From 2037a1b64791f8951019c141ecb48a4ec0d76197 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sat, 8 Jun 2024 22:18:23 +0200
Subject: [PATCH 01/11] add yate service for autostart
---
 config/hosts/yate/default.nix | 1 +
 config/hosts/yate/service.nix | 21 +++++++++++++++++++++
 config/hosts/yate/yate.nix | 3 +++
 3 files changed, 25 insertions(+)
 create mode 100644 config/hosts/yate/service.nix
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 62851d8..5304abd 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -5,5 +5,6 @@
 ./configuration.nix
 ./networking.nix
 ./yate.nix
+ ./service.nix
 ];
 }
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
new file mode 100644
index 0000000..e426a31
--- /dev/null
+++ b/config/hosts/yate/service.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.yate = {
+ enable = true;
+ description = "Yate telehony engine";
+ unitConfig = {
+ Type = "simple";
+ After="network.target";
+ };
+ serviceConfig = {
+ ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+ Type="simple";
+ Restart="always";
+ # ...
+ };
+ wantedBy = [ "default.target" ];
+ requiredBy = [ "network.target" ];
+ # ...
+ };
+}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 7d4f8be..c4834bb 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -3,6 +3,9 @@
 {
 environment.systemPackages = [
 pkgs.yate
+ pkgs.git
+ pkgs.tcpdump
+ pkgs.tmux
 ];
 # Just disable it for now.
-- 
2.44.1
From b4de5dbb5372ce4f73e90c33d72a51c65c3fe43c Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sun, 9 Jun 2024 18:12:01 +0200
Subject: [PATCH 02/11] introduce /etc/yate, clone/reset on service start
---
 config/hosts/yate/service.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index e426a31..8c0eb50 100644
--- a/config/hosts/yate/service.nix
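Review bot: `Type = "simple";` inside `unitConfig` is emitted into the `[Unit]` section, where systemd does not know the key and logs an unknown-key warning; it is already set correctly in `serviceConfig`, so the `unitConfig` copy should go. `requiredBy = [ "network.target" ]` points the dependency the wrong way — it makes network.target require yate.service — whereas the intent (ordering yate after the network) is already carried by `After="network.target"`, so the service should declare `requires`/`after` itself rather than `requiredBy` (patch 11 later switches to `requires`). Minor: the `description` has a typo, `description = "Yate telephony engine";`.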
+++ b/config/hosts/yate/service.nix
@@ -9,13 +9,20 @@
 After="network.target";
 };
 serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
 # ...
 };
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
+ preStart = "if mkdir -p /etc/yate
+ then
+ ${pkgs.git}/bin/git -C /etc/yate clone forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
+ ${pkgs.git}/bin/git -C /etc/yate pull
+ else
+ ${pkgs.git}/bin/git -C /etc/yate checkout -f origin/main
+ fi";
 # ...
 };
 }
-- 
2.44.1
From 1ef4c1cd48dfd149adcd3cad03a7dad3521c0339 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Mon, 5 Aug 2024 20:58:09 +0200
Subject: [PATCH 03/11] Fix config via git
---
 config/hosts/yate/configuration.nix | 2 ++
 config/hosts/yate/service.nix | 17 +++++++++++------
 config/hosts/yate/yate.nix | 8 ++++++++
 3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 6b4bb71..1ba7fc9 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,5 +6,7 @@
 domain = "z9.ccchh.net";
 };
+ users.users.chaos.password = "yes";
+
 system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 8c0eb50..337ddfc 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
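Review bot: The `preStart` condition can never take its `else` branch: `mkdir -p` exits 0 whether or not `/etc/yate` already exists, so every start runs `git -C /etc/yate clone …`, which creates `/etc/yate/yate-config` on the first run and fails on the second because that directory exists, while `git -C /etc/yate pull` runs in a directory that is not itself a repository. Test for the checkout instead, along the lines of `if [ ! -d /etc/yate/.git ]; then git clone <url> /etc/yate; else git -C /etc/yate fetch origin && git -C /etc/yate checkout -f origin/main; fi` (patch 03 reworks this block). The clone also authenticates as root over SSH to git.hamburg.ccc.de with no host key pinned anywhere in the configuration; on NixOS the server key can be declared with `programs.ssh.knownHosts`, so the first connection is not trusted on sight.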
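Review bot: `users.users.chaos.password = "yes";` commits a plaintext, trivially guessable login password to the repository, and on NixOS this option is additionally rendered into the world-readable Nix store on the target host (the option's own documentation warns against using it for real passwords). If the `chaos` account needs a password, supply a hash via `users.users.chaos.hashedPasswordFile` pointing at a secret managed outside the store (sops-nix is wired in by patch 04) or `hashedPassword`. Since the value has been committed it should be treated as disclosed and changed on any host where this revision was activated; patch 04 only comments the line out.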
@@ -12,17 +12,22 @@
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
+ Group="yate-config";
+ StateDirectory = "yate";
+ StateDirectoryMode = "0775";
 # ...
 };
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
- preStart = "if mkdir -p /etc/yate
+ preStart = "if ! [ -d \"/var/lib/yate/.git\" ]
 then
- ${pkgs.git}/bin/git -C /etc/yate clone forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
- ${pkgs.git}/bin/git -C /etc/yate pull
- else
- ${pkgs.git}/bin/git -C /etc/yate checkout -f origin/main
- fi";
+ ${pkgs.git}/bin/git init /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
+ ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
+ echo \"New repo set up.\"
+ fi
+ ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
 # ...
 };
 }
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index c4834bb..f72da0f 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -10,4 +10,12 @@
 # Just disable it for now.
 networking.firewall.enable = false;
+
+ users.groups.yate-config = {};
+ users.groups.yate-config.members = [ "colmema-deploy" "chaos" ];
+
+ environment.etc.yate.user = "root";
+ environment.etc.yate.group = "yate-config";
+ environment.etc.yate.mode = "0775";
+ environment.etc.yate.source = "/var/lib/yate";
 }
-- 
2.44.1
From fd525ee06f3c44fe1fa827951651d86b78c9bd7e Mon Sep 17 00:00:00 2001
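Review bot: `StateDirectoryMode = "0775"` together with `Group="yate-config"` makes `/var/lib/yate` group-writable, and the yate.nix hunk on this line adds `colmema-deploy` and `chaos` to that group while the service still runs as root (no `User=` is set): any member of the group can edit the checked-out configuration that root then loads, and that same checkout is what `/etc/yate` is served from. Keep the directory `0755`, owned by the account the service runs as, and let configuration changes flow through the git remote, which is the workflow the `preStart` already implements; patch 05 introduces a dedicated `yate` user, which removes the root half of this. Separately, `git pull -f --set-upstream` with no remote or branch argument on a freshly `git init`ed repository has nothing to set upstream from; `git clone <url> /var/lib/yate` when `.git` is absent is simpler and does the same job.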
From: echtnurich
Date: Tue, 6 Aug 2024 22:06:26 +0200
Subject: [PATCH 04/11] make yate systemd service
---
 .sops.yaml | 17 ++
 config/hosts/yate/configuration.nix | 2 +-
 config/hosts/yate/default.nix | 1 +
 config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++
 config/hosts/yate/service.nix | 25 ++-
 config/hosts/yate/sops.nix | 7 +
 config/hosts/yate/yate.nix | 2 +-
 flake.nix | 1 +
 8 files changed, 282 insertions(+), 6 deletions(-)
 create mode 100644 config/hosts/yate/secrets.yaml
 create mode 100644 config/hosts/yate/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index c42474e..9d81ef7 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
 - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
 - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
 - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+ - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
 creation_rules:
 - path_regex: config/hosts/git/.*
 key_groups:
@@ -96,6 +97,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_public_web_static
+ - path_regex: config/hosts/yate/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_yate
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 1ba7fc9..f350966 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,7 +6,7 @@
 domain = "z9.ccchh.net";
 };
- users.users.chaos.password = "yes";
+# users.users.chaos.password = "yes";
 system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 5304abd..009e1a1 100644
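Review bot: Commenting out `users.users.chaos.password = "yes";` leaves the plaintext value in the file and in history, so it remains a disclosed credential rather than a removed one; delete the line, and if `chaos` needs a login password, use `users.users.chaos.hashedPasswordFile = config.sops.secrets.<secret-name>.path;` with the sops-nix module this commit wires in. If the previous revision was ever activated on the host, the account's password should also be rotated there.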
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -6,5 +6,6 @@
 ./networking.nix
 ./yate.nix
 ./service.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
new file mode 100644
index 0000000..e40f320
--- /dev/null
+++ b/config/hosts/yate/secrets.yaml
@@ -0,0 +1,233 @@ +git_clone_key: ENC[AES256_GCM,data:U/Ogt05wAZsGWTcdKN/Iv2LfScrpR5PuiPU97OHYO75hHV98B5fdQ1SXOgKHa+JdmDHTyh0sDjFt1DwqzCtFmSuQzRh5vpsXHml6qjo1vmsgX2g3HNfA9jAnWQb7HiyYx1HxgEXeJBwBNHO2/O7h7mEkC17lWrdNsX2AiENcVZBPYceJ+YV5ZuhAswh6MS99co57jQhpOv520Hz76qgYwtEDtLL0FEDO2ZIuvyo4CXgS53uIMwF/aJjgKz6+C1cgL6xvNg+ZjIqadIU2sSopkDxxL9l9XTiqM/NrHCI62BAR90ixIiSPePEvkGXzMblPdJl2XL3wW2zn4Ag64jCSylOksSqJCDrqkpc10S/mHGSWDDRneqD/m90Dbyt0I8d5xUpDnRguOxVSLFXvPUjSKmLIW4EN2rmlChzDAqY3w7XaoUnWUVUgHLR4EsVxwLVjVx38Q90JIudz57N/2mvyjHphHJxvy6ye5qLbaxB8RfFkG5yfFzueoSmni5Znc6XkbaiKOPBEXGIio+7EHTgs,iv:QDPgBoFWw1ywfkdoMR15il9iPELtfgqx3p7HYo90kPk=,tag:FWEXc6nOzSE4NxlEtFt3sw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP + TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw + KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS + bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 + xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-06T20:00:59Z" + mac: ENC[AES256_GCM,data:mGhASa+NAaiiYRK74HfMKIfQxBnT/db1tpn2kmSvi0+NSZzxVZjOtsAF3zUqBf7Mjh1Fr3Bfr/MlskiKfznO9rMmwF93r7TeFURIUwAXN7/TFvdjJQGTBo2uIGoE94xZImNuwGlZmZXoZtE9/i31wH9g7al9pqRKmEyJ3oP0eCo=,iv:2Yb9ofOitYLvHC1HybQBxoRBkx8VBxTONfLt4pfp4y4=,tag:N259N6s+c2cYEjLzB+a7sg==,type:str] + pgp: + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg + do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL + r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 + cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl + Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa + 
JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi + ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk + YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa + QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy + aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg + GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U + ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ + ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ + et8Y1DEjVg== + =u7aP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 + Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S + YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 + twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 + uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx + Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ + gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU + JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng + mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji + yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp + E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S + XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq + vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX + =advR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz + 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec + ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa + 
RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty + y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE + L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 + glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ + B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl + L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl + o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO + Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS + XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb + fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy + =vqhH + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd + +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 + Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 + LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un + kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 + cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn + 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh + 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU + K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb + QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 + Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S + XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj + IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C + =hGXq + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg + YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi + 
LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ + +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG + SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io + 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq + 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 + 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll + CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U + pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF + EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS + XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 + uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 + =vZLC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x + p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 + XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa + oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB + SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS + 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG + oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ + XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo + IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc + 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa + XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS + XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ + fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I + =SLD4 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp + 
8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ + 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 + sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB + NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI + K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX + 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 + SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 + TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva + 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR + oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S + XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t + LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII + =MQ9C + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF + XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe + 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ + Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc + abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di + +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk + nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 + BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf + T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 + VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm + jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS + XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY + 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ + =uyf4 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st + V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 + 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ + i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d + V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE + zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz + TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p + FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF + aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO + 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym + NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS + XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn + kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr + =7R+0 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw + cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 + 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi + I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== + =0G+m + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX + KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l + MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy + p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k + YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs + yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O + oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv + 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre + 
FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF
+ 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm
+ k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS
+ XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh
+ B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI
+ =ZgbM
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 337ddfc..88302d7 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -1,17 +1,31 @@
 { config, pkgs, ... }:
 {
+# systemd.managerEnvironment = {
+# SYSTEMD_LOG_LEVEL = "debug";
+# };
+
+
+
+ sops.secrets."git_clone_key" = {
+ mode = "0600";
+ owner = "root";
+ group = "yate-config";
+ restartUnits = [ "yate.service" ];
+};
+
 systemd.services.yate = {
 enable = true;
 description = "Yate telehony engine";
 unitConfig = {
 Type = "simple";
- After="network.target";
+ After= "network.target";
 };
 serviceConfig = {
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
+ User="root";
 Group="yate-config";
 StateDirectory = "yate";
 StateDirectoryMode = "0775";
@@ -19,14 +33,17 @@
 };
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
- preStart = "if ! [ -d \"/var/lib/yate/.git\" ]
+ preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+ if ! [ -d \"/var/lib/yate/.git\" ]
 then
 ${pkgs.git}/bin/git init /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
- ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
 echo \"New repo set up.\"
 fi
- ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ test ${pkgs.openssh}/bin/ssh
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
 ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
 # ...
 };
diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix
new file mode 100644
index 0000000..38b06f9
--- /dev/null
+++ b/config/hosts/yate/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
\ No newline at end of file
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index f72da0f..a32df32 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -16,6 +16,6 @@
 environment.etc.yate.user = "root";
 environment.etc.yate.group = "yate-config";
- environment.etc.yate.mode = "0775";
+ environment.etc.yate.mode = "symlink";
 environment.etc.yate.source = "/var/lib/yate";
 }
diff --git a/flake.nix b/flake.nix
index 8a8ebf7..29854b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -192,6 +192,7 @@
 modules = [
 ./config/common
 ./config/proxmox-vm
+ sops-nix.nixosModules.sops
 ./config/hosts/yate
 ];
 };
-- 
2.44.1
From 149f846d3222f373fa226bb06ab9bce42f808f11 Mon Sep 17 00:00:00 2001
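Review bot: `preStart` now opens with `echo \"\n\" >> /run/secrets/git_clone_key`, which appends to the sops-provisioned private key on every service start; the stored secret should simply be re-encrypted with a trailing newline rather than being mutated at runtime, and this line is carried unchanged through every later revision of the hunk (patches 05–11). The `GIT_SSH_COMMAND` on the `pull` and `fetch` lines passes only `-i`, so nothing in the configuration pins the host key of git.hamburg.ccc.de: a non-interactive unit fails with "Host key verification failed" until someone accepts the key by hand, and afterwards no record exists of which key was trusted — declaring it with `programs.ssh.knownHosts."git.hamburg.ccc.de".publicKey = "<host public key>";` fixes both. `test ${pkgs.openssh}/bin/ssh` is a no-op, since `test` with a single argument only checks that the string is non-empty; `test -x ${pkgs.openssh}/bin/ssh` was presumably meant, or the line can go. `git config --add safe.directory` written into the repository's own `.git/config` is not honoured by git (safe.directory is read only from protected config) and `--add` appends a duplicate entry on every start; with the checkout owned by the same user the service runs as, it is not needed. The commented-out `systemd.managerEnvironment` debug block is best dropped before merging.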
From: echtnurich
Date: Wed, 7 Aug 2024 18:03:17 +0200
Subject: [PATCH 05/11] create yate service user
---
 config/hosts/yate/service.nix | 7 ++++---
 config/hosts/yate/yate.nix | 13 ++++++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 88302d7..bdaed23 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -9,7 +9,7 @@
 sops.secrets."git_clone_key" = {
 mode = "0600";
- owner = "root";
+ owner = "yate";
 group = "yate-config";
 restartUnits = [ "yate.service" ];
 };
@@ -25,7 +25,7 @@
 ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
 Type="simple";
 Restart="always";
- User="root";
+ User="yate";
 Group="yate-config";
 StateDirectory = "yate";
 StateDirectoryMode = "0775";
@@ -39,12 +39,13 @@
 ${pkgs.git}/bin/git init /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
 echo \"New repo set up.\"
 fi
 test ${pkgs.openssh}/bin/ssh
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout -f origin/master";
 # ...
 };
 }
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index a32df32..3f9b054 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -11,10 +11,17 @@
 # Just disable it for now.
 networking.firewall.enable = false;
- users.groups.yate-config = {};
- users.groups.yate-config.members = [ "colmema-deploy" "chaos" ];
+ users.users.yate = {
+ description = "yate service user";
+ group = "yate-config";
+ isNormalUser = true;
+ };
- environment.etc.yate.user = "root";
+
+ users.groups.yate-config = {};
+ users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+
+ environment.etc.yate.user = "yate";
 environment.etc.yate.group = "yate-config";
 environment.etc.yate.mode = "symlink";
 environment.etc.yate.source = "/var/lib/yate";
-- 
2.44.1
From 3b83a5d8ab77967a0d5ab0f1a8abb853f25fd4dd Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Wed, 7 Aug 2024 18:51:12 +0200
Subject: [PATCH 06/11] recreate the full config everytime
---
 config/hosts/yate/service.nix | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index bdaed23..7d74449 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
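Review bot: `isNormalUser = true` creates `yate` as a login-capable, human-style account (UID in the normal-user range, a home directory under /home, a login shell); a daemon account should be declared with `isSystemUser = true;` alongside the `group = "yate-config";` already given, which is the NixOS idiom for service users and all that the `User="yate"` in service.nix needs. The members list now puts `root`, `yate`, `colmema-deploy` and `chaos` into `yate-config`, the group that has write access to the `0775` state directory served as `/etc/yate`; since the service re-syncs that directory from git on every start, it is worth checking whether the deploy and human accounts still need group write on it at all.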
@@ -34,18 +34,14 @@
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
 preStart = "echo \"\n\" >> /run/secrets/git_clone_key
- if ! [ -d \"/var/lib/yate/.git\" ]
- then
+ rm -rf /var/lib/yate/*
+ rm -rf /var/lib/yate/.*
 ${pkgs.git}/bin/git init /var/lib/yate
- ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate pull -f --set-upstream
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
- echo \"New repo set up.\"
- fi
- test ${pkgs.openssh}/bin/ssh
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout -f origin/master";
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
+
 # ...
 };
 }
-- 
2.44.1
From c9967f73c0361fdf6f146cc3211f2a5a379a9496 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Wed, 7 Aug 2024 18:53:15 +0200
Subject: [PATCH 07/11] decolour the log because of blob data
---
 config/hosts/yate/service.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 7d74449..9e4b98b 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -22,7 +22,7 @@
 After= "network.target";
 };
 serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share -Do";
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
 Type="simple";
 Restart="always";
 User="yate";
-- 
2.44.1
From c62f722899481d40af8d25b8ec1313415c88c0ee Mon Sep 17 00:00:00 2001
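Review bot: `rm -rf /var/lib/yate/*` and `rm -rf /var/lib/yate/.*` wipe the live configuration before anything has been fetched, so a `fetch` that fails (network down, key rejected) leaves yate starting against an empty `/etc/yate`; patch 08 adds a reachability probe, but the destructive step still precedes the fetch there too. The `.*` glob also expands to `.` and `..`, which `rm` refuses with a non-zero exit, and under the `set -e` that NixOS job scripts run with that may abort the preStart outright — `find /var/lib/yate -mindepth 1 -delete` is the deterministic spelling. Safer still is to clone into a temporary directory beside the checkout and rename it into place only after the clone succeeds, so the old configuration is never removed without a complete replacement.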
From: echtnurich
Date: Thu, 8 Aug 2024 20:11:42 +0200
Subject: [PATCH 08/11] make sure source is available before deleting config
---
 config/hosts/yate/service.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index 9e4b98b..7befcb0 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -34,13 +34,18 @@
 wantedBy = [ "default.target" ];
 requiredBy = [ "network.target" ];
 preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+ sleep 1
+ SSH_SUCCESS=1
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de || SSH_SUCCESS=0
+ if [ $SSH_SUCCESS = 1 ]; then
 rm -rf /var/lib/yate/*
 rm -rf /var/lib/yate/.*
 ${pkgs.git}/bin/git init /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
 ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git
 env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master";
+ ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
+ fi";
 # ...
 };
-- 
2.44.1
From f9f258a2125d3cd94a7aa3c64ce842ca10ea962b Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sun, 8 Sep 2024 18:52:22 +0200
Subject: [PATCH 09/11] change yate-config repo
---
 config/hosts/yate/secrets.yaml | 6 +++---
 config/hosts/yate/service.nix | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
index e40f320..1dcfe87 100644
--- a/config/hosts/yate/secrets.yaml
+++ b/config/hosts/yate/secrets.yaml
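Review bot: The new guard probes with a bare `ssh -q … forgejo@git.hamburg.ccc.de`; whether that exits 0 depends on how the Forgejo SSH shell answers a session with no command, which the hunk does not establish, and `-q` discards exactly the diagnostics (unknown host key, key not accepted) needed to understand a failure. A probe whose exit status is defined for this purpose is `git ls-remote <remote-url> HEAD` run under the same `GIT_SSH_COMMAND`, which additionally confirms that the deploy key is authorised for this repository rather than merely accepted by the server. Even when the guard passes, `rm -rf` still runs before `fetch`, so a fetch that fails after a successful probe leaves no configuration behind; and `sleep 1` as a network-readiness wait is better expressed by ordering after `network-online.target`, which patch 11 adopts.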
@@ -1,4 +1,4 @@ -git_clone_key: ENC[AES256_GCM,data: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,iv:QDPgBoFWw1ywfkdoMR15il9iPELtfgqx3p7HYo90kPk=,tag:FWEXc6nOzSE4NxlEtFt3sw==,type:str] +git_clone_key: ENC[AES256_GCM,data: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,iv:lO/uxPX+hgKhQ7HAB7x6+vkJGbTAGaxFl1McCgSnz7Y=,tag:TazynolI4e1xpFHtTH0Tig==,type:str] sops: kms: [] gcp_kms: [] @@ -14,8 +14,8 @@ sops: bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-06T20:00:59Z" - mac: ENC[AES256_GCM,data:mGhASa+NAaiiYRK74HfMKIfQxBnT/db1tpn2kmSvi0+NSZzxVZjOtsAF3zUqBf7Mjh1Fr3Bfr/MlskiKfznO9rMmwF93r7TeFURIUwAXN7/TFvdjJQGTBo2uIGoE94xZImNuwGlZmZXoZtE9/i31wH9g7al9pqRKmEyJ3oP0eCo=,iv:2Yb9ofOitYLvHC1HybQBxoRBkx8VBxTONfLt4pfp4y4=,tag:N259N6s+c2cYEjLzB+a7sg==,type:str] + lastmodified: "2024-09-08T16:47:20Z" + mac: ENC[AES256_GCM,data:0BIL7zHvXKv36hjRVdagxSAwkT1PHVi4jqAeoGj4xo8B8f5q8xcerE4DNNIdEbCxGARGTMS/qC3JeOsMcNU9tk34wnMXxddqw5wf0k2evwfqp6+2I+silQTkpEKhNXaiD6KdilLQheUZhuCNAlU5I3fqkFnfNMC2HRwMhTm9tg8=,iv:yaCljmi/JiEwgwoRjSrzMmZN96/KG7yHQ4zF5rKgKH8=,tag:G9MqahsLpXRzAS6cMa9zxw==,type:str] pgp: - created_at: "2024-08-05T20:33:02Z" enc: |- diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index 7befcb0..f959f65 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix 
@@ -42,7 +42,7 @@ rm -rf /var/lib/yate/.* ${pkgs.git}/bin/git init /var/lib/yate ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" - ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:echtnurich/yate-config.git + ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master fi"; -- 2.44.1 From fb458e244bafd87e227d104c806bb3d58a94e88e Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sun, 8 Sep 2024 21:07:47 +0200 Subject: [PATCH 10/11] fix yate deploy key --- config/hosts/yate/secrets.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml index 1dcfe87..6235c17 100644 --- a/config/hosts/yate/secrets.yaml +++ b/config/hosts/yate/secrets.yaml @@ -1,4 +1,4 @@ -git_clone_key: ENC[AES256_GCM,data:/9zM2jveLx+RRODQke8mmeo2iYo0djw+fmwgD3WGWyxxRxg1GHzKF503N/PFQ+Kksgn+p/jqEb1NsG4ukcv7B9uv/8v3uLLo821Nn6g+P/UcPp6VzWeyrYJ/5p90A+TEg4pAXDRx079FzgRMQVLDXhGg7C+KnqLAygKl10KOPZfKcsMmSJiTmsTcx+CSZ2Zp0Yfo/x3vDw9Cxy+Nr8NGKtWz6I0Bmr/XGrfWjs5uoHwLs2hZ/hyAiQCZmzMKgNSTJiFzxyepF7ImYzuKXkY7Zyr21r3NWnGMOTIe/xhzgB+EUXcmoKmYnGrG9+350NTNxna2bxY5J1SiqDOA2iWYzfl+fvxM+zHt+qwl37vPNfCI3zs7WLn8rtA7+0N1p4XsA6m0BfWxLt2Nex8c+grPZ1ndGjX1nov4arDWE7jti63BT4Imwt6S+AuaX5MlmV5EH1G8nTuguBgxWC2uWzK5vHst3hNn/NcSfZd5uKhzT20qq8b3LPAyQ0PKfiDNYFTE+DzJExWvZus2LIQxGvl1,iv:lO/uxPX+hgKhQ7HAB7x6+vkJGbTAGaxFl1McCgSnz7Y=,tag:TazynolI4e1xpFHtTH0Tig==,type:str] +git_clone_key: ENC[AES256_GCM,data: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,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,8 +14,8 @@ sops: bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-08T16:47:20Z" - mac: ENC[AES256_GCM,data:0BIL7zHvXKv36hjRVdagxSAwkT1PHVi4jqAeoGj4xo8B8f5q8xcerE4DNNIdEbCxGARGTMS/qC3JeOsMcNU9tk34wnMXxddqw5wf0k2evwfqp6+2I+silQTkpEKhNXaiD6KdilLQheUZhuCNAlU5I3fqkFnfNMC2HRwMhTm9tg8=,iv:yaCljmi/JiEwgwoRjSrzMmZN96/KG7yHQ4zF5rKgKH8=,tag:G9MqahsLpXRzAS6cMa9zxw==,type:str] + lastmodified: "2024-09-08T18:35:07Z" + mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] pgp: - created_at: "2024-08-05T20:33:02Z" enc: |- -- 2.44.1 From e24b5b6fb111d3dc3db8bd3539fcbd1389314928 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Sun, 8 Sep 2024 21:08:17 +0200 Subject: [PATCH 11/11] fix yate-config not pulling --- config/hosts/yate/service.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index f959f65..9013060 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix @@ -18,8 +18,7 @@ enable = true; description = "Yate telehony engine"; unitConfig = { - Type = "simple"; - After= "network.target"; + After= "network-online.target"; }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; 
@@ -32,19 +31,16 @@
 # ...
 };
 wantedBy = [ "default.target" ];
- requiredBy = [ "network.target" ];
+ requires = [ "network-online.target" ];
 preStart = "echo \"\n\" >> /run/secrets/git_clone_key
- sleep 1
+ sleep 5
 SSH_SUCCESS=1
- ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de || SSH_SUCCESS=0
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
 if [ $SSH_SUCCESS = 1 ]; then
 rm -rf /var/lib/yate/*
 rm -rf /var/lib/yate/.*
- ${pkgs.git}/bin/git init /var/lib/yate
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
 ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
- ${pkgs.git}/bin/git -C /var/lib/yate remote add origin forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- ${pkgs.git}/bin/git -C /var/lib/yate checkout --track -f origin/master
 fi";
 # ...
-- 
2.44.1
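Review bot: `git -C /var/lib/yate config --add safe.directory` now follows a `clone` done by the same user, where it is both unnecessary and ineffective (git ignores safe.directory in repository-local config), so the line should go. The probe's stderr is redirected to `/var/lib/yate/SSH_CHECK_LOG`, a file the `rm -rf` a few lines later deletes whenever the probe succeeds and that otherwise sits inside the directory exposed as `/etc/yate`; letting it reach the journal (drop the redirect and `-q`) keeps the diagnostics where the rest of the unit's output goes. `sleep 5` remains a timing workaround beside the new `requires`/`After=network-online.target`, which already orders the unit after the network is reported up, provided a wait-online service is enabled on this host. The clone still has no host key pinned for git.hamburg.ccc.de (`programs.ssh.knownHosts`), so any unexpected host key — legitimate rotation or not — silently flips `SSH_SUCCESS` to 0 and the service keeps running on whatever checkout it had, with the only trace being the log file above.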