nixos: cleanup
parent
a967b6ab05
commit
8f0eb95dda
7 changed files with 31 additions and 44 deletions
@ -10,7 +10,6 @@
|
||||||
hostname = "nuc";
|
hostname = "nuc";
|
||||||
ip = "10.42.42.42";
|
ip = "10.42.42.42";
|
||||||
mac = "1C:69:7A:62:30:88";
|
mac = "1C:69:7A:62:30:88";
|
||||||
ip6 = "";
|
|
||||||
nix = false;
|
nix = false;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
|
|
@ -32,6 +32,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
nixpkgs.overlays = [ (import ../pkgs) ];
|
||||||
|
|
||||||
# Limit the systemd journal to 100 MB of disk or the
|
# Limit the systemd journal to 100 MB of disk or the
|
||||||
# last 7 days of logs, whichever happens first.
|
# last 7 days of logs, whichever happens first.
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
{ config, pkgs, hosts, ... }:
|
{ config, pkgs, hosts, ... }:
|
||||||
let
|
let
|
||||||
|
inherit (builtins) filter hasAttr;
|
||||||
localdomain = "olympus";
|
localdomain = "olympus";
|
||||||
ipv6Hosts = builtins.filter (builtins.hasAttr ip6) hosts;
|
ipv6Hosts = filter (hasAttr "ip6") hosts;
|
||||||
|
|
||||||
localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
|
localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
|
||||||
local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
|
local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
|
||||||
|
@ -21,13 +22,14 @@ in {
|
||||||
system.stateVersion = "21.11"; # Did you read the comment?
|
system.stateVersion = "21.11"; # Did you read the comment?
|
||||||
|
|
||||||
# Additional packages
|
# Additional packages
|
||||||
environment.systemPackages = with pkgs; [ dig ];
|
environment.systemPackages = with pkgs; [ dig dog drill ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||||
|
|
||||||
services.unbound = {
|
services.unbound = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
package = pkgs.v.unbound;
|
||||||
settings = {
|
settings = {
|
||||||
server = {
|
server = {
|
||||||
use-syslog = "yes";
|
use-syslog = "yes";
|
||||||
|
@ -37,7 +39,7 @@ in {
|
||||||
|
|
||||||
local-zone = ''"${localdomain}." transparent'';
|
local-zone = ''"${localdomain}." transparent'';
|
||||||
local-data = (map localData hosts) ++ (map local6Data ipv6Hosts);
|
local-data = (map localData hosts) ++ (map local6Data ipv6Hosts);
|
||||||
local-data-ptr = (map ptrData hosts);
|
local-data-ptr = (map ptrData hosts) ++ (map ptr6Data ipv6Hosts);
|
||||||
|
|
||||||
access-control = [
|
access-control = [
|
||||||
"127.0.0.1/32 allow_snoop"
|
"127.0.0.1/32 allow_snoop"
|
||||||
|
@ -61,10 +63,6 @@ in {
|
||||||
"fe80::/10"
|
"fe80::/10"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
# forward-zone = {
|
|
||||||
# name = ''"."'';
|
|
||||||
# forward-addr = [ "8.8.8.8" "9.9.9.9" ];
|
|
||||||
# };
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
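Review bot: `local-data-ptr` on the new side maps `ptr6Data` over `ipv6Hosts`, but no definition of `ptr6Data` appears in either hunk of this file; the `let` block continues past the first hunk, so if it is defined there this is fine, otherwise evaluation fails with an undefined variable. Separately, `filter (hasAttr "ip6") hosts` still admits a host with `ip6 = ""` (the value this commit removes from `nuc`), which would emit an AAAA record with an empty address; `ipv6Hosts = filter (h: (h.ip6 or "") != "") hosts;` would keep that from reappearing. `package = pkgs.v.unbound;` also makes this module depend on the `../pkgs` overlay being listed in `nixpkgs.overlays`, which deserves a comment such as `# provided by the overlay in nixos/pkgs (DoH/DNSCrypt-enabled build)`.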
@ -5,8 +5,7 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let mosquittoPort = 1883;
|
let mosquittoPort = 1883;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [ ];
|
||||||
];
|
|
||||||
|
|
||||||
networking.hostName = "mosquitto";
|
networking.hostName = "mosquitto";
|
||||||
|
|
||||||
|
@ -56,5 +55,6 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
|
networking.firewall.allowedTCPPorts =
|
||||||
|
[ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,20 +1,16 @@
|
||||||
# Edit this configuration file to define what should be installed on
|
|
||||||
# your system. Help is available in the configuration.nix(5) man page
|
|
||||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
k8s_proxy = {
|
proxy = url: {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://10.42.42.150:8000/";
|
proxyPass = url;
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
k8s_proxy = proxy "http://10.42.42.150:8000/";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [ ];
|
||||||
];
|
|
||||||
|
|
||||||
networking.hostName = "nginx";
|
networking.hostName = "nginx";
|
||||||
|
|
||||||
|
@ -36,23 +32,9 @@ in {
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
virtualHosts."ha.0x76.dev" = {
|
# Reverse Proxies
|
||||||
enableACME = true;
|
virtualHosts."ha.0x76.dev" = proxy "http://10.42.42.8:8123/";
|
||||||
forceSSL = true;
|
virtualHosts."zookeeper-dev.0x76.dev" = proxy "http://10.42.43.28:8085/";
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://10.42.42.8:8123/";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualHosts."zookeeper-dev.0x76.dev" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://10.42.43.28:8085/";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Kubernetes endpoints
|
# Kubernetes endpoints
|
||||||
virtualHosts."0x76.dev" = k8s_proxy;
|
virtualHosts."0x76.dev" = k8s_proxy;
|
||||||
|
|
|
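Review bot: The new `proxy` helper is undocumented and fixes `enableACME`, `forceSSL` and `proxyWebsockets = true` for every backend, so a host that later needs per-vhost restrictions (an `extraConfig` allow/deny list, basic auth, a body-size limit) cannot get them without `//`-merging onto the result; a short doc comment makes that contract visible, e.g. `# proxy: build a public, ACME/TLS-terminated vhost forwarding "/" (incl. websockets) to url; merge extra options with //.` The enclosing `services.nginx` block that supplies `recommendedProxySettings` starts outside the hunk.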
@ -3,11 +3,8 @@
|
||||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
let port = 8200;
|
||||||
{
|
in {
|
||||||
imports = [
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.hostName = "vault";
|
networking.hostName = "vault";
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
|
@ -22,13 +19,13 @@
|
||||||
environment.systemPackages = with pkgs; [ ];
|
environment.systemPackages = with pkgs; [ ];
|
||||||
|
|
||||||
# Vault
|
# Vault
|
||||||
networking.firewall.allowedTCPPorts = [ 8200 ];
|
networking.firewall.allowedTCPPorts = [ port ];
|
||||||
|
|
||||||
services.vault = {
|
services.vault = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# bin version includes the UI
|
# bin version includes the UI
|
||||||
package = pkgs.vault-bin;
|
package = pkgs.vault-bin;
|
||||||
address = "0.0.0.0:8200";
|
address = "0.0.0.0:${toString port}";
|
||||||
storageBackend = "file";
|
storageBackend = "file";
|
||||||
storagePath = "/var/lib/vault";
|
storagePath = "/var/lib/vault";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
|
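Review bot: `address = "0.0.0.0:${toString port}"` keeps Vault bound on every interface, and neither hunk sets `services.vault.tlsCertFile`/`tlsKeyFile`; the NixOS module disables TLS on the listener when those are unset, so tokens and secrets would cross the network in cleartext unless the options are set in the part of the `services.vault` block that continues past `extraConfig`. If LAN-only access is the intent, binding to the host's LAN address or setting the two TLS options is the fix; note the same `port` is opened in `networking.firewall.allowedTCPPorts` on all interfaces. A comment on the new binding would help: `# Vault API listener port, also opened in the firewall below`.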
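--- /dev/null
+++ b/nixos/pkgs/default.nix
@@ -0,0 +1,10 @@
+final: prev: {
+v = {
+unbound = prev.unbound.override {
+withSystemd = true;
+withDoH = true;
+withDNSCrypt = true;
+withTFO = true;
+};
+};
+}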
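Review bot: The overlay has no comment explaining why `unbound` is rebuilt with `withDoH`, `withDNSCrypt` and `withTFO`; the only consumer visible in this commit (`services.unbound.package = pkgs.v.unbound`) configures no DoH or DNSCrypt upstream, and the commented-out `forward-zone` block was deleted in the same commit, so the encrypted-transport features are compiled in but unused. A header comment such as `# Custom package set (pkgs.v): unbound built with systemd notify, DoH, DNSCrypt and TCP Fast Open support` would record the intent. Server-side TFO is, as far as I know, also gated by the kernel `net.ipv4.tcp_fastopen` sysctl, which nothing in this commit sets.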