v/infrastructure
1
0
Fork 0
Code Issues 13 Pull requests 1 Projects Releases Packages Activity Actions

initial rewrite

Browse source
This commit is contained in:
Vivian 2024-01-03 11:33:00 +01:00
parent 1142c6acac
commit 3d63c94742
42 changed files with 234 additions and 8780 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

76
common/default.nix Normal file
View file

@ -0,0 +1,76 @@
{ lib, inputs, pkgs, ... }: {
virtualisation.oci-containers.backend = lib.mkDefault "podman";
# Set your time zone.
time.timeZone = lib.mkDefault "Europe/Amsterdam";
# Systemd OOMd
# Fedora enables these options by default. See the 10-oomd-* files here:
# https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255
systemd.oomd = {
enableRootSlice = true;
enableUserServices = true;
};
# security.polkit.enable = lib.mkDefault true;
boot.tmp.useTmpfs = lib.mkDefault true;
# Nix Settings
nix = {
registry.nixpkgs.flake = inputs.nixpkgs;
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
package = pkgs.nixUnstable;
settings = {
auto-optimise-store = true;
trusted-users = [ "root" "vivian" ];
substituters = [
"https://nix-community.cachix.org"
"https://nixpkgs-review-bot.cachix.org"
"https://cachix.cachix.org"
];
trusted-public-keys = [
"cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
];
};
optimise = {
automatic = true;
dates = [ "weekly" ];
};
gc = {
automatic = true;
dates = "weekly";
randomizedDelaySec = "3h";
options = "--delete-older-than 7d";
};
extraOptions = ''
experimental-features = nix-command flakes
'';
};
# Limit the systemd journal to 100 MB of disk or the
# last 7 days of logs, whichever happens first.
services.journald.extraConfig = ''
SystemMaxUse=100M
MaxFileSec=7day
'';
# Enable SSH
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = lib.mkDefault false;
PermitRootLogin = lib.mkDefault "no";
};
};
# Debloat
documentation = {
enable = lib.mkForce false;
doc.enable = lib.mkForce false;
man.enable = lib.mkForce false;
info.enable = lib.mkForce false;
nixos.enable = lib.mkForce false;
};
}

