From bdc6057689f33b456af0c59a20a54494f8d8f0be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 18:41:49 +0100 Subject: [PATCH] hosts: decommission ca host and remove labmon Remove the step-ca host and labmon flake input now that ACME has been migrated to OpenBao PKI. Removed: - hosts/ca/ - step-ca host configuration - services/ca/ - step-ca service module - labmon flake input and module (no longer used) Updated: - flake.nix - removed ca host and labmon references - flake.lock - removed labmon input - rebuild-all.sh - removed ca from host list - CLAUDE.md - updated documentation Note: secrets/ca/ should be manually removed by the user. Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 23 ++- flake.lock | 22 --- flake.nix | 16 -- hosts/ca/configuration.nix | 63 -------- hosts/ca/default.nix | 7 - rebuild-all.sh | 1 - services/ca/default.nix | 169 -------------------- services/ca/templates/ssh/ca.tpl | Bin 6656 -> 0 bytes services/ca/templates/ssh/config.tpl | 14 -- services/ca/templates/ssh/known_hosts.tpl | 4 - services/ca/templates/ssh/sshd_config.tpl | 4 - services/ca/templates/ssh/step_config.tpl | 11 -- services/ca/templates/ssh/step_includes.tpl | 1 - 13 files changed, 10 insertions(+), 325 deletions(-) delete mode 100644 hosts/ca/configuration.nix delete mode 100644 hosts/ca/default.nix delete mode 100644 services/ca/default.nix delete mode 100644 services/ca/templates/ssh/ca.tpl delete mode 100644 services/ca/templates/ssh/config.tpl delete mode 100644 services/ca/templates/ssh/known_hosts.tpl delete mode 100644 services/ca/templates/ssh/sshd_config.tpl delete mode 100644 services/ca/templates/ssh/step_config.tpl delete mode 100644 services/ca/templates/ssh/step_includes.tpl diff --git a/CLAUDE.md b/CLAUDE.md index 4e89ad6..546507f 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -92,7 +92,7 @@ Secrets are managed by OpenBao (Vault) using AppRole authentication. Most hosts `vault.secrets` option defined in `system/vault-secrets.nix` to fetch secrets at boot. Terraform manages the secrets and AppRole policies in `terraform/vault/`. -Legacy sops-nix is still present but only actively used by the `ca` host. Do not edit any +Legacy sops-nix is still present but no longer actively used. Do not edit any `.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary. ### Git Workflow @@ -210,7 +210,6 @@ The **lab-monitoring** MCP server can query Prometheus metrics via PromQL. The ` - `home-assistant` - Home automation metrics - `jellyfin` - Media server metrics - `loki` / `prometheus` / `grafana` - Monitoring stack self-metrics -- `step-ca` - Internal CA metrics - `pve-exporter` - Proxmox hypervisor metrics - `smartctl` - Disk SMART health (gunter) - `wireguard` - VPN metrics (http-proxy) @@ -316,14 +315,14 @@ The `current_rev` label contains the git commit hash of the deployed flake confi - `ns/` - DNS services (authoritative, resolver, zone generation) - `vault/` - OpenBao (Vault) secrets server - `actions-runner/` - GitHub Actions runner - - `http-proxy/`, `ca/`, `postgres/`, `nats/`, `jellyfin/`, etc. -- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, only used by ca) + - `http-proxy/`, `postgres/`, `nats/`, `jellyfin/`, etc. +- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, no longer used) - `/common/` - Shared configurations (e.g., VM guest agent) - `/docs/` - Documentation and plans - `plans/` - Future plans and proposals - `plans/completed/` - Completed plans (moved here when done) - `/playbooks/` - Ansible playbooks for fleet management -- `/.sops.yaml` - SOPS configuration with age keys (legacy, only used by ca) +- `/.sops.yaml` - SOPS configuration with age keys (legacy, no longer used) ### Configuration Inheritance 
@@ -340,7 +339,7 @@ All hosts automatically get: - Nix binary cache (nix-cache.home.2rjus.net) - SSH with root login enabled - OpenBao (Vault) secrets management via AppRole -- Internal ACME CA integration (ca.home.2rjus.net) +- Internal ACME CA integration (OpenBao PKI at vault.home.2rjus.net) - Daily auto-upgrades with auto-reboot - Prometheus node-exporter + Promtail (logs to monitoring01) - Monitoring scrape target auto-registration via `homelab.monitoring` options @@ -351,8 +350,7 @@ All hosts automatically get: Production servers: - `ns1`, `ns2` - Primary/secondary DNS servers (10.69.13.5/6) -- `ca` - Internal Certificate Authority -- `vault01` - OpenBao (Vault) secrets server +- `vault01` - OpenBao (Vault) secrets server + PKI CA - `ha1` - Home Assistant + Zigbee2MQTT + Mosquitto - `http-proxy` - Reverse proxy - `monitoring01` - Full observability stack (Prometheus, Grafana, Loki, Tempo, Pyroscope) @@ -371,7 +369,7 @@ Template hosts: - `nixpkgs` - NixOS 25.11 stable (primary) - `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.`) -- `sops-nix` - Secrets management (legacy, only used by ca) +- `sops-nix` - Secrets management (legacy, no longer actively used) - `nixos-exporter` - NixOS module for exposing flake revision metrics (used to verify deployments) - `homelab-deploy` - NATS-based remote deployment tool for test-tier hosts - Custom packages from git.t-juice.club: @@ -399,10 +397,9 @@ Most hosts use OpenBao (Vault) for secrets: - Fallback to cached secrets in `/var/lib/vault/cache/` when Vault is unreachable - Provision AppRole credentials: `nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=` -Legacy SOPS (only used by `ca` host): +Legacy SOPS (no longer actively used): - SOPS with age encryption, keys in `.sops.yaml` -- Shared secrets: `/secrets/secrets.yaml` -- Per-host secrets: `/secrets//` +- Files in `/secrets/` are legacy and can be removed ### Auto-Upgrade System 
@@ -558,7 +555,7 @@ Prometheus scrape targets are automatically generated from host configurations, - **External targets**: Non-flake hosts defined in `/services/monitoring/external-targets.nix` - **Library**: `lib/monitoring.nix` provides `generateNodeExporterTargets` and `generateScrapeConfigs` -Service modules declare their scrape targets directly via `homelab.monitoring.scrapeTargets` (e.g., `services/ca/default.nix` declares step-ca on port 9000). The Prometheus config on monitoring01 auto-generates scrape configs from all hosts. See "Homelab Module Options" section for available options. +Service modules declare their scrape targets directly via `homelab.monitoring.scrapeTargets`. The Prometheus config on monitoring01 auto-generates scrape configs from all hosts. See "Homelab Module Options" section for available options. To add monitoring targets for non-NixOS hosts, edit `/services/monitoring/external-targets.nix`. diff --git a/flake.lock b/flake.lock index 0cdaf48..63dbb4c 100644 --- a/flake.lock +++ b/flake.lock @@ -42,27 +42,6 @@ "url": "https://git.t-juice.club/torjus/homelab-deploy" } }, - "labmon": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1748983975, - "narHash": "sha256-DA5mOqxwLMj/XLb4hvBU1WtE6cuVej7PjUr8N0EZsCE=", - "ref": "master", - "rev": "040a73e891a70ff06ec7ab31d7167914129dbf7d", - "revCount": 17, - "type": "git", - "url": "https://git.t-juice.club/torjus/labmon" - }, - "original": { - "ref": "master", - "type": "git", - "url": "https://git.t-juice.club/torjus/labmon" - } - }, "nixos-exporter": { "inputs": { "nixpkgs": [ @@ -119,7 +98,6 @@ "inputs": { "alerttonotify": "alerttonotify", "homelab-deploy": "homelab-deploy", - "labmon": "labmon", "nixos-exporter": "nixos-exporter", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", diff --git a/flake.nix b/flake.nix index fae0a17..1ccd4f0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,10 +13,6 @@ url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - labmon = { - url = "git+https://git.t-juice.club/torjus/labmon?ref=master"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - }; nixos-exporter = { url = "git+https://git.t-juice.club/torjus/nixos-exporter"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -34,7 +30,6 @@ nixpkgs-unstable, sops-nix, alerttonotify, - labmon, nixos-exporter, homelab-deploy, ... @@ -50,7 +45,6 @@ commonOverlays = [ overlay-unstable alerttonotify.overlays.default - labmon.overlays.default ]; # Common modules applied to all hosts commonModules = [ @@ -131,15 +125,6 @@ ./hosts/http-proxy ]; }; - ca = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = { - inherit inputs self sops-nix; - }; - modules = commonModules ++ [ - ./hosts/ca - ]; - }; monitoring01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { @@ -147,7 +132,6 @@ }; modules = commonModules ++ [ ./hosts/monitoring01 - labmon.nixosModules.labmon ]; }; jelly01 = nixpkgs.lib.nixosSystem { diff --git a/hosts/ca/configuration.nix b/hosts/ca/configuration.nix deleted file mode 100644 index d20c608..0000000 --- a/hosts/ca/configuration.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - pkgs, - ... -}: - -{ - imports = [ - ../template/hardware-configuration.nix - - ../../system - ../../common/vm - ]; - - nixpkgs.config.allowUnfree = true; - # Use the systemd-boot EFI boot loader. - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - configurationLimit = 3; - }; - - networking.hostName = "ca"; - networking.domain = "home.2rjus.net"; - networking.useNetworkd = true; - networking.useDHCP = false; - services.resolved.enable = true; - networking.nameservers = [ - "10.69.13.5" - "10.69.13.6" - ]; - - systemd.network.enable = true; - systemd.network.networks."ens18" = { - matchConfig.Name = "ens18"; - address = [ - "10.69.13.12/24" - ]; - routes = [ - { Gateway = "10.69.13.1"; } - ]; - linkConfig.RequiredForOnline = "routable"; - }; - time.timeZone = "Europe/Oslo"; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - nix.settings.tarball-ttl = 0; - environment.systemPackages = with pkgs; [ - vim - wget - git - ]; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - networking.firewall.enable = false; - - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/hosts/ca/default.nix b/hosts/ca/default.nix deleted file mode 100644 index 382bd43..0000000 --- a/hosts/ca/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ../../services/ca - ]; -} diff --git a/rebuild-all.sh b/rebuild-all.sh index a4fa0a4..5dc14ab 100755 --- a/rebuild-all.sh +++ b/rebuild-all.sh @@ -5,7 +5,6 @@ set -euo pipefail HOSTS=( "ns1" "ns2" - "ca" "ha1" "http-proxy" "jelly01" diff --git a/services/ca/default.nix b/services/ca/default.nix deleted file mode 100644 index b5759a0..0000000 --- a/services/ca/default.nix +++ /dev/null 
@@ -1,169 +0,0 @@ -{ pkgs, unstable, ... }: -{ - homelab.monitoring.scrapeTargets = [{ - job_name = "step-ca"; - port = 9000; - }]; - sops.secrets."ca_root_pw" = { - sopsFile = ../../secrets/ca/secrets.yaml; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/ca_root_pw"; - }; - sops.secrets."intermediate_ca_key" = { - sopsFile = ../../secrets/ca/keys/intermediate_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/intermediate_ca_key"; - }; - sops.secrets."root_ca_key" = { - sopsFile = ../../secrets/ca/keys/root_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/root_ca_key"; - }; - sops.secrets."ssh_host_ca_key" = { - sopsFile = ../../secrets/ca/keys/ssh_host_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/ssh_host_ca_key"; - }; - sops.secrets."ssh_user_ca_key" = { - sopsFile = ../../secrets/ca/keys/ssh_user_ca_key; - format = "binary"; - owner = "step-ca"; - path = "/var/lib/step-ca/secrets/ssh_user_ca_key"; - }; - - services.step-ca = { - enable = true; - package = pkgs.step-ca; - intermediatePasswordFile = "/var/lib/step-ca/secrets/ca_root_pw"; - address = "0.0.0.0"; - port = 443; - settings = { - metricsAddress = ":9000"; - authority = { - provisioners = [ - { - claims = { - enableSSHCA = true; - maxTLSCertDuration = "3600h"; - defaultTLSCertDuration = "48h"; - }; - encryptedKey = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiY1lWOFJPb3lteXFLMWpzcS1WM1ZXQSJ9.WS8tPK-Q4gtnSsw7MhpTzYT_oi-SQx-CsRLh7KwdZnpACtd4YbcOYg.zeyDkmKRx8BIp-eB.OQ8c-KDW07gqJFtEMqHacRBkttrbJRRz0sYR47vQWDCoWhodaXsxM_Bj2pGvUrR26ij1t7irDeypnJoh6WXvUg3n_JaIUL4HgTwKSBrXZKTscXmY7YVmRMionhAb6oS9Jgus9K4QcFDHacC9_WgtGI7dnu3m0G7c-9Ur9dcDfROfyrnAByJp1rSZMzvriQr4t9bNYjDa8E8yu9zq6aAQqF0Xg_AxwiqYqesT-sdcfrxKS61appApRgPlAhW-uuzyY0wlWtsiyLaGlWM7WMfKdHsq-VqcVrI7Gi2i77vi7OqPEberqSt8D04tIri9S_sArKqWEDnBJsL07CC41IY.CqtYfbSa_wlmIsKgNj5u7g"; - 
key = { - alg = "ES256"; - crv = "P-256"; - kid = "CIjtIe7FNhsNQe1qKGD9Rpj-lrf2ExyTYCXAOd3YDjE"; - kty = "EC"; - use = "sig"; - x = "XRMX-BeobZ-R5-xb-E9YlaRjJUfd7JQxpscaF1NMgFo"; - y = "bF9xLp5-jywRD-MugMaOGbpbniPituWSLMlXRJnUUl0"; - }; - name = "ca@home.2rjus.net"; - type = "JWK"; - } - { - name = "acme"; - type = "ACME"; - claims = { - maxTLSCertDuration = "3600h"; - defaultTLSCertDuration = "1800h"; - }; - } - { - claims = { - enableSSHCA = true; - }; - name = "sshpop"; - type = "SSHPOP"; - } - ]; - }; - crt = "/var/lib/step-ca/certs/intermediate_ca.crt"; - db = { - badgerFileLoadingMode = ""; - dataSource = "/var/lib/step-ca/db"; - type = "badgerv2"; - }; - dnsNames = [ - "ca.home.2rjus.net" - "10.69.13.12" - ]; - federatedRoots = null; - insecureAddress = ""; - key = "/var/lib/step-ca/secrets/intermediate_ca_key"; - logger = { - format = "text"; - }; - root = "/var/lib/step-ca/certs/root_ca.crt"; - ssh = { - hostKey = "/var/lib/step-ca/secrets/ssh_host_ca_key"; - userKey = "/var/lib/step-ca/secrets/ssh_user_ca_key"; - }; - templates = { - ssh = { - host = [ - { - comment = "#"; - name = "sshd_config.tpl"; - path = "/etc/ssh/sshd_config"; - requires = [ - "Certificate" - "Key" - ]; - template = ./templates/ssh/sshd_config.tpl; - type = "snippet"; - } - { - comment = "#"; - name = "ca.tpl"; - path = "/etc/ssh/ca.pub"; - template = ./templates/ssh/ca.tpl; - type = "snippet"; - } - ]; - user = [ - { - comment = "#"; - name = "config.tpl"; - path = "~/.ssh/config"; - template = ./templates/ssh/config.tpl; - type = "snippet"; - } - { - comment = "#"; - name = "step_includes.tpl"; - path = "\${STEPPATH}/ssh/includes"; - template = ./templates/ssh/step_includes.tpl; - type = "prepend-line"; - } - { - comment = "#"; - name = "step_config.tpl"; - path = "ssh/config"; - template = ./templates/ssh/step_config.tpl; - type = "file"; - } - { - comment = "#"; - name = "known_hosts.tpl"; - path = "ssh/known_hosts"; - template = ./templates/ssh/known_hosts.tpl; - type = "file"; 
- } - ]; - }; - }; - tls = { - cipherSuites = [ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" - ]; - maxVersion = 1.3; - minVersion = 1.2; - renegotiation = false; - }; - }; - }; -} diff --git a/services/ca/templates/ssh/ca.tpl b/services/ca/templates/ssh/ca.tpl deleted file mode 100644 index 5b459eed893ebf348066427ecdf94b4bd602ad91..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6656 zcmeHL+iK%55Y21y6@#HKg*X?x3G``q1KlpAw2&_QVkoMt)TWN*m6UBlnt$)e%FRxi zOOvn^YzVQfnUQp?Gdd$FgBs;=FMPID5|vJJ)$wY%Zb|>+mH)4|S{J2;+io^n*y><= zqv^Qy64XyJnq1InU4 z1y)V>phVce7pxZ!!RlPg{55_Ia3#o-BmqtOP5gHn?HvCd*KHL1KjLTpFw{57gsPH( z3b+W>2+mO+2Mwb?1xdpCX=;Iw?xQ*M4H3Ai!_d(@%E|ZvY1XYg&^@W zgKW?%<}*PQ^D(+ayS2ku^t!zhW;pWUJd1|)2x$J}&wo6j2-wE|M%&Hv-??xL{;&UH z$9;QC6b*nxQKkGKPzy0%@Bf|enwL;xil+N8C3Z4+s+4s;=wQMKdm%;kE(|bfq`G0L zQA>eo{#doc@RP}LXHrD_3<4?tG2Q=1{x=+FmH${06#D-&A9PP2!+$np6f9(a0=OW6 z28_N`wIIwW;0})!8!A-EP_5#Akv_~t{-RYonf(~f0wdkAwlE1oXNgq9r#G{-p&zDd zVY-p;SCEu-fEz7ib;glbVU(61d2Q|C-tQ9>5S>f!k12D!?g-K7 zJ57)FeH-C{8ihGNiFTsK=|F@s?l_o#p$xI=(ikDg*wOsO9O$goGS~v~hO;DFEbRtO zn&vk^^R?z)h{0Xcz&!uYO6?O=fZOz6v$azHwVh^>|9Aa{huH0vXV;(X?0xQHN)0?7 l!fnDF=`01#=WL@t(-TVLaqJV2L(nUH3j_)T3Ix6`0`FCIy=?#h diff --git a/services/ca/templates/ssh/config.tpl b/services/ca/templates/ssh/config.tpl deleted file mode 100644 index 4b9ddf1..0000000 --- a/services/ca/templates/ssh/config.tpl +++ /dev/null @@ -1,14 +0,0 @@ -Host * -{{- if or .User.GOOS "none" | eq "windows" }} -{{- if .User.StepBasePath }} - Include "{{ .User.StepBasePath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes" -{{- else }} - Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/includes" -{{- end }} -{{- else }} -{{- if .User.StepBasePath }} - Include "{{.User.StepBasePath}}/ssh/includes" -{{- else }} - Include "{{.User.StepPath}}/ssh/includes" -{{- end }} -{{- end }} \ No newline at end of file 
diff --git a/services/ca/templates/ssh/known_hosts.tpl b/services/ca/templates/ssh/known_hosts.tpl deleted file mode 100644 index 5354b38..0000000 --- a/services/ca/templates/ssh/known_hosts.tpl +++ /dev/null @@ -1,4 +0,0 @@ -@cert-authority * {{.Step.SSH.HostKey.Type}} {{.Step.SSH.HostKey.Marshal | toString | b64enc}} -{{- range .Step.SSH.HostFederatedKeys}} -@cert-authority * {{.Type}} {{.Marshal | toString | b64enc}} -{{- end }} diff --git a/services/ca/templates/ssh/sshd_config.tpl b/services/ca/templates/ssh/sshd_config.tpl deleted file mode 100644 index c8e4b88..0000000 --- a/services/ca/templates/ssh/sshd_config.tpl +++ /dev/null @@ -1,4 +0,0 @@ -Match all - TrustedUserCAKeys /etc/ssh/ca.pub - HostCertificate /etc/ssh/{{.User.Certificate}} - HostKey /etc/ssh/{{.User.Key}} \ No newline at end of file diff --git a/services/ca/templates/ssh/step_config.tpl b/services/ca/templates/ssh/step_config.tpl deleted file mode 100644 index a0521f2..0000000 --- a/services/ca/templates/ssh/step_config.tpl +++ /dev/null @@ -1,11 +0,0 @@ -Match exec "step ssh check-host{{- if .User.Context }} --context {{ .User.Context }}{{- end }} %h" -{{- if .User.User }} - User {{.User.User}} -{{- end }} -{{- if or .User.GOOS "none" | eq "windows" }} - UserKnownHostsFile "{{.User.StepPath}}\ssh\known_hosts" - ProxyCommand C:\Windows\System32\cmd.exe /c step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p -{{- else }} - UserKnownHostsFile "{{.User.StepPath}}/ssh/known_hosts" - ProxyCommand step ssh proxycommand{{- if .User.Context }} --context {{ .User.Context }}{{- end }}{{- if .User.Provisioner }} --provisioner {{ .User.Provisioner }}{{- end }} %r %h %p -{{- end }} diff --git a/services/ca/templates/ssh/step_includes.tpl b/services/ca/templates/ssh/step_includes.tpl deleted file mode 100644 index 5f79de6..0000000 
--- a/services/ca/templates/ssh/step_includes.tpl +++ /dev/null @@ -1 +0,0 @@ -{{- if or .User.GOOS "none" | eq "windows" }}Include "{{ .User.StepPath | replace "\\" "/" | trimPrefix "C:" }}/ssh/config"{{- else }}Include "{{.User.StepPath}}/ssh/config"{{- end }} \ No newline at end of file
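Review bot: The two CLAUDE.md hunks about `secrets/` now contradict each other. The hunk at `@@ -92` keeps "Do not edit any `.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary." while the hunk at `@@ -399` adds "Files in `/secrets/` are legacy and can be removed". An agent reading the second line will treat the directory as deletable, which is exactly what the first line forbids and what the commit message reserves for the user ("secrets/ca/ should be manually removed by the user"). Suggest one consistent instruction in both places, e.g. "Legacy, pending manual removal by the user; do not edit or delete."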
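Review bot: In the `flake.nix` hunk at `@@ -34` the `sops-nix` input is still destructured, and the CLAUDE.md hunk at `@@ -371` now describes it as "legacy, no longer actively used". The only `specialArgs` passing `sops-nix` visible in this diff was the deleted `ca` block. If no remaining host references it, drop the `sops-nix` input here (and from `flake.lock`) the same way `labmon` was dropped, or say in CLAUDE.md why it is being kept; an unused input is one more upstream you have to trust and update for nothing.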
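Review bot: The `flake.nix` hunks at `@@ -50` and `@@ -147` remove `labmon.overlays.default` from `commonOverlays` and `labmon.nixosModules.labmon` from `monitoring01`, but the patch does not touch `hosts/monitoring01`. Any `labmon`-defined option still set there, or any `pkgs.labmon` reference anywhere, now fails evaluation with an undefined option/attribute error. Please confirm `nix flake check` or a build of `nixosConfigurations.monitoring01` passes before merging, and mention that in the commit message.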
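Review bot: Deleting `services/ca/default.nix` removes the issuer but not the trust. The deleted module held a root CA (`/var/lib/step-ca/certs/root_ca.crt`), an SSH host CA and an SSH user CA, and its templates installed `TrustedUserCAKeys /etc/ssh/ca.pub` in `sshd_config.tpl` and `@cert-authority *` entries in `known_hosts.tpl`. Nothing in this patch removes the old root from fleet CA bundles, drops `ca.pub`/`TrustedUserCAKeys` from sshd configs, or destroys the private keys, which remain age-encrypted in `secrets/ca/keys/` for anyone holding an age key from `.sops.yaml`. Until the old root is untrusted and the keys are destroyed, a holder of those keys can still mint TLS and SSH user certificates the hosts accept. Suggest a follow-up (tracked, not "manually removed by the user") that removes the old trust anchors from the common system module and wipes `secrets/ca/`. The JWK provisioner's `encryptedKey` JWE also stays in git history; that is harmless only once the CA keys it unlocks are gone.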
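Review bot: Deleting `hosts/ca/configuration.nix` frees `10.69.13.12` and the name `ca.home.2rjus.net` (both appear in the deleted `address` and `dnsNames`), but the patch touches neither the `services/ns/` zone generation nor `services/monitoring/external-targets.nix`, and `rebuild-all.sh` is the only fleet list updated. A name that still resolves to a vacated LAN address is something any host that can claim that IP can impersonate, and the ACME-style renewal clients that still point at `ca.home.2rjus.net` would follow it. Suggest removing the A record and any scrape target for the host in the same change, and noting in the commit message that the VM itself has been destroyed.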