moved nixos to a dir

This commit is contained in:
Vivian 2021-11-21 13:34:39 +01:00
parent adda14d3ca
commit 01438c1259
18 changed files with 1 additions and 1 deletions

12
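--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -0,0 +1,12 @@
+{ config, inputs, ... }:
+{
+imports = [
+inputs.vault-secrets.nixosModules.vault-secrets
+];
+vault-secrets = {
+vaultPrefix = "nixos/${config.networking.hostName}";
+vaultAddress = "http://10.42.42.6:8200/";
+approlePrefix = "olympus-${config.networking.hostName}";
+};
+}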
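Review bot: `vaultAddress = "http://10.42.42.6:8200/"` on L21 sends the AppRole login and every secret the module fetches in cleartext, so anything on that network segment can read or replace them. The server side in this same commit (`services.vault` on the vault host, `address = "0.0.0.0:8200"` with no `tlsCertFile`/`tlsKeyFile`) matches, so the fix is to set those two options there and switch this value to `https://`; I am noting it once here rather than again on the vault section. If plain HTTP is accepted for this network for now, a comment on this line recording that decision would help the next reader.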

41
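--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+{
+imports = [
+# User account definitions
+./users
+./services
+];
+# Clean /tmp on boot.
+boot.cleanTmpDir = true;
+# Set your time zone.
+time.timeZone = "Europe/Amsterdam";
+# Nix Settings
+nix = {
+package = pkgs.nixUnstable;
+autoOptimiseStore = true;
+binaryCaches =
+[ "https://cachix.cachix.org" "https://nix-community.cachix.org" "https://nixpkgs-review-bot.cachix.org" ];
+binaryCachePublicKeys = [
+"cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+"nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
+];
+trustedUsers = [ "root" "victor" ];
+extraOptions = ''
+experimental-features = nix-command flakes ca-references
+'';
+};
+nixpkgs.config.allowUnfree = true;
+# Limit the systemd journal to 100 MB of disk or the
+# last 7 days of logs, whichever happens first.
+services.journald.extraConfig = ''
+SystemMaxUse=100M
+MaxFileSec=7day
+'';
+}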
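Review bot: `trustedUsers = [ "root" "victor" ]` on L53 makes victor root-equivalent through the Nix daemon: a trusted user may supply arbitrary substituters and import unsigned store paths, independently of sudo. That matches the passwordless wheel sudo configured in users/default.nix, but the line deserves a comment so the grant is recognised as deliberate, e.g. `# trusted-users is root-equivalent; victor already has passwordless sudo`. The `binaryCaches` list on L46-47 is the only place in this tree that pins third-party caches, so a one-line comment on why nixpkgs-review-bot is trusted would also help.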


@ -0,0 +1,9 @@
{ ... }: {
# See also: https://blog.xirion.net/posts/nixos-proxmox-lxc/
# Supress systemd services that don't work (correctly) on LXC
systemd.suppressedSystemUnits = [ "dev-mqueue.mount" "sys-kernel-debug.mount" "sys-fs-fuse-connections.mount" ];
# Enable SSH daemon support.
services.openssh.enable = true;
}
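Review bot: `services.openssh.enable = true` on L75 turns on sshd with the module's default authentication settings, while the only credentials this tree configures are the authorized keys in users/default.nix; the policy should be explicit with `services.openssh.passwordAuthentication = false;`. generic-vm.nix (the next section) enables sshd the same way and would take the same line, so I am noting it once here. Separately, the comment on L72 misspells "Suppress".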


@ -0,0 +1,14 @@
{ lib, ... }: {
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.permitRootLogin = lib.mkDefault "yes";
# Enable qemu guest agent
services.qemuGuest.enable = true;
}
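Review bot: `services.openssh.permitRootLogin = lib.mkDefault "yes"` on L89 also admits root by password, which nothing here needs: root's only configured credential is the key list copied from victor in users/default.nix, and the NixOS default `"prohibit-password"` already allows that key-based login. Unless a host overrides it, dropping the line (or writing `lib.mkDefault "prohibit-password"`) keeps the behaviour in use and removes the password path. The `networking.useDHCP` comment block on L82-84 reads as generated text and could be shortened to a single line.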


@ -0,0 +1 @@
{ config, lib, pkgs, ... }: { imports = [ ./flood.nix ./unpackerr.nix ./vmagent.nix ]; }


@ -0,0 +1,152 @@
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.services.flood;
in {
options.services.flood = {
enable = mkEnableOption "flood";
user = mkOption {
default = "flood";
type = types.str;
description = ''
User account under which flood runs.
'';
};
group = mkOption {
type = types.str;
default = "rtorrent";
description = ''
Group under which flood runs.
Flood needs to have the correct permissions if accessing rtorrent through the socket.
'';
};
package = mkOption {
type = types.package;
default = pkgs.flood;
defaultText = "pkgs.flood";
description = ''
The flood package to use.
'';
};
host = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Address flood binds to.
'';
};
port = mkOption {
type = types.port;
default = 3000;
description = ''
The flood web port.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open the firewall for the port in <option>services.flood.port</option>.
'';
};
rpcSocket = mkOption {
type = types.str;
readOnly = true;
default = "/run/rtorrent/rpc.sock";
description = ''
RPC socket path.
(Only used when auth=none).
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/flood";
description = ''
The directory where flood stores its data files.
'';
};
downloadDir = mkOption {
type = types.str;
default = "/var/lib/rtorrent/download";
description = ''
Root directory for downloaded files.
'';
};
authMode = mkOption {
type = types.str;
default = "none";
description = ''
Access control and user management method.
Either 'default' or 'none'.
'';
};
ssl = mkOption {
type = types.bool;
default = false;
description = ''
Enable SSL.
key.pem and fullchain.pem needed in runtime directory.
'';
};
baseURI = mkOption {
type = types.str;
default = "/";
description = ''
This URI will prefix all of Flood's HTTP requests
'';
};
};
config = mkIf cfg.enable {
# Create group if set to default
users.groups = mkIf (cfg.group == "rtorrent") { rtorrent = { }; };
# Create user if set to default
users.users = mkIf (cfg.user == "flood") {
flood = {
group = cfg.group;
shell = pkgs.bashInteractive;
home = cfg.dataDir;
description = "flood Daemon user";
isSystemUser = true;
};
};
# Open firewall if option is set to do so.
networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ cfg.port ];
# The actual service
systemd.services.flood = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "flood system service";
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "simple";
Restart = "on-failure";
WorkingDirectory = cfg.dataDir;
ExecStart =
"${cfg.package}/bin/flood --baseuri ${cfg.baseURI} --rundir ${cfg.dataDir} --host ${cfg.host} --port ${
toString cfg.port
} ${
if cfg.ssl then "--ssl" else ""
} --auth ${cfg.authMode} --rtsocket ${cfg.rpcSocket} --allowedpath ${cfg.downloadDir}";
};
};
# This is needed to create the dataDir with the correct permissions.
systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ];
};
}
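Review bot: `authMode` (L175-182) is typed `types.str` while its description allows only two values; `type = types.enum [ "default" "none" ];` lets the module system reject typos instead of passing them to flood. Its default of `"none"` disables access control, so `openFirewall = true` combined with a non-loopback `host` publishes an unauthenticated torrent UI; an assertion such as `{ assertion = cfg.openFirewall -> cfg.authMode != "none"; message = "services.flood: openFirewall requires authMode != none"; }`, or at least a sentence in the `openFirewall` description, would make that visible. The ExecStart on L226-230 also interpolates `cfg.baseURI`, `cfg.dataDir`, `cfg.rpcSocket` and `cfg.downloadDir` unquoted; wrapping each in `escapeShellArg` keeps paths with spaces intact.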


@ -0,0 +1,314 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.unpackerr;
mkStarrOptions = { name, url }: {
url = mkOption {
type = types.str;
default = "";
example = "${url}";
description = ''
The URL to access ${name}
'';
};
apiKey = mkOption {
type = types.str;
default = "";
description = ''
The API key for accessing ${name}
'';
};
paths = mkOption {
type = types.str;
default = "";
example = "/downloads,/moreDownloads";
description = ''
List of paths where content is downloaded for ${name}
'';
};
protocols = mkOption {
type = types.str;
default = "torrent";
example = "torrent,usenet";
description = ''
Protocols to process
'';
};
timeout = mkOption {
type = types.str;
default = "10s";
description = ''
How long to wait for ${name} to respond
'';
};
deleteOrginal = mkOption {
type = types.bool;
default = false;
description = ''
Delete archives after import?
Recommend not setting this to true
'';
};
deleteDelay = mkOption {
type = types.str;
default = "5m";
description = ''
Extracts are deleted this long after import. `-1` to disable.
'';
};
};
in {
options.services.unpackerr = {
enable = mkEnableOption "unpackerr";
user = mkOption {
default = "unpackerr";
type = types.str;
description = ''
User account under which unpackerr runs.
'';
};
group = mkOption {
type = types.str;
default = "unpackerr";
description = ''
Group under which unpackerr runs.
'';
};
package = mkOption {
type = types.package;
default = pkgs.unpackerr;
defaultText = "pkgs.unpackerr";
description = ''
The unpackerr package to use.
'';
};
debug = mkOption {
type = types.bool;
default = false;
description = ''
Turns on more logs.
'';
};
interval = mkOption {
type = types.str;
default = "2m";
description = ''
How often apps are polled, recommended 1m to 5m
'';
};
startDelay = mkOption {
type = types.str;
default = "1m";
description = ''
Files are queued at least this long before extraction
'';
};
retryDelay = mkOption {
type = types.str;
default = "5m";
description = ''
Failed extractions are retried after at least this long
'';
};
maxRetries = mkOption {
type = types.int;
default = 3;
description = ''
Times to retry failed extractions. `0` = unlimited.
'';
};
parallel = mkOption {
type = types.int;
default = 1;
description = ''
Concurrent extractions, 1 is recommended.
'';
};
fileMode = mkOption {
type = types.str;
default = "0644";
description = ''
Extracted files are written with this mode
'';
};
dirMode = mkOption {
type = types.str;
default = "0755";
description = ''
Extracted folders are written with this mode
'';
};
sonarr = mkStarrOptions {
name = "Sonarr";
url = "http://localhost:8989";
};
radarr = mkStarrOptions {
name = "Radarr";
url = "http://localhost:7878";
};
lidarr = mkStarrOptions {
name = "Lidarr";
url = "http://localhost:8686";
};
readarr = mkStarrOptions {
name = "Readarr";
url = "http://localhost:8787";
};
folder = {
path = mkOption {
type = types.str;
default = "";
description = ''
folder path, not for Starr apps.
'';
};
extractPath = mkOption {
type = types.str;
default = "";
description = ''
Where to extract to, Defaults to <option>services.unpackerr.folder.path</option>.
'';
};
deleteAfter = mkOption {
type = types.str;
default = "";
example = "10m";
description = ''
Delete extracted files and/or archives after this duration, `0` to disable.
'';
};
deleteOrginal = mkOption {
type = types.bool;
default = false;
description = ''
Delete archives after extraction
'';
};
deleteFiles = mkOption {
type = types.bool;
default = false;
description = ''
Delete extracted files after successful extraction
'';
};
moveBack = mkOption {
type = types.bool;
default = false;
description = ''
Move extracted items back into original folder
'';
};
};
extraConfig = mkOption {
type = types.attrs;
default = { };
description = ''
Extra environment variables
'';
example = { UN_WEBHOOK_0_URL = "http://example.com"; };
};
};
config = mkIf cfg.enable {
# Create group if set to default
users.groups = mkIf (cfg.group == "unpackerr") { unpackerr = { }; };
# Create user if set to default
users.users = mkIf (cfg.user == "unpackerr") {
unpackerr = {
group = cfg.group;
shell = pkgs.bashInteractive;
createHome = false;
description = "unpackerr Daemon user";
isSystemUser = true;
};
};
# The actual service
systemd.services.unpackerr = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "unpackerr system service";
# Filter out all unset variables else unpackerr complains
environment = filterAttrs (n: v: stringLength v > 0) {
# General options
UN_DEBUG = "${toString cfg.debug}";
UN_INTERVAL = "${cfg.interval}";
UN_START_DELAY = "${cfg.startDelay}";
UN_RETRY_DELAY = "${cfg.retryDelay}";
UN_MAX_RETRIES = "${toString cfg.maxRetries}";
UN_PARALLEL = "${toString cfg.parallel}";
UN_FILE_MODE = "${cfg.fileMode}";
UN_DIR_MODE = "${cfg.dirMode}";
# Sonarr
UN_SONARR_0_URL = "${cfg.sonarr.url}";
UN_SONARR_0_API_KEY = "${cfg.sonarr.apiKey}";
UN_SONARR_0_PATHS_0 = "${cfg.sonarr.paths}";
UN_SONARR_0_PROTOCOLS = "${cfg.sonarr.protocols}";
UN_SONARR_0_TIMEOUT = "${cfg.sonarr.timeout}";
UN_SONARR_0_DELETE_ORIG = "${toString cfg.sonarr.deleteOrginal}";
UN_SONARR_0_DELETE_DELAY = "${cfg.sonarr.deleteDelay}";
# Radarr
UN_RADARR_0_URL = "${cfg.radarr.url}";
UN_RADARR_0_API_KEY = "${cfg.radarr.apiKey}";
UN_RADARR_0_PATHS_0 = "${cfg.radarr.paths}";
UN_RADARR_0_PROTOCOLS = "${cfg.radarr.protocols}";
UN_RADARR_0_TIMEOUT = "${cfg.radarr.timeout}";
UN_RADARR_0_DELETE_ORIG = "${toString cfg.radarr.deleteOrginal}";
UN_RADARR_0_DELETE_DELAY = "${cfg.radarr.deleteDelay}";
# Lidarr
UN_LIDARR_0_URL = "${cfg.lidarr.url}";
UN_LIDARR_0_API_KEY = "${cfg.lidarr.apiKey}";
UN_LIDARR_0_PATHS_0 = "${cfg.lidarr.paths}";
UN_LIDARR_0_PROTOCOLS = "${cfg.lidarr.protocols}";
UN_LIDARR_0_TIMEOUT = "${cfg.lidarr.timeout}";
UN_LIDARR_0_DELETE_ORIG = "${toString cfg.lidarr.deleteOrginal}";
UN_LIDARR_0_DELETE_DELAY = "${cfg.lidarr.deleteDelay}";
# Readarr
UN_READARR_0_URL = "${cfg.readarr.url}";
UN_READARR_0_API_KEY = "${cfg.readarr.apiKey}";
UN_READARR_0_PATHS_0 = "${cfg.readarr.paths}";
UN_READARR_0_PROTOCOLS = "${cfg.readarr.protocols}";
UN_READARR_0_TIMEOUT = "${cfg.readarr.timeout}";
UN_READARR_0_DELETE_ORIG = "${toString cfg.readarr.deleteOrginal}";
UN_READARR_0_DELETE_DELAY = "${cfg.readarr.deleteDelay}";
# Folder
UN_FOLDER_0_PATH = "${cfg.folder.path}";
UN_FOLDER_0_EXTRACT_PATH = "${cfg.folder.extractPath}";
UN_FOLDER_0_DELETE_AFTER = "${cfg.folder.deleteAfter}";
UN_FOLDER_0_DELETE_ORIGINAL = "${toString cfg.folder.deleteOrginal}";
UN_FOLDER_0_DELETE_FILES = "${toString cfg.folder.deleteFiles}";
UN_FOLDER_0_MOVE_BACK = "${toString cfg.folder.moveBack}";
} // cfg.extraConfig;
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "simple";
Restart = "on-failure";
ExecStart = "${cfg.package}/bin/unpackerr";
};
};
};
}
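Review bot: `apiKey` (L254-260 in `mkStarrOptions`) is a `types.str` that is placed into `systemd.services.unpackerr.environment` as `UN_*_API_KEY` (L482, L490, L498, L506), so the Starr API keys are written into the generated unit file in the world-readable Nix store and are visible to any local user via `systemctl show`. Anything secret passed through `extraConfig` (L442-449) ends up in the same place. A safer shape is an `environmentFile` option wired to `serviceConfig.EnvironmentFile`, pointing at a root-owned file outside the store (the vault-secrets module imported in common.nix can produce one), with the `apiKey` description warning that inline values are world-readable. Also `deleteOrginal` (L284, L420) is misspelled; since these are brand-new public option names, renaming to `deleteOriginal` now avoids a deprecation dance later.
```nix
    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File with environment variables that must stay out of the world-readable
        Nix store, e.g. UN_SONARR_0_API_KEY=...; passed to systemd as EnvironmentFile.
      '';
    };
    # … unchanged: remaining options …
      serviceConfig = {
        # … unchanged: User, Group, Type, Restart, ExecStart …
      } // optionalAttrs (cfg.environmentFile != null) {
        EnvironmentFile = cfg.environmentFile;
      };
```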


@ -0,0 +1,111 @@
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.services.vmagent;
in {
options.services.vmagent = {
enable = mkEnableOption "vmagent";
user = mkOption {
default = "vmagent";
type = types.str;
description = ''
User account under which vmagent runs.
'';
};
group = mkOption {
type = types.str;
default = "vmagent";
description = ''
Group under which vmagent runs.
'';
};
package = mkOption {
default = pkgs.v.vmagent;
defaultText = "pkgs.v.vmagent";
type = types.package;
description = ''
vmagent package to use.
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/vmagent";
description = ''
The directory where vmagent stores its data files.
'';
};
remoteWriteUrl = mkOption {
default = "http://localhost:8428/api/v1/write";
type = types.str;
description = ''
The remote storage endpoint such as VictoriaMetrics
'';
};
prometheusConfig = mkOption {
default = "";
type = types.str;
example = ''
global:
scrape_interval: 5s
scrape_configs:
- job_name: 'apache'
static_configs:
- targets: ['apache-exporter:9117']
'';
description = ''
Config for prometheus style metrics
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open the firewall for the default ports.
'';
};
};
config = mkIf cfg.enable {
# Create group if set to default
users.groups = mkIf (cfg.group == "vmagent") { vmagent = { }; };
# Create user if set to default
users.users = mkIf (cfg.user == "vmagent") {
vmagent = {
group = cfg.group;
shell = pkgs.bashInteractive;
description = "vmagent Daemon user";
home = cfg.dataDir;
isSystemUser = true;
};
};
# Open firewall if option is set to do so.
networking.firewall.allowedTCPPorts = mkIf (cfg.openFirewall) [ 8429 ];
# The actual service
systemd.services.vmagent = let prometheusConfig = pkgs.writeText "prometheus.yml" cfg.prometheusConfig;
in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "vmagent system service";
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "simple";
Restart = "on-failure";
WorkingDirectory = cfg.dataDir;
ExecStart =
"${cfg.package}/bin/vmagent -remoteWrite.url=${cfg.remoteWriteUrl} -promscrape.config=${prometheusConfig}";
};
};
systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0755 ${cfg.user} ${cfg.group} -" ];
};
}
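Review bot: `prometheusConfig` (L576-590) is written with `pkgs.writeText` on L615, so the whole scrape configuration lands in the world-readable Nix store; any `basic_auth`, `bearer_token` or similar credential embedded in it becomes readable by every local user and by every machine that shares the store. The option description should say so and point at the `*_file` variants of those fields or at a path outside the store, e.g. `Scrape config; it is copied to the Nix store, so keep credentials in *_file references.`. The ExecStart on L627 also interpolates `cfg.remoteWriteUrl` unquoted, where `escapeShellArg` would be safer, and `openFirewall` (L591-597, L613) opens 8429 without the description saying which service and endpoints that exposes.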


@ -0,0 +1,63 @@
# common/users/default.nix
# Inputs to this NixOS module, in this case we are
# using `pkgs` so we can have some user specific packages and config
# to configure the root ssh key.
{ config, pkgs, ... }:
{
# Setup ZSH to use grml config
programs.zsh = {
enable = true;
enableCompletion = true;
syntaxHighlighting.enable = true;
interactiveShellInit = ''
source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
source "${pkgs.fzf}/share/fzf/key-bindings.zsh"
source "${pkgs.fzf}/share/fzf/completion.zsh"
eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
'';
# otherwise it'll override the grml prompt
promptInit = "";
};
environment.pathsToLink = [ "/share/zsh" ];
# Install Neovim and set it as alias for vi(m)
programs.neovim.enable = true;
programs.neovim.viAlias = true;
# Disable sudo prompt for `wheel` users.
security.sudo.wheelNeedsPassword = false;
# The block that specifies my user account.
users.extraUsers.victor = {
# This account is intended for a non-system user.
isNormalUser = true;
# My default shell
shell = pkgs.zsh;
# My SSH keys.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFuxekX5WzX4GjbshtjaGyQcvMUgClugnK6T+OYIxw9 victor@null"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8llUcEBHsLqotFZc++LNP2fjItuuzeUsu5ObXecYNj victor@eevee"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBhJAp7NWlHgwDYd2z6VNROy5RkeZHRINFLsFvwT4b3 victor@bastion"
];
# Make me admin
extraGroups = [ "wheel" ];
};
# Configure the root account
users.extraUsers.root = {
# Allow my SSH keys for logging in as root.
openssh.authorizedKeys.keys = config.users.users.victor.openssh.authorizedKeys.keys;
# Also use zsh for root
shell = pkgs.zsh;
};
# Setup packages available everywhere
environment.systemPackages = with pkgs; [ fzf git htop rsync ripgrep zoxide ];
}
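Review bot: The file writes `users.extraUsers.victor` and `users.extraUsers.root` (L665, L680) but reads back through `config.users.users.victor` (L682); `users.extraUsers` is the legacy alias of `users.users`, so using `users.users` for all three keeps one spelling. `security.sudo.wheelNeedsPassword = false` on L663 makes every victor session root-equivalent with no second step; since root already accepts the same keys on L682 this is a deliberate single-trust-domain design, and the comment should say so: `# Passwordless sudo: wheel members are root-equivalent; root accepts the same keys below.`.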


@ -0,0 +1,59 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }:
let
fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
#!${pkgs.stdenv.shell}
if [[ -d "$HOME/.vscode-server/bin" ]]; then
for versiondir in "$HOME"/.vscode-server/bin/*; do
rm "$versiondir/node"
ln -s "${pkgs.nodejs-14_x}/bin/node" "$versiondir/node"
done
fi
'';
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# Import common config
../../common/generic-vm.nix
../../common
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "bastion";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [
fix-vscode
fluxcd
k9s
kubectl
kubectx
nixfmt
ripgrep
rsync
tmux
vault
vim
];
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
}
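Review bot: The `fix-vscode` script (L698-706) has no error handling: `rm "$versiondir/node"` fails when the glob on L701 matches nothing (the unexpanded pattern is passed through) or when a version directory has no `node` yet, and a stale symlink makes `ln -s` fail. `rm -f "$versiondir/node"` and `ln -sf "${pkgs.nodejs-14_x}/bin/node" "$versiondir/node"` make the loop idempotent. The pinned `pkgs.nodejs-14_x` is a hard dependency on one Node major; a comment explaining why that version is required would help whoever has to bump it.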


@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";
fsType = "ext4";
};
swapDevices = [{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
}


@ -0,0 +1,28 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
# Import common config
../../common/generic-lxc.nix
../../common
];
networking.hostName = "consul";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ ];
}


@ -0,0 +1,50 @@
{ config, pkgs, lib, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# Import common config
../../common/generic-vm.nix
../../common
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "k3s-node1";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ iptables vim ];
# Disable the firewall as we need all the ports
networking.firewall.enable = false;
# Force-enable Cgroupv2
systemd.enableUnifiedCgroupHierarchy = lib.mkForce true;
# Ensure `mount` and `grep` are available
systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ];
# Enable k3s as a master node
services.k3s = {
enable = true;
role = "server";
extraFlags = builtins.toString [
"--data-dir=/var/lib/k3s" # Set data dir to var lib
"--cluster-init" # Enable embedded etcd
"--disable=servicelb" # disable servicelb
"--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead)
"--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
];
};
}
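Review bot: `--no-deploy=traefik` on L832 uses the flag form k3s has deprecated in favour of `--disable`, which the line above it already uses; `"--disable=traefik"` keeps the list consistent and survives removal of the old flag. `networking.firewall.enable = false` on L819 exposes the embedded etcd and the API server to the whole network rather than to cluster peers; if "all the ports" in the comment means the NodePort range, `networking.firewall.allowedTCPPortRanges` plus the k3s control-plane ports is the narrower option. `pkgs.utillinux` on L823 is the old alias of `pkgs.util-linux`.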


@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";
fsType = "ext4";
};
swapDevices = [{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
}
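Review bot: This hardware-configuration.nix is byte-identical to the one added for bastion earlier in this commit, including `fileSystems."/".device` and the swap `by-uuid` values (L852 and L855 versus L761 and L764). Two separately installed VMs do not share filesystem UUIDs, so unless k3s-node1 was cloned from bastion's disk image one of the two files points at the wrong disks; regenerating it on the node with `nixos-generate-config` (the header on L841 says that is how it is produced) is the fix. If the copy is intentional, a comment saying so would stop the next reader from chasing it.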


@ -0,0 +1,63 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let mosquittoPort = 1883;
in {
imports = [
# Import common config
../../common/generic-lxc.nix
../../common
];
networking.hostName = "mosquitto";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
services.mosquitto = {
enable = true;
listeners = [{
port = 1883;
settings.allow_anonymous = true;
acl = [ "topic readwrite #" ];
users = {
victor = { acl = [ "readwrite #" ]; };
zigbee2mqtt = { acl = [ "readwrite #" ]; };
};
}];
};
services.zigbee2mqtt = {
enable = true;
dataDir = "/var/lib/zigbee2mqtt";
settings = {
homeassistant = true;
permit_join = false;
serial = { port = "/dev/ttyUSB0"; };
mqtt = {
base_topic = "zigbee2mqtt";
server = "mqtt://localhost:${toString mosquittoPort}";
user = "zigbee2mqtt";
};
frontend = { port = 8080; };
};
};
networking.firewall.allowedTCPPorts = [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
}
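Review bot: The listener on L884-892 sets `settings.allow_anonymous = true` together with `acl = [ "topic readwrite #" ]`, and L909 opens 1883 in the firewall, so any client on the network can publish to every topic, including the `zigbee2mqtt/...` command topics that drive the devices. Since the named users and zigbee2mqtt's `mqtt.user` are already declared, the intended shape is `settings.allow_anonymous = false;` with a `passwordFile`/`hashedPasswordFile` per user and a password for zigbee2mqtt supplied from a secret file (vault-secrets is imported in common.nix), not inline. Separately, L885 hard-codes `port = 1883;` while the `mosquittoPort` binding on L865 exists for exactly that, so `port = mosquittoPort;` keeps the listener and the firewall rule in step.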


@ -0,0 +1,70 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
k8s_proxy = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.42.42.150:8000/";
proxyWebsockets = true;
};
};
in {
imports = [
# Import common config
../../common/generic-lxc.nix
../../common
];
networking.hostName = "nginx";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."ha.0x76.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.42.42.8:8123/";
proxyWebsockets = true;
};
};
virtualHosts."zookeeper-dev.0x76.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.42.43.28:8085/";
proxyWebsockets = true;
};
};
# Kubernetes endpoints
virtualHosts."0x76.dev" = k8s_proxy;
virtualHosts."zookeeper.0x76.dev" = k8s_proxy;
virtualHosts."wooloofan.club" = k8s_proxy;
virtualHosts."whoami.wooloofan.club" = k8s_proxy;
};
security.acme.email = "victorheld12@gmail.com";
security.acme.acceptTerms = true;
security.acme.preliminarySelfsigned = false;
}
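Review bot: The `k8s_proxy` binding on L920-927 already captures the repeated vhost shape, but `ha.0x76.dev` and `zookeeper-dev.0x76.dev` on L949-964 spell out the same four attributes by hand with only the upstream differing. A `mkProxy = upstream: { ... }` helper makes every vhost a one-liner and `k8s_proxy` becomes `mkProxy "http://10.42.42.150:8000/"`. `config` in the argument set on L918 is unused.
```nix
let
  mkProxy = upstream: {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = upstream;
      proxyWebsockets = true;
    };
  };
  k8s_proxy = mkProxy "http://10.42.42.150:8000/";
in {
  # … unchanged: imports, hostName, stateVersion, packages, firewall …
  services.nginx = {
    # … unchanged: enable, recommendedProxySettings, recommendedTlsSettings …
    virtualHosts."ha.0x76.dev" = mkProxy "http://10.42.42.8:8123/";
    virtualHosts."zookeeper-dev.0x76.dev" = mkProxy "http://10.42.43.28:8085/";
    # … unchanged: k8s_proxy vhosts …
  };
```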


@ -0,0 +1,41 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [
# Import common config
../../common/generic-lxc.nix
../../common
];
networking.hostName = "vault";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
# Vault
networking.firewall.allowedTCPPorts = [ 8200 ];
services.vault = {
enable = true;
# bin version includes the UI
package = pkgs.vault-bin;
address = "0.0.0.0:8200";
storageBackend = "file";
storagePath = "/var/lib/vault";
extraConfig = ''
ui = true
'';
};
}