96
flake.nix
View file

@ -41,7 +41,8 @@
}; };
vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git"; vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git";
gnome-autounlock-keyring.url = "git+https://git.0x76.dev/v/gnome-autounlock-keyring.git"; gnome-autounlock-keyring.url =
"git+https://git.0x76.dev/v/gnome-autounlock-keyring.git";
attic.url = "github:zhaofengli/attic"; attic.url = "github:zhaofengli/attic";
@ -49,24 +50,11 @@
essentials.url = "github:jdonszelmann/essentials"; essentials.url = "github:jdonszelmann/essentials";
}; };
outputs = outputs = { self, nixpkgs, nixpkgs_stable, vault-secrets, colmena, nur, attic
{ self , deploy, ... }@inputs:
, nixpkgs
, nixpkgs_stable
, vault-secrets
, colmena
, nixos-generators
, nur
, attic
, deploy
, ...
}@inputs:
let let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
util = import ./nixos/util.nix inputs;
inherit (util) hosts flat_hosts nixHosts;
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
@ -80,9 +68,6 @@
config.allowUnfree = true; config.allowUnfree = true;
}; };
# Define args each module gets access to (access to hosts is useful for DNS/DHCP)
specialArgs = { inherit hosts flat_hosts inputs pkgs_stable; };
# Script to apply local colmena deployments # Script to apply local colmena deployments
apply-local = pkgs.writeShellScriptBin "apply-local" '' apply-local = pkgs.writeShellScriptBin "apply-local" ''
"${ "${
@ -94,69 +79,50 @@
source /etc/set-environment source /etc/set-environment
nix repl --file "${./.}/repl.nix" $@ nix repl --file "${./.}/repl.nix" $@
''; '';
in in {
{ nixosConfigurations."bastion.olympus" = lib.nixosSystem {
# Make the nixosConfigurations for compat reasons (e.g. vault) inherit system pkgs;
nixosConfigurations = specialArgs = { inherit inputs; };
(import (inputs.colmena + "/src/nix/hive/eval.nix") { modules = [ ./common ./hosts/olympus/bastion ];
rawFlake = self; };
colmenaOptions =
import (inputs.colmena + "/src/nix/hive/options.nix");
colmenaModules =
import (inputs.colmena + "/src/nix/hive/modules.nix");
}).nodes;
# Make the colmena configuration deploy = {
colmena = lib.foldr (el: acc: acc // util.mkColmenaHost el) user = "root";
{
meta = { nodes."bastion.olympus" = {
inherit specialArgs; hostname = "olympus.0x76.dev";
nixpkgs = pkgs; fastConnection = true;
remoteBuild = true;
profiles = {
system = {
path = deploy.lib.x86_64-linux.activate.nixos
self.nixosConfigurations."bastion.olympus";
};
}; };
}
nixHosts;
packages.${system} = {
inherit apply-local;
default = colmena.packages.${system}.colmena;
proxmox-lxc = nixos-generators.nixosGenerate {
inherit system specialArgs;
format = "proxmox-lxc";
modules = util.base_imports
++ [ (import ./nixos/templates/proxmox-lxc.nix) ];
};
# Broken
proxmox-vm = nixos-generators.nixosGenerate {
inherit system specialArgs;
format = "proxmox";
modules = util.base_imports
++ [ (import ./nixos/templates/proxmox-vm.nix) ];
}; };
}; };
checks = builtins.mapAttrs
(system: deployLib: deployLib.deployChecks self.deploy) deploy.lib;
# Use by running `nix develop` # Use by running `nix develop`
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
VAULT_ADDR = "http://vault.olympus:8200/"; VAULT_ADDR = "http://vault.olympus:8200/";
buildInputs = with pkgs; [ packages = with pkgs; [
attic.packages.${pkgs.system}.attic attic.packages.${pkgs.system}.attic
apply-local apply-local
colmena.packages.${system}.colmena
deploy.packages.${system}.deploy-rs deploy.packages.${system}.deploy-rs
cachix
deadnix deadnix
statix statix
nixfmt # nixfmt
nixpkgs-fmt # nixpkgs-fmt
nixUnstable nixUnstable
nil # nil
vault vault
yamllint yamllint
jq jq
(vault-push-approle-envs self { }) # (vault-push-approle-envs self { })
(vault-push-approles self { }) # (vault-push-approles self { })
fast-repl fast-repl
]; ];
}; };

1
flux/.gitignore vendored
View file

@ -1 +0,0 @@
old_cluster

12
flux/README.md
View file

@ -1,12 +0,0 @@
# Kubernetes Cluster
This is my personal Kubernetes Cluster. [Flux] watches this git repo and reconciles and changes made to the cluster.
## Bootstrap
```sh
flux bootstrap git --url ssh://gitea@git.0x76.dev:42/v/infrastructure.git --branch=main --path=flux/olympus/base --ssh-key-algorithm=ed25519
```
## References
Heavily inspired by: [onedr0p's cluster](https://github.com/onedr0p/home-cluster)
[Flux]: https://github.com/fluxcd/flux2

15
flux/olympus/apps/flux-system/external-secret.yaml
View file

@ -1,15 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: weave-gitops
namespace: flux-system
spec:
refreshInterval: "5m"
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: oidc-auth
dataFrom:
- extract:
key: flux-system/weave-gitops

6
flux/olympus/apps/flux-system/kustomization.yaml
View file

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- rbac.yaml
- external-secret.yaml
- weave-gitops-dashboard.yaml

76
flux/olympus/apps/flux-system/rbac.yaml
View file

@ -1,76 +0,0 @@
---
# Admin cluster role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: weave-admin
rules:
# Flux Resources
- apiGroups: ["kustomize.toolkit.fluxcd.io"]
resources: ["kustomizations"]
verbs: ["get", "list", "patch"]
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: ["helmreleases"]
verbs: ["get", "list", "patch"]
- apiGroups: ["source.toolkit.fluxcd.io"]
resources:
[
"buckets",
"helmcharts",
"gitrepositories",
"helmrepositories",
"ocirepositories",
]
verbs: ["get", "list", "patch"]
- apiGroups: ["notification.toolkit.fluxcd.io"]
resources: ["providers", "alerts"]
verbs: ["get", "list"]
- apiGroups: ["infra.contrib.fluxcd.io"]
resources: ["terraforms"]
verbs: ["get", "list", "patch"]
# Resources managed via Flux
- apiGroups: [""]
resources:
[
"configmaps",
"secrets",
"pods",
"services",
"namespaces",
"persistentvolumes",
"persistentvolumeclaims",
]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "statefulsets"]
verbs: ["get", "list"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list"]
- apiGroups: ["autoscaling"]
resources: ["horizontalpodautoscalers"]
verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
verbs: ["get", "list"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list"]
# Feedback
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "watch", "list"]
---
# Bind the cluster admin role to admins
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: weave-admin
subjects:
- kind: User
name: "victor@xirion.net"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: weave-admin
apiGroup: rbac.authorization.k8s.io

