From 2037a1b64791f8951019c141ecb48a4ec0d76197 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sat, 8 Jun 2024 22:18:23 +0200
Subject: [PATCH 01/12] add yate service for autostart
---
 config/hosts/yate/default.nix | 1 +
 config/hosts/yate/service.nix | 21 +++++++++++++++++++++
 config/hosts/yate/yate.nix | 3 +++
 3 files changed, 25 insertions(+)
 create mode 100644 config/hosts/yate/service.nix
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 62851d8..5304abd 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -5,5 +5,6 @@
 ./configuration.nix
 ./networking.nix
 ./yate.nix
+ ./service.nix
 ];
 }
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
new file mode 100644
index 0000000..e426a31
--- /dev/null
+++ b/config/hosts/yate/service.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.yate = {
+ enable = true;
+ description = "Yate telehony engine";
+ unitConfig = {
+ Type = "simple";
+ After="network.target";
+ };
+ serviceConfig = {
+ ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+ Type="simple";
+ Restart="always";
+ # ...
+ };
+ wantedBy = [ "default.target" ];
+ requiredBy = [ "network.target" ];
+ # ...
+ };
+}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 7d4f8be..c4834bb 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -3,6 +3,9 @@
 {
 environment.systemPackages = [
 pkgs.yate
+ pkgs.git
+ pkgs.tcpdump
+ pkgs.tmux
 ];
 # Just disable it for now.
From b4de5dbb5372ce4f73e90c33d72a51c65c3fe43c Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sun, 9 Jun 2024 18:12:01 +0200
Subject: [PATCH 02/12] introduce /etc/yate, clone/reset on service start
---
 config/hosts/yate/service.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index e426a31..8c0eb50 100644
--- a/config/hosts/yate/service.nix
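Review bot: The new unit in service.nix runs yate as root, since serviceConfig sets no `User=`, and `requiredBy = [ "network.target" ]` makes network.target require yate rather than the other way round; the intent reads as `after = [ "network.target" ]` plus a dedicated unprivileged account (`User = "yate"` backed by an `isSystemUser` account, or `DynamicUser = true`). `Type = "simple"` inside unitConfig lands in the [Unit] section, where systemd warns about the unknown key and ignores it; the copy in serviceConfig is the one that counts. The description string also carries a typo ("telehony").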
+++ b/config/hosts/yate/service.nix
@@ -9,13 +9,20 @@
 After="network.target";
 };
 serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
 # ...
 };
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
+ preStart = "if mkdir -p /etc/yate
+ then
+ ${pkgs.git}/bin/git -C /etc/yate clone forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
+ ${pkgs.git}/bin/git -C /etc/yate pull
+ else
+ ${pkgs.git}/bin/git -C /etc/yate checkout -f origin/main
+ fi";
 # ...
 };
 }
From 1ef4c1cd48dfd149adcd3cad03a7dad3521c0339 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Mon, 5 Aug 2024 20:58:09 +0200
Subject: [PATCH 03/12] Fix config via git
---
 config/hosts/yate/configuration.nix | 2 ++
 config/hosts/yate/service.nix | 17 +++++++++++------
 config/hosts/yate/yate.nix | 8 ++++++++
 3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 6b4bb71..1ba7fc9 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,5 +6,7 @@
 domain = "z9.ccchh.net";
 };
+ users.users.chaos.password = "yes";
+
 system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 8c0eb50..337ddfc 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
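Review bot: In the new preStart the `mkdir -p /etc/yate` test always succeeds, so the `else` branch is dead and every start re-runs `git clone` — and `git -C /etc/yate clone <url>` with no target creates `/etc/yate/yate-config`, not the `/etc/yate` that ExecStart reads. Test for the checkout instead: `if [ ! -d /etc/yate/.git ]; then git clone <url> /etc/yate; else git -C /etc/yate fetch origin && git -C /etc/yate checkout -f origin/main; fi`. The clone also runs as root (the unit declares no `User=`) with whatever SSH identity and known_hosts root happens to have, so neither the deploy key nor the Forgejo host key is declared in configuration and nothing visible here authenticates the source of the telephony config. The rest of the unit is outside this hunk.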
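Review bot: `users.users.chaos.password = "yes";` sets a cleartext, trivially guessable password on an interactive account and commits it to the repository, on a host whose yate.nix keeps `networking.firewall.enable = false`. Even if the line is removed later it remains in git history, so the `chaos` password should be treated as compromised and rotated. If the account needs a password at all, use `users.users.chaos.hashedPasswordFile = config.sops.secrets."chaos_password".path;` with a sops-managed secret; otherwise set `openssh.authorizedKeys.keys` and leave the password unset.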
@@ -12,17 +12,22 @@
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
+ Group="yate-config";
+ StateDirectory = "yate";
+ StateDirectoryMode = "0775";
 # ...
 };
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
- preStart = "if mkdir -p /etc/yate
+ preStart = "if ! [ -d \"/var/lib/yate/.git\" ]
 then
- ${pkgs.git}/bin/git -C /etc/yate clone forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
- ${pkgs.git}/bin/git -C /etc/yate pull
- else
- ${pkgs.git}/bin/git -C /etc/yate checkout -f origin/main
- fi";
+ ${pkgs.git}/bin/git init /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
+ ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
+ echo \"New repo set up.\"
+ fi
+ ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
 # ...
 };
 }
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index c4834bb..f72da0f 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -10,4 +10,12 @@
 # Just disable it for now.
 networking.firewall.enable = false;
+
+ users.groups.yate-config = {};
+ users.groups.yate-config.members = [ "colmema-deploy" "chaos" ];
+
+ environment.etc.yate.user = "root";
+ environment.etc.yate.group = "yate-config";
+ environment.etc.yate.mode = "0775";
+ environment.etc.yate.source = "/var/lib/yate";
 }
From fd525ee06f3c44fe1fa827951651d86b78c9bd7e Mon Sep 17 00:00:00 2001
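Review bot: `StateDirectoryMode = "0775"` together with `Group = "yate-config"` makes /var/lib/yate — the checkout preStart fetches into and ExecStart reads as its config — writable by every member of yate-config (colmema-deploy and chaos per yate.nix in this commit) while the service still runs as root. Any group member can therefore change yate's configuration, or `.git/config` (`core.hooksPath`), and have root act on it at the next restart; keep the directory at the default mode (`0755`, or `0750`) owned by the service account and let humans push to the repository instead of writing to the live checkout. `git pull -f --set-upstream` on a freshly initialised repository names no branch, so I expect it to stop with "no tracking information"; `fetch origin` followed by `checkout -f origin/master` (or `reset --hard`) is what the script needs, and `--track` will error once a local `master` exists.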
From: echtnurich Date: Tue, 6 Aug 2024 22:06:26 +0200 Subject: [PATCH 04/12] make yate systemd service --- .sops.yaml | 17 ++ config/hosts/yate/configuration.nix | 2 +- config/hosts/yate/default.nix | 1 + config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++ config/hosts/yate/service.nix | 25 ++- config/hosts/yate/sops.nix | 7 + config/hosts/yate/yate.nix | 2 +- flake.nix | 1 + 8 files changed, 282 insertions(+), 6 deletions(-) create mode 100644 config/hosts/yate/secrets.yaml create mode 100644 config/hosts/yate/sops.nix diff --git a/.sops.yaml b/.sops.yaml index c42474e..9d81ef7 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,6 +15,7 @@ keys: - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 + - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt creation_rules: - path_regex: config/hosts/git/.* key_groups: @@ -96,6 +97,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_public_web_static + - path_regex: config/hosts/yate/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_yate - key_groups: - pgp: - *admin_gpg_djerun diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index 1ba7fc9..f350966 100644 --- a/config/hosts/yate/configuration.nix +++ b/config/hosts/yate/configuration.nix @@ -6,7 +6,7 @@ domain = "z9.ccchh.net"; }; - users.users.chaos.password = "yes"; +# users.users.chaos.password = "yes"; system.stateVersion = "23.11"; } diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 5304abd..009e1a1 100644 
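Review bot: Commenting out `users.users.chaos.password = "yes"` leaves dead code and does not undo the exposure: the literal password is in the previous commit and therefore in every clone of this repository, so the `chaos` password should be rotated and the line deleted, not parked. If the account needs a password, use `users.users.chaos.hashedPasswordFile = config.sops.secrets."chaos_password".path;` with the sops setup this commit introduces; otherwise rely on `openssh.authorizedKeys.keys` alone.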
--- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix @@ -6,5 +6,6 @@ ./networking.nix ./yate.nix ./service.nix + ./sops.nix ]; } diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml new file mode 100644 index 0000000..e40f320 --- /dev/null +++ b/config/hosts/yate/secrets.yaml 
@@ -0,0 +1,233 @@ +git_clone_key: ENC[AES256_GCM,data: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,iv:QDPgBoFWw1ywfkdoMR15il9iPELtfgqx3p7HYo90kPk=,tag:FWEXc6nOzSE4NxlEtFt3sw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP + TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw + KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS + bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 + xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-06T20:00:59Z" + mac: ENC[AES256_GCM,data:mGhASa+NAaiiYRK74HfMKIfQxBnT/db1tpn2kmSvi0+NSZzxVZjOtsAF3zUqBf7Mjh1Fr3Bfr/MlskiKfznO9rMmwF93r7TeFURIUwAXN7/TFvdjJQGTBo2uIGoE94xZImNuwGlZmZXoZtE9/i31wH9g7al9pqRKmEyJ3oP0eCo=,iv:2Yb9ofOitYLvHC1HybQBxoRBkx8VBxTONfLt4pfp4y4=,tag:N259N6s+c2cYEjLzB+a7sg==,type:str] + pgp: + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg + do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL + r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 + cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl + Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa + JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi + ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk + YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa + QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy + aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg + GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U + ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ + 
ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ + et8Y1DEjVg== + =u7aP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 + Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S + YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 + twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 + uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx + Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ + gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU + JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng + mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji + yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp + E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S + XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq + vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX + =advR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz + 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec + ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa + RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty + y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE + L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 + glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ + B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl + L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl + o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO + 
Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS + XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb + fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy + =vqhH + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd + +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 + Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 + LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un + kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 + cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn + 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh + 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU + K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb + QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 + Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S + XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj + IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C + =hGXq + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg + YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi + LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ + +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG + SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io + 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq + 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 + 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll + CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U + 
pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF + EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS + XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 + uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 + =vZLC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x + p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 + XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa + oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB + SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS + 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG + oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ + XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo + IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc + 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa + XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS + XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ + fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I + =SLD4 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp + 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ + 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 + sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB + NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI + K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX + 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 + SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 + 
TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva + 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR + oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S + XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t + LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII + =MQ9C + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF + XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe + 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ + Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc + abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di + +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk + nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 + BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf + T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 + VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm + jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS + XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY + 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ + =uyf4 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st + V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 + 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ + i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d + V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE + zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz + TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p + 
FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF + aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO + 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym + NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS + XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn + kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr + =7R+0 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw + cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 + 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi + I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== + =0G+m + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX + KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l + MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy + p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k + YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs + yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O + oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv + 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre + FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF + 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm + k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS + XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh + B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI + =ZgbM + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 337ddfc..88302d7 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -1,17 +1,31 @@
 { config, pkgs, ... }:
 {
+# systemd.managerEnvironment = {
+# SYSTEMD_LOG_LEVEL = "debug";
+# };
+
+
+
+ sops.secrets."git_clone_key" = {
+ mode = "0600";
+ owner = "root";
+ group = "yate-config";
+ restartUnits = [ "yate.service" ];
+};
+
 systemd.services.yate = {
 enable = true;
 description = "Yate telehony engine";
 unitConfig = {
 Type = "simple";
- After="network.target";
+ After= "network.target";
 };
 serviceConfig = {
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
+ User="root";
 Group="yate-config";
 StateDirectory = "yate";
 StateDirectoryMode = "0775";
@@ -19,14 +33,17 @@
 };
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
- preStart = "if ! [ -d \"/var/lib/yate/.git\" ]
+ preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+ if ! [ -d \"/var/lib/yate/.git\" ]
 then
 ${pkgs.git}/bin/git init /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
- ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
 echo \"New repo set up.\"
 fi
- ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ test ${pkgs.openssh}/bin/ssh
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
 ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
 # ...
 };
diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix
new file mode 100644
index 0000000..38b06f9
--- /dev/null
+++ b/config/hosts/yate/sops.nix
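Review bot: `GIT_SSH_COMMAND="ssh -i /run/secrets/git_clone_key"` authenticates the client but not the server: nothing in this unit pins git.hamburg.ccc.de's host key, so the first connection either fails (no TTY to answer the known-hosts prompt) or rests on a known_hosts file someone seeded by hand and that NixOS does not manage. Declare it with `programs.ssh.knownHosts."git.hamburg.ccc.de".publicKey = "ssh-ed25519 AAAA…";` and run ssh with `-o IdentitiesOnly=yes -o StrictHostKeyChecking=yes`, otherwise an on-path attacker can hand this host a different telephony config. `echo "\n" >> /run/secrets/git_clone_key` rewrites the rendered secret on every start (the file keeps growing until the next activation re-renders it); put the trailing newline in secrets.yaml instead. `git config --add safe.directory` likewise appends a duplicate entry per run (`--replace-all`, or guard it), and `test ${pkgs.openssh}/bin/ssh` is a leftover no-op.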
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
\ No newline at end of file
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index f72da0f..a32df32 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -16,6 +16,6 @@
 environment.etc.yate.user = "root";
 environment.etc.yate.group = "yate-config";
- environment.etc.yate.mode = "0775";
+ environment.etc.yate.mode = "symlink";
 environment.etc.yate.source = "/var/lib/yate";
 }
diff --git a/flake.nix b/flake.nix
index 8a8ebf7..29854b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -192,6 +192,7 @@
 modules = [
 ./config/common
 ./config/proxmox-vm
+ sops-nix.nixosModules.sops
 ./config/hosts/yate
 ];
 };
From 149f846d3222f373fa226bb06ab9bce42f808f11 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Wed, 7 Aug 2024 18:03:17 +0200
Subject: [PATCH 05/12] create yate service user
---
 config/hosts/yate/service.nix | 7 ++++---
 config/hosts/yate/yate.nix | 13 ++++++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 88302d7..bdaed23 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -9,7 +9,7 @@
 sops.secrets."git_clone_key" = {
 mode = "0600";
- owner = "root";
+ owner = "yate";
 group = "yate-config";
 restartUnits = [ "yate.service" ];
 };
@@ -25,7 +25,7 @@
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
- User="root";
+ User="yate";
 Group="yate-config";
 StateDirectory = "yate";
 StateDirectoryMode = "0775";
@@ -39,12 +39,13 @@
 ${pkgs.git}/bin/git init /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
 echo \"New repo set up.\"
 fi
 test ${pkgs.openssh}/bin/ssh
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout -f origin/master";
 # ...
 };
 }
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index a32df32..3f9b054 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -11,10 +11,17 @@
 # Just disable it for now.
 networking.firewall.enable = false;
- users.groups.yate-config = {};
- users.groups.yate-config.members = [ "colmema-deploy" "chaos" ];
+ users.users.yate = {
+ description = "yate service user";
+ group = "yate-config";
+ isNormalUser = true;
+ };
- environment.etc.yate.user = "root";
+
+ users.groups.yate-config = {};
+ users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+
+ environment.etc.yate.user = "yate";
 environment.etc.yate.group = "yate-config";
 environment.etc.yate.mode = "symlink";
 environment.etc.yate.source = "/var/lib/yate";
From 3b83a5d8ab77967a0d5ab0f1a8abb853f25fd4dd Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Wed, 7 Aug 2024 18:51:12 +0200
Subject: [PATCH 06/12] recreate the full config everytime
---
 config/hosts/yate/service.nix | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index bdaed23..7d74449 100644
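Review bot: `isNormalUser = true` for the service account creates a login-capable user with a home directory and membership in `users`; a daemon account should be `isSystemUser = true; group = "yate-config";` (NixOS requires one of the two, and system users get a nologin shell by default — confirm on your nixpkgs revision). The group still contains the interactive accounts `colmema-deploy` and `chaos` (and now `root`), and /var/lib/yate stays `0775`, so those users can edit the checkout in which preStart runs `git` as `yate`; with `safe.directory` forced on, a planted `.git/config` `core.hooksPath` or `core.fsmonitor` executes as the yate user on the next start. Drop humans from the group or make the state directory `0750`, and keep `environment.etc.yate.user`/`group` as they are for the symlink.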
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -34,18 +34,14 @@
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
 preStart = "echo \"\n\" >> /run/secrets/git_clone_key
- if ! [ -d \"/var/lib/yate/.git\" ]
- then
+ rm -rf /var/lib/yate/*
+ rm -rf /var/lib/yate/.*
 ${pkgs.git}/bin/git init /var/lib/yate
- ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
- echo \"New repo set up.\"
- fi
- test ${pkgs.openssh}/bin/ssh
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout -f origin/master";
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
+
 # ...
 };
 }
From c9967f73c0361fdf6f146cc3211f2a5a379a9496 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Wed, 7 Aug 2024 18:53:15 +0200
Subject: [PATCH 07/12] decolour the log because of blob data
---
 config/hosts/yate/service.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 7d74449..9e4b98b 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -22,7 +22,7 @@
 After= "network.target";
 };
 serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
 Type="simple";
 Restart="always";
 User="yate";
From c62f722899481d40af8d25b8ec1313415c88c0ee Mon Sep 17 00:00:00 2001
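Review bot: The new preStart deletes the live configuration (`rm -rf /var/lib/yate/*` and `rm -rf /var/lib/yate/.*`) before it knows the fetch will succeed, so a Forgejo outage or a failed SSH handshake at boot leaves yate to start against an empty directory — and with `Restart = "always"` it will keep doing so. `rm -rf /var/lib/yate/.*` also expands to `.` and `..`, which rm refuses with a non-zero exit; if the NixOS preStart wrapper runs with `set -e` (I believe it does — confirm) the script aborts right there. A persistent clone that is only updated once the fetch has succeeded keeps the last good config on failure and needs no wipe; I would replace the body with something like:

```nix
preStart = ''
  export GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes"
  if [ ! -d /var/lib/yate/.git ]; then
    ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git /var/lib/yate
  fi
  # A failed fetch leaves the previous checkout in place instead of an empty config dir.
  ${pkgs.git}/bin/git -C /var/lib/yate fetch origin master \
    && ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master \
    && ${pkgs.git}/bin/git -C /var/lib/yate clean -fdx \
    || echo "yate-config fetch failed, keeping previous checkout" >&2
'';
```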
From: echtnurich
Date: Thu, 8 Aug 2024 20:11:42 +0200
Subject: [PATCH 08/12] make sure source is available before deleting config
---
 config/hosts/yate/service.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 9e4b98b..7befcb0 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -34,13 +34,18 @@
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
 preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+ sleep 1
+ SSH_SUCCESS=1
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de || SSH_SUCCESS=0
+ if [ $SSH_SUCCESS = 1 ]; then
 rm -rf /var/lib/yate/*
 rm -rf /var/lib/yate/.*
 ${pkgs.git}/bin/git init /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
 ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
+ fi";
 # ...
 };
From f9f258a2125d3cd94a7aa3c64ce842ca10ea962b Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sun, 8 Sep 2024 18:52:22 +0200
Subject: [PATCH 09/12] change yate-config repo
---
 config/hosts/yate/secrets.yaml | 6 +++---
 config/hosts/yate/service.nix | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
index e40f320..1dcfe87 100644
--- a/config/hosts/yate/secrets.yaml
+++ b/config/hosts/yate/secrets.yaml
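Review bot: The pre-flight `ssh -q -i … forgejo@git.hamburg.ccc.de || SSH_SUCCESS=0` does not establish what the guard assumes: a Forgejo SSH front-end answers a plain login with a greeting and an exit status that is not specified as a reachability signal (GitHub's equivalent exits 1), so the check can report failure or success independently of whether the fetch that follows will work, and nothing between the probe and the `rm -rf` stops a failed fetch from still emptying the directory. Attempt the fetch first and only replace the checkout when it succeeds (`git fetch` plus `git reset --hard origin/master` on a persistent clone), which removes the need for the probe altogether. `sleep 1` as a wait for the network is a race; an ordering dependency on `network-online.target` is the right tool. The probe also runs without host-key pinning, so a successful `ssh` here proves that some host answered, not the right one.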
@@ -1,4 +1,4 @@ -git_clone_key: ENC[AES256_GCM,data:U/Ogt05wAZsGWTcdKN/Iv2LfScrpR5PuiPU97OHYO75hHV98B5fdQ1SXOgKHa+JdmDHTyh0sDjFt1DwqzCtFmSuQzRh5vpsXHml6qjo1vmsgX2g3HNfA9jAnWQb7HiyYx1HxgEXeJBwBNHO2/O7h7mEkC17lWrdNsX2AiENcVZBPYceJ+YV5ZuhAswh6MS99co57jQhpOv520Hz76qgYwtEDtLL0FEDO2ZIuvyo4CXgS53uIMwF/aJjgKz6+C1cgL6xvNg+ZjIqadIU2sSopkDxxL9l9XTiqM/NrHCI62BAR90ixIiSPePEvkGXzMblPdJl2XL3wW2zn4Ag64jCSylOksSqJCDrqkpc10S/mHGSWDDRneqD/m90Dbyt0I8d5xUpDnRguOxVSLFXvPUjSKmLIW4EN2rmlChzDAqY3w7XaoUnWUVUgHLR4EsVxwLVjVx38Q90JIudz57N/2mvyjHphHJxvy6ye5qLbaxB8RfFkG5yfFzueoSmni5Znc6XkbaiKOPBEXGIio+7EHTgs,iv:QDPgBoFWw1ywfkdoMR15il9iPELtfgqx3p7HYo90kPk=,tag:FWEXc6nOzSE4NxlEtFt3sw==,type:str] +git_clone_key: ENC[AES256_GCM,data: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,iv:lO/uxPX+hgKhQ7HAB7x6+vkJGbTAGaxFl1McCgSnz7Y=,tag:TazynolI4e1xpFHtTH0Tig==,type:str] sops: kms: [] gcp_kms: [] @@ -14,8 +14,8 @@ sops: bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-06T20:00:59Z" - mac: ENC[AES256_GCM,data:mGhASa+NAaiiYRK74HfMKIfQxBnT/db1tpn2kmSvi0+NSZzxVZjOtsAF3zUqBf7Mjh1Fr3Bfr/MlskiKfznO9rMmwF93r7TeFURIUwAXN7/TFvdjJQGTBo2uIGoE94xZImNuwGlZmZXoZtE9/i31wH9g7al9pqRKmEyJ3oP0eCo=,iv:2Yb9ofOitYLvHC1HybQBxoRBkx8VBxTONfLt4pfp4y4=,tag:N259N6s+c2cYEjLzB+a7sg==,type:str] + lastmodified: "2024-09-08T16:47:20Z" + mac: ENC[AES256_GCM,data:0BIL7zHvXKv36hjRVdagxSAwkT1PHVi4jqAeoGj4xo8B8f5q8xcerE4DNNIdEbCxGARGTMS/qC3JeOsMcNU9tk34wnMXxddqw5wf0k2evwfqp6+2I+silQTkpEKhNXaiD6KdilLQheUZhuCNAlU5I3fqkFnfNMC2HRwMhTm9tg8=,iv:yaCljmi/JiEwgwoRjSrzMmZN96/KG7yHQ4zF5rKgKH8=,tag:G9MqahsLpXRzAS6cMa9zxw==,type:str] pgp: - created_at: "2024-08-05T20:33:02Z" enc: |- diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index 7befcb0..f959f65 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix 
@@ -42,7 +42,7 @@ rm -rf /var/lib/yate/.* ${pkgs.git}/bin/git init /var/lib/yate ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" - ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git + ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master fi"; From fb458e244bafd87e227d104c806bb3d58a94e88e Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sun, 8 Sep 2024 21:07:47 +0200 Subject: [PATCH 10/12] fix yate deploy key --- config/hosts/yate/secrets.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml index 1dcfe87..6235c17 100644 --- a/config/hosts/yate/secrets.yaml +++ b/config/hosts/yate/secrets.yaml @@ -1,4 +1,4 @@ -git_clone_key: ENC[AES256_GCM,data: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,iv:lO/uxPX+hgKhQ7HAB7x6+vkJGbTAGaxFl1McCgSnz7Y=,tag:TazynolI4e1xpFHtTH0Tig==,type:str] +git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,8 +14,8 @@ sops: bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-08T16:47:20Z" - mac: ENC[AES256_GCM,data:0BIL7zHvXKv36hjRVdagxSAwkT1PHVi4jqAeoGj4xo8B8f5q8xcerE4DNNIdEbCxGARGTMS/qC3JeOsMcNU9tk34wnMXxddqw5wf0k2evwfqp6+2I+silQTkpEKhNXaiD6KdilLQheUZhuCNAlU5I3fqkFnfNMC2HRwMhTm9tg8=,iv:yaCljmi/JiEwgwoRjSrzMmZN96/KG7yHQ4zF5rKgKH8=,tag:G9MqahsLpXRzAS6cMa9zxw==,type:str] + lastmodified: "2024-09-08T18:35:07Z" + mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] pgp: - created_at: "2024-08-05T20:33:02Z" enc: |- From e24b5b6fb111d3dc3db8bd3539fcbd1389314928 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sun, 8 Sep 2024 21:08:17 +0200 Subject: [PATCH 11/12] fix yate-config not pulling --- config/hosts/yate/service.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index f959f65..9013060 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix @@ -18,8 +18,7 @@ enable = true; description = "Yate telehony engine"; unitConfig = { - Type = "simple"; - After= "network.target"; + After= "network-online.target"; }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; 
@@ -32,19 +31,16 @@
 # ...
 };
 wantedBy = [ "default.target" ];
- requiredBy = [ "network.target" ];
+ requires = [ "network-online.target" ];
 preStart = "echo \"\n\" >> /run/secrets/git_clone_key
- sleep 1
+ sleep 5
 SSH_SUCCESS=1
- ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de || SSH_SUCCESS=0
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
 if [ $SSH_SUCCESS = 1 ]; then
 rm -rf /var/lib/yate/*
 rm -rf /var/lib/yate/.*
- ${pkgs.git}/bin/git init /var/lib/yate
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
- ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
 fi";

 # ...
From f6b424fa7a735f741824d4794fe0b445e0af6a1f Mon Sep 17 00:00:00 2001
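Review bot: The new `git clone … /var/lib/yate` line runs only after both `rm -rf` lines have emptied the state directory, and its exit status is never checked, so a clone that fails after the ssh probe succeeded leaves yate to start (and, with `Restart="always"`, keep restarting) on an empty config directory. The unchanged `rm -rf /var/lib/yate/.*` above it also expands to `.` and `..`, which GNU rm refuses with a non-zero status; if NixOS runs `preStart` under `-e`, as I believe it does, the script aborts there before the clone, and `.[!.]*` is the usual spelling. Cloning into a temporary directory and copying over the state directory only on success keeps the last good config when the fetch fails (sketch below). Neither ssh invocation pins the host key of git.hamburg.ccc.de; declaring it under `programs.ssh.knownHosts` keeps the check from depending on a known_hosts file in the service user's home or on ever relaxing `StrictHostKeyChecking`. The same lines recur unchanged in the squashed PATCH 12/12 hunk for service.nix below.
```nix
      preStart = "echo \"\n\" >> /run/secrets/git_clone_key
        # … unchanged: sleep, ssh reachability probe into SSH_CHECK_LOG …
        if [ $SSH_SUCCESS = 1 ]; then
          CLONE_DIR=$(mktemp -d)
          if env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git \"$CLONE_DIR\"; then
            rm -rf /var/lib/yate/* /var/lib/yate/.[!.]*
            cp -a \"$CLONE_DIR\"/. /var/lib/yate/
            ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
          fi
          rm -rf \"$CLONE_DIR\"
        fi";
```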
From: echtnurich Date: Sat, 8 Jun 2024 22:18:23 +0200 Subject: [PATCH 12/12] add yate service for autostart introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling --- .sops.yaml | 17 ++ config/hosts/yate/configuration.nix | 2 + config/hosts/yate/default.nix | 2 + config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++ config/hosts/yate/service.nix | 48 ++++++ config/hosts/yate/sops.nix | 7 + config/hosts/yate/yate.nix | 18 +++ flake.nix | 1 + 8 files changed, 328 insertions(+) create mode 100644 config/hosts/yate/secrets.yaml create mode 100644 config/hosts/yate/service.nix create mode 100644 config/hosts/yate/sops.nix diff --git a/.sops.yaml b/.sops.yaml index c42474e..9d81ef7 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -15,6 +15,7 @@ keys: - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 + - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt creation_rules: - path_regex: config/hosts/git/.* key_groups: @@ -96,6 +97,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_public_web_static + - path_regex: config/hosts/yate/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_yate - key_groups: - pgp: - *admin_gpg_djerun diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index 6b4bb71..f350966 100644 
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,5 +6,7 @@
 domain = "z9.ccchh.net";
 };

+# users.users.chaos.password = "yes";
+
 system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 62851d8..009e1a1 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -5,5 +5,7 @@
 ./configuration.nix
 ./networking.nix
 ./yate.nix
+ ./service.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
new file mode 100644
index 0000000..6235c17
--- /dev/null
+++ b/config/hosts/yate/secrets.yaml
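Review bot: The added `# users.users.chaos.password = "yes";` keeps a plaintext password literal in the repository as a comment; delete the line outright, and since the uncommented form went in with PATCH 03/12 it stays in history, so that account's password should be treated as disclosed and changed. If `chaos` still needs a password, `users.users.chaos.hashedPasswordFile` pointing at a sops-managed secret (with `neededForUsers = true` on the secret) keeps the hash out of the Nix store as well as out of git, which `password` does not. The default.nix hunk below is only the module list and needs no change.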
@@ -0,0 +1,233 @@ +git_clone_key: ENC[AES256_GCM,data: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,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP + TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw + KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS + bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 + xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-08T18:35:07Z" + mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] + pgp: + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg + do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL + r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 + cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl + Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa + JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi + ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk + YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa + QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy + aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg + GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U + ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ + 
ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ + et8Y1DEjVg== + =u7aP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 + Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S + YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 + twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 + uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx + Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ + gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU + JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng + mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji + yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp + E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S + XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq + vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX + =advR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz + 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec + ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa + RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty + y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE + L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 + glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ + B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl + L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl + o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO + 
Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS + XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb + fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy + =vqhH + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd + +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 + Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 + LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un + kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 + cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn + 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh + 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU + K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb + QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 + Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S + XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj + IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C + =hGXq + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg + YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi + LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ + +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG + SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io + 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq + 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 + 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll + CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U + 
pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF + EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS + XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 + uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 + =vZLC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x + p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 + XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa + oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB + SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS + 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG + oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ + XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo + IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc + 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa + XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS + XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ + fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I + =SLD4 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp + 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ + 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 + sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB + NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI + K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX + 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 + SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 + 
TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva + 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR + oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S + XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t + LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII + =MQ9C + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF + XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe + 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ + Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc + abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di + +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk + nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 + BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf + T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 + VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm + jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS + XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY + 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ + =uyf4 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st + V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 + 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ + i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d + V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE + zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz + TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p + 
FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF + aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO + 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym + NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS + XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn + kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr + =7R+0 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw + cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 + 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi + I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== + =0G+m + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX + KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l + MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy + p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k + YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs + yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O + oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv + 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre + FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF + 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm + k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS + XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh + B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI + =ZgbM + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
new file mode 100644
index 0000000..9013060
--- /dev/null
+++ b/config/hosts/yate/service.nix
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+# systemd.managerEnvironment = {
+# SYSTEMD_LOG_LEVEL = "debug";
+# };
+
+
+
+ sops.secrets."git_clone_key" = {
+ mode = "0600";
+ owner = "yate";
+ group = "yate-config";
+ restartUnits = [ "yate.service" ];
+};
+ systemd.services.yate = {
+ enable = true;
+ description = "Yate telehony engine";
+ unitConfig = {
+ After= "network-online.target";
+ };
+ serviceConfig = {
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+ Type="simple";
+ Restart="always";
+ User="yate";
+ Group="yate-config";
+ StateDirectory = "yate";
+ StateDirectoryMode = "0775";
+ # ...
+ };
+ wantedBy = [ "default.target" ];
+ requires = [ "network-online.target" ];
+ preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+ sleep 5
+ SSH_SUCCESS=1
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
+ if [ $SSH_SUCCESS = 1 ]; then
+ rm -rf /var/lib/yate/*
+ rm -rf /var/lib/yate/.*
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ fi";
+
+ # ...
+ };
+}
diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix
new file mode 100644
index 0000000..38b06f9
--- /dev/null
+++ b/config/hosts/yate/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
\ No newline at end of file
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 7d4f8be..3f9b054 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
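Review bot: `echo \"\n\" >> /run/secrets/git_clone_key` at the top of `preStart` appends to the sops-managed key file on every start, and with `Restart="always"` that is every restart, so the file grows and a secret that sops-nix installs with `mode = "0600"` is being edited in place by the service; fix the key material once in secrets.yaml (store it with its trailing newline) and drop the echo. The `sleep 5` is a fixed delay standing in for readiness — `requires`/`After` on `network-online.target` are already declared and the ssh probe that follows is the real check, so the sleep can likely go. `StateDirectoryMode = "0775"` together with `Group="yate-config"` makes the cloned config and its `.git` group-writable for every member listed in yate.nix; if that directory is not meant to be an editing location (the script wipes and re-clones it anyway), `0755` is the safer default. The clone-ordering, `.*` glob and host-key points for this script are raised on the PATCH 11/12 service.nix hunk above.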
@@ -3,8 +3,26 @@
 {
 environment.systemPackages = [
 pkgs.yate
+ pkgs.git
+ pkgs.tcpdump
+ pkgs.tmux
 ];

 # Just disable it for now.
 networking.firewall.enable = false;
+
+ users.users.yate = {
+ description = "yate service user";
+ group = "yate-config";
+ isNormalUser = true;
+ };
+
+
+ users.groups.yate-config = {};
+ users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+
+ environment.etc.yate.user = "yate";
+ environment.etc.yate.group = "yate-config";
+ environment.etc.yate.mode = "symlink";
+ environment.etc.yate.source = "/var/lib/yate";
 }
diff --git a/flake.nix b/flake.nix
index 8a8ebf7..29854b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -192,6 +192,7 @@
 modules = [
 ./config/common
 ./config/proxmox-vm
+ sops-nix.nixosModules.sops
 ./config/hosts/yate
 ];
 };
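Review bot: `isNormalUser = true` on `users.users.yate` creates a login-style account with a home directory for what is a daemon identity; NixOS's convention for service accounts is `isSystemUser = true` (the `group` it requires is already set), which by default places the user under `/var/empty` with no login shell. If the ssh probe in service.nix relies on a known_hosts entry under that home directory, the entry should instead come from `programs.ssh.knownHosts`, which needs no home at all. `"root"` in `users.groups.yate-config.members` adds nothing, since root is not subject to group permission checks. The `environment.etc.yate.user`/`.group` settings presumably have no effect once `mode = "symlink"` is set — confirm, or drop them. The flake.nix hunk below only wires in the sops-nix module.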