added docs

This commit is contained in:
Vivian 2022-09-25 23:49:26 +02:00
parent f61d27d774
commit 8a1538dde9
15 changed files with 120 additions and 630 deletions


@ -1,14 +1,12 @@
# 0x76's Infrastructure [![NixOS](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml/badge.svg)](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml)
This repository contains my IaC and GitOps code.
This repository contains my fleet of VMs, Containers and Bare Metal machines.
## Directory Structure
`flake.nix` is a NixOS flake which is the entrypoint for my NixOS config, it also contains a 'DevShell' containing all the tools needed
to deploy the infrastructure, this can be accessed running `nix develop`.
* **flux**: Kubernetes manifests as managed by [Flux]
* **nixos**: Nix configurations for my NixOS LXCs and VMs, deployed using [colmena].
* **terraform**: Terraform config for deploying said VMs and Containers onto Proxmox, using [terraform-provider-proxmox]
[Flux]: https://github.com/fluxcd/flux2
[deploy-rs]: https://colmena.cli.rs/unstable/
[terraform-provider-proxmox]: https://github.com/Telmate/terraform-provider-proxmox


@ -400,11 +400,11 @@
"wlroots": "wlroots"
},
"locked": {
"lastModified": 1664050038,
"narHash": "sha256-Q+dLA0bPW0RqYs9ONiu5/KalJYVjoFX2kG6p9G/hzDc=",
"lastModified": 1664130744,
"narHash": "sha256-zM+4pgzsYKS0EuQ3i0Epaq6Gb9xLo4wzxK/WZAw+lpM=",
"owner": "hyprwm",
"repo": "Hyprland",
"rev": "fad5fc587d4281a5d399e61dc1243bc333d94d4d",
"rev": "f70b57f360f8117ecca67d6d7f75c1f87b098794",
"type": "github"
},
"original": {
@ -637,11 +637,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1664101652,
"narHash": "sha256-cgr3fHJxF59yz3zVMsQYf4PuGEnDOAOIPUltsMFNRWE=",
"lastModified": 1664138822,
"narHash": "sha256-5iwjo+UlQrT984yS+fz4f/JmpSZzJQnj99e7FhRCunk=",
"owner": "NULLx76",
"repo": "nixpkgs",
"rev": "e64f013182bc9003121a03de0a0af30cf3ffe762",
"rev": "6c63bf7a0a683985316bf415676ceb4a3a4edac4",
"type": "github"
},
"original": {

2
nixos/hosts/README.md Normal file

@ -0,0 +1,2 @@
# NixOS Hosts
Each folder here is a seperate geographical location, with `thalassa` being for roaming devices like laptops


@ -32,18 +32,29 @@ let vs = config.vault-secrets.secrets; in
mailserver = {
enable = true;
fqdn = "mail.0x76.dev";
domains = [ "0x76.dev" ];
domains = [ "0x76.dev" "meowy.tech" ];
certificateScheme = 3;
loginAccounts = {
"v@0x76.dev" = {
hashedPasswordFile = "${vs.mailserver}/v@0x76.dev";
aliases = [ "v@meowy.tech" "postmaster@0x76.dev" "postmaster@meowy.tech" ];
};
"keycloak@0x76.dev" = {
hashedPasswordFile = "${vs.mailserver}/keycloak@0x76.dev";
sendOnly = true;
};
"gitea@0x76.dev" = {
hashedPasswordFile = "${vs.mailserver}/gitea@0x76.dev";
sendOnly = true;
};
"matrix@meowy.tech" = {
hashedPasswordFile = "${vs.mailserver}/matrix@meowy.tech";
sendOnly = true;
};
"outline@0x76.dev" = {
hashedPasswordFile = "${vs.mailserver}/outline@0x76.dev";
sendOnly = true;
};
};
@ -68,8 +79,8 @@ let vs = config.vault-secrets.secrets; in
package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
plugins = [
"archive"
"enigma"
"markasjunk"
# "enigma"
# "markasjunk"
"persistent_login"
];
# this is the url of the vhost, not necessarily the same as the fqdn of
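Review bot: The two plugins commented out in the roundcube `plugins` list (`# "enigma"`, `# "markasjunk"`) carry no reason, so a later reader cannot tell whether they broke, are unwanted, or are only temporarily off; either add a trailing reason, e.g. `# "enigma" # disabled: <reason>`, or delete the lines outright since git history keeps them. In the first hunk the new `sendOnly = true` accounts are the right shape for service notification senders, but nothing records that each `hashedPasswordFile` under `${vs.mailserver}` has a plaintext counterpart in the consuming service's own secret path (the outline module added in this same commit reads `${vs.outline}/mailPassword`); a one-line comment on the `loginAccounts` block naming that pairing would make secret rotation less error-prone. The enclosing `mailserver` attribute set continues past the end of the second hunk.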


@ -51,5 +51,14 @@ let vs = config.vault-secrets.secrets; in
authUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/auth";
clientSecretFile = "${vs.outline}/keycloakClientSecret";
};
smtp = rec {
username = "outline@0x76.dev";
fromEmail = username;
replyEmail = username;
secure = true;
port = 465;
host = "mail.0x76.dev";
passwordFile = "${vs.outline}/mailPassword";
};
};
}
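Review bot: The new `smtp` block reads `passwordFile = "${vs.outline}/mailPassword";` but does not say that this must be the plaintext of the hash stored as `${vs.mailserver}/outline@0x76.dev` in the mailserver module, which is the `sendOnly` account this commit also adds; a comment next to `passwordFile` such as `# plaintext of the hash in the mailserver's outline@0x76.dev account` would save the next person a round trip through Vault. `secure = true` with `port = 465` is the implicit-TLS combination, which is consistent with the mailserver side, though whether the client verifies the certificate for `host = "mail.0x76.dev"` rather than only encrypting cannot be told from these lines and is worth confirming. The enclosing `services.outline` settings block starts before this hunk.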


@ -41,58 +41,56 @@ in
'';
};
services.matrix-synapse =
let
extraConfig = builtins.toFile "extraConfig.yaml" ''
registration_requires_token: true
'';
in
{
enable = true;
withJemalloc = true;
services.matrix-synapse = {
enable = true;
withJemalloc = true;
extraConfigFiles = [
"${vs.synapse}/macaroon_secret_key"
"${vs.synapse}/registration_shared_secret"
"${vs.synapse}/form_secret"
"${vs.synapse}/turn_shared_secret"
extraConfig
];
extraConfigFiles = [
"${vs.synapse}/macaroon_secret_key"
"${vs.synapse}/registration_shared_secret"
"${vs.synapse}/form_secret"
"${vs.synapse}/turn_shared_secret"
"${vs.synapse}/email_password" # Also contains the rest of the email config
];
settings =
{
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
# max_upload_size = "100m";
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [
{
names = [ "metrics" ];
compress = false;
}
];
}
];
settings =
{
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
max_upload_size = "100M";
registration_requires_token = true;
media_retention = {
remote_media_lifetime = "90d";
};
};
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [
{
names = [ "metrics" ];
compress = false;
}
];
}
];
};
};
}
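Review bot: The new `"${vs.synapse}/email_password"` entry in `extraConfigFiles` is annotated `# Also contains the rest of the email config`, which means the non-secret SMTP settings (host, port, sender address, notification options) now live in a Vault-managed file that is outside version control and outside review. Only the password needs to be secret; the rest would be better expressed under `settings.email` in this file, with the secret file reduced to that single key, so the effective configuration stays visible in the repo and the comment becomes unnecessary. The `services.matrix-synapse` block itself is fully inside the hunk, but the surrounding attribute set begins before it.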


@ -1,2 +1,10 @@
# null
This folder contains the NixOS configuration for my laptop, with hostname `null`.
This folder contains the NixOS configuration for my laptop, with hostname `null`.
## Information
* OS: NixOS
* WM: hyprland
* Terminal: foot
* Shell: zsh
* Theme: Captuccin Pink Dark
* Launcher: wofi

33
terraform/.gitignore vendored

@ -1,33 +0,0 @@
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
# Exclude all .tfvars files, which are likely to contain sentitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
#
*.tfvars
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc


@ -1,41 +0,0 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/vault" {
version = "3.8.0"
constraints = "3.8.0"
hashes = [
"h1:7fwbqW8EpFSgGmp23JCn01OSzjp/bJA5jCXqaAMpfIs=",
"h1:8lg4gIGn8DCwvJHAJEFfQNVzYOZO7f6y7o4hEvvGZXM=",
"h1:AdhWQXOClR+vhEw086YTTfqGh2KrBwqZQQETTugQ2hA=",
"h1:F+1vJ14D9nNx3sNrCbKxvpJZ+QnVmD1p/ITbYPlkRg4=",
"h1:PpBRbK394epLJrYBANF5AsmqN3OPsDxk15NGS1Q2LIs=",
"h1:T4UoPuJbAio9ZML6vpNV4bIe5Tp6f5UFGTRBtkEv/vM=",
"h1:WL4JpK+LTxmTaNNXKprpHrMMzENYyQTBLal0fHVweE4=",
"h1:eHd28140YcjNCU9HtdZ8M1Mdb17XroVUoI2UIyqo7hE=",
"h1:luFm8DTlv6WPReGc3LDMCwt6LfBuHXJL4AV2ET4gNJQ=",
"h1:vsEgjE+Rad+XqL1Xav3WJyw1+A4dxl30pWwX2+y4I9k=",
"h1:yUcSQPjRUtow4vSEjM3a7ZhxAXXuehBXMQE4X2BKk3w=",
]
}
provider "registry.terraform.io/telmate/proxmox" {
version = "2.9.10"
constraints = "2.9.10"
hashes = [
"h1:/5Yci1cg4jZL2aya/cG8evNOgHwonYuuC6p1O07FhTc=",
"h1:/A5aHl/Ip3RkJ7abHIP33Hcf4kF2to3cA9PAp1f92Pk=",
"h1:/yUt/okb+f5dPxfaOUdvGikZhphX85kqGxzhPWHKQu0=",
"h1:87Zg9ZYrIh4Ed5KdsUPhGrXfeLQSZgU3OolWShQ2GXE=",
"h1:Al8lODr0F0ERJcwDNLTGzy0k8EidSZ5F/SYU9AfwtFU=",
"h1:VGqwHu3t75A4yup/Axvuh0X1mPTgh+TJn0ZGaObdne8=",
"h1:e1ncMGe7uwGibNXnt0h/M1SbIZGRiSHVFLzmrzQulYQ=",
"h1:mKgUaboSiulLR8RAHHr7w/VapyEKyQFzj8G+LjOjaLs=",
"h1:nd095azyjqcSPMfzFereNWKMBrBlnN12IYfOVt3eMR4=",
"h1:qkLV8lRnu69eYjBfaXeBRVCNqZnMdoLnsdxK3zEnacY=",
"h1:skq+tLPQ7FF2olylHwmYYxsj/lIoGrbiNjpOjYBlfQI=",
"h1:uOEAJ+AFin0XMlo0IcdKH5RVvTs1E8FCUPPnTWp+sbs=",
"h1:xZ731FmD4jCWlS2ralf1BX1pu/NKnM8u8zpBeFOhvnk=",
"h1:yPqHOIhTyxt8c1WVWB6Qv2TZfG2R5NCQdnLGKAQZox0=",
]
}


@ -1,73 +0,0 @@
{
"hosts": {
"WoolooTV": {
"mac": "74:40:be:48:85:a4"
},
"bastion": {
"mac": "82:F0:7C:CB:BD:6D"
},
"consul": {
"mac": "D6:DE:07:41:73:81"
},
"dhcp": {
"mac": "3E:2D:E8:AA:E2:81"
},
"dns-1": {
"mac": "5E:F6:36:23:16:E3"
},
"dns-2": {
"mac": "B6:04:0B:CD:0F:9F"
},
"edgerouter": {
"mac": "B4:FB:E4:53:9C:0A"
},
"eevee": {
"mac": "34:97:f6:93:9A:AA"
},
"gitea": {
"mac": "DE:5F:B0:83:6F:34"
},
"home-assistant": {
"mac": "9E:60:78:ED:81:B4"
},
"k3s-node1": {
"mac": "2E:F8:55:23:D9:9B"
},
"minecraft": {
"mac": "EA:30:73:E4:B6:69"
},
"minio": {
"mac": "0A:06:5E:E7:9A:0C"
},
"mosquitto": {
"mac": "C6:F9:8B:3D:9E:37"
},
"nginx": {
"mac": "6A:C2:89:85:CF:A6"
},
"nuc": {
"mac": "1C:69:7A:62:30:88"
},
"plausible": {
"mac": "82:34:70:FA:44:6F"
},
"unifi": {
"mac": "1A:88:A0:B0:65:B4"
},
"unifi-ap": {
"mac": "b4:fb:e4:f3:ff:1b"
},
"vault": {
"mac": "16:2B:87:55:0C:0C"
},
"victoriametrics": {
"mac": "9E:91:61:35:84:1F"
},
"wireguard": {
"mac": "1E:ED:97:2C:C3:9D"
},
"zmeura": {
"mac": "b8:27:eb:d5:e0:f5"
}
}
}


@ -1,34 +0,0 @@
terraform {
backend "s3" {
bucket = "terraform"
key = "terraform.tfstate"
region = "us-east-1"
endpoint = "http://minio:9000"
force_path_style = true
skip_requesting_account_id = true
skip_credentials_validation = true
skip_get_ec2_platforms = true
skip_metadata_api_check = true
skip_region_validation = true
}
}
provider "proxmox" {
pm_api_url = "https://10.42.42.42:8006/api2/json"
pm_user = data.vault_generic_secret.proxmox_auth.data["user"]
pm_password = data.vault_generic_secret.proxmox_auth.data["pass"]
pm_tls_insecure = true
}
provider "vault" {
address = "http://vault:8200"
skip_tls_verify = true
}
# Proxmox authentication for terraform
data "vault_generic_secret" "proxmox_auth" {
path = "secrets/terraform/proxmox_credentials"
}
# Imported from hosts.auto.tfvars.json
variable "hosts" { }


@ -1,277 +0,0 @@
# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/
resource "proxmox_lxc" "nixos-template" {
target_node = "nuc"
description = "NixOS LXC Template"
hostname = "nixos-template"
ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz"
ostype = "unmanaged"
unprivileged = true
vmid = 101
template = true
memory = 1024
features {
nesting = true
}
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "22:D7:C1:FF:9D:5F"
}
}
resource "proxmox_lxc" "nixos-template-2" {
target_node = "nuc"
description = "NixOS LXC Template"
hostname = "nixos-template"
ostype = "unmanaged"
unprivileged = true
vmid = 108
template = true
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
features {
nesting = true
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = "FA:71:3F:31:34:41"
}
}
resource "proxmox_lxc" "vault" {
target_node = "nuc"
description = "Vault Secrets Management"
hostname = "vault"
unprivileged = false # needed for mlock
vmid = 102
clone = "101"
onboot = true
memory = 1024
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.vault.mac
}
}
resource "proxmox_lxc" "mosquitto" {
target_node = "nuc"
description = "mosquitto mqtt broker"
hostname = "mosquitto"
vmid = 104
clone = 101
unprivileged = true
onboot = true
memory = 1024
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.mosquitto.mac
}
}
resource "proxmox_lxc" "nginx" {
target_node = "nuc"
hostname = "nginx"
vmid = 106
clone = 101
unprivileged = true
onboot = true
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.nginx.mac
}
}
resource "proxmox_lxc" "consul" {
target_node = "nuc"
description = "consul service mesh"
hostname = "consul"
vmid = 107
unprivileged = true
onboot = true
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.consul.mac
}
}
resource "proxmox_lxc" "dns-1" {
target_node = "nuc"
hostname = "dns"
vmid = 109
unprivileged = true
onboot = true
startup = "order=1"
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.dns-1.mac
}
}
resource "proxmox_lxc" "dns-2" {
target_node = "nuc"
hostname = "dns"
vmid = 110
unprivileged = true
onboot = true
startup = "order=1"
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.dns-2.mac
}
}
resource "proxmox_lxc" "minio" {
target_node = "nuc"
hostname = "minio"
vmid = 111
unprivileged = true
onboot = true
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
ip = "dhcp"
ip6 = "auto"
hwaddr = var.hosts.minio.mac
}
}
resource "proxmox_lxc" "dhcp" {
target_node = "nuc"
hostname = "dhcp"
vmid = 112
unprivileged = true
onboot = true
cores = 1
memory = 512
rootfs {
storage = "local-zfs"
size = "8G"
}
network {
name = "eth0"
bridge = "vmbr0"
hwaddr = var.hosts.dhcp.mac
}
}
# resource "proxmox_lxc" "victoriametrics" {
# target_node = "nuc"
# hostname = "victoriametrics"
# vmid = 113
# clone = 108
# unprivileged = true
# onboot = true
# cores = 1
# memory = 512
# rootfs {
# storage = "local-zfs"
# size = "25G"
# }
# network {
# name = "eth0"
# bridge = "vmbr0"
# hwaddr = var.hosts.victoriametrics.mac
# }
# }


@ -1,77 +0,0 @@
resource "proxmox_vm_qemu" "bastion" {
name = "bastion"
vmid = 100
target_node = "nuc"
onboot = true
tablet = false
full_clone = false
memory = 4096
cores = 4
agent = 1
boot = "order=scsi0;ide2;net0"
disk {
size = "64G"
storage = "local-zfs"
type = "scsi"
ssd = 1
}
network {
model = "virtio"
macaddr = var.hosts.bastion.mac
bridge = "vmbr0"
}
}
resource "proxmox_vm_qemu" "k3s-node1" {
name = "k3s-node1"
target_node = "nuc"
vmid = 103
clone = "bastion"
tablet = false
onboot = true
memory = 8192
cores = 4
agent = 1
boot = "order=scsi0;ide2;net0"
network {
model = "virtio"
macaddr = var.hosts.k3s-node1.mac
bridge = "vmbr0"
}
disk {
type = "scsi"
storage = "local-zfs"
size = "64G"
ssd = 1
}
}
resource "proxmox_vm_qemu" "home-assistant" {
name = "home-assistant"
vmid = 105
target_node = "nuc"
onboot = true
tablet = false
full_clone = false
bios = "ovmf"
memory = 2048
cores = 4
agent = 1
boot = "order=sata0"
network {
model = "virtio"
macaddr = var.hosts.home-assistant.mac
bridge = "vmbr0"
}
}


@ -1,12 +0,0 @@
terraform {
required_providers {
proxmox = {
source = "telmate/proxmox"
version = "2.9.10"
}
vault = {
source = "hashicorp/vault"
version = "3.8.0"
}
}
}


@ -2,32 +2,43 @@
let
inherit (nixpkgs) lib;
inherit (builtins) filter mapAttrs attrValues concatLists;
import_cases = {
"lxc" = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
./nixos/common/generic-lxc.nix
];
"vm" = [
./nixos/common/generic-vm.nix
];
"local" = [
home-manager.nixosModules.home-manager
hyprland.nixosModules.default
];
};
resolve_imports = { hostname, realm, profile ? hostname, type ? "lxc", ... }: [
mailserver.nixosModules.mailserver
./nixos/common
"${./.}/nixos/hosts/${realm}/${profile}/configuration.nix"
] ++ import_cases.${type};
# Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)
resolve_imports =
let
# lookup table
import_cases = {
"lxc" = [
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
./nixos/common/generic-lxc.nix
];
"vm" = [
./nixos/common/generic-vm.nix
];
"local" = [
home-manager.nixosModules.home-manager
hyprland.nixosModules.default
];
};
in
{ hostname, realm, profile ? hostname, type ? "lxc", ... }: [
mailserver.nixosModules.mailserver
./nixos/common
"${./.}/nixos/hosts/${realm}/${profile}/configuration.nix"
] ++ import_cases.${type};
in
rec {
{
# Add to whatever realm a host belong to its list of tags
add_realm_to_tags = realm: hosts: map ({ tags ? [ ], ... }@host: host // { tags = [ realm ] ++ tags; inherit realm; }) hosts;
# Flatten all hosts to a single list
flatten_hosts = hosts: concatLists (attrValues hosts);
# Filter out all hosts which aren't nixos
filter_nix_hosts = hosts: filter ({ nix ? true, ... }: nix) hosts;
# Helper function to build a colmena host definition
mkColmenaHost = { ip ? null, hostname, tags, realm, type ? "lxc", ... }@host:
let
# this makes local apply work a bit nicer
name = if realm == "thalassa" then hostname else "${hostname}.${realm}";
in
{