48
flux/olympus/apps/flux-system/weave-gitops-dashboard.yaml
View file

@ -1,48 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
annotations:
metadata.weave.works/description: This is the source location for the Weave GitOps
Dashboard's helm chart.
labels:
app.kubernetes.io/component: ui
app.kubernetes.io/created-by: weave-gitops-cli
app.kubernetes.io/name: weave-gitops-dashboard
app.kubernetes.io/part-of: weave-gitops
name: ww-gitops
namespace: flux-system
spec:
interval: 1h0m0s
type: oci
url: oci://ghcr.io/weaveworks/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
annotations:
metadata.weave.works/description: This is the Weave GitOps Dashboard. It provides
a simple way to get insights into your GitOps workloads.
name: ww-gitops
namespace: flux-system
spec:
chart:
spec:
chart: weave-gitops
sourceRef:
kind: HelmRepository
name: ww-gitops
interval: 1h0m0s
values:
ingress:
enabled: true
hosts:
- host: flux.0x76.dev
paths:
- path: /
pathType: ImplementationSpecific
adminUser:
create: true
passwordHash: $2a$10$uIY/YYe.CcRerpVvfk04muX86hLfXRH.K6jATZaVPqp.bnUIu/bsC
username: admin

6
flux/olympus/apps/kustomization.yaml
View file

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- flux-system
- services
- websites

4
flux/olympus/apps/services/kustomization.yaml
View file

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- renovate

57
flux/olympus/apps/services/renovate/config.yaml
View file

@ -1,57 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: renovate
namespace: services
data:
config.js: |-
module.exports = {
"binarySource": "install",
"repositories": ["v/infrastructure"],
"flux": {
"fileMatch": ["flux/.+\\.ya?ml$"]
},
"helm-values": {
"fileMatch": ["flux/.+\\.ya?ml$"]
},
"kubernetes": {
"fileMatch": ["flux/.+\\.ya?ml$"]
},
"hostRules": [
{
"hostType": "docker",
"matchHost": "ghcr.io",
"username": "NULLx76",
"password": process.env.GITHUB_COM_TOKEN
}
],
"packageRules": [
{
"automerge": true,
"automergeType": "branch",
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"matchPackageNames": [
"renovate/renovate"
],
"matchPackagePrefixes": [
"git.0x76.dev"
]
}
],
// ignore individual fluxcd images
"ignoreDeps": [
"ghcr.io/fluxcd/helm-controller",
"ghcr.io/fluxcd/image-automation-controller",
"ghcr.io/fluxcd/image-reflector-controller",
"ghcr.io/fluxcd/kustomize-controller",
"ghcr.io/fluxcd/notification-controller",
"ghcr.io/fluxcd/source-controller"
],
"regexManagers": [
{
"fileMatch": [".+\\.nix"],
"matchStrings": ["image\\s*=\\s*\"(?<depName>.*?):(?<currentValue>.*?)\"\\s*;\\s*"],
"datasourceTemplate": "docker"
}
]
};

46
flux/olympus/apps/services/renovate/cronjob.yaml
View file

@ -1,46 +0,0 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: renovate
namespace: services
spec:
# Run every 8 hours
schedule: "0 */8 * * *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
volumes:
- name: config-volume
configMap:
name: renovate
- name: work-volume
emptyDir: {}
containers:
- name: renovate
image: renovate/renovate:37.67.3
volumeMounts:
- name: config-volume
mountPath: /opt/renovate/
- name: work-volume
mountPath: /tmp/renovate/
env:
- name: LOG_LEVEL
value: debug
- name: RENOVATE_ENDPOINT
value: "https://git.0x76.dev/api/v1/"
- name: RENOVATE_PLATFORM
value: gitea
- name: RENOVATE_AUTODISCOVER
value: "false"
- name: RENOVATE_GIT_AUTHOR
value: "Renovate Bot <renovate@xirion.net>"
- name: RENOVATE_CONFIG_FILE
value: "/opt/renovate/config.js"
- name: RENOVATE_BASE_DIR
value: "/tmp/renovate"
envFrom:
- secretRef:
name: renovate
restartPolicy: Never

