From ec0c2f466a54948e4882a1c343a4d511169eb22d Mon Sep 17 00:00:00 2001 From: Victor Date: Fri, 10 Nov 2023 23:35:26 +0100 Subject: [PATCH 01/12] add sccache --- nixos/common/desktop/home.nix | 2 +- nixos/common/hm-modules/default.nix | 2 +- nixos/common/hm-modules/rust.nix | 21 +++++++++++++++++++++ 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 nixos/common/hm-modules/rust.nix diff --git a/nixos/common/desktop/home.nix b/nixos/common/desktop/home.nix index c63088a..e9b37d5 100644 --- a/nixos/common/desktop/home.nix +++ b/nixos/common/desktop/home.nix @@ -35,7 +35,6 @@ in plexamp spotify qmk - rustup solo2-cli tex unzip @@ -47,6 +46,7 @@ in programs = { v.vscode.enable = true; v.nvim.enable = true; + v.rust.enable = true; riff = { enable = true; diff --git a/nixos/common/hm-modules/default.nix b/nixos/common/hm-modules/default.nix index 29d2e44..2dbbe8f 100644 --- a/nixos/common/hm-modules/default.nix +++ b/nixos/common/hm-modules/default.nix @@ -1,3 +1,3 @@ { ... }: { - imports = [ ./catppuccin.nix ./nvim.nix ./riff.nix ./vscode.nix ./git.nix ]; + imports = [ ./catppuccin.nix ./nvim.nix ./riff.nix ./vscode.nix ./git.nix ./rust.nix ]; } diff --git a/nixos/common/hm-modules/rust.nix b/nixos/common/hm-modules/rust.nix new file mode 100644 index 0000000..836eeb4 --- /dev/null +++ b/nixos/common/hm-modules/rust.nix @@ -0,0 +1,21 @@ +{ pkgs, lib, config, ... }: +with lib; +let cfg = config.programs.v.rust; +in { + options.programs.v.rust = { enable = mkEnableOption "rust"; }; + config = mkIf cfg.enable { + home.packages = with pkgs; [ rustup ]; + + home.file = { + ".cargo/config.toml".text = '' + [registries.crates-io] + protocol = "sparse" + + [build] + rustc-wrapper = "${pkgs.sccache}/bin/sccache" + ''; + }; + + home.sessionPath = [ "$HOME/.cargo/bin" ]; + }; +} From 68cb70ee4dbb9a9c7ddeaffdb0d581b29312dd83 Mon Sep 17 00:00:00 2001 
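Review bot: The generated `.cargo/config.toml` routes every rustc invocation through sccache, and nothing in the new `rust.nix` says where that cache lives or what trusting it implies; a comment above `rustc-wrapper` would help: `# sccache defaults to a local on-disk cache; if this is ever pointed at shared/remote storage, cached objects become a trust boundary for every build on this machine.` Pinning the wrapper to a Nix store path is the right call, since it cannot be shadowed by anything in `$HOME/.cargo/bin`, which this same hunk adds to `home.sessionPath`. That PATH entry is a user-writable directory, as rustup expects; it is standard, but a one-line comment saying so would stop a later edit from prepending it.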
From: Victor Date: Fri, 10 Nov 2023 23:41:30 +0100 Subject: [PATCH 02/12] fix lint --- nixos/common/desktop/home.nix | 42 +++--- nixos/common/hm-modules/rust.nix | 22 +-- nixos/hosts/olympus/dex/configuration.nix | 163 +++++++++++----------- 3 files changed, 114 insertions(+), 113 deletions(-) diff --git a/nixos/common/desktop/home.nix b/nixos/common/desktop/home.nix index e9b37d5..033f235 100644 --- a/nixos/common/desktop/home.nix +++ b/nixos/common/desktop/home.nix @@ -5,8 +5,7 @@ let dnd-5e-latex-template = { pkgs = [ pkgs.v.dnd-5e-latex-template ]; }; }; my-python-packages = ps: with ps; [ pandas requests numpy ]; -in -{ +in { home.packages = with pkgs; [ (python3.withPackages my-python-packages) btop @@ -44,9 +43,11 @@ in # Enable my own hm modules themes.v.catppuccin.enable = true; programs = { - v.vscode.enable = true; - v.nvim.enable = true; - v.rust.enable = true; + v = { + vscode.enable = true; + nvim.enable = true; + rust.enable = true; + }; riff = { enable = true; @@ -72,26 +73,23 @@ in thunderbird = { enable = true; - profiles.default = { - isDefault = true; - }; + profiles.default = { isDefault = true; }; }; }; # Syncthing services.syncthing.enable = true; - xdg.userDirs = - let home = config.home.homeDirectory; - in { - enable = true; - createDirectories = true; - desktop = "${home}/.desktop"; - documents = "${home}/cloud/Documents"; - download = "${home}/dl"; - music = "${home}/cloud/Music"; - pictures = "${home}/cloud/Pictures"; - publicShare = "${home}/.publicShare"; - templates = "${home}/.templates"; - videos = "${home}/cloud/Videos"; - }; + xdg.userDirs = let home = config.home.homeDirectory; + in { + enable = true; + createDirectories = true; + desktop = "${home}/.desktop"; + documents = "${home}/cloud/Documents"; + download = "${home}/dl"; + music = "${home}/cloud/Music"; + pictures = "${home}/cloud/Pictures"; + publicShare = "${home}/.publicShare"; + templates = "${home}/.templates"; + videos = "${home}/cloud/Videos"; + }; } 
diff --git a/nixos/common/hm-modules/rust.nix b/nixos/common/hm-modules/rust.nix index 836eeb4..752ed04 100644 --- a/nixos/common/hm-modules/rust.nix +++ b/nixos/common/hm-modules/rust.nix @@ -4,18 +4,20 @@ let cfg = config.programs.v.rust; in { options.programs.v.rust = { enable = mkEnableOption "rust"; }; config = mkIf cfg.enable { - home.packages = with pkgs; [ rustup ]; + home = { + packages = with pkgs; [ rustup ]; - home.file = { - ".cargo/config.toml".text = '' - [registries.crates-io] - protocol = "sparse" + file = { + ".cargo/config.toml".text = '' + [registries.crates-io] + protocol = "sparse" - [build] - rustc-wrapper = "${pkgs.sccache}/bin/sccache" - ''; + [build] + rustc-wrapper = "${pkgs.sccache}/bin/sccache" + ''; + }; + + sessionPath = [ "$HOME/.cargo/bin" ]; }; - - home.sessionPath = [ "$HOME/.cargo/bin" ]; }; } diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix index e70f16c..3105b95 100644 --- a/nixos/hosts/olympus/dex/configuration.nix +++ b/nixos/hosts/olympus/dex/configuration.nix @@ -9,8 +9,7 @@ let db_name = "dex"; inherit (config.meta.exposes.dex) port; metricsPort = 5558; -in -{ +in { imports = [ ]; # This value determines the NixOS release from which the default 
@@ -23,91 +22,93 @@ in networking.firewall.allowedTCPPorts = [ port metricsPort ]; - services.postgresql = { - enable = true; - package = pkgs.postgresql_15; - ensureDatabases = [ db_name ]; - ensureUsers = [{ - name = db_user; - ensurePermissions = { - "DATABASE ${db_name}" = "ALL PRIVILEGES"; - "schema public" = "ALL"; - }; - }]; - }; - vault-secrets.secrets.dex = { }; + services = { - services.dex = { - enable = true; - settings = { - issuer = "https://dex.0x76.dev"; - storage = { - type = "postgres"; - config = { - host = "/var/run/postgresql"; - user = db_user; - database = db_name; - }; - }; - web.http = "0.0.0.0:${toString port}"; - telemetry.http = "0.0.0.0:${toString metricsPort}"; - - connectors = [{ - type = "gitea"; - id = "gitea"; - name = "Gitea"; - config = { - clientID = "$GITEA_CLIENT_ID"; - clientSecret = "$GITEA_CLIENT_SECRET"; - redirectURI = "https://dex.0x76.dev/callback"; - baseURL = "https://git.0x76.dev"; + postgresql = { + enable = true; + package = pkgs.postgresql_15; + ensureDatabases = [ db_name ]; + ensureUsers = [{ + name = db_user; + ensurePermissions = { + "DATABASE ${db_name}" = "ALL PRIVILEGES"; + "schema public" = "ALL"; }; }]; - - staticClients = [ - { - id = "outline"; - name = "Outline"; - redirectURIs = [ "https://outline.0x76.dev/auth/oidc.callback" ]; - secretEnv = "OUTLINE_CLIENT_SECRET"; - } - { - id = "grafana"; - name = "Grafana"; - redirectURIs = [ "https://grafana.0x76.dev/login/generic_oauth" ]; - secretEnv = "GRAFANA_CLIENT_SECRET"; - } - { - id = "hedgedoc"; - name = "Hedgedoc"; - redirectURIs = [ "https://md.0x76.dev/auth/oauth2/callback" ]; - secretEnv = "HEDGEDOC_CLIENT_SECRET"; - } - { - id = "flux"; - name = "Weave Gitops Flux Dashboard"; - redirectURIs = [ "https://flux.0x76.dev/oauth2/callback" ]; - secretEnv = "FLUX_CLIENT_SECRET"; - } - { - id = "oauth2-proxy"; - name = "OAuth2 Proxy"; - redirectURIs = [ "https://o2p.0x76.dev/oauth2/callback" ]; - secretEnv = "O2P_CLIENT_SECRET"; - } - ]; }; - 
environmentFile = "${vs.dex}/environment"; - }; + dex = { + enable = true; + settings = { + issuer = "https://dex.0x76.dev"; + storage = { + type = "postgres"; + config = { + host = "/var/run/postgresql"; + user = db_user; + database = db_name; + }; + }; + web.http = "0.0.0.0:${toString port}"; + telemetry.http = "0.0.0.0:${toString metricsPort}"; - services.oauth2_proxy = { - enable = true; - provider = "oidc"; - redirectURL = "https://o2p.0x76.dev/oauth2/callback"; - cookie.secure = false; - httpAddress = "0.0.0.0:4180"; - keyFile = ""; + connectors = [{ + type = "gitea"; + id = "gitea"; + name = "Gitea"; + config = { + clientID = "$GITEA_CLIENT_ID"; + clientSecret = "$GITEA_CLIENT_SECRET"; + redirectURI = "https://dex.0x76.dev/callback"; + baseURL = "https://git.0x76.dev"; + }; + }]; + + staticClients = [ + { + id = "outline"; + name = "Outline"; + redirectURIs = [ "https://outline.0x76.dev/auth/oidc.callback" ]; + secretEnv = "OUTLINE_CLIENT_SECRET"; + } + { + id = "grafana"; + name = "Grafana"; + redirectURIs = [ "https://grafana.0x76.dev/login/generic_oauth" ]; + secretEnv = "GRAFANA_CLIENT_SECRET"; + } + { + id = "hedgedoc"; + name = "Hedgedoc"; + redirectURIs = [ "https://md.0x76.dev/auth/oauth2/callback" ]; + secretEnv = "HEDGEDOC_CLIENT_SECRET"; + } + { + id = "flux"; + name = "Weave Gitops Flux Dashboard"; + redirectURIs = [ "https://flux.0x76.dev/oauth2/callback" ]; + secretEnv = "FLUX_CLIENT_SECRET"; + } + { + id = "oauth2-proxy"; + name = "OAuth2 Proxy"; + redirectURIs = [ "https://o2p.0x76.dev/oauth2/callback" ]; + secretEnv = "O2P_CLIENT_SECRET"; + } + ]; + }; + + environmentFile = "${vs.dex}/environment"; + }; + + oauth2_proxy = { + enable = true; + provider = "oidc"; + redirectURL = "https://o2p.0x76.dev/oauth2/callback"; + cookie.secure = false; + httpAddress = "0.0.0.0:4180"; + keyFile = ""; + }; }; } From 14405c110904c4adf8194fe450b3ac04b590d98d Mon Sep 17 00:00:00 2001 
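Review bot: The re-indented new side still binds both dex listeners to all interfaces, `web.http = "0.0.0.0:..."` and `telemetry.http = "0.0.0.0:${toString metricsPort}"`, and the file opens `metricsPort` in `allowedTCPPorts` alongside `port`, so the metrics endpoint is reachable from anything that can reach the host; unless the scraper runs on another host (not visible here) I would bind telemetry to loopback or the internal address, `telemetry.http = "127.0.0.1:${toString metricsPort}";`, and drop it from the firewall list. The carried-over `oauth2_proxy` block also has `cookie.secure = false;` while `redirectURL` is https, and `keyFile = "";`, which as far as this file shows supplies no client secret or cookie secret to the proxy. Both are pre-existing, but this hunk now owns those lines; it otherwise only moves them.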
From: Victor Date: Sat, 11 Nov 2023 00:03:17 +0100 Subject: [PATCH 03/12] fix bastion --- nixos/hosts/hades/bastion/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/hosts/hades/bastion/configuration.nix b/nixos/hosts/hades/bastion/configuration.nix index 5b529a5..0ca18a7 100644 --- a/nixos/hosts/hades/bastion/configuration.nix +++ b/nixos/hosts/hades/bastion/configuration.nix @@ -9,7 +9,6 @@ direnv git-crypt nix-update - nodejs-14_x pinentry-curses ripgrep rsync From 76f35ef704d3b22a6c05502e3dcae6084e992d55 Mon Sep 17 00:00:00 2001 From: Victor Date: Sun, 12 Nov 2023 13:14:41 +0100 Subject: [PATCH 04/12] updates --- flake.lock | 48 +++++++++++++------------- nixos/hosts/hades/overseerr/lidarr.nix | 1 + 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index 1357682..3c598c1 100644 --- a/flake.lock +++ b/flake.lock @@ -687,11 +687,11 @@ ] }, "locked": { - "lastModified": 1699368917, - "narHash": "sha256-nUtGIWf86BOkUbtksWtfglvCZ/otP0FTZlQH8Rzc7PA=", + "lastModified": 1699783872, + "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=", "owner": "nix-community", "repo": "home-manager", - "rev": "6a8444467c83c961e2f5ff64fb4f422e303c98d3", + "rev": "280721186ab75a76537713ec310306f0eba3e407", "type": "github" }, "original": { @@ -713,11 +713,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1699469975, - "narHash": "sha256-TVYObcXFB6c3z5vF/aLZKDL7u+Rt0OZLWpvIdMcJZ4Q=", + "lastModified": 1699626196, + "narHash": "sha256-/arAIgFkEOTss4BsppCJn1DIBxvx1ESgWOj9CJqx4lQ=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "bc0fd4e1d9cbba5f8dce5df845246d77eb7c01d6", + "rev": "81975f3bc4a7f3f4c689c43645110c2e1aac56b2", "type": "github" }, "original": { 
@@ -898,11 +898,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1699159446, - "narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=", + "lastModified": 1699701045, + "narHash": "sha256-mDzUXK7jNO/utInWpSWEX1NgEEunVIpJg+LyPsDTfy0=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "627bc9b88256379578885a7028c9e791c29fb581", + "rev": "b689465d0c5d88e158e7d76094fca08cc0223aad", "type": "github" }, "original": { @@ -1089,11 +1089,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1699354722, - "narHash": "sha256-abmqUReg4PsyQSwv4d0zjcWpMHrd3IFJiTb2tZpfF04=", + "lastModified": 1699686971, + "narHash": "sha256-fttf55Uo88Ei57sxTuDOwKXg8izdR365lFjI13+XfwE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cfbb29d76949ae53c457f152c52c173ea4bdd862", + "rev": "d638da8b6a17041483d90ba9af6c3b5e30b4fbcc", "type": "github" }, "original": { @@ -1104,11 +1104,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1698924604, - "narHash": "sha256-GCFbkl2tj8fEZBZCw3Tc0AkGo0v+YrQlohhEGJ/X4s0=", + "lastModified": 1699099776, + "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fa804edfb7869c9fb230e174182a8a1a7e512c40", + "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb", "type": "github" }, "original": { @@ -1205,11 +1205,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1699308475, - "narHash": "sha256-sFHOFiE+GV1JkwDmHi0LLJLSRyggdIK1Yra02oj2eZg=", + "lastModified": 1699721903, + "narHash": "sha256-ghsMr6EqRNCRJtzNokmqeyA3soMjl7bc+/TN7LX/Izc=", "owner": "pta2002", "repo": "nixvim", - "rev": "6b93c8fa6db999320d53f13e0ebd555e33f86577", + "rev": "1286a0f41e37b2bb94f2eb87a7f4efde727f8e87", "type": "github" }, "original": { 
@@ -1220,11 +1220,11 @@ }, "nur": { "locked": { - "lastModified": 1699536582, - "narHash": "sha256-xW16bouhkI9fx6wMLy8002cbLvB3UK4B3J10+Anq9BU=", + "lastModified": 1699789173, + "narHash": "sha256-8ImqQHlD/RV/DqUkLX6OMOLC0L3rOnpz18/L8kt+9QQ=", "owner": "nix-community", "repo": "NUR", - "rev": "71d46644e40610ea90c7e97ba32667de90c5f1a5", + "rev": "cafc94f2fafd3bc7ef0a2f35a3484dd2df64f111", "type": "github" }, "original": { @@ -1289,11 +1289,11 @@ "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { - "lastModified": 1698852633, - "narHash": "sha256-Hsc/cCHud8ZXLvmm8pxrXpuaPEeNaaUttaCvtdX/Wug=", + "lastModified": 1699271226, + "narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "dec10399e5b56aa95fcd530e0338be72ad6462a0", + "rev": "ea758da1a6dcde6dc36db348ed690d09b9864128", "type": "github" }, "original": { diff --git a/nixos/hosts/hades/overseerr/lidarr.nix b/nixos/hosts/hades/overseerr/lidarr.nix index cba131e..8a21e14 100644 --- a/nixos/hosts/hades/overseerr/lidarr.nix +++ b/nixos/hosts/hades/overseerr/lidarr.nix @@ -5,6 +5,7 @@ in { vault-secrets.secrets.lidarr = { quoteEnvironmentValues = false; # Needed for docker + services = [ "podman-lidarr" ]; }; virtualisation.oci-containers.containers.lidarr = { From 4e5ef010d4e813ad33280a1eebb7455b08550de3 Mon Sep 17 00:00:00 2001 
From: Victor Date: Sun, 12 Nov 2023 15:07:41 +0100 Subject: [PATCH 05/12] deploy grist --- flake.nix | 2 +- .../apps/services/grist/external-secret.yaml | 17 ----- flux/olympus/apps/services/grist/grist.yaml | 47 ------------- flux/olympus/apps/services/grist/ingress.yaml | 29 -------- .../apps/services/grist/kustomization.yaml | 7 -- flux/olympus/apps/services/grist/pvc.yaml | 12 ---- flux/olympus/apps/services/kustomization.yaml | 1 - .../oauth2-proxy/external-secret.yaml | 25 ------- .../services/oauth2-proxy/kustomization.yaml | 5 -- .../services/oauth2-proxy/oauth2-proxy.yaml | 67 ------------------- nixos/hosts/olympus/default.nix | 22 ++++-- nixos/hosts/olympus/dex/configuration.nix | 19 ++---- nixos/hosts/olympus/grist/configuration.nix | 42 ++++++++++++ 13 files changed, 66 insertions(+), 229 deletions(-) delete mode 100644 flux/olympus/apps/services/grist/external-secret.yaml delete mode 100644 flux/olympus/apps/services/grist/grist.yaml delete mode 100644 flux/olympus/apps/services/grist/ingress.yaml delete mode 100644 flux/olympus/apps/services/grist/kustomization.yaml delete mode 100644 flux/olympus/apps/services/grist/pvc.yaml delete mode 100644 flux/olympus/apps/services/oauth2-proxy/external-secret.yaml delete mode 100644 flux/olympus/apps/services/oauth2-proxy/kustomization.yaml delete mode 100644 flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml create mode 100644 nixos/hosts/olympus/grist/configuration.nix diff --git a/flake.nix b/flake.nix index 96f4d3b..3ef1297 100644 --- a/flake.nix +++ b/flake.nix @@ -118,7 +118,7 @@ default = colmena.packages.${system}.colmena; proxmox-lxc = nixos-generators.nixosGenerate { - inherit system pkgs specialArgs; + inherit system specialArgs; format = "proxmox-lxc"; modules = util.base_imports ++ [ (import ./nixos/templates/proxmox-lxc.nix) ]; 
diff --git a/flux/olympus/apps/services/grist/external-secret.yaml b/flux/olympus/apps/services/grist/external-secret.yaml deleted file mode 100644 index 21a84e7..0000000 --- a/flux/olympus/apps/services/grist/external-secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: grist - namespace: services -spec: - refreshInterval: "5m" - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: grist - data: - - secretKey: GRIST_SESSION_SECRET - remoteRef: - key: services/grist - property: grist_session_secret diff --git a/flux/olympus/apps/services/grist/grist.yaml b/flux/olympus/apps/services/grist/grist.yaml deleted file mode 100644 index b2ce844..0000000 --- a/flux/olympus/apps/services/grist/grist.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: grist - namespace: services - labels: - app: grist -spec: - replicas: 1 - selector: - matchLabels: - app: grist - template: - metadata: - labels: - app: grist - spec: - volumes: - - name: persist - persistentVolumeClaim: - claimName: grist - containers: - - name: grist-core - image: gristlabs/grist:1.1.7 - volumeMounts: - - name: persist - mountPath: /persist - env: - - name: APP_HOME_URL - value: "https://grist.0x76.dev" - - name: GRIST_SINGLE_ORG - value: "" - - name: GRIST_SUPPORT_ANON - value: false - - name: PYTHON_VERSION - value: 3 - - name: PYTHON_VERSION_ON_CREATION - value: 3 - - name: GRIST_FORWARD_AUTH_HEADER - value: X-Forwarded-User - - name: GRIST_FORWARD_AUTH_LOGOUT_PATH - value: /_oauth/logout - envFrom: - - secretRef: - name: grist - ports: - - containerPort: 8484 diff --git a/flux/olympus/apps/services/grist/ingress.yaml b/flux/olympus/apps/services/grist/ingress.yaml deleted file mode 100644 index c648f4e..0000000 --- a/flux/olympus/apps/services/grist/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: grist - namespace: services -spec: - selector: - app: grist - ports: - - protocol: TCP - port: 8484 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: grist - namespace: services -spec: - rules: - - host: "grist.0x76.dev" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: grist - port: - number: 8484 diff --git a/flux/olympus/apps/services/grist/kustomization.yaml b/flux/olympus/apps/services/grist/kustomization.yaml deleted file mode 100644 index 2bb88f3..0000000 --- a/flux/olympus/apps/services/grist/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - external-secret.yaml - - pvc.yaml - - grist.yaml - - ingress.yaml diff --git a/flux/olympus/apps/services/grist/pvc.yaml b/flux/olympus/apps/services/grist/pvc.yaml deleted file mode 100644 index eefaa64..0000000 --- a/flux/olympus/apps/services/grist/pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: grist - namespace: services -spec: - accessModes: - - ReadWriteOnce - storageClassName: local-path - resources: - requests: - storage: 2Gi diff --git a/flux/olympus/apps/services/kustomization.yaml b/flux/olympus/apps/services/kustomization.yaml index c3536ca..4ddab70 100644 --- a/flux/olympus/apps/services/kustomization.yaml +++ b/flux/olympus/apps/services/kustomization.yaml @@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - renovate - - oauth2-proxy diff --git a/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml b/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml deleted file mode 100644 index c127b72..0000000 --- a/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: oauth2-proxy - namespace: services -spec: - refreshInterval: "5m" - secretStoreRef: - name: vault - kind: ClusterSecretStore - target: - name: oauth2-proxy - data: - - secretKey: OAUTH2_PROXY_CLIENT_ID - remoteRef: - key: services/oauth2-proxy - property: client_id - - secretKey: OAUTH2_PROXY_CLIENT_SECRET - remoteRef: - key: services/oauth2-proxy - property: client_secret - - secretKey: OAUTH2_PROXY_COOKIE_SECRET - remoteRef: - key: services/oauth2-proxy - property: cookie_secret diff --git a/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml b/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml deleted file mode 100644 index fb4e8cd..0000000 --- a/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - external-secret.yaml - - oauth2-proxy.yaml diff --git a/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml b/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml deleted file mode 100644 index 68fc287..0000000 --- a/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - k8s-app: oauth2-proxy - name: oauth2-proxy - namespace: services -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: oauth2-proxy - template: - metadata: - labels: - k8s-app: oauth2-proxy - spec: - containers: - - args: - - --provider=oidc - - --provider-display2-name="Dex" - - --oidc-issuer-url=https://dex.0x76.dev/dex - - --redirect-url=https://o2p.0x76.dev/oauth2/callback - - --cookie-secure=false - - --http-address=0.0.0.0:4180 - image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1 - envFrom: - - secretRef: - name: oauth2-proxy - name: oauth2-proxy - ports: - - containerPort: 4180 - protocol: TCP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - k8s-app: oauth2-proxy - name: oauth2-proxy - namespace: services -spec: - ports: - - name: http - port: 4180 - protocol: TCP - targetPort: 4180 - selector: - k8s-app: oauth2-proxy ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: oauth2-proxy - namespace: services -spec: - rules: - - host: "o2p.0x76.dev" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: oauth2-proxy - port: - number: 4180 diff --git a/nixos/hosts/olympus/default.nix b/nixos/hosts/olympus/default.nix index d50a25a..58b6d7e 100644 --- a/nixos/hosts/olympus/default.nix +++ b/nixos/hosts/olympus/default.nix @@ -53,7 +53,6 @@ exposes = { www.domain = "0x76.dev"; flux.domain = "flux.0x76.dev"; - o2p.domain = "o2p.0x76.dev"; internal.domain = "internal.xirion.net"; blog.domain = "blog.xirion.net"; }; @@ -61,9 +60,15 @@ "dex" = { ip = "10.42.42.11"; mac = "AE:66:7B:FA:15:72"; - exposes.dex = { - domain = "dex.0x76.dev"; - port = 5556; + exposes = { + dex = { + domain = "dex.0x76.dev"; + port = 5556; + }; + o2p_proxy = { + domain = "o2p.0x76.dev"; + port = 8484; + }; }; }; "WoolooTV" = { 
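Review bot: The new `o2p_proxy` entry under the `dex` host exposes `o2p.0x76.dev` on port 8484, but this same patch removes the `oauth2_proxy` service from the dex host configuration and deletes the flux oauth2-proxy manifests, so nothing on dex appears to listen there (8484 is the grist port, on the `grist` host added further down). If `exposes` feeds whatever ingress or reverse proxy reads `config.meta.exposes` (its consumer is not visible here), this routes a public hostname to a dead port. Drop the entry, `exposes = { dex = { domain = "dex.0x76.dev"; port = 5556; }; };`, or move it to the host that actually serves it.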
@@ -151,7 +156,14 @@ ip = "10.42.42.25"; mac = "1E:ED:97:2C:C3:9D"; }; - # 10.42.42.26 + "grist" = { + ip = "10.42.42.26"; + mac = "B2:AA:AB:5D:2F:22"; + exposes.grist = { + domain = "grist.0x76.dev"; + port = 8484; + }; + }; "bookwyrm" = { ip = "10.42.42.27"; mac = "9E:8A:6C:39:27:DE"; diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix index 3105b95..4bcbf5b 100644 --- a/nixos/hosts/olympus/dex/configuration.nix +++ b/nixos/hosts/olympus/dex/configuration.nix @@ -23,6 +23,8 @@ in { networking.firewall.allowedTCPPorts = [ port metricsPort ]; vault-secrets.secrets.dex = { }; + vault-secrets.secrets.oauth2_proxy = { }; + services = { postgresql = { @@ -91,24 +93,15 @@ in { secretEnv = "FLUX_CLIENT_SECRET"; } { - id = "oauth2-proxy"; - name = "OAuth2 Proxy"; - redirectURIs = [ "https://o2p.0x76.dev/oauth2/callback" ]; - secretEnv = "O2P_CLIENT_SECRET"; + id = "grist"; + name = "grist"; + redirectURIs = [ "https://grist.0x76.dev/oauth2/callback" ]; + secretEnv = "GRIST_CLIENT_SECRET"; } ]; }; environmentFile = "${vs.dex}/environment"; }; - - oauth2_proxy = { - enable = true; - provider = "oidc"; - redirectURL = "https://o2p.0x76.dev/oauth2/callback"; - cookie.secure = false; - httpAddress = "0.0.0.0:4180"; - keyFile = ""; - }; }; } diff --git a/nixos/hosts/olympus/grist/configuration.nix b/nixos/hosts/olympus/grist/configuration.nix new file mode 100644 index 0000000..c097f5d --- /dev/null +++ b/nixos/hosts/olympus/grist/configuration.nix 
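Review bot: `vault-secrets.secrets.oauth2_proxy = { };` is added here while the rest of this patch removes the `oauth2_proxy` service from this host, and the only remaining consumer, `environmentFile = "${vs.dex}/environment"`, reads the `dex` secret; as far as this file shows, that mounts a second secret on the dex host that nothing uses. Least privilege says drop the line, or, if the intent is to hand the oauth2-proxy credentials to dex, say so in a comment and reference `vs.oauth2_proxy` from the service. The `GRIST_CLIENT_SECRET` referenced by the new static client must exist in the `dex` environment file; a comment listing the variables that file is expected to carry would make that dependency visible.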
@@ -0,0 +1,42 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, ... }: +let vs = config.vault-secrets.secrets; +in { + imports = [ ]; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.11"; # Did you read the comment? + networking.firewall.allowedTCPPorts = [ 8484 ]; + + virtualisation.podman.enable = true; + virtualisation.oci-containers.backend = "podman"; + + vault-secrets.secrets.grist = { + quoteEnvironmentValues = false; # Needed for docker + services = [ "podman-grist" ]; + }; + + virtualisation.oci-containers.containers.grist = { + image = "gristlabs/grist:latest"; + environment = { + APP_HOME_URL = "https://grist.0x76.dev"; + GRIST_SUPPORT_ANON = "false"; + PYTHON_VERSION = "3"; + PYTHON_VERSION_ON_CREATION = "3"; + + # Beta OIDC support + GRIST_OIDC_IDP_ISSUER = "https://dex.0x76.dev"; + }; + environmentFiles = [ "${vs.grist}/environment" ]; + ports = [ "8484:8484" ]; + volumes = [ "/var/lib/grist:/persist" ]; + }; +} From c45df4dc1f41bd3a1dab3295b684776fc9014975 Mon Sep 17 00:00:00 2001 From: Victor Date: Mon, 13 Nov 2023 17:39:02 +0100 Subject: [PATCH 06/12] fix grist deployment completely --- nixos/common/hm-modules/git.nix | 2 +- nixos/hosts/olympus/grist/configuration.nix | 18 ++++++++++++++++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/nixos/common/hm-modules/git.nix b/nixos/common/hm-modules/git.nix index f7bb139..beb4150 100644 
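Review bot: `image = "gristlabs/grist:latest"` replaces a flux manifest that pinned `gristlabs/grist:1.1.7`, so the host now runs whatever the mutable `latest` tag resolves to at pull time and Renovate, which bumps pinned tags elsewhere in this series, can no longer track it; pin a release tag or a `gristlabs/grist@sha256:…` digest, and leave a comment if a pre-release is deliberately wanted. The container also publishes `8484:8484` on all interfaces and the firewall opens 8484, so Grist is reachable directly and not only through whatever fronts `grist.0x76.dev`; if a reverse proxy is the intended entry point (not visible here), bind to the host's internal address, e.g. `ports = [ "10.42.42.26:8484:8484" ];`. `GRIST_OIDC_IDP_ISSUER` is set but the client id and secret are presumably in `${vs.grist}/environment`; a comment naming the variables that file must contain would help the next operator.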
--- a/nixos/common/hm-modules/git.nix +++ b/nixos/common/hm-modules/git.nix @@ -7,7 +7,7 @@ in { programs.git = { enable = true; package = pkgs.gitAndTools.gitFull; - userName = "Victor"; + userName = "0x76"; userEmail = "victor@xirion.net"; lfs.enable = true; extraConfig = { diff --git a/nixos/hosts/olympus/grist/configuration.nix b/nixos/hosts/olympus/grist/configuration.nix index c097f5d..5424fc4 100644 --- a/nixos/hosts/olympus/grist/configuration.nix +++ b/nixos/hosts/olympus/grist/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, ... }: +{ config, pkgs, ... }: let vs = config.vault-secrets.secrets; in { imports = [ ]; @@ -16,6 +16,8 @@ in { system.stateVersion = "23.11"; # Did you read the comment? networking.firewall.allowedTCPPorts = [ 8484 ]; + environment.systemPackages = with pkgs; [ sqlite ]; + virtualisation.podman.enable = true; virtualisation.oci-containers.backend = "podman"; @@ -25,10 +27,22 @@ in { }; virtualisation.oci-containers.containers.grist = { - image = "gristlabs/grist:latest"; + image = + "gristlabs/grist:latest"; # Switch to versioned release as soon as OIDC hits stable environment = { APP_HOME_URL = "https://grist.0x76.dev"; GRIST_SUPPORT_ANON = "false"; + GRIST_FORCE_LOGIN = "true"; + GRIST_SINGLE_ORG = "xirion"; + GRIST_ORG_IN_PATH = "false"; + GRIST_DEFAULT_EMAIL = "v@0x76.dev"; # Defines admin user + GRIST_HIDE_UI_ELEMENTS = + "helpCenter,billing,templates,multiSite,multiAccounts"; + GRIST_TELEMETRY_LEVEL = "off"; + GRIST_WIDGET_LIST_URL = + "https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json"; + + # No Python 2 PYTHON_VERSION = "3"; PYTHON_VERSION_ON_CREATION = "3"; From dddcf0d8c67c76a164c3bb69ae7124acae1715df Mon Sep 17 00:00:00 2001 
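Review bot: `GRIST_DEFAULT_EMAIL = "v@0x76.dev"; # Defines admin user` makes the admin account hinge on the email claim the OIDC provider asserts; dex in this repository federates to a Gitea connector, so unless Gitea and dex release only verified addresses (not visible here), any user who can register or change their Gitea email to that address inherits Grist admin. Either confirm that, or record the assumption next to the line: `# admin is whoever the IdP asserts as this email — relies on dex/Gitea only releasing verified addresses`. `GRIST_WIDGET_LIST_URL` points at `releases/download/latest/manifest.json`, a mutable URL whose contents define the custom widgets offered to every user; if that is acceptable, a comment saying it is trusted upstream content would help, otherwise pin a release. The `:latest` image tag is acknowledged by the new inline comment.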
From: Victor Date: Mon, 13 Nov 2023 17:39:38 +0100 Subject: [PATCH 07/12] fix lints --- nixos/hosts/olympus/eevee/hardware.nix | 2 +- nixos/hosts/olympus/grist/configuration.nix | 62 +++++++++++---------- 2 files changed, 33 insertions(+), 31 deletions(-) diff --git a/nixos/hosts/olympus/eevee/hardware.nix b/nixos/hosts/olympus/eevee/hardware.nix index e573137..cd1cb84 100644 --- a/nixos/hosts/olympus/eevee/hardware.nix +++ b/nixos/hosts/olympus/eevee/hardware.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: { +{ pkgs, ... }: { hardware = { enableAllFirmware = true; nvidia = { diff --git a/nixos/hosts/olympus/grist/configuration.nix b/nixos/hosts/olympus/grist/configuration.nix index 5424fc4..726e09d 100644 --- a/nixos/hosts/olympus/grist/configuration.nix +++ b/nixos/hosts/olympus/grist/configuration.nix 
@@ -17,40 +17,42 @@ in { networking.firewall.allowedTCPPorts = [ 8484 ]; environment.systemPackages = with pkgs; [ sqlite ]; + virtualisation = { - virtualisation.podman.enable = true; - virtualisation.oci-containers.backend = "podman"; + podman.enable = true; + oci-containers.backend = "podman"; + + oci-containers.containers.grist = { + image = + "gristlabs/grist:latest"; # Switch to versioned release as soon as OIDC hits stable + environment = { + APP_HOME_URL = "https://grist.0x76.dev"; + GRIST_SUPPORT_ANON = "false"; + GRIST_FORCE_LOGIN = "true"; + GRIST_SINGLE_ORG = "xirion"; + GRIST_ORG_IN_PATH = "false"; + GRIST_DEFAULT_EMAIL = "v@0x76.dev"; # Defines admin user + GRIST_HIDE_UI_ELEMENTS = + "helpCenter,billing,templates,multiSite,multiAccounts"; + GRIST_TELEMETRY_LEVEL = "off"; + GRIST_WIDGET_LIST_URL = + "https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json"; + + # No Python 2 + PYTHON_VERSION = "3"; + PYTHON_VERSION_ON_CREATION = "3"; + + # Beta OIDC support + GRIST_OIDC_IDP_ISSUER = "https://dex.0x76.dev"; + }; + environmentFiles = [ "${vs.grist}/environment" ]; + ports = [ "8484:8484" ]; + volumes = [ "/var/lib/grist:/persist" ]; + }; + }; vault-secrets.secrets.grist = { quoteEnvironmentValues = false; # Needed for docker services = [ "podman-grist" ]; }; - - virtualisation.oci-containers.containers.grist = { - image = - "gristlabs/grist:latest"; # Switch to versioned release as soon as OIDC hits stable - environment = { - APP_HOME_URL = "https://grist.0x76.dev"; - GRIST_SUPPORT_ANON = "false"; - GRIST_FORCE_LOGIN = "true"; - GRIST_SINGLE_ORG = "xirion"; - GRIST_ORG_IN_PATH = "false"; - GRIST_DEFAULT_EMAIL = "v@0x76.dev"; # Defines admin user - GRIST_HIDE_UI_ELEMENTS = - "helpCenter,billing,templates,multiSite,multiAccounts"; - GRIST_TELEMETRY_LEVEL = "off"; - GRIST_WIDGET_LIST_URL = - "https://github.com/gristlabs/grist-widget/releases/download/latest/manifest.json"; - - # No Python 2 - PYTHON_VERSION = "3"; - 
PYTHON_VERSION_ON_CREATION = "3"; - - # Beta OIDC support - GRIST_OIDC_IDP_ISSUER = "https://dex.0x76.dev"; - }; - environmentFiles = [ "${vs.grist}/environment" ]; - ports = [ "8484:8484" ]; - volumes = [ "/var/lib/grist:/persist" ]; - }; } From 4123f9a4ec421ce516fef31a9c83df220b5ecfdc Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 13 Nov 2023 15:00:26 +0000 Subject: [PATCH 08/12] chore(deps): update flaresolverr/flaresolverr docker tag to v3.3.9 --- nixos/hosts/hades/overseerr/prowlarr.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/hosts/hades/overseerr/prowlarr.nix b/nixos/hosts/hades/overseerr/prowlarr.nix index f37c307..b68b64f 100644 --- a/nixos/hosts/hades/overseerr/prowlarr.nix +++ b/nixos/hosts/hades/overseerr/prowlarr.nix @@ -5,7 +5,7 @@ _: { }; virtualisation.oci-containers.containers.flaresolverr = { - image = "flaresolverr/flaresolverr:v3.3.7"; + image = "flaresolverr/flaresolverr:v3.3.9"; ports = [ "8191:8191" ]; }; } From aab01c9f91123b4cf7735de124644258106728f6 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 13 Nov 2023 15:00:29 +0000 Subject: [PATCH 09/12] chore(deps): update renovate/renovate docker tag to v37.57.0 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index 57384d0..89357d5 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:37.51.3 + image: renovate/renovate:37.57.0 volumeMounts: - name: config-volume mountPath: /opt/renovate/ From 2c0409da67db9779c3f6e2a9975660d0389d2a99 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Mon, 13 Nov 2023 23:00:29 +0000 Subject: [PATCH 10/12] chore(deps): update renovate/renovate docker tag to v37.57.2 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index 89357d5..7b35049 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:37.57.0 + image: renovate/renovate:37.57.2 volumeMounts: - name: config-volume mountPath: /opt/renovate/ From 3767b37bbff2affd31f5940fd9fd986d6f3f26ad Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 14 Nov 2023 23:00:32 +0000 Subject: [PATCH 11/12] chore(deps): update renovate/renovate docker tag to v37.59.4 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index 7b35049..0d64108 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml +++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:37.57.2 + image: renovate/renovate:37.59.4 volumeMounts: - name: config-volume mountPath: /opt/renovate/ From cfa3ae8d24f6929c9cafa248e89060abcfe9942b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 15 Nov 2023 23:00:31 +0000 Subject: [PATCH 12/12] chore(deps): update renovate/renovate docker tag to v37.59.8 --- flux/olympus/apps/services/renovate/cronjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flux/olympus/apps/services/renovate/cronjob.yaml b/flux/olympus/apps/services/renovate/cronjob.yaml index 0d64108..45fd50f 100644 --- a/flux/olympus/apps/services/renovate/cronjob.yaml 
+++ b/flux/olympus/apps/services/renovate/cronjob.yaml @@ -19,7 +19,7 @@ spec: emptyDir: {} containers: - name: renovate - image: renovate/renovate:37.59.4 + image: renovate/renovate:37.59.8 volumeMounts: - name: config-volume mountPath: /opt/renovate/