added docs
This commit is contained in:
parent
f61d27d774
commit
8a1538dde9
|
@ -1,14 +1,12 @@
|
||||||
# 0x76's Infrastructure [![NixOS](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml/badge.svg)](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml)
|
# 0x76's Infrastructure [![NixOS](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml/badge.svg)](https://github.com/NULLx76/infrastructure/actions/workflows/nixos.yml)
|
||||||
This repository contains my IaC and GitOps code.
|
This repository contains my fleet of VMs, Containers and Bare Metal machines.
|
||||||
|
|
||||||
## Directory Structure
|
## Directory Structure
|
||||||
`flake.nix` is a NixOS flake which is the entrypoint for my NixOS config, it also contains a 'DevShell' containing all the tools needed
|
`flake.nix` is a NixOS flake which is the entrypoint for my NixOS config, it also contains a 'DevShell' containing all the tools needed
|
||||||
to deploy the infrastructure, this can be accessed running `nix develop`.
|
to deploy the infrastructure, this can be accessed running `nix develop`.
|
||||||
* **flux**: Kubernetes manifests as managed by [Flux]
|
* **flux**: Kubernetes manifests as managed by [Flux]
|
||||||
* **nixos**: Nix configurations for my NixOS LXCs and VMs, deployed using [colmena].
|
* **nixos**: Nix configurations for my NixOS LXCs and VMs, deployed using [colmena].
|
||||||
* **terraform**: Terraform config for deploying said VMs and Containers onto Proxmox, using [terraform-provider-proxmox]
|
|
||||||
|
|
||||||
|
|
||||||
[Flux]: https://github.com/fluxcd/flux2
|
[Flux]: https://github.com/fluxcd/flux2
|
||||||
[deploy-rs]: https://colmena.cli.rs/unstable/
|
[deploy-rs]: https://colmena.cli.rs/unstable/
|
||||||
[terraform-provider-proxmox]: https://github.com/Telmate/terraform-provider-proxmox
|
|
||||||
|
|
12
flake.lock
12
flake.lock
|
@ -400,11 +400,11 @@
|
||||||
"wlroots": "wlroots"
|
"wlroots": "wlroots"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1664050038,
|
"lastModified": 1664130744,
|
||||||
"narHash": "sha256-Q+dLA0bPW0RqYs9ONiu5/KalJYVjoFX2kG6p9G/hzDc=",
|
"narHash": "sha256-zM+4pgzsYKS0EuQ3i0Epaq6Gb9xLo4wzxK/WZAw+lpM=",
|
||||||
"owner": "hyprwm",
|
"owner": "hyprwm",
|
||||||
"repo": "Hyprland",
|
"repo": "Hyprland",
|
||||||
"rev": "fad5fc587d4281a5d399e61dc1243bc333d94d4d",
|
"rev": "f70b57f360f8117ecca67d6d7f75c1f87b098794",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -637,11 +637,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1664101652,
|
"lastModified": 1664138822,
|
||||||
"narHash": "sha256-cgr3fHJxF59yz3zVMsQYf4PuGEnDOAOIPUltsMFNRWE=",
|
"narHash": "sha256-5iwjo+UlQrT984yS+fz4f/JmpSZzJQnj99e7FhRCunk=",
|
||||||
"owner": "NULLx76",
|
"owner": "NULLx76",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e64f013182bc9003121a03de0a0af30cf3ffe762",
|
"rev": "6c63bf7a0a683985316bf415676ceb4a3a4edac4",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
2
nixos/hosts/README.md
Normal file
2
nixos/hosts/README.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
# NixOS Hosts
|
||||||
|
Each folder here is a seperate geographical location, with `thalassa` being for roaming devices like laptops
|
|
@ -32,18 +32,29 @@ let vs = config.vault-secrets.secrets; in
|
||||||
mailserver = {
|
mailserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "mail.0x76.dev";
|
fqdn = "mail.0x76.dev";
|
||||||
domains = [ "0x76.dev" ];
|
domains = [ "0x76.dev" "meowy.tech" ];
|
||||||
certificateScheme = 3;
|
certificateScheme = 3;
|
||||||
|
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"v@0x76.dev" = {
|
"v@0x76.dev" = {
|
||||||
hashedPasswordFile = "${vs.mailserver}/v@0x76.dev";
|
hashedPasswordFile = "${vs.mailserver}/v@0x76.dev";
|
||||||
|
aliases = [ "v@meowy.tech" "postmaster@0x76.dev" "postmaster@meowy.tech" ];
|
||||||
};
|
};
|
||||||
"keycloak@0x76.dev" = {
|
"keycloak@0x76.dev" = {
|
||||||
hashedPasswordFile = "${vs.mailserver}/keycloak@0x76.dev";
|
hashedPasswordFile = "${vs.mailserver}/keycloak@0x76.dev";
|
||||||
|
sendOnly = true;
|
||||||
};
|
};
|
||||||
"gitea@0x76.dev" = {
|
"gitea@0x76.dev" = {
|
||||||
hashedPasswordFile = "${vs.mailserver}/gitea@0x76.dev";
|
hashedPasswordFile = "${vs.mailserver}/gitea@0x76.dev";
|
||||||
|
sendOnly = true;
|
||||||
|
};
|
||||||
|
"matrix@meowy.tech" = {
|
||||||
|
hashedPasswordFile = "${vs.mailserver}/matrix@meowy.tech";
|
||||||
|
sendOnly = true;
|
||||||
|
};
|
||||||
|
"outline@0x76.dev" = {
|
||||||
|
hashedPasswordFile = "${vs.mailserver}/outline@0x76.dev";
|
||||||
|
sendOnly = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -68,8 +79,8 @@ let vs = config.vault-secrets.secrets; in
|
||||||
package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
|
package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
|
||||||
plugins = [
|
plugins = [
|
||||||
"archive"
|
"archive"
|
||||||
"enigma"
|
# "enigma"
|
||||||
"markasjunk"
|
# "markasjunk"
|
||||||
"persistent_login"
|
"persistent_login"
|
||||||
];
|
];
|
||||||
# this is the url of the vhost, not necessarily the same as the fqdn of
|
# this is the url of the vhost, not necessarily the same as the fqdn of
|
||||||
|
|
|
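Review bot: The roundcube plugin list in the second hunk comments out `"enigma"` and `"markasjunk"` without saying why; enigma is, as far as I know, Roundcube's PGP plugin, so disabling it quietly removes mail encryption from the webmail UI and a later reader cannot tell whether that was deliberate or a temporary workaround. A one-line reason above the two lines would settle it, e.g. `# enigma/markasjunk disabled: <reason> — re-enable once <condition>` with the placeholders filled in. In the loginAccounts hunk the new `"matrix@meowy.tech"` and `"outline@0x76.dev"` accounts are correctly `sendOnly = true`, though each could carry a short comment naming the service that sends through it so the account is removed when the service is.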
@ -51,5 +51,14 @@ let vs = config.vault-secrets.secrets; in
|
||||||
authUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/auth";
|
authUrl = "https://id.0x76.dev/realms/master/protocol/openid-connect/auth";
|
||||||
clientSecretFile = "${vs.outline}/keycloakClientSecret";
|
clientSecretFile = "${vs.outline}/keycloakClientSecret";
|
||||||
};
|
};
|
||||||
|
smtp = rec {
|
||||||
|
username = "outline@0x76.dev";
|
||||||
|
fromEmail = username;
|
||||||
|
replyEmail = username;
|
||||||
|
secure = true;
|
||||||
|
port = 465;
|
||||||
|
host = "mail.0x76.dev";
|
||||||
|
passwordFile = "${vs.outline}/mailPassword";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
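Review bot: `passwordFile = "${vs.outline}/mailPassword"` has to hold the plaintext counterpart of the hash the mailserver reads from `${vs.mailserver}/outline@0x76.dev`, but nothing in either file records that coupling, so rotating one secret without the other breaks Outline's outbound mail with no hint where to look. I would add `# plaintext of the hash stored at ${vs.mailserver}/outline@0x76.dev; rotate both together` above the `passwordFile` line. `secure = true` together with `port = 465` presumably selects implicit TLS, which matches the mailserver `fqdn` used on the `host` line; the enclosing module continues outside the hunk.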
@ -41,13 +41,7 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
services.matrix-synapse =
|
services.matrix-synapse = {
|
||||||
let
|
|
||||||
extraConfig = builtins.toFile "extraConfig.yaml" ''
|
|
||||||
registration_requires_token: true
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
enable = true;
|
enable = true;
|
||||||
withJemalloc = true;
|
withJemalloc = true;
|
||||||
|
|
||||||
|
@ -56,7 +50,7 @@ in
|
||||||
"${vs.synapse}/registration_shared_secret"
|
"${vs.synapse}/registration_shared_secret"
|
||||||
"${vs.synapse}/form_secret"
|
"${vs.synapse}/form_secret"
|
||||||
"${vs.synapse}/turn_shared_secret"
|
"${vs.synapse}/turn_shared_secret"
|
||||||
extraConfig
|
"${vs.synapse}/email_password" # Also contains the rest of the email config
|
||||||
];
|
];
|
||||||
|
|
||||||
settings =
|
settings =
|
||||||
|
@ -65,7 +59,11 @@ in
|
||||||
enable_registration = true;
|
enable_registration = true;
|
||||||
public_baseurl = "https://chat.meowy.tech";
|
public_baseurl = "https://chat.meowy.tech";
|
||||||
enable_metrics = true;
|
enable_metrics = true;
|
||||||
# max_upload_size = "100m";
|
max_upload_size = "100M";
|
||||||
|
registration_requires_token = true;
|
||||||
|
media_retention = {
|
||||||
|
remote_media_lifetime = "90d";
|
||||||
|
};
|
||||||
listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
inherit port;
|
inherit port;
|
||||||
|
|
|
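Review bot: `registration_requires_token = true;` is the only thing keeping the `enable_registration = true;` context line just above it from being open registration, and after this commit the two live side by side in `settings` instead of one being hidden in a separate `extraConfig` file, so a comment should tie them together: `# enable_registration is safe only with registration_requires_token; keep both together`. The hunk at `@ -56,7 +50,7` also appends `"${vs.synapse}/email_password" # Also contains the rest of the email config` to the list of secret config files; mixing non-secret email settings into a Vault-backed file keeps them out of review, and only the password should live there if the module's `settings` can carry the rest. The `services.matrix-synapse = {` set opened in the first hunk closes outside the visible hunks.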
@ -1,2 +1,10 @@
|
||||||
# null
|
# null
|
||||||
This folder contains the NixOS configuration for my laptop, with hostname `null`.
|
This folder contains the NixOS configuration for my laptop, with hostname `null`.
|
||||||
|
|
||||||
|
## Information
|
||||||
|
* OS: NixOS
|
||||||
|
* WM: hyprland
|
||||||
|
* Terminal: foot
|
||||||
|
* Shell: zsh
|
||||||
|
* Theme: Captuccin Pink Dark
|
||||||
|
* Launcher: wofi
|
||||||
|
|
33
terraform/.gitignore
vendored
33
terraform/.gitignore
vendored
|
@ -1,33 +0,0 @@
|
||||||
# Local .terraform directories
|
|
||||||
**/.terraform/*
|
|
||||||
|
|
||||||
# .tfstate files
|
|
||||||
*.tfstate
|
|
||||||
*.tfstate.*
|
|
||||||
|
|
||||||
# Crash log files
|
|
||||||
crash.log
|
|
||||||
|
|
||||||
# Exclude all .tfvars files, which are likely to contain sentitive data, such as
|
|
||||||
# password, private keys, and other secrets. These should not be part of version
|
|
||||||
# control as they are data points which are potentially sensitive and subject
|
|
||||||
# to change depending on the environment.
|
|
||||||
#
|
|
||||||
*.tfvars
|
|
||||||
|
|
||||||
# Ignore override files as they are usually used to override resources locally and so
|
|
||||||
# are not checked in
|
|
||||||
override.tf
|
|
||||||
override.tf.json
|
|
||||||
*_override.tf
|
|
||||||
*_override.tf.json
|
|
||||||
|
|
||||||
# Include override files you do wish to add to version control using negated pattern
|
|
||||||
#
|
|
||||||
# !example_override.tf
|
|
||||||
|
|
||||||
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
|
|
||||||
# example: *tfplan*
|
|
||||||
|
|
||||||
# Ignore CLI configuration files
|
|
||||||
.terraformrc
|
|
|
@ -1,41 +0,0 @@
|
||||||
# This file is maintained automatically by "terraform init".
|
|
||||||
# Manual edits may be lost in future updates.
|
|
||||||
|
|
||||||
provider "registry.terraform.io/hashicorp/vault" {
|
|
||||||
version = "3.8.0"
|
|
||||||
constraints = "3.8.0"
|
|
||||||
hashes = [
|
|
||||||
"h1:7fwbqW8EpFSgGmp23JCn01OSzjp/bJA5jCXqaAMpfIs=",
|
|
||||||
"h1:8lg4gIGn8DCwvJHAJEFfQNVzYOZO7f6y7o4hEvvGZXM=",
|
|
||||||
"h1:AdhWQXOClR+vhEw086YTTfqGh2KrBwqZQQETTugQ2hA=",
|
|
||||||
"h1:F+1vJ14D9nNx3sNrCbKxvpJZ+QnVmD1p/ITbYPlkRg4=",
|
|
||||||
"h1:PpBRbK394epLJrYBANF5AsmqN3OPsDxk15NGS1Q2LIs=",
|
|
||||||
"h1:T4UoPuJbAio9ZML6vpNV4bIe5Tp6f5UFGTRBtkEv/vM=",
|
|
||||||
"h1:WL4JpK+LTxmTaNNXKprpHrMMzENYyQTBLal0fHVweE4=",
|
|
||||||
"h1:eHd28140YcjNCU9HtdZ8M1Mdb17XroVUoI2UIyqo7hE=",
|
|
||||||
"h1:luFm8DTlv6WPReGc3LDMCwt6LfBuHXJL4AV2ET4gNJQ=",
|
|
||||||
"h1:vsEgjE+Rad+XqL1Xav3WJyw1+A4dxl30pWwX2+y4I9k=",
|
|
||||||
"h1:yUcSQPjRUtow4vSEjM3a7ZhxAXXuehBXMQE4X2BKk3w=",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "registry.terraform.io/telmate/proxmox" {
|
|
||||||
version = "2.9.10"
|
|
||||||
constraints = "2.9.10"
|
|
||||||
hashes = [
|
|
||||||
"h1:/5Yci1cg4jZL2aya/cG8evNOgHwonYuuC6p1O07FhTc=",
|
|
||||||
"h1:/A5aHl/Ip3RkJ7abHIP33Hcf4kF2to3cA9PAp1f92Pk=",
|
|
||||||
"h1:/yUt/okb+f5dPxfaOUdvGikZhphX85kqGxzhPWHKQu0=",
|
|
||||||
"h1:87Zg9ZYrIh4Ed5KdsUPhGrXfeLQSZgU3OolWShQ2GXE=",
|
|
||||||
"h1:Al8lODr0F0ERJcwDNLTGzy0k8EidSZ5F/SYU9AfwtFU=",
|
|
||||||
"h1:VGqwHu3t75A4yup/Axvuh0X1mPTgh+TJn0ZGaObdne8=",
|
|
||||||
"h1:e1ncMGe7uwGibNXnt0h/M1SbIZGRiSHVFLzmrzQulYQ=",
|
|
||||||
"h1:mKgUaboSiulLR8RAHHr7w/VapyEKyQFzj8G+LjOjaLs=",
|
|
||||||
"h1:nd095azyjqcSPMfzFereNWKMBrBlnN12IYfOVt3eMR4=",
|
|
||||||
"h1:qkLV8lRnu69eYjBfaXeBRVCNqZnMdoLnsdxK3zEnacY=",
|
|
||||||
"h1:skq+tLPQ7FF2olylHwmYYxsj/lIoGrbiNjpOjYBlfQI=",
|
|
||||||
"h1:uOEAJ+AFin0XMlo0IcdKH5RVvTs1E8FCUPPnTWp+sbs=",
|
|
||||||
"h1:xZ731FmD4jCWlS2ralf1BX1pu/NKnM8u8zpBeFOhvnk=",
|
|
||||||
"h1:yPqHOIhTyxt8c1WVWB6Qv2TZfG2R5NCQdnLGKAQZox0=",
|
|
||||||
]
|
|
||||||
}
|
|
|
@ -1,73 +0,0 @@
|
||||||
{
|
|
||||||
"hosts": {
|
|
||||||
"WoolooTV": {
|
|
||||||
"mac": "74:40:be:48:85:a4"
|
|
||||||
},
|
|
||||||
"bastion": {
|
|
||||||
"mac": "82:F0:7C:CB:BD:6D"
|
|
||||||
},
|
|
||||||
"consul": {
|
|
||||||
"mac": "D6:DE:07:41:73:81"
|
|
||||||
},
|
|
||||||
"dhcp": {
|
|
||||||
"mac": "3E:2D:E8:AA:E2:81"
|
|
||||||
},
|
|
||||||
"dns-1": {
|
|
||||||
"mac": "5E:F6:36:23:16:E3"
|
|
||||||
},
|
|
||||||
"dns-2": {
|
|
||||||
"mac": "B6:04:0B:CD:0F:9F"
|
|
||||||
},
|
|
||||||
"edgerouter": {
|
|
||||||
"mac": "B4:FB:E4:53:9C:0A"
|
|
||||||
},
|
|
||||||
"eevee": {
|
|
||||||
"mac": "34:97:f6:93:9A:AA"
|
|
||||||
},
|
|
||||||
"gitea": {
|
|
||||||
"mac": "DE:5F:B0:83:6F:34"
|
|
||||||
},
|
|
||||||
"home-assistant": {
|
|
||||||
"mac": "9E:60:78:ED:81:B4"
|
|
||||||
},
|
|
||||||
"k3s-node1": {
|
|
||||||
"mac": "2E:F8:55:23:D9:9B"
|
|
||||||
},
|
|
||||||
"minecraft": {
|
|
||||||
"mac": "EA:30:73:E4:B6:69"
|
|
||||||
},
|
|
||||||
"minio": {
|
|
||||||
"mac": "0A:06:5E:E7:9A:0C"
|
|
||||||
},
|
|
||||||
"mosquitto": {
|
|
||||||
"mac": "C6:F9:8B:3D:9E:37"
|
|
||||||
},
|
|
||||||
"nginx": {
|
|
||||||
"mac": "6A:C2:89:85:CF:A6"
|
|
||||||
},
|
|
||||||
"nuc": {
|
|
||||||
"mac": "1C:69:7A:62:30:88"
|
|
||||||
},
|
|
||||||
"plausible": {
|
|
||||||
"mac": "82:34:70:FA:44:6F"
|
|
||||||
},
|
|
||||||
"unifi": {
|
|
||||||
"mac": "1A:88:A0:B0:65:B4"
|
|
||||||
},
|
|
||||||
"unifi-ap": {
|
|
||||||
"mac": "b4:fb:e4:f3:ff:1b"
|
|
||||||
},
|
|
||||||
"vault": {
|
|
||||||
"mac": "16:2B:87:55:0C:0C"
|
|
||||||
},
|
|
||||||
"victoriametrics": {
|
|
||||||
"mac": "9E:91:61:35:84:1F"
|
|
||||||
},
|
|
||||||
"wireguard": {
|
|
||||||
"mac": "1E:ED:97:2C:C3:9D"
|
|
||||||
},
|
|
||||||
"zmeura": {
|
|
||||||
"mac": "b8:27:eb:d5:e0:f5"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,34 +0,0 @@
|
||||||
terraform {
|
|
||||||
backend "s3" {
|
|
||||||
bucket = "terraform"
|
|
||||||
key = "terraform.tfstate"
|
|
||||||
region = "us-east-1"
|
|
||||||
endpoint = "http://minio:9000"
|
|
||||||
force_path_style = true
|
|
||||||
skip_requesting_account_id = true
|
|
||||||
skip_credentials_validation = true
|
|
||||||
skip_get_ec2_platforms = true
|
|
||||||
skip_metadata_api_check = true
|
|
||||||
skip_region_validation = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "proxmox" {
|
|
||||||
pm_api_url = "https://10.42.42.42:8006/api2/json"
|
|
||||||
pm_user = data.vault_generic_secret.proxmox_auth.data["user"]
|
|
||||||
pm_password = data.vault_generic_secret.proxmox_auth.data["pass"]
|
|
||||||
pm_tls_insecure = true
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "vault" {
|
|
||||||
address = "http://vault:8200"
|
|
||||||
skip_tls_verify = true
|
|
||||||
}
|
|
||||||
|
|
||||||
# Proxmox authentication for terraform
|
|
||||||
data "vault_generic_secret" "proxmox_auth" {
|
|
||||||
path = "secrets/terraform/proxmox_credentials"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Imported from hosts.auto.tfvars.json
|
|
||||||
variable "hosts" { }
|
|
|
@ -1,277 +0,0 @@
|
||||||
# For full info see: https://blog.xirion.net/posts/nixos-proxmox-lxc/
|
|
||||||
resource "proxmox_lxc" "nixos-template" {
|
|
||||||
target_node = "nuc"
|
|
||||||
description = "NixOS LXC Template"
|
|
||||||
hostname = "nixos-template"
|
|
||||||
ostemplate = "local:vztmpl/nixos-unstable-default_156198829_amd64.tar.xz"
|
|
||||||
ostype = "unmanaged"
|
|
||||||
unprivileged = true
|
|
||||||
vmid = 101
|
|
||||||
template = true
|
|
||||||
|
|
||||||
memory = 1024
|
|
||||||
|
|
||||||
features {
|
|
||||||
nesting = true
|
|
||||||
}
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = "22:D7:C1:FF:9D:5F"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "nixos-template-2" {
|
|
||||||
target_node = "nuc"
|
|
||||||
description = "NixOS LXC Template"
|
|
||||||
hostname = "nixos-template"
|
|
||||||
ostype = "unmanaged"
|
|
||||||
unprivileged = true
|
|
||||||
vmid = 108
|
|
||||||
template = true
|
|
||||||
cores = 1
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
features {
|
|
||||||
nesting = true
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = "FA:71:3F:31:34:41"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "vault" {
|
|
||||||
target_node = "nuc"
|
|
||||||
description = "Vault Secrets Management"
|
|
||||||
hostname = "vault"
|
|
||||||
unprivileged = false # needed for mlock
|
|
||||||
vmid = 102
|
|
||||||
clone = "101"
|
|
||||||
onboot = true
|
|
||||||
|
|
||||||
memory = 1024
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.vault.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "mosquitto" {
|
|
||||||
target_node = "nuc"
|
|
||||||
description = "mosquitto mqtt broker"
|
|
||||||
hostname = "mosquitto"
|
|
||||||
vmid = 104
|
|
||||||
clone = 101
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
|
|
||||||
memory = 1024
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.mosquitto.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "nginx" {
|
|
||||||
target_node = "nuc"
|
|
||||||
hostname = "nginx"
|
|
||||||
vmid = 106
|
|
||||||
clone = 101
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.nginx.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "consul" {
|
|
||||||
target_node = "nuc"
|
|
||||||
description = "consul service mesh"
|
|
||||||
hostname = "consul"
|
|
||||||
vmid = 107
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.consul.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "dns-1" {
|
|
||||||
target_node = "nuc"
|
|
||||||
hostname = "dns"
|
|
||||||
vmid = 109
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
startup = "order=1"
|
|
||||||
cores = 1
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.dns-1.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "dns-2" {
|
|
||||||
target_node = "nuc"
|
|
||||||
hostname = "dns"
|
|
||||||
vmid = 110
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
startup = "order=1"
|
|
||||||
cores = 1
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.dns-2.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "minio" {
|
|
||||||
target_node = "nuc"
|
|
||||||
hostname = "minio"
|
|
||||||
vmid = 111
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
cores = 1
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
ip = "dhcp"
|
|
||||||
ip6 = "auto"
|
|
||||||
hwaddr = var.hosts.minio.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_lxc" "dhcp" {
|
|
||||||
target_node = "nuc"
|
|
||||||
hostname = "dhcp"
|
|
||||||
vmid = 112
|
|
||||||
unprivileged = true
|
|
||||||
onboot = true
|
|
||||||
cores = 1
|
|
||||||
|
|
||||||
memory = 512
|
|
||||||
|
|
||||||
rootfs {
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "8G"
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
name = "eth0"
|
|
||||||
bridge = "vmbr0"
|
|
||||||
hwaddr = var.hosts.dhcp.mac
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# resource "proxmox_lxc" "victoriametrics" {
|
|
||||||
# target_node = "nuc"
|
|
||||||
# hostname = "victoriametrics"
|
|
||||||
# vmid = 113
|
|
||||||
# clone = 108
|
|
||||||
# unprivileged = true
|
|
||||||
# onboot = true
|
|
||||||
# cores = 1
|
|
||||||
|
|
||||||
# memory = 512
|
|
||||||
|
|
||||||
# rootfs {
|
|
||||||
# storage = "local-zfs"
|
|
||||||
# size = "25G"
|
|
||||||
# }
|
|
||||||
|
|
||||||
# network {
|
|
||||||
# name = "eth0"
|
|
||||||
# bridge = "vmbr0"
|
|
||||||
# hwaddr = var.hosts.victoriametrics.mac
|
|
||||||
# }
|
|
||||||
# }
|
|
|
@ -1,77 +0,0 @@
|
||||||
resource "proxmox_vm_qemu" "bastion" {
|
|
||||||
name = "bastion"
|
|
||||||
vmid = 100
|
|
||||||
target_node = "nuc"
|
|
||||||
onboot = true
|
|
||||||
tablet = false
|
|
||||||
full_clone = false
|
|
||||||
|
|
||||||
memory = 4096
|
|
||||||
cores = 4
|
|
||||||
|
|
||||||
agent = 1
|
|
||||||
boot = "order=scsi0;ide2;net0"
|
|
||||||
|
|
||||||
disk {
|
|
||||||
size = "64G"
|
|
||||||
storage = "local-zfs"
|
|
||||||
type = "scsi"
|
|
||||||
ssd = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
network {
|
|
||||||
model = "virtio"
|
|
||||||
macaddr = var.hosts.bastion.mac
|
|
||||||
bridge = "vmbr0"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_vm_qemu" "k3s-node1" {
|
|
||||||
name = "k3s-node1"
|
|
||||||
target_node = "nuc"
|
|
||||||
vmid = 103
|
|
||||||
clone = "bastion"
|
|
||||||
tablet = false
|
|
||||||
onboot = true
|
|
||||||
|
|
||||||
memory = 8192
|
|
||||||
cores = 4
|
|
||||||
|
|
||||||
agent = 1
|
|
||||||
boot = "order=scsi0;ide2;net0"
|
|
||||||
|
|
||||||
network {
|
|
||||||
model = "virtio"
|
|
||||||
macaddr = var.hosts.k3s-node1.mac
|
|
||||||
bridge = "vmbr0"
|
|
||||||
}
|
|
||||||
|
|
||||||
disk {
|
|
||||||
type = "scsi"
|
|
||||||
storage = "local-zfs"
|
|
||||||
size = "64G"
|
|
||||||
ssd = 1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "proxmox_vm_qemu" "home-assistant" {
|
|
||||||
name = "home-assistant"
|
|
||||||
vmid = 105
|
|
||||||
target_node = "nuc"
|
|
||||||
onboot = true
|
|
||||||
tablet = false
|
|
||||||
full_clone = false
|
|
||||||
bios = "ovmf"
|
|
||||||
|
|
||||||
memory = 2048
|
|
||||||
cores = 4
|
|
||||||
|
|
||||||
agent = 1
|
|
||||||
boot = "order=sata0"
|
|
||||||
|
|
||||||
network {
|
|
||||||
model = "virtio"
|
|
||||||
macaddr = var.hosts.home-assistant.mac
|
|
||||||
bridge = "vmbr0"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,12 +0,0 @@
|
||||||
terraform {
|
|
||||||
required_providers {
|
|
||||||
proxmox = {
|
|
||||||
source = "telmate/proxmox"
|
|
||||||
version = "2.9.10"
|
|
||||||
}
|
|
||||||
vault = {
|
|
||||||
source = "hashicorp/vault"
|
|
||||||
version = "3.8.0"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
15
util.nix
15
util.nix
|
@ -2,6 +2,11 @@
|
||||||
let
|
let
|
||||||
inherit (nixpkgs) lib;
|
inherit (nixpkgs) lib;
|
||||||
inherit (builtins) filter mapAttrs attrValues concatLists;
|
inherit (builtins) filter mapAttrs attrValues concatLists;
|
||||||
|
|
||||||
|
# Helper function to resolve what should be imported depending on the type of config (lxc, vm, bare metal)
|
||||||
|
resolve_imports =
|
||||||
|
let
|
||||||
|
# lookup table
|
||||||
import_cases = {
|
import_cases = {
|
||||||
"lxc" = [
|
"lxc" = [
|
||||||
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
|
||||||
|
@ -15,19 +20,25 @@ let
|
||||||
hyprland.nixosModules.default
|
hyprland.nixosModules.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
resolve_imports = { hostname, realm, profile ? hostname, type ? "lxc", ... }: [
|
in
|
||||||
|
{ hostname, realm, profile ? hostname, type ? "lxc", ... }: [
|
||||||
mailserver.nixosModules.mailserver
|
mailserver.nixosModules.mailserver
|
||||||
./nixos/common
|
./nixos/common
|
||||||
"${./.}/nixos/hosts/${realm}/${profile}/configuration.nix"
|
"${./.}/nixos/hosts/${realm}/${profile}/configuration.nix"
|
||||||
] ++ import_cases.${type};
|
] ++ import_cases.${type};
|
||||||
in
|
in
|
||||||
rec {
|
{
|
||||||
|
# Add to whatever realm a host belong to its list of tags
|
||||||
add_realm_to_tags = realm: hosts: map ({ tags ? [ ], ... }@host: host // { tags = [ realm ] ++ tags; inherit realm; }) hosts;
|
add_realm_to_tags = realm: hosts: map ({ tags ? [ ], ... }@host: host // { tags = [ realm ] ++ tags; inherit realm; }) hosts;
|
||||||
|
# Flatten all hosts to a single list
|
||||||
flatten_hosts = hosts: concatLists (attrValues hosts);
|
flatten_hosts = hosts: concatLists (attrValues hosts);
|
||||||
|
# Filter out all hosts which aren't nixos
|
||||||
filter_nix_hosts = hosts: filter ({ nix ? true, ... }: nix) hosts;
|
filter_nix_hosts = hosts: filter ({ nix ? true, ... }: nix) hosts;
|
||||||
|
|
||||||
|
# Helper function to build a colmena host definition
|
||||||
mkColmenaHost = { ip ? null, hostname, tags, realm, type ? "lxc", ... }@host:
|
mkColmenaHost = { ip ? null, hostname, tags, realm, type ? "lxc", ... }@host:
|
||||||
let
|
let
|
||||||
|
# this makes local apply work a bit nicer
|
||||||
name = if realm == "thalassa" then hostname else "${hostname}.${realm}";
|
name = if realm == "thalassa" then hostname else "${hostname}.${realm}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
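Review bot: The outer attribute set at the end of the second hunk changes from `rec {` to `{`, which is only safe if no attribute inside the set refers to a sibling (for example `mkColmenaHost` using `add_realm_to_tags` or `flatten_hosts`); the set body continues past the hunk, so confirm that before merging. The new `resolve_imports` binding also repeats the `type ? "lxc"` default that `mkColmenaHost` declares, so changing one default without the other would silently produce a mismatch; a comment such as `# type default must match mkColmenaHost` on the `{ hostname, realm, profile ? hostname, type ? "lxc", ... }:` line, or sharing one constant, would prevent drift. `import_cases.${type}` has no fallback, so an unknown type fails at evaluation time, which is fine but worth a word in the helper's comment.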