added docs
This commit is contained in:
parent
f61d27d774
commit
8a1538dde9
|
@ -1,14 +1,12 @@
|
|||
# 0x76's Infrastructure [![NixOS](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml/badge.svg)](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml)
|
||||
This repository contains my IaC and GitOps code.
|
||||
This repository contains my fleet of VMs, Containers and Bare Metal machines.
|
||||
|
||||
## Directory Structure
|
||||
`flake.nix` is a NixOS flake which is the entrypoint for my NixOS config, it also contains a 'DevShell' containing all the tools needed
|
||||
to deploy the infrastructure, this can be accessed running `nix develop`.
|
||||
* **flux**: Kubernetes manifests as managed by [Flux]
|
||||
* **nixos**: Nix configurations for my NixOS LXCs and VMs, deployed using [colmena].
|
||||
* **terraform**: Terraform config for deploying said VMs and Containers onto Proxmox, using [terraform-provider-proxmox]
|
||||
|
||||
|
||||
[Flux]: https://github.com/fluxcd/flux2
|
||||
[deploy-rs]: https://colmena.cli.rs/unstable/
|
||||
[terraform-provider-proxmox]: https://github.com/Telmate/terraform-provider-proxmox
|
||||
|
|
12
flake.lock
12
flake.lock
|
@ -400,11 +400,11 @@
|
|||
"wlroots": "wlroots"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1664050038,
|
||||
"narHash": "sha256-Q+dLA0bPW0RqYs9ONiu5/KalJYVjoFX2kG6p9G/hzDc=",
|
||||
"lastModified": 1664130744,
|
||||
"narHash": "sha256-zM+4pgzsYKS0EuQ3i0Epaq6Gb9xLo4wzxK/WZAw+lpM=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "Hyprland",
|
||||
"rev": "fad5fc587d4281a5d399e61dc1243bc333d94d4d",
|
||||
"rev": "f70b57f360f8117ecca67d6d7f75c1f87b098794",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -637,11 +637,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1664101652,
|
||||
"narHash": "sha256-cgr3fHJxF59yz3zVMsQYf4PuGEnDOAOIPUltsMFNRWE=",
|
||||
"lastModified": 1664138822,
|
||||
"narHash": "sha256-5iwjo+UlQrT984yS+fz4f/JmpSZzJQnj99e7FhRCunk=",
|
||||
"owner": "NULLx76",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e64f013182bc9003121a03de0a0af30cf3ffe762",
|
||||
"rev": "6c63bf7a0a683985316bf415676ceb4a3a4edac4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
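--- a/nixos/hosts/README.md
+++ b/nixos/hosts/README.md
@@ -0,0 +1,2 @@
+# NixOS Hosts
+Each folder here is a seperate geographical location, with `thalassa` being for roaming devices like laptops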
|
@ -32,18 +32,29 @@ let vs = config.vault-secrets.secrets; in
|
|||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "mail.0x76.dev";
|
||||
domains = [ "0x76.dev" ];
|
||||
domains = [ "0x76.dev" "meowy.tech" ];
|
||||
certificateScheme = 3;
|
||||
|
||||
loginAccounts = {
|
||||
"v@0x76.dev" = {
|
||||
hashedPasswordFile = "${vs.mailserver}/v@0x76.dev";
|
||||
aliases = [ "v@meowy.tech" "postmaster@0x76.dev" "postmaster@meowy.tech" ];
|
||||
};
|
||||
"keycloak@0x76.dev" = {
|
||||
hashedPasswordFile = "${vs.mailserver}/keycloak@0x76.dev";
|
||||
sendOnly = true;
|
||||
};
|
||||
"gitea@0x76.dev" = {
|
||||
hashedPasswordFile = "${vs.mailserver}/gitea@0x76.dev";
|
||||
sendOnly = true;
|
||||
};
|
||||
"matrix@meowy.tech" = {
|
||||
hashedPasswordFile = "${vs.mailserver}/matrix@meowy.tech";
|
||||
sendOnly = true;
|
||||
};
|
||||
"outline@0x76.dev" = {
|
||||
hashedPasswordFile = "${vs.mailserver}/outline@0x76.dev";
|
||||
sendOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -68,8 +79,8 @@ let vs = config.vault-secrets.secrets; in
|
|||
package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
|
||||
plugins = [
|
||||
"archive"
|
||||
"enigma"
|
||||
"markasjunk"
|
||||
# "enigma"
|
||||
# "markasjunk"
|
||||
"persistent_login"
|
||||
];
|
||||
# this is the url of the vhost, not necessarily the same as the fqdn of
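Review bot: In the first hunk the login account `"v@0x76.dev"` receives `"postmaster@0x76.dev"` and `"postmaster@meowy.tech"` as aliases, so abuse and bounce mail for both domains is delivered into a personal mailbox; that may be intended, but a one-line comment would stop the next reader from treating it as an oversight, e.g. `# postmaster@ for both domains intentionally lands in the personal mailbox`. The second hunk comments out `"enigma"` and `"markasjunk"` without saying why; `# "enigma" # disabled: <reason>` would make clear whether the plugins are broken or simply unwanted. The `mailserver` attribute set's closing brace is outside the first hunk.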
|
||||
|
|
|
@ -51,5 +51,14 @@ let vs = config.vault-secrets.secrets; in
|
|||
authUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/auth";
|
||||
clientSecretFile = "${vs.outline}/keycloakClientSecret";
|
||||
};
|
||||
smtp = rec {
|
||||
username = "outline@0x76.dev";
|
||||
fromEmail = username;
|
||||
replyEmail = username;
|
||||
secure = true;
|
||||
port = 465;
|
||||
host = "mail.0x76.dev";
|
||||
passwordFile = "${vs.outline}/mailPassword";
|
||||
};
|
||||
};
|
||||
}
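Review bot: `passwordFile = "${vs.outline}/mailPassword"` is the plaintext counterpart of the hashed password the mailserver reads for `outline@0x76.dev` from `${vs.mailserver}`; the two vault entries are independent, so rotating one side without the other silently breaks outbound mail with no hint in either config. Suggest a comment on the `smtp` block: `# plaintext of the hash stored at vs.mailserver/outline@0x76.dev — rotate both together`. The enclosing module body continues above the hunk.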
|
||||
|
|
|
@ -41,58 +41,56 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
services.matrix-synapse =
|
||||
let
|
||||
extraConfig = builtins.toFile "extraConfig.yaml" ''
|
||||
registration_requires_token: true
|
||||
'';
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
withJemalloc = true;
|
||||
services.matrix-synapse = {
|
||||
enable = true;
|
||||
withJemalloc = true;
|
||||
|
||||
extraConfigFiles = [
|
||||
"${vs.synapse}/macaroon_secret_key"
|
||||
"${vs.synapse}/registration_shared_secret"
|
||||
"${vs.synapse}/form_secret"
|
||||
"${vs.synapse}/turn_shared_secret"
|
||||
extraConfig
|
||||
];
|
||||
extraConfigFiles = [
|
||||
"${vs.synapse}/macaroon_secret_key"
|
||||
"${vs.synapse}/registration_shared_secret"
|
||||
"${vs.synapse}/form_secret"
|
||||
"${vs.synapse}/turn_shared_secret"
|
||||
"${vs.synapse}/email_password" # Also contains the rest of the email config
|
||||
];
|
||||
|
||||
settings =
|
||||
{
|
||||
server_name = "meowy.tech";
|
||||
enable_registration = true;
|
||||
public_baseurl = "https://chat.meowy.tech";
|
||||
enable_metrics = true;
|
||||
# max_upload_size = "100m";
|
||||
listeners = [
|
||||
{
|
||||
inherit port;
|
||||
bind_addresses = [ "0.0.0.0" ];
|
||||
type = "http";
|
||||
tls = false;
|
||||
x_forwarded = true;
|
||||
resources = [
|
||||
{
|
||||
names = [ "client" "federation" ];
|
||||
compress = true;
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
port = metricsPort;
|
||||
bind_addresses = [ "0.0.0.0" ];
|
||||
type = "metrics";
|
||||
tls = false;
|
||||
resources = [
|
||||
{
|
||||
names = [ "metrics" ];
|
||||
compress = false;
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
settings =
|
||||
{
|
||||
server_name = "meowy.tech";
|
||||
enable_registration = true;
|
||||
public_baseurl = "https://chat.meowy.tech";
|
||||
enable_metrics = true;
|
||||
max_upload_size = "100M";
|
||||
registration_requires_token = true;
|
||||
media_retention = {
|
||||
remote_media_lifetime = "90d";
|
||||
};
|
||||
};
|
||||
listeners = [
|
||||
{
|
||||
inherit port;
|
||||
bind_addresses = [ "0.0.0.0" ];
|
||||
type = "http";
|
||||
tls = false;
|
||||
x_forwarded = true;
|
||||
resources = [
|
||||
{
|
||||
names = [ "client" "federation" ];
|
||||
compress = true;
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
port = metricsPort;
|
||||
bind_addresses = [ "0.0.0.0" ];
|
||||
type = "metrics";
|
||||
tls = false;
|
||||
resources = [
|
||||
{
|
||||
names = [ "metrics" ];
|
||||
compress = false;
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
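Review bot: The secret file `"${vs.synapse}/email_password"` is annotated as also carrying the rest of the email config, which moves non-secret settings out of the reviewable Nix expression and into the vault; only the password needs to live there. Consider putting the non-secret keys under `settings.email = { ... };` in this file and keeping the secret file to the password alone, or, if the split is deliberate, expand the comment to list which keys the file sets so the effective Synapse config can be reasoned about from the repository. Moving `registration_requires_token` out of `builtins.toFile` into `settings` is an improvement the hunk already makes.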
|
||||
|
|
|
@ -1,2 +1,10 @@
|
|||
# null
|
||||
This folder contains the NixOS configuration for my laptop, with hostname `null`.
|
||||
This folder contains the NixOS configuration for my laptop, with hostname `null`.
|
||||
|
||||
## Information
|
||||
* OS: NixOS
|
||||
* WM: hyprland
|
||||
* Terminal: foot
|
||||
* Shell: zsh
|
||||
* Theme: Captuccin Pink Dark
|
||||
* Launcher: wofi
|
||||
|
|
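--- a/terraform/.gitignore
+++ b/terraform/.gitignore
@@ -1,33 +0,0 @@
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-#
-*.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc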
@ -1,41 +0,0 @@
|
|||
# This file is maintained automatically by "terraform init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/vault" {
|
||||
version = "3.8.0"
|
||||
constraints = "3.8.0"
|
||||
hashes = [
|
||||
"h1:7fwbqW8EpFSgGmp23JCn01OSzjp/bJA5jCXqaAMpfIs=",
|
||||
"h1:8lg4gIGn8DCwvJHAJEFfQNVzYOZO7f6y7o4hEvvGZXM=",
|
||||
"h1:AdhWQXOClR+vhEw086YTTfqGh2KrBwqZQQETTugQ2hA=",
|
||||
"h1:F+1vJ14D9nNx3sNrCbKxvpJZ+QnVmD1p/ITbYPlkRg4=",
|
||||
"h1:PpBRbK394epLJrYBANF5AsmqN3OPsDxk15NGS1Q2LIs=",
|
||||
"h1:T4UoPuJbAio9ZML6vpNV4bIe5Tp6f5UFGTRBtkEv/vM=",
|
||||
"h1:WL4JpK+LTxmTaNNXKprpHrMMzENYyQTBLal0fHVweE4=",
|
||||
"h1:eHd28140YcjNCU9HtdZ8M1Mdb17XroVUoI2UIyqo7hE=",
|
||||
"h1:luFm8DTlv6WPReGc3LDMCwt6LfBuHXJL4AV2ET4gNJQ=",
|
||||
"h1:vsEgjE+Rad+XqL1Xav3WJyw1+A4dxl30pWwX2+y4I9k=",
|
||||
"h1:yUcSQPjRUtow4vSEjM3a7ZhxAXXuehBXMQE4X2BKk3w=",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/telmate/proxmox" {
|
||||
version = "2.9.10"
|
||||
constraints = "2.9.10"
|
||||
hashes = [
|
||||
"h1:/5Yci1cg4jZL2aya/cG8evNOgHwonYuuC6p1O07FhTc=",
|
||||
"h1:/A5aHl/Ip3RkJ7abHIP33Hcf4kF2to3cA9PAp1f92Pk=",
|
||||
"h1:/yUt/okb+f5dPxfaOUdvGikZhphX85kqGxzhPWHKQu0=",
|
||||
"h1:87Zg9ZYrIh4Ed5KdsUPhGrXfeLQSZgU3OolWShQ2GXE=",
|
||||
"h1:Al8lODr0F0ERJcwDNLTGzy0k8EidSZ5F/SYU9AfwtFU=",
|
||||
"h1:VGqwHu3t75A4yup/Axvuh0X1mPTgh+TJn0ZGaObdne8=",
|
||||
"h1:e1ncMGe7uwGibNXnt0h/M1SbIZGRiSHVFLzmrzQulYQ=",
|
||||
"h1:mKgUaboSiulLR8RAHHr7w/VapyEKyQFzj8G+LjOjaLs=",
|
||||
"h1:nd095azyjqcSPMfzFereNWKMBrBlnN12IYfOVt3eMR4=",
|
||||
"h1:qkLV8lRnu69eYjBfaXeBRVCNqZnMdoLnsdxK3zEnacY=",
|
||||
"h1:skq+tLPQ7FF2olylHwmYYxsj/lIoGrbiNjpOjYBlfQI=",
|
||||
"h1:uOEAJ+AFin0XMlo0IcdKH5RVvTs1E8FCUPPnTWp+sbs=",
|
||||
"h1:xZ731FmD4jCWlS2ralf1BX1pu/NKnM8u8zpBeFOhvnk=",
|
||||
"h1:yPqHOIhTyxt8c1WVWB6Qv2TZfG2R5NCQdnLGKAQZox0=",
|
||||
]
|
||||
}
|
|
@ -1,73 +0,0 @@
|
|||
{
|
||||
"hosts": {
|
||||
"WoolooTV": {
|
||||
"mac": "74:40:be:48:85:a4"
|
||||
},
|
||||
"bastion": {
|
||||
"mac": "82:F0:7C:CB:BD:6D"
|
||||
},
|
||||
"consul": {
|
||||
"mac": "D6:DE:07:41:73:81"
|
||||
},
|
||||
"dhcp": {
|
||||
"mac": "3E:2D:E8:AA:E2:81"
|
||||
},
|
||||
"dns-1": {
|
||||
"mac": "5E:F6:36:23:16:E3"
|
||||
},
|
||||
"dns-2": {
|
||||
"mac": "B6:04:0B:CD:0F:9F"
|
||||
},
|
||||
"edgerouter": {
|
||||
"mac": "B4:FB:E4:53:9C:0A"
|
||||
},
|
||||
"eevee": {
|
||||
"mac": "34:97:f6:93:9A:AA"
|
||||
},
|
||||
"gitea": {
|
||||
"mac": "DE:5F:B0:83:6F:34"
|
||||
},
|
||||
"home-assistant": {
|
||||
"mac": "9E:60:78:ED:81:B4"
|
||||
},
|
||||
"k3s-node1": {
|
||||
"mac": "2E:F8:55:23:D9:9B"
|
||||
},
|
||||
"minecraft": {
|
||||
"mac": "EA:30:73:E4:B6:69"
|
||||
},
|
||||
"minio": {
|
||||
"mac": "0A:06:5E:E7:9A:0C"
|
||||
},
|
||||
"mosquitto": {
|
||||
"mac": "C6:F9:8B:3D:9E:37"
|
||||
},
|
||||
"nginx": {
|
||||
"mac": "6A:C2:89:85:CF:A6"
|
||||
},
|
||||
"nuc": {
|
||||
"mac": "1C:69:7A:62:30:88"
|
||||
},
|
||||
"plausible": {
|
||||
"mac": "82:34:70:FA:44:6F"
|
||||
},
|
||||
"unifi": {
|
||||
"mac": "1A:88:A0:B0:65:B4"
|
||||
},
|
||||
"unifi-ap": {
|
||||
"mac": "b4:fb:e4:f3:ff:1b"
|
||||
},
|
||||
"vault": {
|
||||
"mac": "16:2B:87:55:0C:0C"
|
||||
},
|
||||
"victoriametrics": {
|
||||
"mac": "9E:91:61:35:84:1F"
|
||||
},
|
||||
"wireguard": {
|
||||
"mac": "1E:ED:97:2C:C3:9D"
|
||||
},
|
||||
"zmeura": {
|
||||
"mac": "b8:27:eb:d5:e0:f5"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
terraform {
|
||||
backend "s3" {
|
||||
bucket = "terraform"
|
||||
key = "terraform.tfstate"
|
||||
region = "us-east-1"
|
||||
endpoint = "http://minio:9000"
|
||||
force_path_style = true
|
||||
skip_requesting_account_id = true
|
||||
skip_credentials_validation = true
|
||||
skip_get_ec2_platforms = true
|
||||
skip_metadata_api_check = true
|
||||
skip_region_validation = true
|
||||
}
|
||||
}
|
||||
|
||||
provider "proxmox" {
|
||||
pm_api_url = "https://10.42.42.42:8006/api2/json"
|
||||
pm_user = data.vault_generic_secret.proxmox_auth.data["user"]
|
||||
pm_password = data.vault_generic_secret.proxmox_auth.data["pass"]
|
||||
pm_tls_insecure = true
|
||||
}
|
||||
|
||||
provider "vault" {
|
||||
address = "http://vault:8200"
|
||||
skip_tls_verify = true
|
||||
}
|
||||
|
||||
# Proxmox authentication for terraform
|
||||
data "vault_generic_secret" "proxmox_auth" {
|
||||
path = "secrets/terraform/proxmox_credentials"
|
||||
}
|
||||
|
||||
# Imported from hosts.auto.tfvars.json
|
||||
variable "hosts" { }
|
|
@ -1,277 +0,0 @@
|
|||
# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/
|
||||
resource "proxmox_lxc" "nixos-template" {
|
||||
target_node = "nuc"
|
||||
description = "NixOS LXC Template"
|
||||
hostname = "nixos-template"
|
||||
ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz"
|
||||
ostype = "unmanaged"
|
||||
unprivileged = true
|
||||
vmid = 101
|
||||
template = true
|
||||
|
||||
memory = 1024
|
||||
|
||||
features {
|
||||
nesting = true
|
||||
}
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = "22:D7:C1:FF:9D:5F"
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "nixos-template-2" {
|
||||
target_node = "nuc"
|
||||
description = "NixOS LXC Template"
|
||||
hostname = "nixos-template"
|
||||
ostype = "unmanaged"
|
||||
unprivileged = true
|
||||
vmid = 108
|
||||
template = true
|
||||
cores = 1
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
features {
|
||||
nesting = true
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = "FA:71:3F:31:34:41"
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "vault" {
|
||||
target_node = "nuc"
|
||||
description = "Vault Secrets Management"
|
||||
hostname = "vault"
|
||||
unprivileged = false # needed for mlock
|
||||
vmid = 102
|
||||
clone = "101"
|
||||
onboot = true
|
||||
|
||||
memory = 1024
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.vault.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "mosquitto" {
|
||||
target_node = "nuc"
|
||||
description = "mosquitto mqtt broker"
|
||||
hostname = "mosquitto"
|
||||
vmid = 104
|
||||
clone = 101
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
|
||||
memory = 1024
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.mosquitto.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "nginx" {
|
||||
target_node = "nuc"
|
||||
hostname = "nginx"
|
||||
vmid = 106
|
||||
clone = 101
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.nginx.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "consul" {
|
||||
target_node = "nuc"
|
||||
description = "consul service mesh"
|
||||
hostname = "consul"
|
||||
vmid = 107
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.consul.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "dns-1" {
|
||||
target_node = "nuc"
|
||||
hostname = "dns"
|
||||
vmid = 109
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
startup = "order=1"
|
||||
cores = 1
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.dns-1.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "dns-2" {
|
||||
target_node = "nuc"
|
||||
hostname = "dns"
|
||||
vmid = 110
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
startup = "order=1"
|
||||
cores = 1
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.dns-2.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "minio" {
|
||||
target_node = "nuc"
|
||||
hostname = "minio"
|
||||
vmid = 111
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
cores = 1
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
ip = "dhcp"
|
||||
ip6 = "auto"
|
||||
hwaddr = var.hosts.minio.mac
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_lxc" "dhcp" {
|
||||
target_node = "nuc"
|
||||
hostname = "dhcp"
|
||||
vmid = 112
|
||||
unprivileged = true
|
||||
onboot = true
|
||||
cores = 1
|
||||
|
||||
memory = 512
|
||||
|
||||
rootfs {
|
||||
storage = "local-zfs"
|
||||
size = "8G"
|
||||
}
|
||||
|
||||
network {
|
||||
name = "eth0"
|
||||
bridge = "vmbr0"
|
||||
hwaddr = var.hosts.dhcp.mac
|
||||
}
|
||||
}
|
||||
|
||||
# resource "proxmox_lxc" "victoriametrics" {
|
||||
# target_node = "nuc"
|
||||
# hostname = "victoriametrics"
|
||||
# vmid = 113
|
||||
# clone = 108
|
||||
# unprivileged = true
|
||||
# onboot = true
|
||||
# cores = 1
|
||||
|
||||
# memory = 512
|
||||
|
||||
# rootfs {
|
||||
# storage = "local-zfs"
|
||||
# size = "25G"
|
||||
# }
|
||||
|
||||
# network {
|
||||
# name = "eth0"
|
||||
# bridge = "vmbr0"
|
||||
# hwaddr = var.hosts.victoriametrics.mac
|
||||
# }
|
||||
# }
|
|
@ -1,77 +0,0 @@
|
|||
resource "proxmox_vm_qemu" "bastion" {
|
||||
name = "bastion"
|
||||
vmid = 100
|
||||
target_node = "nuc"
|
||||
onboot = true
|
||||
tablet = false
|
||||
full_clone = false
|
||||
|
||||
memory = 4096
|
||||
cores = 4
|
||||
|
||||
agent = 1
|
||||
boot = "order=scsi0;ide2;net0"
|
||||
|
||||
disk {
|
||||
size = "64G"
|
||||
storage = "local-zfs"
|
||||
type = "scsi"
|
||||
ssd = 1
|
||||
}
|
||||
|
||||
network {
|
||||
model = "virtio"
|
||||
macaddr = var.hosts.bastion.mac
|
||||
bridge = "vmbr0"
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_vm_qemu" "k3s-node1" {
|
||||
name = "k3s-node1"
|
||||
target_node = "nuc"
|
||||
vmid = 103
|
||||
clone = "bastion"
|
||||
tablet = false
|
||||
onboot = true
|
||||
|
||||
memory = 8192
|
||||
cores = 4
|
||||
|
||||
agent = 1
|
||||
boot = "order=scsi0;ide2;net0"
|
||||
|
||||
network {
|
||||
model = "virtio"
|
||||
macaddr = var.hosts.k3s-node1.mac
|
||||
bridge = "vmbr0"
|
||||
}
|
||||
|
||||
disk {
|
||||
type = "scsi"
|
||||
storage = "local-zfs"
|
||||
size = "64G"
|
||||
ssd = 1
|
||||
}
|
||||
}
|
||||
|
||||
resource "proxmox_vm_qemu" "home-assistant" {
|
||||
name = "home-assistant"
|
||||
vmid = 105
|
||||
target_node = "nuc"
|
||||
onboot = true
|
||||
tablet = false
|
||||
full_clone = false
|
||||
bios = "ovmf"
|
||||
|
||||
memory = 2048
|
||||
cores = 4
|
||||
|
||||
agent = 1
|
||||
boot = "order=sata0"
|
||||
|
||||
network {
|
||||
model = "virtio"
|
||||
macaddr = var.hosts.home-assistant.mac
|
||||
bridge = "vmbr0"
|
||||
}
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
terraform {
|
||||
required_providers {
|
||||
proxmox = {
|
||||
source = "telmate/proxmox"
|
||||
version = "2.9.10"
|
||||
}
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "3.8.0"
|
||||
}
|
||||
}
|
||||
}
|
49
util.nix
49
util.nix
|
@ -2,32 +2,43 @@
|
|||
let
|
||||
inherit (nixpkgs) lib;
|
||||
inherit (builtins) filter mapAttrs attrValues concatLists;
|
||||
import_cases = {
|
||||
"lxc" = [
|
||||
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
||||
./nixos/common/generic-lxc.nix
|
||||
];
|
||||
"vm" = [
|
||||
./nixos/common/generic-vm.nix
|
||||
];
|
||||
"local" = [
|
||||
home-manager.nixosModules.home-manager
|
||||
hyprland.nixosModules.default
|
||||
];
|
||||
};
|
||||
resolve_imports = { hostname, realm, profile ? hostname, type ? "lxc", ... }: [
|
||||
mailserver.nixosModules.mailserver
|
||||
./nixos/common
|
||||
"${./.}/nixos/hosts/${realm}/${profile}/configuration.nix"
|
||||
] ++ import_cases.${type};
|
||||
|
||||
# Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)
|
||||
resolve_imports =
|
||||
let
|
||||
# lookup table
|
||||
import_cases = {
|
||||
"lxc" = [
|
||||
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
||||
./nixos/common/generic-lxc.nix
|
||||
];
|
||||
"vm" = [
|
||||
./nixos/common/generic-vm.nix
|
||||
];
|
||||
"local" = [
|
||||
home-manager.nixosModules.home-manager
|
||||
hyprland.nixosModules.default
|
||||
];
|
||||
};
|
||||
in
|
||||
{ hostname, realm, profile ? hostname, type ? "lxc", ... }: [
|
||||
mailserver.nixosModules.mailserver
|
||||
./nixos/common
|
||||
"${./.}/nixos/hosts/${realm}/${profile}/configuration.nix"
|
||||
] ++ import_cases.${type};
|
||||
in
|
||||
rec {
|
||||
{
|
||||
# Add to whatever realm a host belong to its list of tags
|
||||
add_realm_to_tags = realm: hosts: map ({ tags ? [ ], ... }@host: host // { tags = [ realm ] ++ tags; inherit realm; }) hosts;
|
||||
# Flatten all hosts to a single list
|
||||
flatten_hosts = hosts: concatLists (attrValues hosts);
|
||||
# Filter out all hosts which aren't nixos
|
||||
filter_nix_hosts = hosts: filter ({ nix ? true, ... }: nix) hosts;
|
||||
|
||||
# Helper function to build a colmena host definition
|
||||
mkColmenaHost = { ip ? null, hostname, tags, realm, type ? "lxc", ... }@host:
|
||||
let
|
||||
# this makes local apply work a bit nicer
|
||||
name = if realm == "thalassa" then hostname else "${hostname}.${realm}";
|
||||
in
|
||||
{
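Review bot: Replacing `rec {` with `{` on the returned attribute set is only safe if none of its attributes refers to a sibling by bare name; `mkColmenaHost`'s body continues past the end of the hunk, so confirm it does not reference `flatten_hosts`, `filter_nix_hosts` or `add_realm_to_tags`, since without `rec` such a reference becomes an undefined-variable error at evaluation. `import_cases.${type}` also has no fallback, so a typo in a host's `type` surfaces as a bare attribute-missing error; `] ++ (import_cases.${type} or (throw "unknown host type: ${type}"));` would name the culprit.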
|
||||
|
|