Merge branch 'main' of ssh://git.0x76.dev:42/v/infrastructure

Vivian 2023-12-26 16:17:01 +01:00
commit 6322f2236a
16 changed files with 199 additions and 269 deletions


@ -26,10 +26,7 @@ in {
ensureDatabases = [ "atticd" ];
ensureUsers = [{
name = "atticd";
ensurePermissions = {
"DATABASE atticd" = "ALL PRIVILEGES";
"schema public" = "ALL";
};
ensureDBOwnership = true;
}];
};


@ -5,16 +5,7 @@
programs.mosh.enable = true;
environment.systemPackages = with pkgs; [
cachix
clang
direnv
git-crypt
nix-update
pinentry-curses
ripgrep
rsync
rustup
tmux
vault
];


@ -18,11 +18,7 @@
ip = "192.168.0.101";
mac = "5a:00:b7:6c:d1:e2";
};
"plex" = {
ip = "192.168.0.102";
mac = "00:0c:29:a1:4e:28";
nix = false;
};
# ip = "192.168.0.102";
"vault-0" = {
ip = "192.168.0.103";
mac = "7A:14:15:ED:D1:E6";
@ -60,16 +56,8 @@
profile = "dns";
tags = [ "networking" ];
};
"MariaDB" = {
ip = "192.168.0.109";
mac = "00:0c:29:23:4f:12";
nix = false;
};
"bitwarden_rs" = {
ip = "192.168.0.110";
mac = "00:0c:29:f5:98:00";
nix = false;
};
# ip = "192.168.0.109";
# ip = "192.168.0.110";
"rtorrent" = {
ip = "192.168.0.111";
mac = "7a:5f:9b:62:49:91";
@ -139,15 +127,8 @@
mac = "5E:36:04:2D:38:DF";
type = "vm";
};
"database" = {
ip = "192.168.0.126";
mac = "82:e8:71:7f:37:b4";
};
"dn42" = {
ip = "192.168.0.127";
mac = "12:fa:24:02:65:e6";
nix = false;
};
# ip = "192.168.0.126";
# ip = "192.168.0.127";
"attic" = {
ip = "192.168.0.128";
mac = "9E:AF:E9:FE:D4:D9";
@ -165,15 +146,8 @@
};
nix = false;
};
# "docker-registry" = {
# ip = "192.168.0.130"attic, ;
# mac = "5e:0e:a6:cf:64:70";
# };
"minecraft" = {
ip = "192.168.0.131";
mac = "00:0c:29:9b:e1:c4";
nix = false;
};
# ip = "192.168.0.130";
# ip = "192.168.0.131";
"tudelft" = {
ip = "192.168.0.132";
mac = "AE:B3:93:4B:04:76";
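Review bot: The replacement lines `# ip = "192.168.0.102";` (and the same form for .109, .110, .126, .127, .130 and .131) mark an address as taken without saying for what, so the name and MAC of the host that held it appear to be lost once this is merged (the old side shows plex at .102, for instance). A reader deciding whether .102 can be reused then has nothing to go on; a one-word reason keeps the intent, e.g. `# 192.168.0.102: reserved (former plex, not nix-managed)`. If this table also feeds DHCP/DNS (the entry with `profile = "dns"` suggests it might), dropping the entries of hosts that still exist would move them to dynamic leases, which is worth confirming as intended. The first hunk in this section begins inside an entry whose head is above it.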


@ -7,8 +7,7 @@ let
# https://github.com/immich-app/immich/releases
# version = "1.55.1";
dataDir = "/var/lib/immich";
in
{
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -22,31 +21,32 @@ in
# Additional packages
environment.systemPackages = with pkgs; [ ];
# TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich
fileSystems."/mnt/storage" = {
device = "storage:/mnt/storage";
fsType = "nfs";
};
# Unused uid/gid snagged from this list:
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
ids.uids.immich = 911;
ids.gids.immich = 911;
users.groups.photos = {};
users.users.immich = {
isSystemUser = true;
group = "photos";
description = "Immich daemon user";
home = dataDir;
uid = config.ids.uids.immich;
ids = {
# Unused uid/gid snagged from this list:
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
uids.immich = 911;
gids.immich = 911;
};
users = {
groups = {
photos = { };
immich = { gid = config.ids.gids.immich; };
};
users.groups.immich = { gid = config.ids.gids.immich; };
users.immich = {
isSystemUser = true;
group = "photos";
description = "Immich daemon user";
home = dataDir;
uid = config.ids.uids.immich;
};
};
# Postgres database configuration
services.postgresql = {
@ -56,7 +56,7 @@ in
ensureUsers = [{
name = "immich";
ensurePermissions = { "DATABASE immich" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
ensureDatabases = [ "immich" ];


@ -49,17 +49,17 @@ in {
allowedTCPPorts = [ 25565 ];
};
users.groups.mc = { };
users.extraUsers.laura.extraGroups = [ "wheel" ];
users.extraUsers.vivian.extraGroups = [ "mc" ];
users.extraUsers.vivian.extraGroups = [ "wheel" ];
users.groups.mc = { };
users.extraUsers.julia = {
isNormalUser = true;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
];
extraGroups = [ "mc" "wheel" ];
};
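Review bot: `extraGroups = [ "mc" "wheel" ]` on the new `users.extraUsers.julia` block, together with `users.extraUsers.vivian.extraGroups = [ "wheel" ];`, grants sudo rights (NixOS lets `wheel` use sudo by default), and the hunk gives no reason why a Minecraft host needs two extra administrators. julia's account is defined with an SSH key only, so whether sudo is usable or password-less depends on `security.sudo.wheelNeedsPassword`, which is set outside this hunk; the intended behaviour should be confirmed and recorded, e.g. `# wheel: julia and vivian administer the minecraft service on this host`. The `laura` wheel line appears only on the old side as rendered, so whether it was removed is not certain from this page.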


@ -2,19 +2,94 @@
let
vs = config.vault-secrets.secrets;
cfg = config.services.mastodon;
in
{
in {
system.stateVersion = "21.05";
# Use DHCP with static leases
networking.interfaces.eth0.useDHCP = true;
# Better cache hits
environment.noXlibs = lib.mkForce false;
services = {
elasticsearch = {
enable = true;
cluster_name = "mastodon-es";
package = pkgs.elasticsearch7;
};
services.elasticsearch = {
enable = true;
cluster_name = "mastodon-es";
package = pkgs.elasticsearch7;
postgresql = {
enable = true;
package = pkgs.postgresql_16;
settings = {
shared_preload_libraries = "pg_stat_statements";
"pg_stat_statements.track" = "all";
"pg_stat_statements.max" = 10000;
track_activity_query_size = 2048;
};
# The rest of the database setup is handled by mastodon
};
mastodon = {
enable = true;
package = pkgs.v.glitch-soc;
streamingProcesses = 3;
webPort = 55001;
enableUnixSocket = false;
localDomain = "xirion.net";
trustedProxy = "192.168.0.122";
mediaAutoRemove = {
enable = true;
olderThanDays = 30;
startAt = "daily";
};
configureNginx = false;
redis.createLocally = true;
elasticsearch = {
host = "127.0.0.1";
inherit (config.services.elasticsearch) port;
};
database.createLocally = true;
smtp = {
createLocally = false;
fromAddress = "mastodon@xirion.net";
host = "mail.0x76.dev";
user = "mastodon@xirion.net";
authenticate = true;
port = 587;
passwordFile = "${vs.mastodon}/smtp-password";
};
extraConfig = {
BIND = "0.0.0.0";
SINGLE_USER_MODE = "false";
EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
DEFAULT_LOCALE = "en";
WEB_DOMAIN = "fedi.xirion.net";
ALTERNATE_DOMAINS = "meowy.tech";
SMTP_AUTH_METHOD = "plain";
SMTP_OPENSSL_VERIFY_MODE = "none";
RAILS_SERVE_STATIC_FILES = "false";
AUTHORIZED_FETCH = "true";
# https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
# https://shivering-isles.com/Mastodon-and-Amazon-S3
S3_ENABLED = "true";
S3_REGION = "hades";
S3_BUCKET = "mastodon";
S3_ENDPOINT = "http://garage.hades:3900";
S3_ALIAS_HOST = "fedi-media.xirion.net";
DEEPL_PLAN = "free";
};
};
};
vault-secrets.secrets.mastodon = {
@ -31,77 +106,6 @@ in
EOF
'';
services.mastodon = {
enable = true;
package = pkgs.v.glitch-soc;
streamingProcesses = 3;
webPort = 55001;
enableUnixSocket = false;
localDomain = "xirion.net";
trustedProxy = "192.168.0.122";
mediaAutoRemove = {
enable = true;
olderThanDays = 30;
startAt = "daily";
};
configureNginx = false;
redis.createLocally = true;
elasticsearch = {
host = "127.0.0.1";
inherit (config.services.elasticsearch) port;
};
database = {
createLocally = false;
user = "mastodon";
passwordFile = "${vs.mastodon}/db-password";
port = 5432;
name = "mastodon";
host = "192.168.0.126";
};
smtp = {
createLocally = false;
fromAddress = "mastodon@xirion.net";
host = "mail.0x76.dev";
user = "mastodon@xirion.net";
authenticate = true;
port = 587;
passwordFile = "${vs.mastodon}/smtp-password";
};
extraConfig = {
BIND = "0.0.0.0";
SINGLE_USER_MODE = "false";
EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
DEFAULT_LOCALE = "en";
WEB_DOMAIN = "fedi.xirion.net";
ALTERNATE_DOMAINS = "meowy.tech";
SMTP_AUTH_METHOD = "plain";
SMTP_OPENSSL_VERIFY_MODE = "none";
RAILS_SERVE_STATIC_FILES = "false";
AUTHORIZED_FETCH = "true";
# https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
# https://shivering-isles.com/Mastodon-and-Amazon-S3
S3_ENABLED = "true";
S3_REGION = "hades";
S3_BUCKET = "mastodon";
S3_ENDPOINT = "http://garage.hades:3900";
S3_ALIAS_HOST = "fedi-media.xirion.net";
DEEPL_PLAN = "free";
};
};
networking.firewall =
let cfg = config.services.mastodon;
in { allowedTCPPorts = [ cfg.webPort ]; };
networking.firewall = let cfg = config.services.mastodon;
in { allowedTCPPorts = [ cfg.webPort ]; };
}
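Review bot: `database.createLocally = true;` in the new `services.mastodon` block, together with the new local `postgresql` service, replaces the remote database at 192.168.0.126 (`createLocally = false` with `passwordFile = "${vs.mastodon}/db-password"` on the old side) with a freshly provisioned local PostgreSQL 16 instance, and nothing in the hunk migrates existing data or retires the now-unread db-password secret. If this is a move rather than a reset, a sentence next to `# The rest of the database setup is handled by mastodon` on how the existing data was carried over, and a note that the vault entry can be dropped, would save the next reader a question. `SMTP_OPENSSL_VERIFY_MODE = "none";` is carried over unchanged and disables certificate verification toward `mail.0x76.dev` while `authenticate = true` sends the SMTP password over that connection; if the mail host presents a valid certificate, `SMTP_OPENSSL_VERIFY_MODE = "peer";` restores verification with no other change. The second hunk's `networking.firewall` line closes the module at `}`.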


@ -12,8 +12,7 @@ let
proxyWebsockets = true;
};
};
in
{
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -46,22 +45,25 @@ in
"xirion.net" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 'Hello, World!';
'';
locations = {
"/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 'Hello, World!';
'';
# Mastodon federation
locations."= /.well-known/host-meta".extraConfig = ''
return 301 https://fedi.xirion.net$request_uri;
'';
locations."/.well-known/webfinger".extraConfig = ''
add_header Access-Control-Allow-Origin '*';
return 301 https://fedi.xirion.net$request_uri;
'';
# Mastodon federation
"= /.well-known/host-meta".extraConfig = ''
return 301 https://fedi.xirion.net$request_uri;
'';
"/.well-known/webfinger".extraConfig = ''
add_header Access-Control-Allow-Origin '*';
return 301 https://fedi.xirion.net$request_uri;
'';
};
};
"peepeepoopoo.xirion.net" = proxy "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
"peepeepoopoo.xirion.net" = proxy
"http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
"plex.xirion.net" = {
# Since we want a secure connection, we force SSL


@ -2,13 +2,40 @@
let vs = config.vault-secrets.secrets;
in {
imports = [ ./rtorrent.nix ];
networking = {
interfaces.eth0.useDHCP = true;
firewall = {
allowedTCPPorts = [ config.services.rtorrent.port ];
allowedUDPPorts = [ config.services.rtorrent.port ];
};
networking.interfaces.eth0.useDHCP = true;
wg-quick.interfaces = let
postUpScript = pkgs.writeScriptBin "post_up" ''
#!${pkgs.stdenv.shell}
${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
'';
in {
wg0 = {
address =
[ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
mtu = 1320;
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
privateKeyFile = "${vs.rtorrent}/wireguardKey";
postUp = "${postUpScript}/bin/post_up || true";
peers = [{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "europe3.vpn.airdns.org:1637";
presharedKeyFile = "${vs.rtorrent}/presharedKey";
persistentKeepalive = 15;
}];
};
};
};
system.stateVersion = "22.05";
networking.firewall.allowedTCPPorts = [ config.services.rtorrent.port ];
networking.firewall.allowedUDPPorts = [ config.services.rtorrent.port ];
fileSystems."/mnt/storage" = {
device = "storage:/mnt/storage";
fsType = "nfs";
@ -22,32 +49,4 @@ in {
};
vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; };
networking.wg-quick.interfaces =
let
postUpScript = pkgs.writeScriptBin "post_up" ''
#!${pkgs.stdenv.shell}
${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
'';
in
{
wg0 = {
address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
mtu = 1320;
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
privateKeyFile = "${vs.rtorrent}/wireguardKey";
postUp = "${postUpScript}/bin/post_up || true";
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "europe3.vpn.airdns.org:1637";
presharedKeyFile = "${vs.rtorrent}/presharedKey";
persistentKeepalive = 15;
}
];
};
};
}
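Review bot: `postUp = "${postUpScript}/bin/post_up || true";` in the relocated `wg-quick.interfaces` block hides every failure of the two `ip route add` lines, and the script itself has no `set -e`, so if a route is not installed the 10.42.42.0/23 and 10.100.0.0/24 traffic would silently follow the `0.0.0.0/0` allowedIPs into the tunnel instead of the LAN gateway. The `|| true` is presumably there so that an already-present route does not abort bring-up; `ip route replace` gives that tolerance without masking other errors, i.e. `${pkgs.iproute2}/bin/ip route replace 10.42.42.0/23 via 192.168.0.1` and the same for `10.100.0.0/24`, after which `postUp = "${postUpScript}/bin/post_up";` can fail loudly. The firewall block opens `config.services.rtorrent.port` on TCP and UDP for all interfaces, wg0 included, which looks intended for peer connectivity but deserves a one-line comment. The first hunk ends inside `fileSystems."/mnt/storage"`, whose remainder is outside it.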