openiscsi autologin

This commit is contained in:
arcnmx 2023-06-14 07:19:16 -07:00
parent fcd61d39ea
commit 4fd6d04a40
5 changed files with 54 additions and 28 deletions


@ -58,8 +58,7 @@ with lib; {
fi fi
# otherwise authenticate with tailscale # otherwise authenticate with tailscale
# to-do: --advertise-exit-node ${getExe tailscale} up --advertise-exit-node -authkey $(cat ${config.sops.secrets.tailscale-key.path})
${getExe tailscale} up -authkey $(cat ${config.sops.secrets.tailscale-key.path})
''; '';
}; };
}; };
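Review bot: `--advertise-exit-node` on the `tailscale up` line makes this host offer itself as an exit node for every device on the tailnet, which is unrelated to the commit title (openiscsi autologin) and deserves a sentence in the description of its own. Advertising only takes effect once the node is approved as an exit node in the tailnet admin console and the host has IP forwarding enabled; on NixOS `services.tailscale.useRoutingFeatures = "server"` is the option that arranges the forwarding sysctls, so it is worth confirming that is set elsewhere in the configuration. Separately, `-authkey $(cat …)` places the key in the command's argv, where it is readable from the process table for the duration of `tailscale up`; that predates this commit, but a comment such as `# NOTE: the auth key is passed as an argument and is visible in argv while this runs` would keep the trade-off on record. The enclosing script string and attribute start outside the hunk.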


@ -1,7 +1,8 @@
{ config, lib, ... }: let { config, utils, lib, ... }: let
inherit (lib) mkAfter; inherit (lib) mkAfter;
cfg = config.services.deluge; cfg = config.services.deluge;
mediaDir = "/mnt/shadow/deluge"; shadowDir = "/mnt/shadow";
mediaDir = "${shadowDir}/deluge";
in { in {
sops.secrets.deluge-auth = { sops.secrets.deluge-auth = {
inherit (cfg) group; inherit (cfg) group;
@ -35,9 +36,12 @@ in {
}; };
systemd.services = { systemd.services = {
deluged = { deluged = {
bindsTo = [
"${utils.escapeSystemdPath shadowDir}.mount"
];
unitConfig = { unitConfig = {
RequiresMountsFor = [ RequiresMountsFor = [
"/mnt/shadow" shadowDir
]; ];
}; };
}; };
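Review bot: `shadowDir = "/mnt/shadow"` at the top of this file is now a third independent copy of the array's mount point (mediatomb carries its own `shadowDir`, and the host file defines `md.shadow.where`), and the new `bindsTo` on `${utils.escapeSystemdPath shadowDir}.mount` only does what is intended while all three stay identical. If one copy drifts, deluged would most likely fail to start with a dependency error on a mount unit that does not exist, which is a confusing failure to debug from the unit logs. A comment on the definition, e.g. `# must match md.shadow.where / the fileSystems entry for the shadow array`, makes the coupling visible; deriving the path from one shared place would remove it. The enclosing `systemd.services` attribute set continues outside the hunk.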


@ -1,8 +1,7 @@
{ config, lib, ... }: with lib; let { config, utils, lib, ... }: with lib; let
cfg = config.services.mediatomb; cfg = config.services.mediatomb;
shadowDir = "/mnt/shadow"; shadowDir = "/mnt/shadow";
inherit (config.services) deluge; inherit (config.services) deluge;
delugeDir = "${shadowDir}/deluge";
in { in {
services.mediatomb = { services.mediatomb = {
enable = true; enable = true;
@ -16,7 +15,7 @@ in {
hidden-files = false; hidden-files = false;
} }
(mkIf deluge.enable { (mkIf deluge.enable {
path = delugeDir; path = builtins.dirOf deluge.config.download_location;
recursive = true; recursive = true;
hidden-files = false; hidden-files = false;
}) })
@ -24,6 +23,9 @@ in {
}; };
systemd.services.mediatomb = { systemd.services.mediatomb = {
confinement.enable = true; confinement.enable = true;
bindsTo = [
"${utils.escapeSystemdPath shadowDir}.mount"
];
unitConfig = { unitConfig = {
RequiresMountsFor = [ RequiresMountsFor = [
shadowDir shadowDir
@ -37,7 +39,7 @@ in {
"anime" "movies" "tv" "unsorted" "anime" "movies" "tv" "unsorted"
"music" "music-to-import" "music-raw" "music" "music-to-import" "music-raw"
]) ])
(mkIf deluge.enable [ "${delugeDir}/complete" ]) (mkIf deluge.enable [ deluge.config.move_completed_path ])
]; ];
}; };
}; };
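Review bot: `path = builtins.dirOf deluge.config.download_location` in the second hunk quietly changes what mediatomb serves from a fixed deluge directory to whatever parent directory the deluge option happens to point at; if `download_location` is ever moved to a path outside the shared tree, mediatomb would start serving that path's parent. The derivation is implicit, so a comment on that line such as `# serve the parent of the download dir (assumed to be the deluge share itself, with download_location directly under it)` is warranted, and the same assumption applies to `deluge.config.move_completed_path` in the last hunk. Both keys are presumably only present when the deluge module's `config` sets them, which is not visible here; `mkIf deluge.enable` alone would not skip a missing attribute, it would fail evaluation.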


@ -7,13 +7,17 @@
modulesPath, modulesPath,
... ...
}: let }: let
inherit (lib) mkIf;
hddopts = ["luks" "discard" "noauto" "nofail"]; hddopts = ["luks" "discard" "noauto" "nofail"];
md = { md = {
shadow = rec { shadow = rec {
name = "shadowlegend"; name = "shadowlegend";
device = "/dev/md/${name}"; device = "/dev/md/${name}";
unit = utils.escapeSystemdPath device; unit = utils.escapeSystemdPath device + ".device";
where = "/mnt/shadow";
mount = utils.escapeSystemdPath where + ".mount";
service = "md-shadow.service"; service = "md-shadow.service";
disk = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf";
cryptDisks = cryptDisks =
lib.flip lib.mapAttrs { lib.flip lib.mapAttrs {
seagate0 = { seagate0 = {
@ -91,6 +95,7 @@ in {
services.openiscsi = { services.openiscsi = {
enable = true; enable = true;
enableAutoLoginOut = true;
name = ""; name = "";
}; };
@ -102,14 +107,14 @@ in {
username = "systemd"; username = "systemd";
}; };
units = { units = {
"mnt-shadow.mount" = {}; ${md.shadow.mount} = {};
"mediatomb.service" = lib.mkIf config.services.mediatomb.enable {}; "mediatomb.service" = mkIf config.services.mediatomb.enable {};
}; };
}; };
environment.etc = { environment.etc = {
"iscsi/initiatorname.iscsi" = lib.mkForce { "iscsi/initiatorname.iscsi" = lib.mkForce {
source = config.sops.secrets.openscsi-config.path; source = config.sops.secrets.openiscsi-config.path;
}; };
crypttab.text = let crypttab.text = let
inherit (lib) concatStringsSep mapAttrsToList; inherit (lib) concatStringsSep mapAttrsToList;
@ -127,8 +132,8 @@ in {
}; };
sops.secrets = { sops.secrets = {
openscsi-config = {}; openiscsi-config = {};
openscsi-env = lib.mkIf config.services.openiscsi.enableAutoLoginOut { }; openiscsi-env = mkIf config.services.openiscsi.enableAutoLoginOut { };
systemd2mqtt-env = {}; systemd2mqtt-env = {};
}; };
@ -141,8 +146,8 @@ in {
device = "/dev/disk/by-uuid/85DC-72FA"; device = "/dev/disk/by-uuid/85DC-72FA";
fsType = "vfat"; fsType = "vfat";
}; };
"/mnt/shadow" = { ${md.shadow.where} = {
device = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf"; device = md.shadow.disk;
fsType = "xfs"; fsType = "xfs";
options = [ options = [
"x-systemd.automount" "x-systemd.automount"
@ -154,9 +159,12 @@ in {
}; };
}; };
systemd = let systemd = let
inherit (lib) getExe mapAttrsToList mapAttrs' nameValuePair; inherit (lib) getExe;
serviceName = lib.removeSuffix ".service"; serviceName = lib.removeSuffix ".service";
cryptServices = mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks; toSystemdIni = pkgs.lib.generators.toINI {
listsAsDuplicateKeys = true;
};
cryptServices = lib.mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks;
in { in {
services = { services = {
nfs-mountd = { nfs-mountd = {
@ -165,7 +173,8 @@ in {
mdmonitor.enable = false; mdmonitor.enable = false;
${serviceName md.shadow.service} = rec { ${serviceName md.shadow.service} = rec {
restartIfChanged = false; restartIfChanged = false;
wants = cryptServices; wants = cryptServices ++ [ "iscsi.service" ];
bindsTo = cryptServices;
after = wants; after = wants;
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -187,22 +196,34 @@ in {
}; };
iscsi = let iscsi = let
cfg = config.services.openiscsi; cfg = config.services.openiscsi;
in lib.mkIf cfg.enableAutoLoginOut { in mkIf cfg.enableAutoLoginOut rec {
wantedBy = cryptServices;
before = wantedBy;
serviceConfig = { serviceConfig = {
EnvironmentFile = [ config.sops.secrets.openscsi-env.path ]; EnvironmentFile = [ config.sops.secrets.openiscsi-env.path ];
ExecStartPre = [ ExecStartPre = [
"${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover" "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover"
]; ];
}; };
}; };
systemd2mqtt = lib.mkIf config.services.systemd2mqtt.enable rec { systemd2mqtt = mkIf config.services.systemd2mqtt.enable rec {
requires = lib.mkIf config.services.mosquitto.enable ["mosquitto.service"]; requires = mkIf config.services.mosquitto.enable ["mosquitto.service"];
after = requires; after = requires;
serviceConfig.EnvironmentFile = [ serviceConfig.EnvironmentFile = [
config.sops.secrets.systemd2mqtt-env.path config.sops.secrets.systemd2mqtt-env.path
]; ];
}; };
}; };
units = {
${md.shadow.mount} = {
overrideStrategy = "asDropin";
text = toSystemdIni {
Unit.BindsTo = [
md.shadow.service
];
};
};
};
network = { network = {
networks.eno1 = { networks.eno1 = {
inherit (config.systemd.network.links.eno1) matchConfig; inherit (config.systemd.network.links.eno1) matchConfig;
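Review bot: The new drop-in on `${md.shadow.mount}` adds `Unit.BindsTo = [ md.shadow.service ]`, and that service is declared `Type = "oneshot"`; unless its serviceConfig, which continues outside the hunk, also sets `RemainAfterExit = true`, the service becomes inactive as soon as its commands finish and systemd will then stop the bound mount right after it has been mounted. That is worth confirming, and a comment on the drop-in such as `# md-shadow.service must stay active (RemainAfterExit) or this BindsTo tears the mount down immediately` would record the requirement. Minor style point: `toSystemdIni` reaches for `pkgs.lib.generators.toINI` while the rest of the file uses `lib`; `lib.generators.toINI` is the same function and keeps the file consistent.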


@ -5,8 +5,8 @@ z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHw
tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str] tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str] vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str] vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str] openiscsi-config: ENC[AES256_GCM,data:bt39RW/oELLuWkTSwD3xA8j+5SM4N5RAZ+qHKd1aOGxaIHSIxQnK9txJ/EDemQZ5uLGVMeYKGag9,iv:FJJYIH7qlxZFJHm9mqHf6erOyqimdSrSNHAp9FLo7zk=,tag:CTal+n+Vf5VZD8x2haayvw==,type:str]
openscsi-env: ENC[AES256_GCM,data:qOrDDPSnEJVHBPvrbqTOPx5hffqR2INn+ZuMpP/dplmPhKbJIyJo+w==,iv:lWeiAA1L24tL7VFFnXTcTKqYbkCd5i2WXlBKoEbyEPo=,tag:oBSSczca6OUEe5GhnvS5gA==,type:str] openiscsi-env: ENC[AES256_GCM,data:dSUZ/Iu5zabuM64a5WlXETRzSrN+QXMqLmDnw8CK1Ab5NLwbkIP2iA==,iv:z+dv1ddSRUah0RJXDjEtyOweIbT+q4OMzVlSUYXa69M=,tag:gK5iOW5PUthyFkunImLx1A==,type:str]
systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str] systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str] z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str] deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str]
@ -40,8 +40,8 @@ sops:
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g== 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-11T18:05:23Z" lastmodified: "2023-07-11T18:05:50Z"
mac: ENC[AES256_GCM,data:97lA3tTSp8jm8bFoDM/HiNY4mLOCDB5DxewXH49iUNshkGNylYjSb9I0L2m8Se1/yA6QKlHJKkSq2dtqFIXO/ANaHzRTTnR1D6jjh+2AYsbKZUhMXKLaC7HTSWoj/SkvHlgzznz1xSz8iWZXoIzRMpwRHk56TlPejbxJ+UzNWqc=,iv:y7VSWBQcV1fcdirtouQmpD6gxl6dkUddwnzKvG2dka0=,tag:elpRiXRvjmuIMgQexgMwWg==,type:str] mac: ENC[AES256_GCM,data:jVRqkX5DofE+y1epkrBwxGnFYt76XOqMYFJRFXDMSoH+6dHOxiaxqMF6vNrfaydOI24r+VpbMR+Q5rhTPKsrZjVj6dWfgNx0K/e99uXndOM1vzw1RJXvWMc1UreESjlYD75eMYEMNwu5+WmrO1K7Ht+9Cv6uNAmhS34KZzaOxak=,iv:+fgew7KHHXN76xK+N0SuQj/hRhgyIAFWMp008OUXaoM=,tag:bX0frWarHF4l+SJfXHfqSA==,type:str]
pgp: pgp:
- created_at: "2023-03-10T17:06:53Z" - created_at: "2023-03-10T17:06:53Z"
enc: | enc: |