Merge branch 'main' of ssh://git.0x76.dev:42/v/infrastructure

Vivian 2023-12-26 16:17:01 +01:00
commit b3ff2a7268
16 changed files with 199 additions and 269 deletions


@ -54,7 +54,6 @@
, nixos-generators , nixos-generators
, nur , nur
, attic , attic
, microvm
, ... , ...
}@inputs: }@inputs:
let let


@ -34,6 +34,8 @@
enableUserServices = true; enableUserServices = true;
}; };
security.polkit.enable = lib.mkDefault true;
# Nix Settings # Nix Settings
nix = { nix = {
registry.nixpkgs.flake = inputs.nixpkgs; registry.nixpkgs.flake = inputs.nixpkgs;
@ -74,9 +76,6 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages =
[ "nodejs-16.20.2" "nodejs-14.21.3" "openssl-1.1.1w" ];
# Limit the systemd journal to 100 MB of disk or the # Limit the systemd journal to 100 MB of disk or the
# last 7 days of logs, whichever happens first. # last 7 days of logs, whichever happens first.
services.journald.extraConfig = '' services.journald.extraConfig = ''
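Review bot: `security.polkit.enable = lib.mkDefault true;` is added to the shared configuration without a comment naming the service or user-level feature that needs it, so a later reader cannot tell whether it is safe to drop; a one-liner such as `# polkit: required by <consumer>; mkDefault so a host can switch it off` with the actual consumer filled in would fix that. Removing `nixpkgs.config.permittedInsecurePackages` is the right direction: a host that still pulls nodejs-16, nodejs-14 or openssl-1.1 now fails at evaluation instead of silently building an end-of-life package, and this is consistent with the same commit dropping the fix-vscode script that referenced `pkgs.nodejs-16_x` in another file.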


@ -70,6 +70,7 @@ in {
sumneko.lua sumneko.lua
davidlday.languagetool-linter davidlday.languagetool-linter
serayuzgur.crates serayuzgur.crates
skellock.just
]; ];
}; };


@ -1,11 +1,13 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
imports = [ ./laura.nix ./vivian.nix ./jonathan.nix ]; imports = [ ./laura.nix ./vivian.nix ./jonathan.nix ];
programs = {
# Setup ZSH to use grml config # Setup ZSH to use grml config
programs.zsh = { zsh = {
enable = true; enable = true;
enableCompletion = true; enableCompletion = true;
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
autosuggestions.enable = true;
interactiveShellInit = '' interactiveShellInit = ''
source "${pkgs.grml-zsh-config}/etc/zsh/zshrc" source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow" export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
@ -17,15 +19,16 @@
promptInit = ""; promptInit = "";
}; };
environment.pathsToLink = [ "/share/zsh" ];
# Install Neovim and set it as alias for vi(m) # Install Neovim and set it as alias for vi(m)
programs.neovim = { neovim = {
enable = true; enable = true;
viAlias = true; viAlias = true;
vimAlias = true; vimAlias = true;
defaultEditor = true; defaultEditor = true;
}; };
};
environment.pathsToLink = [ "/share/zsh" ];
# Disable sudo prompt for `wheel` users. # Disable sudo prompt for `wheel` users.
security.sudo.wheelNeedsPassword = lib.mkDefault false; security.sudo.wheelNeedsPassword = lib.mkDefault false;
@ -41,11 +44,13 @@
# Setup packages available everywhere # Setup packages available everywhere
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
file
fzf fzf
git git
htop htop
ncdu ncdu
psmisc psmisc
helix
ripgrep ripgrep
rsync rsync
zoxide zoxide


@ -26,10 +26,7 @@ in {
ensureDatabases = [ "atticd" ]; ensureDatabases = [ "atticd" ];
ensureUsers = [{ ensureUsers = [{
name = "atticd"; name = "atticd";
ensurePermissions = { ensureDBOwnership = true;
"DATABASE atticd" = "ALL PRIVILEGES";
"schema public" = "ALL";
};
}]; }];
}; };


@ -5,16 +5,7 @@
programs.mosh.enable = true; programs.mosh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cachix
clang
direnv
git-crypt
nix-update
pinentry-curses
ripgrep
rsync
rustup rustup
tmux
vault vault
]; ];


@ -18,11 +18,7 @@
ip = "192.168.0.101"; ip = "192.168.0.101";
mac = "5a:00:b7:6c:d1:e2"; mac = "5a:00:b7:6c:d1:e2";
}; };
"plex" = { # ip = "192.168.0.102";
ip = "192.168.0.102";
mac = "00:0c:29:a1:4e:28";
nix = false;
};
"vault-0" = { "vault-0" = {
ip = "192.168.0.103"; ip = "192.168.0.103";
mac = "7A:14:15:ED:D1:E6"; mac = "7A:14:15:ED:D1:E6";
@ -60,16 +56,8 @@
profile = "dns"; profile = "dns";
tags = [ "networking" ]; tags = [ "networking" ];
}; };
"MariaDB" = { # ip = "192.168.0.109";
ip = "192.168.0.109"; # ip = "192.168.0.110";
mac = "00:0c:29:23:4f:12";
nix = false;
};
"bitwarden_rs" = {
ip = "192.168.0.110";
mac = "00:0c:29:f5:98:00";
nix = false;
};
"rtorrent" = { "rtorrent" = {
ip = "192.168.0.111"; ip = "192.168.0.111";
mac = "7a:5f:9b:62:49:91"; mac = "7a:5f:9b:62:49:91";
@ -139,15 +127,8 @@
mac = "5E:36:04:2D:38:DF"; mac = "5E:36:04:2D:38:DF";
type = "vm"; type = "vm";
}; };
"database" = { # ip = "192.168.0.126";
ip = "192.168.0.126"; # ip = "192.168.0.127";
mac = "82:e8:71:7f:37:b4";
};
"dn42" = {
ip = "192.168.0.127";
mac = "12:fa:24:02:65:e6";
nix = false;
};
"attic" = { "attic" = {
ip = "192.168.0.128"; ip = "192.168.0.128";
mac = "9E:AF:E9:FE:D4:D9"; mac = "9E:AF:E9:FE:D4:D9";
@ -165,15 +146,8 @@
}; };
nix = false; nix = false;
}; };
# "docker-registry" = { # ip = "192.168.0.130";
# ip = "192.168.0.130"attic, ; # ip = "192.168.0.131";
# mac = "5e:0e:a6:cf:64:70";
# };
"minecraft" = {
ip = "192.168.0.131";
mac = "00:0c:29:9b:e1:c4";
nix = false;
};
"tudelft" = { "tudelft" = {
ip = "192.168.0.132"; ip = "192.168.0.132";
mac = "AE:B3:93:4B:04:76"; mac = "AE:B3:93:4B:04:76";
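Review bot: The replacement comments `# ip = "192.168.0.102";`, `# ip = "192.168.0.109";` and the other reserved-address lines in this file record an address without saying why it is held back, so nothing stops the next person from handing it to a new host; a reason per line, e.g. `# ip = "192.168.0.102"; # reserved: former plex lease, retired <DATE>`, would make the reservation meaningful. The removed entries carried `nix = false`, which suggests they were non-NixOS machines; if any of them is still on the network it now gets a dynamic lease instead of its static one, presumably intended but worth confirming before the old addresses are reused.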


@ -7,8 +7,7 @@ let
# https://github.com/immich-app/immich/releases # https://github.com/immich-app/immich/releases
# version = "1.55.1"; # version = "1.55.1";
dataDir = "/var/lib/immich"; dataDir = "/var/lib/immich";
in in {
{
imports = [ ]; imports = [ ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -22,31 +21,32 @@ in
# Additional packages # Additional packages
environment.systemPackages = with pkgs; [ ]; environment.systemPackages = with pkgs; [ ];
# TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich # TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich
fileSystems."/mnt/storage" = { fileSystems."/mnt/storage" = {
device = "storage:/mnt/storage"; device = "storage:/mnt/storage";
fsType = "nfs"; fsType = "nfs";
}; };
ids = {
# Unused uid/gid snagged from this list: # Unused uid/gid snagged from this list:
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
ids.uids.immich = 911; uids.immich = 911;
ids.gids.immich = 911; gids.immich = 911;
};
users = {
groups = {
photos = { };
immich = { gid = config.ids.gids.immich; };
};
users.groups.photos = {}; users.immich = {
users.users.immich = {
isSystemUser = true; isSystemUser = true;
group = "photos"; group = "photos";
description = "Immich daemon user"; description = "Immich daemon user";
home = dataDir; home = dataDir;
uid = config.ids.uids.immich; uid = config.ids.uids.immich;
}; };
};
users.groups.immich = { gid = config.ids.gids.immich; };
# Postgres database configuration # Postgres database configuration
services.postgresql = { services.postgresql = {
@ -56,7 +56,7 @@ in
ensureUsers = [{ ensureUsers = [{
name = "immich"; name = "immich";
ensurePermissions = { "DATABASE immich" = "ALL PRIVILEGES"; }; ensureDBOwnership = true;
}]; }];
ensureDatabases = [ "immich" ]; ensureDatabases = [ "immich" ];


@ -49,9 +49,9 @@ in {
allowedTCPPorts = [ 25565 ]; allowedTCPPorts = [ 25565 ];
}; };
users.groups.mc = { };
users.extraUsers.laura.extraGroups = [ "wheel" ]; users.extraUsers.laura.extraGroups = [ "wheel" ];
users.extraUsers.vivian.extraGroups = [ "mc" ]; users.extraUsers.vivian.extraGroups = [ "wheel" ];
users.groups.mc = { };
users.extraUsers.julia = { users.extraUsers.julia = {
isNormalUser = true; isNormalUser = true;
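Review bot: `users.extraUsers.vivian.extraGroups = [ "wheel" ];` grants administrative rights on this host, and the shared users module in this same commit sets `security.sudo.wheelNeedsPassword = lib.mkDefault false;`, so unless this host overrides that default the change amounts to passwordless root; a comment stating the intent, e.g. `# vivian administers this host; wheel implies passwordless sudo via the shared users module`, would make the privilege grant deliberate rather than incidental. The swap also drops vivian from `mc`, which presumably gave access to the server's group-owned files; if both are wanted, `users.extraUsers.vivian.extraGroups = [ "mc" "wheel" ];`.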


@ -2,36 +2,33 @@
let let
vs = config.vault-secrets.secrets; vs = config.vault-secrets.secrets;
cfg = config.services.mastodon; cfg = config.services.mastodon;
in in {
{
system.stateVersion = "21.05"; system.stateVersion = "21.05";
# Use DHCP with static leases # Use DHCP with static leases
networking.interfaces.eth0.useDHCP = true; networking.interfaces.eth0.useDHCP = true;
# Better cache hits # Better cache hits
environment.noXlibs = lib.mkForce false; environment.noXlibs = lib.mkForce false;
services = {
services.elasticsearch = { elasticsearch = {
enable = true; enable = true;
cluster_name = "mastodon-es"; cluster_name = "mastodon-es";
package = pkgs.elasticsearch7; package = pkgs.elasticsearch7;
}; };
vault-secrets.secrets.mastodon = { postgresql = {
services = [ "mastodon-init-dirs" "mastodon" "mastodon-media-autoremove" ]; enable = true;
inherit (cfg) user group; package = pkgs.postgresql_16;
settings = {
shared_preload_libraries = "pg_stat_statements";
"pg_stat_statements.track" = "all";
"pg_stat_statements.max" = 10000;
track_activity_query_size = 2048;
};
# The rest of the database setup is handled by mastodon
}; };
# Append the init-dirs script to add AWS/Minio secrets mastodon = {
systemd.services.mastodon-init-dirs.script = ''
cat >> /var/lib/mastodon/.secrets_env <<EOF
AWS_ACCESS_KEY_ID="$(cat ${vs.mastodon}/garageKeyId)"
AWS_SECRET_ACCESS_KEY="$(cat ${vs.mastodon}/garageSecretKey)"
DEEPL_API_KEY="$(cat ${vs.mastodon}/deeplAPIKey)"
EOF
'';
services.mastodon = {
enable = true; enable = true;
package = pkgs.v.glitch-soc; package = pkgs.v.glitch-soc;
streamingProcesses = 3; streamingProcesses = 3;
@ -54,14 +51,7 @@ in
inherit (config.services.elasticsearch) port; inherit (config.services.elasticsearch) port;
}; };
database = { database.createLocally = true;
createLocally = false;
user = "mastodon";
passwordFile = "${vs.mastodon}/db-password";
port = 5432;
name = "mastodon";
host = "192.168.0.126";
};
smtp = { smtp = {
createLocally = false; createLocally = false;
@ -100,8 +90,22 @@ in
DEEPL_PLAN = "free"; DEEPL_PLAN = "free";
}; };
}; };
};
networking.firewall = vault-secrets.secrets.mastodon = {
let cfg = config.services.mastodon; services = [ "mastodon-init-dirs" "mastodon" "mastodon-media-autoremove" ];
inherit (cfg) user group;
};
# Append the init-dirs script to add AWS/Minio secrets
systemd.services.mastodon-init-dirs.script = ''
cat >> /var/lib/mastodon/.secrets_env <<EOF
AWS_ACCESS_KEY_ID="$(cat ${vs.mastodon}/garageKeyId)"
AWS_SECRET_ACCESS_KEY="$(cat ${vs.mastodon}/garageSecretKey)"
DEEPL_API_KEY="$(cat ${vs.mastodon}/deeplAPIKey)"
EOF
'';
networking.firewall = let cfg = config.services.mastodon;
in { allowedTCPPorts = [ cfg.webPort ]; }; in { allowedTCPPorts = [ cfg.webPort ]; };
} }
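Review bot: With `database.createLocally = true;` the `passwordFile = "${vs.mastodon}/db-password"` reference disappears, but nothing on this page shows the db-password key being removed from the mastodon vault secret, so the credential for the retired 192.168.0.126 database host presumably stays provisioned; drop it and decommission the corresponding role on the old host so no unused credential lingers. The new postgresql block pins `package = pkgs.postgresql_16;`, which matters here because `system.stateVersion = "21.05"` would otherwise select an older default package; a comment such as `# pinned: stateVersion 21.05 would pick an old default` would keep the next reader from removing it. Moving existing data from the remote database into the new local instance is not part of this commit, so unless this is a fresh deployment that migration has to happen out of band before the switch.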


@ -12,8 +12,7 @@ let
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
in in {
{
imports = [ ]; imports = [ ];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -46,22 +45,25 @@ in
"xirion.net" = { "xirion.net" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations = {
"/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8'; add_header Content-Type 'text/html; charset=UTF-8';
return 200 'Hello, World!'; return 200 'Hello, World!';
''; '';
# Mastodon federation # Mastodon federation
locations."= /.well-known/host-meta".extraConfig = '' "= /.well-known/host-meta".extraConfig = ''
return 301 https://fedi.xirion.net$request_uri; return 301 https://fedi.xirion.net$request_uri;
''; '';
locations."/.well-known/webfinger".extraConfig = '' "/.well-known/webfinger".extraConfig = ''
add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Origin '*';
return 301 https://fedi.xirion.net$request_uri; return 301 https://fedi.xirion.net$request_uri;
''; '';
}; };
};
"peepeepoopoo.xirion.net" = proxy "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already! "peepeepoopoo.xirion.net" = proxy
"http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
"plex.xirion.net" = { "plex.xirion.net" = {
# Since we want a secure connection, we force SSL # Since we want a secure connection, we force SSL


@ -2,13 +2,40 @@
let vs = config.vault-secrets.secrets; let vs = config.vault-secrets.secrets;
in { in {
imports = [ ./rtorrent.nix ]; imports = [ ./rtorrent.nix ];
networking = {
interfaces.eth0.useDHCP = true;
firewall = {
allowedTCPPorts = [ config.services.rtorrent.port ];
allowedUDPPorts = [ config.services.rtorrent.port ];
};
networking.interfaces.eth0.useDHCP = true; wg-quick.interfaces = let
postUpScript = pkgs.writeScriptBin "post_up" ''
#!${pkgs.stdenv.shell}
${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
'';
in {
wg0 = {
address =
[ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
mtu = 1320;
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
privateKeyFile = "${vs.rtorrent}/wireguardKey";
postUp = "${postUpScript}/bin/post_up || true";
peers = [{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "europe3.vpn.airdns.org:1637";
presharedKeyFile = "${vs.rtorrent}/presharedKey";
persistentKeepalive = 15;
}];
};
};
};
system.stateVersion = "22.05"; system.stateVersion = "22.05";
networking.firewall.allowedTCPPorts = [ config.services.rtorrent.port ];
networking.firewall.allowedUDPPorts = [ config.services.rtorrent.port ];
fileSystems."/mnt/storage" = { fileSystems."/mnt/storage" = {
device = "storage:/mnt/storage"; device = "storage:/mnt/storage";
fsType = "nfs"; fsType = "nfs";
@ -22,32 +49,4 @@ in {
}; };
vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; }; vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; };
networking.wg-quick.interfaces =
let
postUpScript = pkgs.writeScriptBin "post_up" ''
#!${pkgs.stdenv.shell}
${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
'';
in
{
wg0 = {
address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
mtu = 1320;
dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
privateKeyFile = "${vs.rtorrent}/wireguardKey";
postUp = "${postUpScript}/bin/post_up || true";
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "europe3.vpn.airdns.org:1637";
presharedKeyFile = "${vs.rtorrent}/presharedKey";
persistentKeepalive = 15;
}
];
};
};
} }


@ -2,36 +2,13 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }: { pkgs, ... }: {
let
fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
#!${pkgs.stdenv.shell}
# Check if vscode-server dir exists
if [[ -d "$HOME/.vscode-server/bin" ]]; then
# For every bin folder within
for versiondir in "$HOME"/.vscode-server/bin/*; do
# Remove bundled node (dynamic links are borked for nix)
rm "$versiondir/node"
# symlink node form the nixpkg
ln -s "${pkgs.nodejs-16_x}/bin/node" "$versiondir/node"
done
fi
'';
in
{
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# This _should_ fix vscode errors as well
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
# environment.variables = {
# NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [
# pkgs.stdenv.cc.cc
# ];
# # NIX_LD = lib.fileContents "${pkgs.stdenv.cc}/nix-support/dynamic-linker";
# };
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@ -48,22 +25,7 @@ in
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
# Additional packages # Additional packages
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vault ];
binutils
fix-vscode
fluxcd
k9s
kubectl
kubectx
nix-prefetch-git
nixpkgs-fmt
nixpkgs-review
ripgrep
rsync
tmux
vault
vim
];
programs.gnupg.agent = { programs.gnupg.agent = {
enable = true; enable = true;


@ -33,10 +33,7 @@ in {
ensureDatabases = [ db_name ]; ensureDatabases = [ db_name ];
ensureUsers = [{ ensureUsers = [{
name = db_user; name = db_user;
ensurePermissions = { ensureDBOwnership = true;
"DATABASE ${db_name}" = "ALL PRIVILEGES";
"schema public" = "ALL";
};
}]; }];
}; };
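Review bot: `ensureDBOwnership = true;` only takes effect when the role name equals a database listed in `ensureDatabases` (the postgresql module asserts this), and here `name = db_user;` and `ensureDatabases = [ db_name ];` are both bound outside the hunk, so confirm that `db_user` and `db_name` are identical, otherwise evaluation fails with the module's assertion. The same applies to the next file, whose hunk replaces `ensurePermissions` with `ensureDBOwnership = true;` under another `name = db_user;`. Unlike the dropped `"schema public" = "ALL"` grant, database ownership also covers the public schema on PostgreSQL 15 and later, where that schema is owned by pg_database_owner, so no functionality is lost there. A comment next to the bindings, `# ensureDBOwnership requires db_user == db_name`, would document the coupling.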


@ -32,7 +32,7 @@ in
ensureDatabases = [ db_name ]; ensureDatabases = [ db_name ];
ensureUsers = [{ ensureUsers = [{
name = db_user; name = db_user;
ensurePermissions = { "DATABASE ${db_name}" = "ALL PRIVILEGES"; }; ensureDBOwnership = true;
}]; }];
}; };


@ -11,7 +11,7 @@ in
rev = "v${version}"; rev = "v${version}";
hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ="; hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ=";
}; };
patches = patches ++ []; inherit patches;
}) // { }) // {
inherit version; inherit version;
yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk="; yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk=";