kunsi/bundlewrap
1
0
Fork 0
Code Issues 1 Pull requests 2 Releases Activity

dismantle all arch infrastructure

Browse source
This commit is contained in:
Franzi 2025-01-06 20:12:06 +01:00
parent 5df7bdf2da
commit 0b09537ba4
Signed by: kunsi
GPG key ID: 12E3D2136B818350
59 changed files with 21 additions and 1524 deletions
Download patch file Download diff file Expand all files Collapse all files

190
nodes/fkusei-locutus.py
View file

@ -1,190 +0,0 @@
nodes['fkusei-locutus'] = {
'dummy': True,
'hostname': '10.5.99.29',
'bundles': {
'arch-with-gui',
'bird',
'lldp',
'lm-sensors',
'nfs-client',
'systemd-boot',
'telegraf-battery-usage',
'wireguard',
'voc-tracker-worker',
'zfs',
},
'groups': {
'arch',
},
'metadata': {
'arch-with-gui': {
'autologin_as': 'fkunsmann',
},
'bird': {
'bgp_neighbors': {
'smedia': {
'local_as': 4200128002,
'local_ip': '10.200.128.2',
'neighbor_as': 64900,
'neighbor_ip': '10.200.128.1',
},
},
},
'firewall': {
'port_rules': {
# obs websocket thingie - just allow all RFC1918 ips here
#'4444': {
# '10.0.0.0/8',
# '172.16.0.0/12',
# '192.168.0.0/16',
#},
# For the occasional file-share using `python -m http.server`
'8000/tcp': {'*'},
},
},
'interfaces': {
'eth*': {
'dhcp': True,
},
# there is also wlan0, but that's managed by netctl
},
'location': 'home', # not actually true, but needed for static dhcp lease
'nfs-client': {
'mounts': {
'nas-storage': {
'mountpoint': '/mnt/nas',
'serverpath': '172.19.138.20:/storage/nas',
'mount_options': {
'retry=0',
'ro',
},
},
},
},
'openssh': {
'restrict-to': {
'rfc1918',
},
},
'pacman': {
'packages': {
'amd-ucode': {},
'xf86-video-amdgpu': {},
# all that other random stuff one needs
'apachedirectorystudio': {},
'direnv': {},
'freerdp': {},
'sdl_ttf': {}, # for compiling testcard
'thermald': {},
},
},
'sysctl': {
'options': {
# accept RA even though forwarding is enabled
'net.ipv4.conf.all.accept_ra': '2',
'net.ipv4.conf.wlan0.accept_ra': '2',
},
},
'systemd-boot': {
'default': 'arch',
'entries': {
'arch': {
'title': 'Arch Linux',
'linux': '/vmlinuz-linux',
'initrd': [
'/amd-ucode.img',
'/initramfs-linux.img',
],
'options': {
'net.ifnames=0',
'rw',
'zfs=zroot/system/root',
},
},
'arch-fallback': {
'title': 'Arch Linux (no ucode, fallback initramfs)',
'linux': '/vmlinuz-linux',
'initrd': [
'/initramfs-linux-fallback.img',
],
'options': {
'net.ifnames=0',
'rw',
'zfs=zroot/system/root',
},
},
},
},
'timezone': 'Europe/Berlin',
'users': {
'fkunsmann': {
'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
'shell': '/usr/bin/fish',
},
},
'voc-tracker-worker': {
'url': 'https://tracker.c3voc.de/rpc',
'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'),
'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'),
},
'wireguard': {
'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
'peers': {
'smedia': {
'endpoint': 'wireguard.htz-cloud.kunbox.net:1194',
'their_ip': '10.200.128.1',
'my_ip': '10.200.128.2/20',
'my_port': 51820,
'endpoint': '185.122.180.82:51820',
'psk': vault.decrypt('smedia$NotViaThisRepository'),
'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
},
},
},
'zfs': {
'pools': {
'zroot': {
'when_creating': {
'config': [],
},
},
},
'datasets': {
# this is not a complete list, but we can't create that
# structure using bundlewrap anyway, so there's no point
# in adding it here.
'zroot': {
'compression': 'lz4',
'relatime': 'on',
'xattr': 'sa',
'primarycache': 'metadata'
# encryption is enabled, too.
},
'zroot/system/journal': {
'mountpoint': '/var/log/journal',
'acltype': 'posix',
},
'zroot/system/root': {
'canmount': 'noauto',
'mountpoint': '/',
},
'zroot/user/fkunsmann': {
'mountpoint': '/home/fkunsmann',
},
},
'snapshots': {
'retain_per_dataset': {
'zroot/user/fkunsmann': {
# juuuuuuuust to be sure
'hourly': 100,
},
},
'snapshot_never': {
'zroot/system/journal',
},
},
},
},
'os': 'arch',
}