21
flux/olympus/apps/services/renovate/external-secret.yaml
View file

@ -1,21 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: renovate
namespace: services
spec:
refreshInterval: "5m"
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: renovate
data:
- secretKey: RENOVATE_TOKEN
remoteRef:
key: gitops/renovate
property: gitea_token
- secretKey: GITHUB_COM_TOKEN
remoteRef:
key: gitops/renovate
property: github_token

6
flux/olympus/apps/services/renovate/kustomization.yaml
View file

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- external-secret.yaml
- config.yaml
- cronjob.yaml

52
flux/olympus/apps/websites/0x76.yaml
View file

@ -1,52 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: x76dev
namespace: websites
labels:
app: x76dev
spec:
replicas: 1
selector:
matchLabels:
app: x76dev
template:
metadata:
labels:
app: x76dev
spec:
containers:
- name: x76dev
image: git.0x76.dev/v/0x76.dev:5
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: x76dev
namespace: websites
spec:
selector:
app: x76dev
ports:
- protocol: TCP
port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: x76dev
namespace: websites
spec:
rules:
- host: "0x76.dev"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: x76dev
port:
number: 80

52
flux/olympus/apps/websites/blog.yaml
View file

@ -1,52 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: blog
namespace: websites
labels:
app: blog
spec:
replicas: 1
selector:
matchLabels:
app: blog
template:
metadata:
labels:
app: blog
spec:
containers:
- name: blog
image: git.0x76.dev/v/blog.xirion.net:5
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: blog
namespace: websites
spec:
selector:
app: blog
ports:
- protocol: TCP
port: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: blog
namespace: websites
spec:
rules:
- host: "blog.xirion.net"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: blog
port:
number: 8080

52
flux/olympus/apps/websites/internal.yaml
View file

@ -1,52 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: internal
namespace: websites
labels:
app: internal
spec:
replicas: 1
selector:
matchLabels:
app: internal
template:
metadata:
labels:
app: internal
spec:
containers:
- name: internal
image: git.0x76.dev/v/internal.xirion.net:1
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: internal
namespace: websites
spec:
selector:
app: internal
ports:
- protocol: TCP
port: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: internal
namespace: websites
spec:
rules:
- host: "internal.xirion.net"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: internal
port:
number: 8080

9
flux/olympus/apps/websites/kustomization.yaml
View file

@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
namespace: websites
resources:
- 0x76.yaml
- internal.yaml
- blog.yaml
- xirion.yaml

52
flux/olympus/apps/websites/xirion.yaml
View file

@ -1,52 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: xirion
namespace: websites
labels:
app: xirion
spec:
replicas: 1
selector:
matchLabels:
app: xirion
template:
metadata:
labels:
app: xirion
spec:
containers:
- name: xirion
image: git.0x76.dev/v/xirion.net:2
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: xirion
namespace: websites
spec:
selector:
app: xirion
ports:
- protocol: TCP
port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: xirion
namespace: websites
spec:
rules:
- host: "xirion.net"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: xirion
port:
number: 80

15
flux/olympus/base/apps.yaml
View file

@ -1,15 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: flux-system
spec:
interval: 10m0s
dependsOn:
- name: core
path: ./flux/olympus/apps
prune: true
sourceRef:
kind: GitRepository
name: flux-system

13
flux/olympus/base/core.yaml
View file

@ -1,13 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: core
namespace: flux-system
spec:
interval: 10m0s
path: ./flux/olympus/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system

8029
flux/olympus/base/flux-system/gotk-components.yaml
View file

File diff suppressed because it is too large Load diff

27
flux/olympus/base/flux-system/gotk-sync.yaml
View file

@ -1,27 +0,0 @@
# This manifest was generated by flux. DO NOT EDIT.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 1m0s
ref:
branch: main
secretRef:
name: flux-system
url: ssh://gitea@git.0x76.dev:42/v/infrastructure.git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 10m0s
path: ./flux/olympus/base
prune: true
sourceRef:
kind: GitRepository
name: flux-system

