwQVCgkI
+BRYCAwEAAh4FAheAFiEE61zu1ikixgUPn8hb1bCK38deNgUFAmJLPsICGQEACgkQ
+1bCK38deNgXPswEA61vN/7nvIARdZLVWukm9umPKcFolUJPB8y7K+gAcfeQA/0Y7
+69wWiCe6izvc8l0dDDb5RWLU9lDNOD8DQsygaC4BuDMEYks9kxYJKwYBBAHaRw8B
+AQdA6S/L0/VDB6rWTKSCfchYgFZ7+/91M0DH6F32LZop7U6IfgQYFgoAJhYhBOtc
+7tYpIsYFD5/IW9Wwit/HXjYFBQJiSz2TAhsgBQkFo5qAAAoJENWwit/HXjYFCpIA
+/16ShGw2pXNv99a4M3T47kV1DhUNXx3gJkSN7bb9Qv1pAPwJPspaxVLppV5u+j0E
+gfGaE+ZdJVTpYWxJwEAGokylBrg4BGJLPYESCisGAQQBl1UBBQEBB0BHOtTVTiSn
+7Jdft4NEx/YeurqImovxpmcGVAys0bULLQMBCAeIfgQYFgoAJgIbDBYhBOtc7tYp
+IsYFD5/IW9Wwit/HXjYFBQJiSz3dBQkFo5rcAAoJENWwit/HXjYFxMUBAKL9USOi
+eLPdarLxTdABhPkHoUWS2VPjb7H3d8DAlSh6AQDsAorykV3a2h++KViNc17SzLss
+0OaDhSx0TqFJCMOOAQ==
+=BVVI
+-----END PGP PUBLIC KEY BLOCK-----