59
nodes/htz-cloud.aurto.toml
View file

@ -1,59 +0,0 @@
hostname = "2a01:4f9:c010:95fa::2"
bundles = ["backup-client"]
groups = [
"arch",
"webserver",
]
[metadata]
description = [
"When adding packages to aurto, please also add those packages to ~/PACKAGES",
"Wenn Pakete zu aurto hinzugefügt werden, trage sie bitte auch in ~/PACKAGES ein",
]
[metadata.icinga_options]
period = "daytime"
[metadata.backups]
paths = [
"/var/cache/pacman/aurto",
]
[metadata.interfaces.enp1s0]
ips = ["2a01:4f9:c010:95fa::2/64"]
gateway6 = "fe80::1"
[metadata.interfaces.enp7s0]
ips = ["172.19.137.4/32"]
gateway4 = "172.19.137.1"
[metadata.nginx.vhosts.aurto]
domain = "aurto.kunbox.net"
webroot = "/var/cache/pacman/aurto"
extras = true
[metadata.pacman]
enable_aurto = false
additional_config = [
"Include = /etc/pacman.d/aurto",
]
[metadata.pacman.unattended-upgrades]
is_enabled = true
[metadata.sudo.extra_configs]
50_aurto_passwordless = [
"%wheel ALL=(ALL) NOPASSWD: /usr/bin/arch-nspawn",
"%wheel ALL=(ALL) NOPASSWD: /usr/bin/pacsync aurto",
"%wheel ALL=(ALL) NOPASSWD:SETENV: /usr/bin/makechrootpkg",
]
[metadata.users.aurto]
groups = ["wheel"]
ssh_pubkey = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA", # kunsi work
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw==", # kunsi privat
]
[metadata.users.kunsi]
groups = ["wheel"]

