start set up for multi-location nixos flake

This commit is contained in:
Vivian 2022-07-30 22:16:44 +02:00
parent fa09f75ac6
commit 4b7d60c090
23 changed files with 26 additions and 12 deletions


@ -0,0 +1,24 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports = [ ];
networking.hostName = "template";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ ];
}


@ -0,0 +1,68 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }:
let
fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
#!${pkgs.stdenv.shell}
# Check if vscode-server dir exists
if [[ -d "$HOME/.vscode-server/bin" ]]; then
# For every bin folder within
for versiondir in "$HOME"/.vscode-server/bin/*; do
# Remove bundled node (dynamic links are borked for nix)
rm "$versiondir/node"
# symlink node form the nixpkg
ln -s "${pkgs.nodejs-16_x}/bin/node" "$versiondir/node"
done
fi
'';
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "bastion";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
virtualisation.podman = {
enable = true;
};
# Additional packages
environment.systemPackages = with pkgs; [
binutils
fix-vscode
fluxcd
k9s
kubectl
kubectx
nix-prefetch-git
nixpkgs-fmt
nixpkgs-review
ripgrep
rnix-lsp
rsync
tmux
vault
vim
];
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
}
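Review bot: The `fix-vscode` script in the `let` block is not idempotent: when `bin/` is empty the glob in `for versiondir in "$HOME"/.vscode-server/bin/*` is passed through literally and `rm`/`ln` run on a non-existent path, and `rm "$versiondir/node"` fails on any version dir that has already lost its bundled node. Guarding the body with `[[ -d "$versiondir" ]] || continue` and using `rm -f "$versiondir/node"` / `ln -sfn "${pkgs.nodejs-16_x}/bin/node" "$versiondir/node"` makes repeated runs safe. The runtime is pinned to `nodejs-16_x`; whether the VS Code server build in use still accepts that Node major is something to re-check whenever either side is upgraded.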


@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";
fsType = "ext4";
};
swapDevices = [{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
}


@ -0,0 +1,42 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
databases = [ "authentik" "umami" "drone" ];
in
{
imports = [ ];
networking.hostName = "database";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
services.postgresql =
{
enable = true;
package = pkgs.postgresql_14;
ensureDatabases = databases;
enableTCPIP = true;
# Allow all hosts on the server subnet, should probably lock this down more in the future
authentication = "host all all 10.42.42.0/24 trust";
ensureUsers = map
(name: {
inherit name;
ensurePermissions = { "DATABASE ${name}" = "ALL PRIVILEGES"; };
})
databases;
};
}
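Review bot: `authentication = "host all all 10.42.42.0/24 trust"` lets any machine on that subnet — every host in this commit's host list, plus whatever the wireguard host masquerades onto it — log in as any role, including the `postgres` superuser, with no password, and the firewall line opens the port on every interface. The inline comment already concedes this; a lock-down that keeps the `databases` list as the single source of truth is `authentication = builtins.concatStringsSep "\n" (map (db: "host ${db} ${db} 10.42.42.0/24 scram-sha-256") databases);`. Note that `ensureUsers` creates the roles without passwords, so each app role still needs one set out of band (an `initialScript`/`ALTER ROLE … PASSWORD` fed from the vault-secrets mechanism the other hosts use) before the `trust` line goes, or the apps lose access.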


@ -0,0 +1,153 @@
[
{
hostname = "edgerouter";
ip = "10.42.42.1";
ip6 = "2001:41f0:9639:1:b6fb:e4ff:fe53:9c0";
mac = "B4:FB:E4:53:9C:0A";
nix = false;
}
{
hostname = "unifi-ap";
ip = "10.42.42.2";
mac = "b4:fb:e4:f3:ff:1b";
nix = false;
}
{
hostname = "dhcp";
ip = "10.42.42.3";
mac = "3E:2D:E8:AA:E2:81";
}
{
hostname = "bastion";
ip = "10.42.42.4";
ip6 = "2001:41f0:9639:1:80f0:7cff:fecb:bd6d";
mac = "82:F0:7C:CB:BD:6D";
lxc = false;
}
{
hostname = "vault";
ip = "10.42.42.6";
mac = "16:2B:87:55:0C:0C";
}
{
hostname = "mosquitto";
ip = "10.42.42.7";
mac = "C6:F9:8B:3D:9E:37";
}
{
hostname = "home-assistant";
ip = "10.42.42.8";
ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
mac = "9E:60:78:ED:81:B4";
nix = false;
}
{
hostname = "nginx";
ip = "10.42.42.9";
ip6 = "2001:41f0:9639:1:68c2:89ff:fe85:cfa6";
mac = "6A:C2:89:85:CF:A6";
tags = [ "web" ];
}
{
hostname = "k3s-node1";
profile = "k3s";
ip = "10.42.42.10";
mac = "2E:F8:55:23:D9:9B";
lxc = false;
}
{
hostname = "WoolooTV";
ip = "10.42.42.13";
mac = "74:40:be:48:85:a4";
nix = false;
}
# {
# ip = "10.42.42.14";
# }
{
hostname = "dns-1";
profile = "dns";
ip = "10.42.42.15";
mac = "5E:F6:36:23:16:E3";
}
{
hostname = "dns-2";
profile = "dns";
ip = "10.42.42.16";
mac = "B6:04:0B:CD:0F:9F";
}
{
hostname = "minio";
ip = "10.42.42.17";
mac = "0A:06:5E:E7:9A:0C";
}
# {
# ip = "10.42.42.18";
# }
{
hostname = "victoriametrics";
ip = "10.42.42.19";
mac = "9E:91:61:35:84:1F";
}
{
hostname = "unifi";
ip = "10.42.42.20";
mac = "1A:88:A0:B0:65:B4";
}
{
hostname = "minecraft";
ip = "10.42.42.21";
mac = "EA:30:73:E4:B6:69";
}
{
hostname = "gitea";
ip = "10.42.42.22";
mac = "DE:5F:B0:83:6F:34";
}
{
hostname = "hedgedoc";
ip = "10.42.42.23";
mac = "86:BC:0C:18:BC:9B";
}
{
hostname = "zmeura";
ip = "10.42.42.24";
mac = "b8:27:eb:d5:e0:f5";
nix = false;
}
{
hostname = "wireguard";
ip = "10.42.42.25";
mac = "1E:ED:97:2C:C3:9D";
}
{
hostname = "database";
ip = "10.42.42.26";
mac = "CE:6E:96:87:18:1B";
}
{
hostname = "bookwyrm";
ip = "10.42.42.27";
mac = "9E:8A:6C:39:27:DE";
nix = false;
}
{
hostname = "synapse";
ip = "10.42.42.28";
mac = "9E:86:D3:46:EE:AE";
}
{
hostname = "nuc";
ip = "10.42.42.42";
ip6 = "2001:41f0:9639:1::42";
mac = "1C:69:7A:62:30:88";
nix = false;
}
{
hostname = "eevee";
ip = "10.42.42.69";
ip6 = "2001:41f0:9639:1:a83:e416:dc99:5ed3";
mac = "34:97:f6:93:9A:AA";
nix = false;
}
]


@ -0,0 +1,53 @@
{ config, pkgs, hosts, ... }:
let
hostToDhcp = { hostname, mac, ip, ... }: {
ethernetAddress = mac;
hostName = hostname;
ipAddress = ip;
};
hosts' = hosts.olympus;
in {
imports = [ ];
networking = {
hostName = "dhcp";
defaultGateway = "10.42.42.1";
nameservers = [ "10.42.42.15" "10.42.42.16" ];
interfaces.eth0 = {
useDHCP = false; # It turns out the barber just doesn't shave
ipv4.addresses = [{
address = "10.42.42.3";
prefixLength = 23;
}];
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedUDPPorts = [ 67 ];
services.dhcpd4 = {
enable = true;
extraConfig = ''
option subnet-mask 255.255.254.0;
option broadcast-address 10.42.43.255;
option routers 10.42.42.1;
option domain-name-servers 10.42.42.15, 10.42.42.16;
option domain-name "olympus";
option domain-search "olympus";
subnet 10.42.42.0 netmask 255.255.254.0 {
range 10.42.43.1 10.42.43.254;
}
'';
machines = map hostToDhcp hosts';
};
}


@ -0,0 +1,70 @@
{ config, pkgs, hosts, ... }:
let
inherit (builtins) filter hasAttr;
localdomain = "olympus";
# TODO: use location attr in hosts
hosts' = hosts.${localdomain};
ipv6Hosts = filter (hasAttr "ip6") hosts';
localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
ptrData = { hostname, ip, ... }: ''"${ip} ${hostname}.${localdomain}"'';
ptr6Data = { hostname, ip6, ... }: ''"${ip6} ${hostname}.${localdomain}"'';
in {
imports = [ ];
networking.hostName = "dns";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ dig dog drill ];
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
services.unbound = {
enable = true;
package = pkgs.v.unbound;
settings = {
server = {
use-syslog = "yes";
module-config = ''"validator iterator"'';
interface-automatic = "yes";
interface = [ "0.0.0.0" "::0" ];
local-zone = ''"${localdomain}." transparent'';
local-data = (map localData hosts') ++ (map local6Data ipv6Hosts);
local-data-ptr = (map ptrData hosts') ++ (map ptr6Data ipv6Hosts);
access-control = [
"127.0.0.1/32 allow_snoop"
"::1 allow_snoop"
"10.42.0.0/16 allow"
"127.0.0.0/8 allow"
"192.168.2.0/24 allow"
"::1/128 allow"
];
private-address = [
"127.0.0.0/8"
"10.0.0.0/8"
"::ffff:a00:0/104"
"172.16.0.0/12"
"::ffff:ac10:0/108"
"169.254.0.0/16"
"::ffff:a9fe:0/112"
"192.168.0.0/16"
"::ffff:c0a8:0/112"
"fd00::/8"
"fe80::/10"
];
};
};
};
}
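Review bot: The `access-control` list has no entry for the LAN's IPv6 prefix even though unbound binds `::0` and port 53 is opened on all interfaces; several hosts in this commit carry `2001:41f0:9639:1::/64` addresses, and unbound refuses queries from unlisted sources, so LAN clients resolving over IPv6 get REFUSED (inbound from the internet is refused as well, which is the right default). If v6 resolution on the LAN is wanted, add `"2001:41f0:9639:1::/64 allow"` next to the `10.42.0.0/16 allow` entry. `::1` is listed twice (`allow_snoop` and `allow`) with the same /128; as far as I can tell only one of them can take effect, so the plain `"::1/128 allow"` entry should go. The k3s node's pod CIDR is moved to `10.69.0.0/16` in this same commit, so pods that query this resolver with their own address rather than the node's would also fall outside the `10.42.0.0/16` allow.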


@ -0,0 +1,51 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, ... }:
{
imports = [ ];
networking.hostName = "gitea";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ config.services.gitea.httpPort ];
services.openssh.startWhenNeeded = false;
services.fail2ban = {
enable = true;
maxretry = 3;
};
services.gitea = {
enable = true;
domain = "git.0x76.dev";
rootUrl = "https://git.0x76.dev";
lfs.enable = true;
dump.type = "tar.gz";
database.type = "postgres";
ssh.clonePort = 42;
disableRegistration = true;
cookieSecure = true;
settings = {
ui = {
DEFAULT_THEME = "arc-green";
USE_SERVICE_WORKER = true;
};
};
};
}
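Review bot: `services.fail2ban` here has no jail for Gitea, and as far as I know NixOS ships only the sshd jail by default, so `maxretry = 3` does nothing against web-login brute force on the HTTP port the firewall opens. A `services.fail2ban.jails.gitea` entry with a filter matching Gitea's `Failed authentication attempt … from <HOST>` log lines would cover it, which also requires Gitea to log to a file (`settings.log.MODE`); because requests arrive through the nginx host, `settings.security.REVERSE_PROXY_TRUSTED_PROXIES` must name that proxy or every ban would land on nginx's address. `ssh.clonePort = 42` only changes the port Gitea advertises in clone URLs — confirm sshd is actually bound to 42 (`services.openssh.ports`) somewhere outside this file, otherwise SSH clones break.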


@ -0,0 +1,96 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, inputs, ... }:
let
db_name = "hedgedoc";
db_user = "hedgedoc";
vs = config.vault-secrets.secrets;
in
{
imports = [ ];
networking.hostName = "hedgedoc";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ config.services.hedgedoc.settings.port ];
vault-secrets.secrets.hedgedoc = { };
services.postgresql =
{
enable = true;
package = pkgs.postgresql_13;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensurePermissions = { "DATABASE ${db_name}" = "ALL PRIVILEGES"; };
}
];
};
services.hedgedoc = {
enable = true;
environmentFile = "${vs.hedgedoc}/environment";
settings = {
host = "0.0.0.0";
port = 3000;
sessionSecret = "$SESSION_SECRET";
domain = "md.0x76.dev";
protocolUseSSL = true;
hsts.enable = true;
allowOrigin = [
config.services.hedgedoc.settings.domain
"hedgedoc"
];
allowAnonymous = false;
allowEmailRegister = false;
allowAnonymousEdits = true;
allowFreeURL = true;
requireFreeURLAuthentication = true;
imageUploadType = "minio";
db = {
dialect = "postgres";
username = db_user;
database = db_name;
host = "/run/postgresql";
};
s3bucket = "hedgedoc";
minio = {
secure = true;
endPoint = "o.0x76.dev";
port = 443;
accessKey = "$MINIO_ACCESS_KEY";
secretKey = "$MINIO_SECRET_KEY";
};
email = true;
oauth2 = let url = "https://id.0x76.dev"; in
{
providerName = "authentik";
clientID = "$AUTHENTIK_CLIENTID";
clientSecret = "$AUTHENTIK_CLIENTSECRET";
scope = "openid email profile";
userProfileURL = "${url}/application/o/userinfo/";
tokenURL = "${url}/application/o/token/";
authorizationURL = "${url}/application/o/authorize/";
userProfileUsernameAttr = "preferred_username";
userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email";
};
};
};
}
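Review bot: `allowAnonymousEdits = true` sits next to `allowAnonymous = false` and `allowEmailRegister = false`; with anonymous sign-in and registration both off, an unauthenticated visitor can still edit any note whose permission allows it, which looks at odds with the closed-registration intent — if that is not deliberate, set `allowAnonymousEdits = false;`. The `$SESSION_SECRET`/`$MINIO_*`/`$AUTHENTIK_*` placeholders rely on the module substituting values from `environmentFile` at start-up; that is how the NixOS hedgedoc module behaves as far as I know, but a one-line comment above `environmentFile` saying so would stop a later reader from "fixing" them into literal strings.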


@ -0,0 +1,52 @@
{ config, pkgs, lib, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
boot.kernel.sysctl."fs.inotify.max_user_instances" = 2147483647; # INT_MAX, dynamically limited based on available memory
boot.kernel.sysctl."fs.inotify.max_user_watches" = 1048576;
networking.hostName = "k3s-node1";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ iptables vim ];
# Disable the firewall as we need all the ports
networking.firewall.enable = false;
# Force-enable Cgroupv2
systemd.enableUnifiedCgroupHierarchy = lib.mkForce true;
# Ensure `mount` and `grep` are available
systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ];
# Enable k3s as a master node
services.k3s = {
enable = true;
role = "server";
extraFlags = builtins.toString [
"--data-dir=/var/lib/k3s" # Set data dir to var lib
"--cluster-init" # Enable embedded etcd
"--disable=servicelb" # disable servicelb
"--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead)
"--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
];
};
}
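Review bot: `networking.firewall.enable = false` turns off host filtering entirely to satisfy k3s, but a single server node with embedded etcd needs a short, documented set of ports, so those can be listed instead of dropping the firewall. The set below is the one the k3s networking docs give for a server node (API, etcd, kubelet, flannel VXLAN) plus trust for the CNI interfaces; verify it against the docs for the k3s release actually deployed and add the NodePort range if services rely on it. Separately, `--no-deploy=traefik` is deprecated in recent k3s releases in favour of `--disable=traefik`, the form the `--disable=servicelb` line already uses.
```nix
  # Only what a k3s server node needs (check against the k3s docs for this release):
  # 6443 API, 2379/2380 embedded etcd, 10250 kubelet, 8472/udp flannel VXLAN.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 6443 2379 2380 10250 ];
    allowedUDPPorts = [ 8472 ];
    trustedInterfaces = [ "cni0" "flannel.1" ];
  };
  # … unchanged: cgroup v2, k3s service path, services.k3s …
```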


@ -0,0 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e8427097-8545-4924-b033-2659fcf9adca";
fsType = "ext4";
};
swapDevices = [{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
}


@ -0,0 +1,47 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, inputs, ... }:
{
imports = [ ];
networking.hostName = "minecraft";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ ];
services.minecraft-server = {
enable = false;
package = pkgs.minecraftServers.purpur_1_18;
jvmOpts = "--add-modules=jdk.incubator.vector -Xmx2048M -Xms2048M";
declarative = true;
eula = true;
openFirewall = true;
serverProperties = {
server-port = 25565;
motd = "blahaj minecraft server!";
white-list = true;
enable-rcon = true;
"timings.enabled" = false;
};
whitelist = {
"0x76" = "5513404a-81a2-4c84-b952-18661b1803e7";
red_shifts = "e0afdee5-e776-49a9-a0cd-c8753faf4255";
iampilot = "4055515e-0567-4610-972e-8e530a5a9ccb";
};
};
}
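Review bot: `enable-rcon = true` is set without an `rcon.password` in `serverProperties`; the service is disabled for now, but when it is switched on the NixOS module (as I read it) also opens `rcon.port` because `openFirewall = true` and `enable-rcon` is set, so the admin console would be exposed to the LAN with an empty password. Either drop `enable-rcon` until it is needed, or set `"rcon.password"` from a secret and keep the rcon port out of the firewall opening.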


@ -0,0 +1,36 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
vs = config.vault-secrets.secrets;
listenPort = 9000;
consolePort = 9001;
in {
imports = [ ];
networking.hostName = "minio";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ listenPort consolePort ];
vault-secrets.secrets.minio = { };
services.minio = {
enable = true;
rootCredentialsFile = "${vs.minio}/environment";
listenAddress = ":${toString listenPort}";
consoleAddress = ":${toString consolePort}";
};
}
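Review bot: `allowedTCPPorts = [ listenPort consolePort ]` exposes the MinIO console (9001) on every interface over plain HTTP, and the only credential configured here is the root account from `rootCredentialsFile`, so a root login travels the LAN in cleartext. Keep the console local — `consoleAddress = "127.0.0.1:${toString consolePort}";` and `networking.firewall.allowedTCPPorts = [ listenPort ];` — and reach it through an SSH forward or a TLS vhost on the nginx host, which already proxies `o.0x76.dev` to the S3 port. Clients such as the hedgedoc host should get a scoped access key rather than the root credentials; I cannot tell from this file which key they use.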


@ -0,0 +1,59 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let mosquittoPort = 1883;
in
{
imports = [ ];
networking.hostName = "mosquitto";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
services.mosquitto = {
enable = true;
listeners = [{
port = mosquittoPort;
settings.allow_anonymous = true;
acl = [ "topic readwrite #" ];
users = {
victor = { acl = [ "readwrite #" ]; };
zigbee2mqtt = { acl = [ "readwrite #" ]; };
};
}];
};
services.zigbee2mqtt = {
enable = true;
dataDir = "/var/lib/zigbee2mqtt";
settings = {
homeassistant = true;
permit_join = false;
serial = { port = "/dev/ttyUSB0"; };
mqtt = {
base_topic = "zigbee2mqtt";
server = "mqtt://localhost:${toString mosquittoPort}";
user = "zigbee2mqtt";
};
frontend = { port = 8080; };
};
};
networking.firewall.allowedTCPPorts =
[ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
}
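Review bot: `settings.allow_anonymous = true` together with the anonymous `acl = [ "topic readwrite #" ]` and port 1883 opened to the LAN means any host on the subnet can read every topic and publish to, for example, `zigbee2mqtt/bridge/request/permit_join` or a device's `set` topic, i.e. pair or control every Zigbee device. The `victor` and `zigbee2mqtt` users declare no password (and zigbee2mqtt sets `user` without one), so as far as I can tell they cannot actually authenticate and everything is running through the anonymous path. The zigbee2mqtt `frontend` on 8080 is opened to the LAN as well with no `auth_token`, which gives the same control through the web UI. I would close anonymous access and give each client a password file from the vault-secrets mechanism the other hosts use, as below; zigbee2mqtt then needs the matching `mqtt.password` (e.g. via its `secret.yaml` `!secret` reference) and the frontend an `auth_token`, and any non-Nix MQTT client such as home-assistant needs credentials too.
```nix
  vault-secrets.secrets.mosquitto = { };
  services.mosquitto.listeners = [{
    port = mosquittoPort;
    settings.allow_anonymous = false;
    acl = [ ]; # anonymous clients get nothing
    users = {
      victor = {
        acl = [ "readwrite #" ];
        passwordFile = "${config.vault-secrets.secrets.mosquitto}/victor";
      };
      zigbee2mqtt = {
        # own base_topic plus the homeassistant discovery prefix only
        acl = [ "readwrite zigbee2mqtt/#" "readwrite homeassistant/#" ];
        passwordFile = "${config.vault-secrets.secrets.mosquitto}/zigbee2mqtt";
      };
    };
  }];
  # … unchanged: services.zigbee2mqtt, firewall …
```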


@ -0,0 +1,130 @@
{ config, pkgs, ... }:
let
proxy = url: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = url;
proxyWebsockets = true;
};
};
k8s_proxy = proxy "http://10.42.42.150:8000/";
clientConfig = {
"m.homeserver" = {
base_url = "https://chat.meowy.tech";
server_name = "meowy.tech";
};
"m.identity_server" = { };
};
serverConfig."m.server" = "chat.meowy.tech:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
networking.hostName = "nginx";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
statusPage = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
package = pkgs.nginxMainline.override {
modules = with pkgs.nginxModules; [ brotli ];
};
# Reverse Proxies
virtualHosts."ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
virtualHosts."zookeeper-dev.0x76.dev" = proxy "http://eevee.olympus:8085/";
virtualHosts."md.0x76.dev" = proxy "http://hedgedoc.olympus:3000/";
virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000";
virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000";
virtualHosts."grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
# Meow
virtualHosts."meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 '<h1>meow</h1>';
'';
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
};
virtualHosts."chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 307 https://element.chat.meowy.tech;
'';
locations."/_matrix".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008";
};
virtualHosts."element.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config = clientConfig;
show_labs_settings = true;
brand = "chat.meowy.tech";
};
};
};
virtualHosts."admin.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.synapse-admin;
};
# Kubernetes endpoints
virtualHosts."0x76.dev" = k8s_proxy;
virtualHosts."drone.0x76.dev" = k8s_proxy;
virtualHosts."id.0x76.dev" = k8s_proxy;
virtualHosts."msg.0x76.dev" = k8s_proxy;
virtualHosts."zookeeper.0x76.dev" = k8s_proxy;
virtualHosts."wooloofan.club" = k8s_proxy;
virtualHosts."whoami.wooloofan.club" = k8s_proxy;
};
services.nginx.commonHttpConfig = ''
brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
'';
security.acme.defaults.email = "victorheld12@gmail.com";
security.acme.acceptTerms = true;
security.acme.preliminarySelfsigned = true;
services.prometheus.exporters = {
nginx = {
enable = true;
openFirewall = true;
};
};
}
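Review bot: `services.prometheus.exporters.nginx.openFirewall = true` opens the exporter's port (9113, the one the victoriametrics host scrapes) on every interface, and this host carries a global IPv6 address in the hosts list of this commit, so unless the edgerouter filters inbound v6 the nginx status metrics are reachable from the internet. Binding the exporter to the LAN address, `listenAddress = "10.42.42.9";`, keeps it off the v6 address regardless of what the router filters. On `chat.meowy.tech`, the `/_matrix` location sets no `client_max_body_size`, so media uploads above nginx's default of 1m are rejected before Synapse sees them unless that is configured elsewhere; `locations."/_matrix".extraConfig = "client_max_body_size 50M;"` (matching Synapse's default `max_upload_size`) is the usual fix.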


@ -0,0 +1,99 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
vs = config.vault-secrets.secrets;
port = 8008;
metricsPort = 9000;
in
{
imports = [ ];
networking.hostName = "synapse";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ port metricsPort ];
vault-secrets.secrets.synapse = {
user = "matrix-synapse";
group = "matrix-synapse";
services = [ "matrix-synapse" ];
};
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
services.matrix-synapse =
let
extraConfig = builtins.toFile "extraConfig.yaml" ''
registration_requires_token: true
'';
in
{
enable = true;
withJemalloc = true;
extraConfigFiles = [
"${vs.synapse}/macaroon_secret_key"
"${vs.synapse}/registration_shared_secret"
"${vs.synapse}/form_secret"
"${vs.synapse}/turn_shared_secret"
extraConfig
];
settings =
{
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [
{
names = [ "metrics" ];
compress = false;
}
];
}
];
};
};
}
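Review bot: `initialScript` embeds the role password `'synapse'` in a Nix store file, which is world-readable on the host; since Postgres here is not TCP-enabled and the NixOS Synapse module (as I read its defaults) connects over the unix socket as the `matrix-synapse` system user, the password is neither needed nor used — `CREATE ROLE "matrix-synapse" WITH LOGIN;` is enough. Bear in mind `initialScript` only runs when the cluster is first initialised, so editing it later does not change an already-created role. The `registration_requires_token` YAML written with `builtins.toFile` could simply be `settings.registration_requires_token = true;` next to `enable_registration = true`, which keeps the two related switches together. Both listeners bind `0.0.0.0` with `x_forwarded = true`, so any LAN host can reach 8008 directly with a forged `X-Forwarded-For`; if only the nginx host should talk to it, a source-restricted firewall rule for 8008 closes that.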


@ -0,0 +1,32 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{
imports = [ ];
networking.hostName = "unifi";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ 8443 ];
environment.noXlibs = lib.mkForce false;
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi;
openFirewall = true;
};
}
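Review bot: `networking.firewall.allowedTCPPorts = [ 8443 ]` is redundant with `openFirewall = true` — as I read the unifi module, `openFirewall` already opens 8443 together with the inform, STUN and discovery ports — so one of the two lines should go, preferably keeping `openFirewall` so the port list follows the module. `unifiPackage = pkgs.unifi` tracks whatever that alias currently points at; pinning an explicitly versioned attribute avoids an unplanned controller (and bundled MongoDB data) upgrade on the next channel bump.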


@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let port = 8200;
in {
networking.hostName = "vault";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
# Vault
networking.firewall.allowedTCPPorts = [ port ];
services.vault = {
enable = true;
# bin version includes the UI
package = pkgs.vault-bin;
address = "0.0.0.0:${toString port}";
storageBackend = "file";
storagePath = "/var/lib/vault";
extraConfig = ''
ui = true
'';
};
}
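Review bot: `address = "0.0.0.0:8200"` is configured without `tlsCertFile`/`tlsKeyFile`; as I read the NixOS vault module, that makes it emit `tls_disable` for the listener, so every token and every secret the other hosts pull through `vault-secrets` — Postgres/MinIO credentials, the WireGuard private key, Synapse's signing secrets — crosses the LAN in cleartext, and the UI enabled in `extraConfig` is served the same way. Give the listener a certificate, e.g. `tlsCertFile = "/var/lib/vault/tls/cert.pem"; tlsKeyFile = "/var/lib/vault/tls/key.pem";` (from an internal CA or an ACME cert copied over), and point the clients at `https://`. With `storageBackend = "file"` this is also a single unreplicated copy of all secrets, so `/var/lib/vault` deserves an off-host backup.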


@ -0,0 +1,86 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
vmPort = 8428;
vs = config.vault-secrets.secrets;
in
{
imports = [ ];
networking.hostName = "victoriametrics";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ vmPort config.services.grafana.port ];
networking.firewall.allowedUDPPorts = [ vmPort ];
services.victoriametrics = {
enable = true;
listenAddress = ":${toString vmPort}";
# Data Retention period in months
retentionPeriod = 12;
};
services.vmagent = {
enable = true;
openFirewall = true;
prometheusConfig = {
global = {
scrape_interval = "1m";
scrape_timeout = "30s";
};
scrape_configs = [
{
job_name = "nginx";
static_configs = [
{
targets = [ "nginx.olympus:9113" ];
labels.app = "nginx";
}
];
}
{
job_name = "synapse";
metrics_path = "/_synapse/metrics";
static_configs = [{
targets = [ "synapse.olympus:9000" ];
labels.app = "synapse";
}];
}
{
job_name = "wireguard";
static_configs = [{
targets = [ "wireguard.olympus:9586" ];
labels.app = "wireguard";
}];
}
];
};
};
vault-secrets.secrets.grafana = {
user = "grafana";
group = "grafana";
};
services.grafana = {
enable = true;
addr = "0.0.0.0";
port = 2342;
domain = "grafana.0x76.dev";
rootUrl = "https://grafana.0x76.dev";
security.adminPasswordFile = "${vs.grafana}/password";
};
}
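Review bot: `networking.firewall.allowedTCPPorts = [ vmPort … ]` and `allowedUDPPorts = [ vmPort ]` expose VictoriaMetrics' HTTP port on every interface, although the only consumers visible in this file — `vmagent` and Grafana — run on this same host; VictoriaMetrics has no authentication of its own, so any LAN host can write series and, unless `-deleteAuthKey` is set, delete them. Binding it locally, `listenAddress = "127.0.0.1:${toString vmPort}";`, and dropping `vmPort` from both firewall lists closes that without affecting the local scrapers (if something off-host queries it directly, that is what to keep an allow for). The UDP entry looks like a leftover: 8428 is the HTTP listener, and the UDP ingestion listeners (graphite/influx) are separate opt-in ports. `services.vmagent.openFirewall = true` likewise exposes vmagent's own port to the LAN with no visible consumer.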


@ -0,0 +1,62 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, inputs, ... }:
let vs = config.vault-secrets.secrets; in
{
imports = [ ];
networking.hostName = "wireguard";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ wireguard-tools ];
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedUDPPorts = [
config.networking.wireguard.interfaces.wg0.listenPort
];
vault-secrets.secrets.wireguard = {
services = [ "wireguard-wg0" ];
};
networking.nat = {
enable = true;
internalInterfaces = [ "wg0" ];
externalInterface = "eth0";
};
services.prometheus.exporters.wireguard = {
enable = true;
openFirewall = true;
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
privateKeyFile = "${vs.wireguard}/privateKey";
peers = [
{
# Phone
publicKey = "K+99mvSYs4urcclreQDLA1pekD4xtu/mpS2uVWw8Bws=";
allowedIPs = [ "10.100.0.2/32" ];
}
{
# Laura's laptop
publicKey = "ZWIaDGrASlTkEK75j10VeGCvrIGfpk4GPobmqcYX2D0=";
allowedIPs = [ "10.100.0.3/32" ];
}
];
};
}
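Review bot: `networking.nat` masquerades VPN peers behind this host's own LAN address (10.42.42.25 in the hosts list), so every subnet-based allow list in this commit — the Postgres `trust` line for 10.42.42.0/24, unbound's `10.42.0.0/16 allow`, Mosquitto's anonymous listener — sees a VPN client as a trusted LAN host; the "Laura's laptop" peer therefore inherits, among other things, password-less superuser access to the database host as that file is written. If that is more reach than intended, route `10.100.0.0/24` on the edgerouter and drop the NAT so peers keep their own addresses and can be filtered per service, or at least limit forwarding from `wg0` to the destinations each peer needs via `networking.firewall.extraCommands`. A one-line comment above `networking.nat` stating that peers appear as 10.42.42.25 to the rest of the LAN would save the next reader the cross-file check. The WireGuard exporter's `openFirewall = true` opens 9586 to the LAN as well; `listenAddress = "10.42.42.25";` would scope it should this host ever gain a global address.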