6
flux/olympus/base/flux-system/kustomization.yaml
View file

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- repositories

8
flux/olympus/base/flux-system/repositories/helm/external-secrets.yaml
View file

@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 1h
url: https://charts.external-secrets.io

5
flux/olympus/base/flux-system/repositories/helm/kustomization.yaml
View file

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- external-secrets.yaml

5
flux/olympus/base/flux-system/repositories/kustomization.yaml
View file

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm

1
flux/olympus/core/external-secrets/.gitignore vendored
View file

@ -1 +0,0 @@
vault-secret-id.yaml

29
flux/olympus/core/external-secrets/helm-release.yaml
View file

@ -1,29 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: external-secrets
namespace: security
spec:
interval: 30m
chart:
spec:
chart: external-secrets
version: 0.9.9
interval: 30m
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: flux-system
values:
installCRDs: true
replicaCount: 1
leaderElect: true
# serviceMonitor:
# enabled: true
# webhook:
# serviceMonitor:
# enabled: true
# certController:
# serviceMonitor:
# enabled: true

5
flux/olympus/core/external-secrets/kustomization.yaml
View file

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- vault-secret-store.yaml

7
flux/olympus/core/external-secrets/vault-secret-id.example.yaml
View file

@ -1,7 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: vault-secret-id
namespace: security
data:
secret-id: XXXXXX # Obtain by `vault write -f auth/approle/role/external-secrets/secret-id`

27
flux/olympus/core/external-secrets/vault-secret-store.yaml
View file

@ -1,27 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
namespace: security
spec:
provider:
vault:
server: "http://vault.olympus:8200"
path: "k8s"
version: "v2"
auth:
# VaultAppRole authenticates with Vault using the
# App Role auth mechanism
# https://www.vaultproject.io/docs/auth/approle
appRole:
# Path where the App Role authentication backend is mounted
path: "approle"
# RoleID configured in the App Role authentication backend
# `vault read auth/approle/role/external-secrets/role-id`
roleId: "bb841a0e-45c1-9dab-36f0-f72647d6aff0"
# Reference to a key in a K8 Secret that contains the App Role SecretId
# (not commited in git)
secretRef:
name: "vault-secret-id"
namespace: "security"
key: "secret-id"

5
flux/olympus/core/kustomization.yaml
View file

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespaces
- external-secrets

6
flux/olympus/core/namespaces/kustomization.yaml
View file

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- websites.yaml
- security.yaml
- services.yaml

4
flux/olympus/core/namespaces/security.yaml
View file

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: security

4
flux/olympus/core/namespaces/services.yaml
View file

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: services

4
flux/olympus/core/namespaces/websites.yaml
View file

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: websites

6
hosts/olympus/bastion/containers/common.nix Normal file
View file

@ -0,0 +1,6 @@
# common container config
{ lib, ... }: {
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true;
}

26
hosts/olympus/bastion/containers/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, ... }:
let
hostAddress = "10.42.99.1";
hostAddress6 = "fc00::1";
in {
# TODO: Loop over subdirs, create nixos container for each
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "ens18";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
forwardPorts = [
];
};
# Containers network is
# * 10.42.99.0/24
# * fc00:x
containers = {
};
}

38
hosts/olympus/bastion/default.nix Normal file
View file

@ -0,0 +1,38 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./containers
# ./vms.nix
];
programs.nix-ld.enable = true;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
virtualisation.podman.enable = true;
# Additional packages
environment.systemPackages = with pkgs; [ vault ];
networking.useNetworkd = true;
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
}

25
hosts/olympus/bastion/hardware-configuration.nix Normal file
View file

@ -0,0 +1,25 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";
fsType = "ext4";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
}

32
hosts/olympus/bastion/vms.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, pkgs, inputs, ... }: {
imports = [
inputs.microvm.nixosModules.host
];
microvm.vms = {
test-vm = {
inherit pkgs;
# (Optional) A set of special arguments to be passed to the MicroVM's NixOS modules.
#specialArgs = {};
# The configuration for the MicroVM.
# Multiple definitions will be merged as expected.
config = {
# It is highly recommended to share the host's nix-store
# with the VMs to prevent building huge images.
microvm.hypervisor = "crosvm";
microvm.shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}];
# Any other configuration for your MicroVM
# [...]
};
};
};
}