251
nodes/kunsi-p14s.py
View file

@ -1,251 +0,0 @@
nodes['kunsi-p14s'] = {
'hostname': 'localhost',
'bundles': {
'arch-with-gui',
'backup-client',
'lldp',
'lm-sensors',
'nfs-client',
'systemd-boot',
'telegraf-battery-usage',
'vmhost',
'wireguard',
'zfs',
},
'groups': {
'arch',
},
'metadata': {
'arch-with-gui': {
'autologin_as': 'kunsi',
},
'backup-client': {
'exclude_from_monitoring': False,
# only alert people if we're missing more than a week of backups
'one_backup_every_hours': 7 * 24,
},
'firewall': {
'port_rules': {
# obs websocket thingie - just allow all RFC1918 ips here
#'4444': {
# '10.0.0.0/8',
# '172.16.0.0/12',
# '192.168.0.0/16',
#},
# For the occasional file-share using `python -m http.server`
'8000/tcp': {'*'},
},
},
'interfaces': {
'br0': {
'ips': {'10.73.100.112/16'},
'gateway4': '10.73.0.254',
'dhcp': True,
},
# there is also wlp3s0, but that's managed by netctl
},
'nfs-client': {
'mounts': {
'nas-scansnap': {
'mountpoint': '/mnt/scansnap',
'serverpath': '172.19.138.20:/srv/scansnap',
'mount_options': {
'retry=0',
'rw',
},
},
'nas-storage': {
'mountpoint': '/mnt/nas',
'serverpath': '172.19.138.20:/storage/nas',
'mount_options': {
'retry=0',
'ro',
},
},
},
},
'nftables': {
'forward': {
'50-routing': [
'ct state { related, established } accept',
'oifname wlan0 accept',
],
},
'postrouting': {
'50-routing': [
'oifname wlan0 masquerade',
],
},
},
'openssh': {
'restrict-to': {
'rfc1918',
},
},
'pacman': {
'no_extract': {
'etc/sudoers.d/ctdb', # samba junk
},
'packages': {
# for hardware support
'amd-ucode': {},
'mesa': {},
# various video drivers
'libva-mesa-driver': {},
'mesa-vdpau': {},
'xf86-video-amdgpu': {},
# all that other random stuff one needs
#'abcde': {},
'claws-mail': {},
'claws-mail-themes': {},
'ferdium-bin': {},
'gumbo-parser': {}, # for claws litehtml
'inkstitch': {}, # for RZL embroidery machine
'obs-studio': {},
#'perl-musicbrainz-discid': {}, # for abcde
#'perl-webservice-musicbrainz': {}, # for abcde
'sdl_ttf': {}, # for compiling testcard
'x32edit': {},
},
},
'systemd-boot': {
'default': 'arch',
'entries': {
'arch': {
'title': 'Arch Linux',
'linux': '/vmlinuz-linux-lts',
'initrd': [
'/amd-ucode.img',
'/initramfs-linux-lts.img',
],
'options': {
'net.ifnames=0',
'rw',
'zfs=zroot/system/root',
},
},
'arch-fallback': {
'title': 'Arch Linux (no ucode, fallback initramfs)',
'linux': '/vmlinuz-linux-lts',
'initrd': [
'/initramfs-linux-lts-fallback.img',
],
'options': {
'net.ifnames=0',
'rw',
'zfs=zroot/system/root',
},
},
},
},
'sysctl': {
'options': {
'net.ipv4.conf.all.forwarding': '1',
},
},
'systemd-networkd': {
'bridges': {
'br0': {
'match': {
'en*',
'eth*',
},
},
},
},
'timezone': 'Europe/Berlin',
'users': {
'kunsi': {
'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
'shell': '/usr/bin/fish',
},
},
'wireguard': {
'peers': {
'htz-cloud.wireguard': {
'auto_connection': False,
'endpoint': 'wireguard.htz-cloud.kunbox.net:1194',
'my_ip': '172.19.136.65',
'my_port': 51819,
'their_ip': '172.19.136.64',
'routes': {
'10.73.0.0/16',
'172.19.128.0/20',
},
},
},
},
'zfs': {
'pools': {
'zroot': {
'when_creating': {
'config': [{
'devices': [
'/dev/disk/by-id/nvme-UMIS_RPETJ1T24MGE2QDQ_SS0L25218X3RC1BG1182-part2',
],
}],
'ashift': 12,
},
},
},
'datasets': {
# this is not a complete list, but we can't create that
# structure using bundlewrap anyway, so there's no point
# in adding it here.
'zroot': {
'compression': 'lz4',
'relatime': 'on',
'xattr': 'sa',
'primarycache': 'metadata'
# encryption is enabled, too.
},
'zroot/movies': {
'mountpoint': '/media/movies',
},
'zroot/nextcloud': {
'mountpoint': '/home/kunsi/nextcloud',
},
'zroot/system/journal': {
'mountpoint': '/var/log/journal',
'acltype': 'posix',
},
'zroot/system/libvirt': {
'mountpoint': '/var/lib/libvirt',
'needed_by': {
'bundle:vmhost',
},
},
'zroot/system/video': {
'mountpoint': '/video',
'needed_by': {
'bundle:voc-tracker-worker',
},
},
'zroot/system/root': {
'canmount': 'noauto',
'mountpoint': 'legacy',
},
'zroot/user/kunsi': {
'mountpoint': '/home/kunsi',
},
},
'snapshots': {
'retain_per_dataset': {
'zroot/user/kunsi': {
# juuuuuuuust to be sure
'hourly': 100,
},
},
'snapshot_never': {
'zroot/movies',
'zroot/nextcloud',
'zroot/system/journal',
'zroot/system/video',
},
},
},
},
'os': 'arch',
}